deploying netscaler adcs in cisco application centric ... · deploying netscaler adcs in cisco...
TRANSCRIPT
Citrix Systems, Inc.
Deploying NetScaler ADCs in Cisco
Application Centric Infrastructure (ACI)
Contents Introduction.................................................................................................................................................... 3
Policy-Based Automation Framework ....................................................................................................... 3
Policy-Based Service Insertion ................................................................................................................. 3
Benefits of Using Citrix NetScaler ADCs in Cisco ACI ............................................................................. 4
Deployment Modes of NetScaler ADCs in Cisco ACI ............................................................................... 4
Inline Mode ............................................................................................................................................ 4
Anywhere Mode .................................................................................................................................... 5
NetScaler Device Package Supported Features ...................................................................................... 6
Limitation ................................................................................................................................................... 7
Deploying the NetScaler ADC in Cisco ACI .................................................................................................. 8
Prerequisites ............................................................................................................................................. 8
Importing a Device Package ..................................................................................................................... 9
Registering the Device .............................................................................................................................. 9
Prerequisites ....................................................................................................................................... 10
Creating and Deploying a Service Graph ............................................................................................... 13
Applying the Service Graph Template to Endpoint Groups ................................................................ 14
Managing the NetScaler in Cisco ACI ......................................................................................................... 17
Modifying Attributes of the Deployed Service Graph at the EPG Level .................................................. 17
Deleting the Service Graph Template ..................................................................................................... 19
Monitoring NetScaler Device Health ....................................................................................................... 19
Monitoring Service Graph Health ............................................................................................................ 20
Customizing or Importing Function Profiles ................................................................................................ 20
Sample POC Kit on GitHub ......................................................................................................................... 23
Troubleshooting .......................................................................................................................................... 23
APIC Fault Reports ................................................................................................................................. 23
Logs Generated by Device Package ...................................................................................................... 23
Debug.log ............................................................................................................................................ 24
Apic.log ................................................................................................................................................ 24
Periodic.log .......................................................................................................................................... 25
FAQs ........................................................................................................................................................... 27
Introduction As businesses quickly move to make the datacenter more agile, the application centric automation and
virtualization of both hardware and software infrastructure become increasingly important. Cisco
Application Centric Infrastructure (ACI) supplies the critical link between business-based requirements for
applications and the infrastructure that supports them. The Citrix NetScaler application delivery controller
(ADC) connects infrastructure and applications and makes their configuration available to the Cisco
Application Policy Infrastructure Controller (APIC) through integration.
Citrix NetScaler and Cisco ACI enable datacenter and cloud administrators to holistically control L2-L7
network services in a unified manner, through seamless insertion and automation of best-in-class
NetScaler services into next-generation datacenters built on Cisco's ACI Architectures. A NetScaler ADC
leverages the Cisco Application Policy Infrastructure Controller (APIC) to programmatically automate
network provisioning and control on the basis of application requirements and policies for both datacenter
and enterprise environments.
Cisco APIC addresses the two main requirements for achieving the application centric data center vision:
Policy-based automation framework
Policy-based service insertion technology
Policy-Based Automation Framework A policy-based automation framework enables the Cisco APIC to dynamically provision and configure
resources according to application requirements. As a result, core services such as firewalls and Layer 4
through 7 services can be consumed by applications, and these services can be made ready to use in a
single automated step.
Being application centric, the APIC allows the creation of application profiles, which define the Layer 4
through 7 services consumed by a given datacenter-tenant application. A NetScaler ADC provides L4-L7
services such as load balancing, application acceleration, and application security.
Integration between the Cisco APIC controller and the NetScaler ADC is achieved through a NetScaler
device package. Imported by the APIC controller, the device package enables REST-based API
integration and allows the APIC controller to perform detailed feature-level configuration of the NetScaler.
Policy-Based Service Insertion The Cisco APIC solution automates the steps of routing network traffic to the correct services on the basis
of application policies. L4-L7 resources can be dynamically provisioned and configured according to
application requirements on a per tenant basis.
The Cisco APIC offers APIs or a graphical drag and drop GUI for easy creation of L4-L7 Service Graphs
that specify network traffic routing. Any of the L4-L7 ADC features available in the NetScaler device
package can be included in a Service Graph definition, allowing comprehensive NetScaler integration
with the Cisco APIC.
Policy-based service insertion automates the steps of routing network traffic to the correct services as
specified by application policies. The automated addition, removal, and reordering of services allows
administrators to quickly change the resources allocated to an application, without the need to rewire and
reconfigure the network or relocate the services. For example, if a business decides to use the load
balancing feature of a modern ADC, administrators can simply redefine the policy for the services that
should be used for the related applications. The Cisco APIC can dynamically distribute new policies to the
infrastructure and service nodes in minutes, without requiring manual changes to the network.
Once created, a Service Graph can be assigned to an Application Profile and contracted to a data center
tenant, thereby defining the network traffic flow for that specific application and tenant.
Benefits of Using Citrix NetScaler ADCs in Cisco ACI The unique Cisco ACI and Citrix NetScaler joint solution improves data center operations and application
deployment, using the Cisco APIC as the central policy-control and management station, and Cisco ACI
service-insertion technology to direct traffic to the appropriate service nodes.
The main benefits include:
Central point of network control with ADC service policy coordination and automation: The
Cisco APIC acts as a point of configuration management and automation for NetScaler ADCs
(both MPX appliances and VPX virtual appliances), tightly coordinates the ADC service delivery
with the network automation, and provides end-to-end telemetry and visibility of service-aware
applications and tenants.
Scalable and elastic architecture for NetScaler ADCs: Cisco ACI defines a policy-based
service insertion mechanism for both physical and virtual ADC appliances, providing full lifecycle
service management based on workload instantiation and decommissioning.
Investment protection: Cisco ACI and Cisco APIC are fully compatible with existing ADC
networks, preserving existing service operation models and using open standards protocols.
Deployment Modes of NetScaler ADCs in Cisco ACI A NetScaler ADC resides between the clients and the servers, so that client requests pass through it and
the server response pass through it or bypasses it based on the mode you have deployed the NetScaler.
In a typical installation, virtual servers configured on the ADC provide connection points that clients use to
access the applications behind the ADC. In this case, the ADC owns public IP addresses that are
associated with its virtual servers, while the real servers are isolated in a private network. It is also
possible to operate the ADC in a transparent mode as an L2 bridge or L3 router, or even to combine
aspects of these and other modes.
Note: NetScaler L2 (Go-through) mode is not applicable to Cisco ACI deployment.
A NetScaler appliance logically residing between clients and servers can be deployed in either of two
modes:
Inline
Anywhere
Inline Mode In inline mode, multiple network interfaces of the NetScaler ADC are connected to a leaf node of the
Cisco ACI fabric, and the NetScaler ADC is logically placed between the clients and the servers that are
in different subnets respectively. The appliance has a separate network interface for client networks and a
separate network interface for server networks. It is possible for the servers to be in a public network and
the clients to directly access the servers through the appliance, with the appliance transparently applying
the L4-L7 features. Usually, virtual servers are configured to provide an abstraction of the real servers.
Traffic from client passes through the ADC to access a load balanced server. Client requests at the fabric
are forwarded to the NetScaler ADC, and the NetScaler ADC uses the configured load balancing method
to select the server.
Consider an example of a load balancing setup, in the Cisco ACI fabric, that uses a NetScaler ADC called
NS1, which is deployed in inline mode. NS1 is connected to leaf node L1 of the Cisco ACI fabric. Load
balancing virtual server LBVS1 on NS1 is used to load balance servers S1 and S2 in the Cisco ACI fabric.
Servers S1 and S2 belong to same subnet, 192.0.2.0/24.
NetScaler NS1 is connected to L1 through two interfaces. The first link is dedicated to client-side
connections and the second link is dedicated to server-side connections.
Subnet IP (SNIP) address SNIP1 (192.0.2.10) is configured on NS1 for enabling NS1 to communicate
with servers S1 and S2. LBVS1 is accessible through the first link.
Using routing protocols, NS1 advertises routes for LBVS1 and SNIP1 to the Cisco ACI fabric. Similarly,
the fabric advertises routes for S1 and S2 to NS1. Services SVC-S1 and SVC-S2 on NS1 represent
servers S1 and S2, respectively.
Note: Cisco ACI supports RHI (routing) only for external devices.
Figure 1. Inline Deployment Mode
Following is the traffic flow in this example:
1. Client CL1 sends a request packet to LBVS1. The request packet has:
Source IP = IP address of the client
Destination IP = IP address of LBVS1 (203.0.113.15)
2. LBVS1 of NS1 receives the request packet.
3. LBVS1's load balancing algorithm selects server S2.
4. NS1 opens a connection between SNIP1 and S2, and then sends the request packet from SNIP1
to S2. The request packet has:
Source IP address = SNIP1 (192.0.1.10)
Destination IP address = IP address of S2 (192.0.2.20)
5. S2’s response reaches CL1 through NS1.
Anywhere Mode In Anywhere mode, single or multiple network interface of the ADC is connected to one of the leaf node in
a subnet of the Cisco ACI fabric. Anywhere mode can simplify network changes needed for NetScaler
ADC installation in some environments. Client requests received on the fabric are forwarded to the ADC,
and the ADC uses the configured load balancing method to select the server.
Consider an example of a load balancing setup, in the Cisco ACI fabric, that uses a NetScaler ADC called
NS1, which is deployed in Anywhere mode. NS1 is connected to leaf node L1 of the Cisco ACI fabric.
Load balancing virtual server LBVS1 on NS1 is used to load balance servers S1 and S2 in the Cisco ACI
fabric. Servers S1 and S2 belong to same subnet, 192.0.2.0/24.
Only one interface of NS1 is connected to L1. SNIP address SNIP1 (192.0.1.10) is configured on NS1
and is used by NS1 to communicate with servers S1 and S2.
Using routing protocols, NS1 advertises routes for LBVS1 and SNIP1 to the Cisco ACI fabric. Similarly,
the fabric advertises routes for S1 and S2 to NS1. Services SVC-S1 and SVC-S2 on NS1 represent
servers S1 and S2, respectively.
Note: Cisco ACI supports RHI (routing) only for external devices.
Figure 2. Anywhere Deployment Mode
Following is the traffic flow in this example:
1. Client CL1 sends a request packet to LBVS1. The request packet has:
Source IP = IP address of the client
Destination IP = IP address of LBVS1 (203.0.113.15)
2. LBVS1 of NS1 receives the request packet.
3. LBVS1's load balancing algorithm selects server S2.
4. NS1 opens a connection between SNIP1 and S2, and then sends the request packet from SNIP1
to S2. The request packet has:
Source IP address = SNIP1 (192.0.1.10)
Destination IP address = IP address of S2 (192.0.2.20)
5. S2’s response reaches CL1 through NS1.
NetScaler Device Package Supported Features Citrix has introduced a new notion of function-definition, which includes the complete configuration details
of a particular feature, such as Load Balancing. Cisco APIC mandates feature definitions. These
definitions are easy to use and they simplify configuration. The entire NetScaler features set is included in
the various functions definitions, although not all features are currently supported.
The NetScaler device package includes the following features:
Load Balancing
SSL Offload
AAA
Application Firewall
Cache Redirection
Compression
Content Switching
DataStream
Domain Name Service
Global Server Load Balancing
Integrated Caching
Note: NetScaler device package supports NetScaler SDX mixed mode deployment but as an out-of-band
configuration.
You can download the device package from the Citrix web site.
Limitation You must take extra precaution when removing a NetScaler ADC's configuration object from
Cisco APIC. It is important to remove an object's bindings first, before you delete the object,
because the device package does not display any error message for a failed deletion. For
example, if you delete a virtual server without unbinding the services bound to it, the NetScaler
ADC displays an error message informing you that you need to first unbind the service from the
virtual server. However, the device package does not display such an error message.
You cannot modify an existing binding. To change a binding, the administrator must remove the
existing binding and create a new one.
The following NetScaler feature configurations are out-of-band. They cannot be performed
through Cisco APIC:
o High availability
o Management network that is used to communicate between APIC to NetScaler device.
This includes Subnet IP address (SNIP), VLAN, Interfaces, and NetScaler management
IP address (NSIP) bindings.
o SSL certificates
o System user accounts and Role-Based-Access (RBA) policies
Citrix NetScaler SDX configuration is not supported through APIC.
Deploying the NetScaler ADC in Cisco ACI Use Cisco APIC to deploy a NetScaler ADC in Cisco ACI.
Prerequisites Make sure that:
You have conceptual knowledge of Cisco ACI components and Citrix NetScaler ADCs.
o For more information about Cisco ACI and its components, see the product
documentation at http://www.cisco.com/c/en/us/support/cloud-systems-
management/application-policy-infrastructure-controller-apic/tsd-products-support-series-
home.html.
o For more information about the Citrix NetScaler ADCs, see the Citrix NetScaler product
documentation at http://docs.citrix.com/.
All the required components of Cisco ACI, including Cisco APIC in the datacenter, are set up and
configured. For more information about Cisco ACI and its components, see the product
documentation at http://www.cisco.com/c/en/us/support/cloud-systems-management/application-
policy-infrastructure-controller-apic/tsd-products-support-series-home.html.
The NetScaler ADCs is deployed in the datacenter and has network connectivity to Cisco ACI.
You are cautious when providing configuration data. NetScaler features are configured as
function definitions in APIC, so make sure that:
o You provide the mandatory data for all the required entities for a given function.
o After configuring an object, you do not change attributes that cannot be modified (for
example, serviceType of lbvserver in the load balancing function).
o You are familiar with all the required parameters for a given object, such as lbvserver. For
an object that has a composite key, merely providing a unique name is not sufficient to
create the object.
To deploy NetScaler ADC in Cisco ACI by using Cisco APIC:
1. Configure the NetScaler ADCs for Management Access.
You need to configure the management IP address (NSIP) and management VLAN (NSVLAN,
VLAN of NSIP), and specify the default gateway on the deployed NetScaler ADCs that are to be
integrated with Cisco ACI. Also, make sure that you configure the high availability and SSL
certificates related configurations. These configurations are made through the user interfaces of
the NetScaler ADCs. For more information, see the Citrix NetScaler product documentation at:
http://docs.citrix.com/en-us/netscaler.html.
2. Download the NetScaler ADC Device package.
A NetScaler device package provides the APIC with information about NetScaler ADCs, including
what NetScaler ADCs are and what they are capable of.
A NetScaler device package is a zip file containing the following parts:
Device Model. An XML file that contains the following:
o Device properties (for example, model and NetScaler software version)
o Functions provided by NetScaler ADCs (for example, load balancing)
o Configuration parameters of each function
o Device configuration parameters
o Function Profiles
Device script. A Python script that integrates the APIC and the NetScaler ADC. The APIC
events are mapped to function calls defined in the device script.
Functional profile. A profile of parameters with default values that are specified by Citrix.
The administrator can configure a function to use these default values.
Device-level configuration parameters. A configuration file specifying the values of the
parameters that are required by a NetScaler ADC. The configuration can be shared by
one or more of the graphs that use the NetScaler ADC.
3. Import the NetScaler Device Package into Cisco ACI. For detailed instructions, see Importing a
Device Package.
4. Register the NetScaler ADC with the Cisco ACI. For detailed instructions, see Registering the
Device.
5. Create and deploy a service graph template. For detailed instructions, see Creating and
Deploying a Service Graph.
Importing a Device Package Cisco APIC uses a device package to communicate with NetScaler. Download the device package from
the Citrix web site and import the device package to APIC.
To import device package to APIC by using the APIC GUI:
1. On the menu bar, click L4-L7 Services tab and select the Packages panel.
2. In the Navigation pane, right-click on L4-L7 Device Types and select Import Device Package.
3. In the Import Device Package dialog box, click Browse to select the downloaded NetScaler
device package.
4. Click Submit.
After successfully importing the device package to APIC, in the Navigation pane, you can view
the details of the device package by clicking Citrix-NetScaler-1.0.
Important: After you import the device package, make sure that there are no faults in APIC. You can
view the faults by clicking the Faults tab in the Device Types window.
Registering the Device You need to register the device, in this case the NetScaler ADC, so that it can communicate with the
Cisco ACI. You need to configure the basic settings of the device configuration, such as configuration
management IP addresses, and credentials. You must also physically connect the device to the fabric,
and power on the device.
Note: Make sure that you make a note of:
The connection interfaces and IP addresses that are used for management and data-path
connectivity.
Leaf-switch details: NetScaler IP addresses, ports, interfaces, and so on.
Prerequisites Make sure that you have configured all the Cisco ACI related entities: Tenant, Application-profile,
endpoint groups (EPGs) and so on.
To register the device by using the APIC GUI:
1. On the menu bar, click Tenants > All Tenants.
2. In the Work pane, double click the tenant’s name.
3. In the Navigation pane, select tenant_name > L4-L7 Services > L4-L7 Devices.
4. In the Work pane, select Actions > Create L4-L7 Devices.
5. In the Create L4-L7 Devices dialog box, in the General section, perform the following:
a. Select the Managed check box.
b. In the Name field, enter a name for the device.
c. In the Service Type drop-down list, select ADC.
d. In the Device Type field, select Physical.
Note: Make sure that for VMware ESX, select Virtual and associate the respective Virtual
Machine Manager (VMM) domain.
e. In the Physical Domain drop-down list, select the physical domain.
f. In the Mode field, select Single Node or HA Cluster, depending on your requirement.
g. In the Device Package drop-down list, select Citirix-NetScaler-1.0.
h. In the Model drop-down list, select the device model. For example, NetScaler-MPX, or
NetScaler-VPX.
6. In the Connectivity section, select Out-Of-Band in the APIC to Device Management
Connectivity field.
7. In the Credentials section, specify the user name and password for access to the device.
8. In the Device 1 section, complete the management related configuration.
9. In the Cluster section, complete the management related configuration for the cluster.
10. Click Next.
The Device Configuration page displays a list of possible features and parameters for the
package you are using. It includes a tab with the Basic parameters displayed, and an All
Parameters tab that displays all the available parameters of your device package (including the
basic parameters).
Note: The NetScaler device package does not support some device-level configuration, but you
can configure the following cluster-level settings:
NTP
SNMP
Feature Turn or/off
Mode Turn on/off
11. On the Device Configuration page, in the Feature section, select the feature that you want to
use and configure the parameters related to the feature, and click Update.
12. Click Finish.
13. In the Work pane, review the configuration details and click Submit.
Important: After you register the device, make sure that there are no faults in APIC. You can
view the faults by clicking the Faults tab in the Work pane.
Creating and Deploying a Service Graph You have to use Cisco APIC service graph templates to create and deploy the NetScaler ADCs.
Cisco ACI treats services as an integral part of an application. Any services that are required are treated
as a service graph that is instantiated on the Cisco ACI fabric from the APIC. You need to define the
service for the application, and service graphs identify the set of network or service functions that are
needed by the application.
After the graph is configured in the APIC, the APIC automatically configures the services according to the
service function requirements that are specified in the service graph. The APIC also automatically
configures the network according to the needs of the service function that is specified in the service
graph, which does not require any changes in the service device.
A service graph is represented as two or more tiers of an application with the appropriate service function
inserted between them. A service graph is inserted between the source and destination EPGs by a
contract.
To create a service graph by using the APIC GUI:
1. On the menu bar, choose Tenants > All Tenants.
2. In the Work pane, double click the tenant's name.
3. In the Navigation pane, select tenant_name > L4-L7 Services > L4-L7 Service Graph
Templates.
4. In the Work pane, select Actions > Create a L4-L7 Service Graph Template.
5. In the Create a L4-L7 Service Graph Template dialog box, in the Device Clusters section,
select a device cluster and perform the following:
a. In the Graph Name field, enter the name of the service graph template.
b. In the Graph Type field, select Create A New One.
c. From the Device Cluster section, drag the device and drop it between the consumer
endpoint group and provider endpoint group to create a service node.
d. In the device_name information section, do the following:
i. In the ADC field, select One-Arm or Two-Arm, depending on how NetScaler is
deployed in the fabric.
ii. In the Profile drop-down list, select the function profile provided in the device
package.
6. Click Submit.
7. In the Navigation pane, click the service graph template. The screen presents a graphic topology
of the service graph template.
Note: Cisco APIC supports the notion of connectors, and these connectors are visible in the ADCCluster
node. The connectors define the network traffic direction and the device script that dynamically binds the
allocated VLAN to a virtual IP (VIP) or subnet IP (SNIP) address, depending on whether the connection is
external or internal. VLANs are also bound to specific interfaces used for inbound and outbound traffic.
Applying the Service Graph Template to Endpoint Groups You need to apply the created service graph template to the endpoint groups (EPGs) to deploy the
NetScaler ADCs in Cisco ACI.
Prerequisites
Make sure that you configured EPGs when you configured the appliance profile.
To apply the service graph template to EPGs:
1. On the menu bar, choose Tenants > All Tenants.
2. In the Work pane, double click the tenant's name.
3. In the Navigation pane, choose tenant_name > L4-L7 Services > L4-L7 Service Graph
Templates > template_name.
4. In the Work pane, choose Actions > Apply L4-L7 Service Graph Template.
5. In the Apply L4-L7 Service Graph Template To EPGs dialog box, in the EPG Information
section, complete the following fields:
a. In the Consumer EPG/External Network drop-down list, select the consumer endpoint
group.
b. In the Provider EPG/External Network drop-down list, select the provided endpoint
group.
6. In the Contract Information section, complete the appropriate fields. The contract information is
specific to Cisco APIC and is configured as part of the security policies associated with the EPGs.
7. Click Next.
8. In the Device Clusters section, select a device cluster.
9. In the Graph Template drop-down list, select the service graph template that you created.
10. In the Connector section, do the following:
a. In the Type field, select General.
b. In the BD drop-down list, select the bridge domain. Connector details are part of the
bridge domain that is part of the Cisco APIC infrastructure model.
c. In the Cluster Interface drop-down list, select the appropriate cluster interface for the
selected bridge domain.
The Cisco APIC uses the selected bridge domains for data path traffic between the NetScaler
ADC device and the fabric as required by the selected service graph template.
11. Click Next.
12. On the Parameters screen, on the Required Parameters tab, enter the names and values, as
appropriate, for all of the required parameters.
The Cisco APIC GUI allows you to filter the parameters on the basis of features (for example,
load balancing). You can view and set all the mandatory parameters on the Required
Parameters tab, and you can view and set all the other parameters related to the feature on the
All Parameters tab.
13. Click Finish.
Important: After you apply the service graph template, make sure that there are no faults in the
deployed graph. You can view the faults by clicking the Faults tab in the Work pane.
Also, you can verify the configuration using NetScaler or CLI.
Managing the NetScaler in Cisco ACI Using the Cisco APIC GUI, you can:
Modify attributes related to the deployed service graph template, at the EPG level.
Delete the deployed service graph template.
Monitor the NetScaler device health.
Monitor the deployed service graph template health.
Modifying Attributes of the Deployed Service Graph at the EPG Level After you have deployed the service graph template, you can edit the parameters related to the deployed
service graph at the EPG level.
To edit the parameters of the deployed servicer graph at the EPG Level:
1. On the menu bar, select Tenants > All Tenants.
2. In the Work pane, double click the tenant's name.
3. In the Navigation pane, expand tenant_name > Application Profiles > app_profile_name
> Application EPGs > created_epg > L4-L7 Service Parameters.
4. Click the Switch To Edit Mode button.
5. In the Edit L4-L7 Service Parameters dialog box, do the following:
a. In the Contract Name drop-down list, select the contract.
b. In the Graph Name drop-down list, select the graph.
c. In the Node Name drop-down list, select the node.
d. In the Features section, select the feature that you want to edit and, on the Basic
Parameters or All Parameters tabs, edit the values of the parameters related to the
feature.
e. Click Submit.
Deleting the Service Graph Template You can delete the service graph template by using the Cisco APIC GUI.
To delete a service graph by using the APIC GUI:
1. On the menu bar, select Tenants > All Tenants.
2. In the Work pane, double click the tenant's name.
3. In the Navigation pane, choose tenant_name > L4-L7 Services > L4-L7 Service Graph
Templates.
4. Right-click on the service graph template that you want to delete, and then click Delete.
Monitoring NetScaler Device Health After you configure a service graph template and attach the graph to an endpoint group (EPG) and a
contract, you can monitor NetScaler devices at the tenant level. The Cisco APIC monitors a NetScaler
device by periodically polling for device health. It also collects relevant statistical information from the
device and uses that information to calculate the device's health score on a scale from 0 to 100, where 0
indicates that the device is down and 100 indicates that it is in good health.
You can also monitor what devices are in use, which VLANs are configured for a NetScaler device, the
parameters passed to the device, the statistics of the device, and the health of the device.
To monitor NetScaler device by using the APIC GUI:
1. On the menu bar, choose Tenants > All Tenants.
2. In the Work pane, double click the name of the tenant whose service graph you want to monitor.
3. In the Navigation pane, expand tenant_name > L4-L7 Services > Deployed Devices.
4. Select the deployed NetScaler device and click the Health tab.
Note: For detailed NetScaler specific monitoring details, use the NetScaler GUI.
Monitoring Service Graph Health After you configure a service graph and attach the graph to an endpoint group (EPG) and a contract, you
can monitor the service graph instance. The Cisco APIC monitors the service graph template by
periodically polling for the health of the deployed service graph, and it collects various statistical
information about the deployed service graph (for example, vserver, service group, and service group
member). The Cisco APIC calculates the health score for the graph on a scale of 0 to 100, where 0
indicates that the services are down and 100 indicates that they are in good health.
You can also view the state of a graph instance, functions of a graph instance, resources allocated to a
function, and parameters specified for a function.
To monitor the service graph template by using the APIC GUI:
On the menu bar, choose Tenants > All Tenants.
In the Work pane, double click the name of the tenant whose service graph you want to monitor.
In the Navigation pane, expand tenant_name > L4-L7 Services > Deployed Devices.
Select the deployed service graph template and click the Health tab.
Customizing or Importing Function Profiles A function profile is an instance of the function definition, with default values assigned to various attributes
for various entities in the definition. You can use function profiles to customize the configurations of any
applications that use common ADC services, such as load balancing. The NetScaler device package
provides built-in function profiles for all the function definitions listed in the device package, as shown
below.
You can customize the existing built-in function profiles or import function profiles from the local file
system.
To customize a built-in function profile:
1. On the menu bar, select Tenants > All Tenants.
2. In the Work pane, double click the tenant's name.
3. In the Navigation pane, choose tenant_name > L4-L7 Services > Function Profiles.
4. In the Work pane, choose Actions > Create L4-L7 Services Function Profile.
5. In the Create L4-L7 Services Function Profile dialog box, perform the following:
a. In the Name field, enter a name for the function profile.
b. In the Description field, enter a brief description of the function profile.
c. In the Profile Group drop-down list, select the function profile group in which you want
the function profile be listed.
d. Select the Copy Existing Profile Parameters checkbox.
e. In the Profile drop-down list, select the built-in function profile that you want to
customize.
f. In the Features section, select the feature that you want to edit and, on the Basic
Parameters or All Parameters tab, customize the parameters related to the feature.
g. Click Submit.
The customized function profile appears under tenant_name > L4-L7 Services > Function
Profiles.
To import a function profile from the local file system:
1. On the menu bar, select Tenants > All Tenants.
2. In the Work pane, double click the tenant's name.
3. In the Navigation pane, choose tenant_name > L4-L7 Services > Function Profiles.
4. You can use an existing function profile group or create a new function group. If you want to
create a new function group, in the Work pane, choose Actions > Create Profile Group.
5. Right-click the previously existing or newly created function profile group and click Post.
6. In the Post dialog box, click Browse and select the function profile file in the local file system.
7. Click Post.
The imported function profile file appears under the function profile group. For more information
on the behavior of function profile, see Cisco Product Documentation.
Sample POC Kit on GitHub You can use the sample XML payloads with scripts on GitHub to deploy various functional definitions of
NetScaler through Cisco APIC APIs. See https://github.com/citrix/netscaler_aci_poc_kit.
Troubleshooting You can troubleshoot any failures that might arise during deployment of the NetScaler device package in
Cisco ACI by using:
The fault reports generated by Cisco APIC.
The following logs generated by the device package:
o debug.log
o apic.log
o periodic.log
APIC Fault Reports When you deploy a NetScaler device package in Cisco ACI, the Cisco APIC reports any failures. You can
view the fault reports at any level of the APIC (for example, device, tenant, EPGs, or service graph). The
screen shot below shows a fault report at the device level. For more information on faults, see
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-
x/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_01.html
Select any APIC entity and click the Faults tab to display the faults reported by APIC for that entity.
Logs Generated by Device Package The NetScaler device package generates configuration-related logs and monitoring-related logs. The
generated logs are located at /data/devicescript/Citrix.NetScaler.1.0/logs as shown
below.
Note: Cisco APIC runs in clusters of three nodes, and log details are captured only on the active node.
You might have to check more than one APIC node to determine which one is capturing the logs.
Debug.log The Cisco APIC triggers various configuration events, such as serviceModify. It passes device and
configuration payloads to the NetScaler ADC. These payloads are processed by the device script
provided in the device package, and then the device script initiates various NITRO requests to NetScaler.
The debug.log reports all the NITRO requests, and the responses from the device script to the NetScaler
device.
For any specific configuration issue, you can investigate the corresponding NITRO request and the
response that the device script received from the device. You can also compare the logged details with
the entries in the ns.log file on the NetScaler.
Following is a sample log entry in the debug.log file. You could use it to trace configuration related issues:
2016-01-06 02:16:31.807981 DEBUG Thread-19 395166 [10.102.102.62, 8102] Add Attr col = {'ipv46': '10.2.2.2.', 'servicetype': 'HTTP', 'port': '80', 'lbmethod': 'ROUNDROBIN', 'name': 'testLbVserver_1'} 2016-01-06 02:16:31.808045 DEBUG Thread-19 395167 [10.102.102.62, 8102] ++++++++++++++++ This is to add NITRO Object ++++++++++++++++++ …. 2016-01-06 02:16:31.842175 DEBUG Thread-19 395169 [10.102.102.62, 8102] ------ add Nitro object ------------- Response = { "errorcode": 1110, "message": "Invalid IP address [10.2.2.2.]", "severity": "ERROR" } … 2016-01-06 03:16:42.260617 DEBUG Thread-6 410970 [10.102.102.62, 8138] ++++++++++++++ ServiceAudit response = {'faults': [([(0, '', 52849), (4, 'lbvserver', 'lbvserver')], 1110, 'Invalid IP address [10.2.2.2.] SEVERITY:ERROR')], 'state': 2}
Apic.log The apic.log file captures all configuration requests from Cisco APIC and the request payload. The
following is a sample of the request, payload, and response:
request: serviceAudit{ 'args': ({ (0, '', 52849): { 'ackedstate': 0, 'ctxName': 'cokectx1', 'dn': u'uni/vDev-[uni/tn-coke_SDX2/lDevVip-ADCCluster1]-tn-[uni/tn-coke_SDX2]-ctx-cokectx1', 'state': 2, 'tenant': 'coke_SDX2', 'transaction': 0, 'txid': 10083, 'value': { (1, '', 9350): { 'absGraph': 'WebGraph',
'ackedstate': 0, 'rn': u'vGrp-[uni/tn-coke_SDX2/GraphInst_C-[uni/tn-coke_SDX2/brc-webCtrct1]-G-[uni/tn-coke_SDX2/AbsGraph-WebGraph]-S-[uni]]', 'state': 2, 'transaction': 0, 'value': { (3, 'LoadBalancing', 'Node1'): { 'ackedstate': 0, 'state': 2, 'transaction': 0, 'value': { (2, 'external', 'outside'): { 'ackedstate': 0, 'state': 2, 'transaction': 0, 'value': { (9, '', 'ADCCluster1_outside_2785280_32773'): { 'ackedstate': 0, 'state': 0, 'target': 'ADCCluster1_outside_2785280_32773', 'transaction': 0 }, …. 2016-01-0603: 16: 42.261865DEBUGThread-6410971[ 10.102.102.62, 8138 ]result: serviceAudit{ 'result': { 'faults': [ ([ (0, '', 52849), (4, 'lbvserver', 'lbvserver') ], 1110, 'Invalid IP address [10.2.2.2.] SEVERITY:ERROR') ], 'state': 2 }, 'stats': { 'max': 37.48120903968811, 'num': 94, 'last': 34.02421307563782, 'avg': 34.25977123798208, 'min': 33.137107133865356 }
Periodic.log The periodic.log file captures all the monitoring related information. The Cisco APIC monitors the health
of the device and service graph by periodically polling the device and service graph. These request
details are captured in the periodic.log. Following is an example:
2016-01-0423: 46: 33.381518DEBUGThread-444084[ 10.102.102.62, 7092 ]request: serviceHealth{
'args': ({ (0, '', 52849): { 'ctxName': 'cokectx1', 'dn': u'uni/vDev-[uni/tn-coke_SDX2/lDevVip-ADCCluster1]-tn-[uni/tn-coke_SDX2]-ctx-cokectx1', 'state': 2, 'tenant': 'coke_SDX2', 'value': { (1, '', 9350): { 'absGraph': 'WebGraph', 'rn': u'vGrp-[uni/tn-coke_SDX2/GraphInst_C-[uni/tn-coke_SDX2/brc-webCtrct1]-G-[uni/tn-coke_SDX2/AbsGraph-WebGraph]-S-[uni]]', 'state': 2, 'value': { (3, 'LoadBalancing', 'Node1'): { 'state': 2, 'value': { (2, 'external', 'outside'): { 'state': 2, 'value': { (9, '', 'ADCCluster1_outside_2785280_32773'): { 'state': 0, 'target': 'ADCCluster1_outside_2785280_32773' } } }, (2, 'internal', 'inside'): { 'state': 2, 'value': { (9, '', 'ADCCluster1_inside_2785280_49154'): { 'state': 0, 'target': 'ADCCluster1_inside_2785280_49154' } } }, (4, 'external_network', 'external_networkwebCtrct1WebGraph'): { 'connector': 'outside', 'state': 0, 'value': { (6, 'external_network_key', 'external_network_key'): { 'state': 0, 'target': 'network_webCtrct1WebGraph/snip2_webCtrct1WebGraph' } } }, … …. 2016-01-04 23:46:33.574321 DEBUG Thread-4 44123 [10.102.102.62, 7092] result: serviceHealth {'result': {'devs': 'ADC1', 'faults': [], 'health': [([(0, '', 52849), (1, '', 9350),
(3, 'LoadBalancing', 'Node1')], 0)], 'state': 0}, 'stats': {'max': 0.5484399795532227, 'num': 287, 'last': 0.2926321029663086, 'avg': 0.35803680968201534, 'min': 0.25844407081604004}} … …. 2016-01-06 03:30:53.851591 DEBUG Thread-16 411217 [10.102.102.63, 8146] result: deviceHealth {'result': {'faults': [], 'health': [([], 95)], 'state': 0}, 'stats': {'max': 0.5235550403594971, 'num': 1240, 'last': 0.44126415252685547, 'avg': 0.2513603793036553, 'min': 0.11344313621520996}}
FAQs What is a fault?
What is a function definition?
What is the compatibility matrix between NetScaler Device Package and NetScaler Versions?
What is the compatibility matrix between Cisco APIC and Device Package versions?
What is the difference between inline and anywhere mode?
What is the difference between one-arm and two-arm configurations that are pushed to the
NetScaler?
Does Cisco ACI store the configurations that APIC pushes to NetScaler appliances?
Can I use APIC to perform an upgrade or downgrade of the NetScaler firmware?
Can I use APIC to initiate a high-availability failover?
Does Cisco APIC create dynamic VLANs for each virtual IP (VIP) address even if some of the
VIPs are on the same subnet?
What kind of monitoring support does APIC provide for a NetScaler appliance and its entities?
Can I set up some configurations out-of-band while the NetScaler appliance is being managed
through APIC?
What are cluster and device configurations? What entities are present at each level?
Is NetScaler SDX mixed mode design supported, that is, some instances are managed by APIC
and others are managed manually/out-of-band?
What features are not supported for APIC integration?
What is a fault?
In Cisco APIC, a fault is a mechanism that reports failures in operations and the possible causes for the
failures. The NetScaler device package constructs an appropriate fault whenever it encounters any
NetScaler specific problem during deployment or while collecting the monitoring data.
For more information about APIC faults, see:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-
x/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_01.html
What is a function definition?
A Function definition is a collection of configurable NetScaler entities for a specific feature, such as Load
Balancing. The function definition includes parameter values for a specific configuration of the feature.
For more information, see Cisco ACI product documentation.
NetScaler device package 129.62 provides 12 function definitions that simplify using Cisco APIC to
configure a NetScaler ADC. In addition to feature-parameter values, these function definitions include the
networking details, policies, and bindings that make the NetScaler data-path ready for the feature.
What is the compatibility matrix between NetScaler Device Package and NetScaler Versions?
NetScaler Device package 10.1.129.62 supports NetScaler 10.1 features and functionalities. The device
package is forward compatible, that is, the NetScaler version can be 10.1 or above. However, use with a
later version (for example, NetScaler 10.5) is restricted to features available in release 10.1.
Device Package NetScaler Version
10.1 Build #129.62 10.1 and above Released
What is the compatibility matrix between Cisco APIC and Device Package versions?
The following is the current compatibility matrix:
APIC Version Device Package Status
1.1(xx) #129.62 Released
What is the difference between inline and anywhere mode?
Inline mode uses two different interfaces. Traffic flows into one VLAN interface and out the other.
Anywhere mode uses the same interface for all traffic.
What is the difference between one-arm and two-arm configurations that are pushed to the NetScaler?
The differences are as follows:
In one-arm mode only one SNIP address is created, but in two-arm mode two SNIP addresses are created.
When you deploy L4-L7 devices in one-arm mode, each VLAN or interface is associated with both the consumer and the provider. In two-arm mode, one VLAN or interface is associated with the consumer, and another is associated with the provider.
Does Cisco ACI store the configurations that APIC pushes to NetScaler appliances?
Yes. ACI stores the pushed configurations.
Can I use APIC to perform an upgrade or downgrade of the NetScaler firmware?
No. A NetScaler firmware upgrade or downgrade can be done only out-of-band.
Can I use APIC to initiate a high-availability failover?
No. HA-failover initiation must be done out-of-band.
Does Cisco APIC create dynamic VLANs for each virtual IP (VIP) address even if some of the VIPs are
on the same subnet?
No.
What kind of monitoring support does APIC provide for a NetScaler appliance and its entities?
The Cisco APIC monitors a NetScaler device and the deployed service graph by periodically polling for
device and service graph health. For more information, see Monitoring NetScaler Device Health and
Monitoring Service Graph Health.
Can I set up some configurations out-of-band while the NetScaler appliance is being managed through
APIC?
You must not make any out-of-band modifications of NetScaler configurations supported by a device
package. APIC might trigger a configuration audit that removes the out-of-band configuration.
Is NetScaler SDX mixed mode design supported, that is, some instances are managed by APIC and
others are managed manually/out-of-band?
Yes.
What are cluster and device configurations? What entities are present at each level?
Cisco APIC supports configuration classifications at the following two levels:
Cluster
o SNMP
o NTP
o Configuration Mode
o Feature Enable/Disable
Device
o Rest of the Configuration, including Global, Policy, Network, Singleton, and all other
configuration entities, such as load balancing virtual servers.
o Binding objects are parts of object definitions. For example,
lbvserver_servicegoup_binding is part of an lbvserver definition.
What features are not supported for APIC integration?
The following NetScaler features are not supported for APIC integration:
High availability
SSL certificate management
License management
The following table lists the command-line interface (CLI) commands that are not supported in APIC
integration.
Group Resource Name Operation
AAA aaasession kill
APPFLOW appflowaction rename
APPFLOW appflowpolicy rename
APPFLOW appflowpolicylabel rename
APPFLOW appflowcollector rename
APPFW appfwcustomsettings export
APPFW appfwhtmlerrorpage update
APPFW appfwarchive export
APPFW appfwarchive import
APPFW appfwprofile archive
APPFW appfwprofile restore
APPFW appfwlearningdata export
APPFW appfwsignatures import
APPFW appfwsignatures update
APPFW appfwpolicylabel rename
APPFW appfwpolicy rename
APPFW appfwxmlerrorpage update
APPQOE appqoecustomresp import
APPQOE appqoecustomresp update
AUTHEN authenticationvserver enable
AUTHEN authenticationvserver disable
AUTHEN authenticationvserver rename
AUTHOR authorizationpolicy rename
AUTHOR authorizationpolicylabel rename
AUTOSCALE autoscalepolicy rename
BASIC locationdata clear
CACHE cachecontentgroup expire
CACHE cachecontentgroup flush
CACHE cacheobject expire
CACHE cacheobject flush
CACHE cachepolicy rename
CACHE cachepolicylabel rename
CMP cmpaction rename
CMP cmppolicylabel rename
CMP cmppolicy rename
CR crvserver enable
CR crvserver disable
CR crvserver rename
CS csvserver enable
CS csvserver disable
CS csvserver rename
CS csaction rename
CS cspolicy rename
CS cspolicylabel rename
DB dbsmonitors restart
DNS dnskey create
DNS dnsnameserver enable
DNS dnsnameserver disable
DNS dnsproxyrecords flush
DNS dnszone sign
DNS dnszone unsign
DNS dnspolicylabel rename
GSLB gslbldnsentries clear
GSLB gslbconfig sync
GSLB gslbservice rename
GSLB gslbvserver enable
GSLB gslbvserver disable
GSLB gslbvserver rename
LB lbpersistentsessions clear
LB vserver enable
LB vserver disable
LB servicegroup enable
LB servicegroup disable
LB servicegroup rename
LB lbmonitor enable
LB lbmonitor disable
LB service enable
LB service disable
LB service rename
LB lbgroup rename
LB lbvserver enable
LB lbvserver disable
LB lbvserver rename
LB server enable
LB server disable
LB server rename
NETWORK route6 clear
NETWORK route clear
NETWORK Interface clear
NETWORK Interface enable
NETWORK Interface disable
NETWORK bridgetable clear
NS nspbr enable
NS nspbr disable
NS nsacl enable
NS nsacl disable
NS nsacl rename
NS nslimitsessions clear
NS nsacls6 clear
NS nsacls6 apply
NS nsacls6 renumber
NS nstimer rename
NS rnat6 clear
NS nssurgeq flush
NS nspbr6 renumber
NS nspbr6 enable
NS nspbr6 disable
NS nspbr6 clear
NS nspbr6 apply
NS nsdhcpip release
NS nsacl6 enable
NS nsacl6 disable
NS nsacl6 rename
NS rnat clear
NS nssimpleacl6 clear
NS nssimpleacl6 flush
NS nspbrs renumber
NS nspbrs clear
NS nspbrs apply
NS arp send
NS nsip enable
NS nsip disable
NS nssimpleacl clear
NS nssimpleacl flush
NS nd6 clear
NS nsacls renumber
NS nsacls clear
NS nsacls apply
NTP ntpsync enable/ disable
NTP ntpparam set/unset
OPERATIONAL reboot reboot
OPERATIONAL nsconfig clear
OPERATIONAL nsconfig save
OPERATIONAL nsconfig diff
OPERATIONAL nstrace start
OPERATIONAL nstrace stop
OPERATIONAL shutdown shutdown
OPERATIONAL systemsession kill
OPERATIONAL systembackup create/ restore/ remove
OPERATIONAL systementitydata rm
OPERATIONAL nsaptlicense update
OPERATIONAL reporting enable/ disable
OPERATIONAL techsupport show
OPERATIONAL callhome set
RESPONDER responderaction rename
RESPONDER responderpolicylabel rename
RESPONDER responderpolicy rename
RESPONDER responderhtmlpage import
RESPONDER responderhtmlpage update
REWRITE rewritepolicy rename
REWRITE rewriteaction rename
REWRITE rewritepolicylabel rename
SNMP snmpgroup add / rm/ set/ unset
SNMP snmpmib set
SNMP snmpengineid set
SNMP snmpoption set
SPILLOVER spilloverpolicy rename
SPILLOVER spilloveraction rename
SSL sslfipssimtarget enable
SSL sslfipssimtarget init
SSL sslcert create
SSL sslrsakey create
SSL sslcertkey link
SSL sslcertkey unlink
SSL sslcertkey update
SSL sslcrl create
SSL ssldsakey create
SSL sslpkcs8 convert
SSL sslfipssimsource enable
SSL sslfipssimsource init
SSL ssldhparam create
SSL snmpalarm enable
SSL snmpalarm disable
SSL sslfipskey create
SSL sslfipskey import
SSL sslfipskey export
SSL sslcertreq create
SSL sslfips update
SSL sslwrapkey create
SSL sslpkcs12 convert
STREAM streamsession clear
TD nstrafficdomain clear
TD nstrafficdomain enable
TD nstrafficdomain disable
TRANSFORM transformpolicylabel rename
TRANSFORM transformpolicy rename
VPN vpnvserver enable
VPN vpnvserver disable
VPN vpnvserver rename
WI wipackage install
WI wipackage uninstall