Traffic Domains vs Admin partitions vs VXLAN for IP segmentation

I’ve previously written about Admin Partitions on NetScaler, which let us logically separate the NetScaler into multiple partitions so that, for instance, each department can manage its own applications within its own part of the NetScaler. This also safeguards against unwarranted configuration changes. You can read a bit more about admin partitions here –> http://msandbu.org/new-feature-in-netscaler-admin-partitions/

Of course a lot has changed with Admin Partitions since I wrote that article, and with 11.1 many more features are supported in Admin Partitions, which you can see here –> http://docs.citrix.com/en-us/netscaler/11-1/admin-partition/admin-partition-config-types.html

So what about traffic domains? Traffic domains are a way to segment network traffic for different applications by binding it to a VLAN. This allows, for instance, multiple overlapping IP address ranges that can only communicate within their own traffic domain.


So if, for instance, in a service provider setup we have customers who want to move existing resources and have IP address segments that overlap with another customer’s, we can bind them to a traffic domain to ensure that traffic from customer1’s VIP only goes to customer1’s backend servers on the specific VLAN it is assigned to.

Now a traffic domain can be bound to multiple VLANs, but a VLAN cannot be assigned to multiple traffic domains. Again, traffic domains also have a list of features which are not supported inside a traffic domain: http://docs.citrix.com/en-us/netscaler/11-1/networking/traffic-domains.html

Now Admin Partitions have the same advantage of supporting overlapping IP address segments, but they also offer better role-based access, and we can specify how much bandwidth and memory usage a partition can have.


This allows for much better control and management. Partitions can also be managed as an “entity” from MAS, which allows better central management as well; in fact, Citrix recommends using partitions over traffic domains.

Now both of these solutions allow overlapping IP segments in a VLAN. But VLAN is a layer 2 feature, which makes it hard to set up in a larger geographically distributed environment.

VXLAN, however, is another option for IP overlapping: instead of using VLANs we wrap the traffic in a VXLAN header, which uses UDP as the transport protocol.

This allows us, first of all, to overcome the VLAN limit of 4096 segments, and gives an easier way to stretch layer 2 networks across layer 3 networks. NetScaler supports VXLAN –> http://docs.citrix.com/en-us/netscaler/11-1/networking/vxlans.html

VXLAN is also a supported option in an admin partition, but leveraging VXLAN with, for instance, VMware NSX allows for much better separation of overlapping IP segments, since it completely isolates the layer 2 traffic, and all traffic outside of the VXLAN domain can be exposed to the public internet using a dedicated public IP. For those who aren’t aware, NetScaler MAS can actually be integrated with VMware NSX –> https://docs.citrix.com/en-us/netscaler-mas/11-1/integrating-netscaler-with-nsx-manager.html
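As an added example (not from the original post, Citrix or VMware), the Python below builds and parses the VXLAN encapsulation described above and shows why two tenants with the same overlapping address range stay isolated: the 24-bit VNI, not the inner IP, is what keys the forwarding decision. The tenant frames, VNIs and MAC addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP port for VXLAN (informational here)
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1      # 24-bit VNI: 16,777,215 segments vs. the 12-bit VLAN ID (4096)

def vxlan_header(vni: int) -> bytes:
    """Build the 8-byte VXLAN header (RFC 7348): flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)

def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Return the UDP payload a VTEP sends: VXLAN header followed by the untouched inner L2 frame."""
    return vxlan_header(vni) + inner_frame

def decapsulate(udp_payload: bytes) -> tuple[int, bytes]:
    """Split a VXLAN UDP payload into (vni, inner_frame); frames without the I flag are rejected."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_shifted = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI not marked valid; drop frame")
    return vni_shifted >> 8, udp_payload[8:]

def inner_ipv4_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample L2 frame: Ethernet header plus a minimal IPv4 header (no payload, checksum left 0)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ipv4

def forwarding_key(udp_payload: bytes) -> tuple[int, str]:
    """The lookup a VXLAN endpoint makes: (VNI, inner destination IP).
    Because the VNI is part of the key, 10.0.0.20 in one segment and 10.0.0.20 in
    another are distinct hosts, which is what lets tenants keep overlapping address space."""
    vni, frame = decapsulate(udp_payload)
    dst = frame[14 + 16:14 + 20]  # skip the 14-byte Ethernet header; dst IP is bytes 16..19 of IPv4
    return vni, str(IPv4Address(dst))

if __name__ == "__main__":
    # Two constructed tenants using the identical 10.0.0.0/24 range, separated only by VNI.
    tenant_a = encapsulate(5001, inner_ipv4_frame("10.0.0.10", "10.0.0.20"))
    tenant_b = encapsulate(5002, inner_ipv4_frame("10.0.0.10", "10.0.0.20"))
    print(forwarding_key(tenant_a), forwarding_key(tenant_b))  # (5001, '10.0.0.20') (5002, '10.0.0.20')
```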
