The Citrix DemoFriday alongside Nuage Networks gave us a fresh look at network services design and developments. The Q&A below shares further insights on the demonstration, which dealt with the need for network services to provide availability, performance, and security, and how software-defined networking (SDN) can automate the delivery of these services. Following the live event, our presenters took questions from the audience. Read the answers from Citrix’s Principal Product Marketing Manager Michael Leonard and Nuage Networks’ Business Development Manager Hussein Khazaal below.
In what ways has Citrix Systems’ NetScaler been designed to work with SDN?
Citrix: NetScaler has been designed to be programmable so that it can be automatically instantiated and inserted in the service chain. It is designed as software so that virtual instances have all of the same features as physical devices. It has flexible licensing and a subscription model so that it can work in a cloud hosting business model. It has auto-scaling, multi-tenancy, and high availability capabilities so it works well with scale out applications and in cloud hosting environments.
What are some advantages of using NetScaler with SDN?
Citrix: NetScaler provides Layer 4-7 capabilities that go beyond what a simple SLB can do. These include application awareness and the ability to do things like rate limit access to an application to protect performance or switch content to a different host based on policies. It can also do traffic management and health checks, application load balancing, DNS caching, and other things. NetScaler provides advanced monitoring capabilities to assist in tuning and troubleshooting. It also provides a centralized management platform so that all instances in an SDN environment can be easily managed.
What is the primary driver for deploying SDN solutions in the data center?
Nuage: The two most common drivers that we have seen are data center automation and visibility/micro-segmentation. While the ability to deploy application instances has been highly automated, the network connectivity between these instances has been lagging and has grown more complex. Applications are becoming more dynamic and more portable, current data center networking solutions have not evolved fast enough, and customers are looking for a solution. SDN offers these customers a way to overcome today’s challenges and be able to adapt to future changes, through a higher degree of automation of network connectivity so that applications are automatically connected, based on their specific needs, and in accordance with present network and security parameters. Of course, not all SDN solutions are created equal, so the customers want to get these benefits without losing the performance, availability or scale, and the combination of Nuage Networks VSP and Citrix NetScaler offers them SDN solutions that have the maturity, reliability and performance they expect. Security is another driver, and because of the way the Nuage SDN solution works, the customer has the added ability to secure their applications at the VM vPort itself, and “microsegment” their data center based on logical groupings that are not tied to VLANs. They can apply network/security policies based on dynamic logical groupings that best meet their application needs. In addition, the customer gains more visibility into the network activity between their workloads.
How is a Nuage Networks Neutron plugin different from stock Neutron?
Nuage: Scale, performance, availability, and network features are areas where the Nuage Networks Neutron plugin offers a clear differentiation. While “default” Neutron might be sufficient for smaller deployments, it is challenged in larger environments (number of hosts and number of VMs) and in the ability to perform with a large number of transactions and at higher line-rates. Finally, quality of service and service insertion are two examples of what the Nuage Networks Neutron plugin unlocks in terms of capabilities when compared with the “default” Neutron. The Nuage solution leverages a code base (Alcatel-Lucent) that has been running for decades in some of the largest service provider networks in the world, and offers maturity that may not be present in the current state of Neutron.
Nuage: The endpoint is the vport, whether it is a virtual machine, a container or the physical device. That “entry” into the overlay network for that specific entity has a network/security policy that is applied to it the moment it is attached to the network. This is the reason why the Nuage Networks VSP enables customers to micro-segment their network, with a default “zero trust” model, and only allows objects to communicate if they were explicitly enabled.
Are networks isolated between clouds – say in an OpenStack and CloudStack as a service model with a common physical network infrastructure?
Nuage: The Nuage Networks VSP is a multi-tenant solution, with tenancy that can be defined at different levels. Using a single Nuage Networks VSP, the customer has the ability to create multiple “enterprises,” each having its own CMS instance. For example, one running RHEL OpenStack, another with HP Helion and a third with CloudStack or Mirantis, all using the same VSD, VSC and the same data center networking infrastructure. This Nuage Networks VSP overlay solution can manage different tenants, each with their own CMS.
Within each CMS, you can further partition it so that you can have different tenants within a single CMS. These will also be sharing the same hypervisor and have complete separation with overlapping IP addresses.
How is manageability of VSD/VSC when we have multi controllers?
Nuage: The Nuage Networks VSD supports communicating with multiple CMS controllers and high availability protected controllers. It is up to the CMS controller to offer the protection, whether it is in active-active or active-standby; our “plugin” communicates with our VSD through the REST API and can handle multi-controller situations.
Is this a Neutron core plugin or an ML2 mech driver?
Nuage: The Nuage Networks Neutron plugin is a Neutron core plugin.
How is seeing VPX vAPP from Nuage Architect?
Nuage: The following diagram is the Nuage Networks VSD view of the overlay network, with the green icons being vports of the various VMs that are instantiated. If the NetScaler VPX is manually deployed as a regular VM and configured independently of OpenStack (i.e. without using LBaaS), then you will simply see the one or more vports in the various subnets/networks (blue icons) depending on the applications. However, if you are using LBaaS and provider-network, then you will not see a vport. The OpenStack Horizon view is sufficient and you only need to use the Nuage Networks VSP if you are planning on using advanced features over and above what is supported by Nuage (i.e. QoS, Service insertion).
Nuage Networks VSD GUI view
RedHat OSP Horizon View (VPX App1 was deployed manually as an example)
Can we show some of the DPI or utilization aspects of underlaying VMs/HW and Networks?
Nuage: It is not clear what the question is focused on, but there are three possible areas:
 Correlation between the overlay and underlay networks, in various aspects of the network (failures, utilization, etc.). The Nuage Networks Virtualized Services Assurance Platform offers that capability by correlating the information from the physical infrastructure with the information that resides in the Nuage Networks VSP. The following screenshots are examples of the views available to the user from that GUI.
 The second possible answer is how to “insert” DPI into the data path.
This is done in the overlay network using redirection rules for insertion of a security appliance (NGFW, DPI, etc.) into the data path either as part of the initial deployment security/network policy, or based on a network event (suspicious activity detected and a specific VM or flow needs to be analyzed). The VSD will simply apply a new policy to steer that specific flow to a pre-defined service appliance. Because the network is fully programmable, you can automate the insertion as well as the subsequent action upon confirmation that malicious activity has been detected (isolate the VM from the network and alert a security analyst to investigate). This can be done through a REST API call or using the VSD GUI. You can also mirror traffic to a network analyzer or work with one of our partners on something more specific (quarantine or monitor processes inside the VM or Container).
 Network Statistics in the overlay. We collected network level stats from all interfaces connected and the data is stored in a Hadoop cluster (VSD). Here is a sample GUI window showing the stats interface on the Nuage Networks VSD.
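The policy behavior described in the answers above (default deny between vports, allow rules keyed on logical groups, steering one flow to a service appliance on a network event, then isolating the VM) can be modeled in a few lines. This is an added example, not Nuage or Citrix code; the `Overlay` class, rule fields, group names and the `dpi-01` target are hypothetical and do not represent the VSD REST API.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration only; not the Nuage VSD data model or API.
@dataclass
class Rule:
    priority: int   # lower number is evaluated first
    src: str        # policy group name, or "vport:<name>" for a single endpoint
    dst: str        # policy group name
    port: int
    action: str     # "allow" or "redirect:<redirection target>"

@dataclass
class Overlay:
    groups: dict = field(default_factory=dict)  # vport name -> policy group
    rules: list = field(default_factory=list)

    def _matches(self, selector, vport):
        if selector.startswith("vport:"):
            return selector == f"vport:{vport}"
        return self.groups.get(vport) == selector

    def decide(self, src, dst, port):
        """First matching rule wins; no match means drop (zero trust default)."""
        for r in sorted(self.rules, key=lambda r: r.priority):
            if self._matches(r.src, src) and self._matches(r.dst, dst) and r.port == port:
                return r.action
        return "drop"

    def inspect(self, vport, dst_group, port, target):
        """Network event: steer one endpoint's flow through a service appliance."""
        self.rules.append(Rule(0, f"vport:{vport}", dst_group, port, f"redirect:{target}"))

    def quarantine(self, vport):
        """Confirmed malicious: regroup the endpoint so no allow rule matches it."""
        self.rules = [r for r in self.rules if r.src != f"vport:{vport}"]
        self.groups[vport] = "quarantine"

def demo():
    # Constructed sample topology: two web VMs and one database VM.
    net = Overlay(groups={"web-1": "web", "web-2": "web", "db-1": "db"})
    net.rules.append(Rule(100, "web", "db", 5432, "allow"))
    out = [net.decide("web-1", "db-1", 5432), net.decide("db-1", "web-1", 22)]
    net.inspect("web-1", "db", 5432, "dpi-01")   # suspicious activity on web-1
    out += [net.decide("web-1", "db-1", 5432), net.decide("web-2", "db-1", 5432)]
    net.quarantine("web-1")                      # malicious activity confirmed
    out += [net.decide("web-1", "db-1", 5432), net.decide("web-2", "db-1", 5432)]
    return out

if __name__ == "__main__":
    print(demo())
```

Only the flagged endpoint is redirected and later isolated; its group peer `web-2` keeps its original access throughout, which is the point of attaching policy to the vport rather than to a VLAN or subnet.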
How does VIP configuration work when I deploy NetScaler VPX in high availability (say App01-A App01-B)?
Nuage: With the Nuage Networks VSD “terminology” we refer to a “redirection target” as a logical label that can have a VIP associated with it. That Redirection Target can be set to “allow redundant appliance,” in which case, you can associate multiple vports to it all belonging to the same VIP. This is a fully supported model for appliance high availability support (in Layer 2 or Layer 3).