Riverbed Certified Solutions Associate
October 30, 2017 | Author: Anonymous | Category: N/A
Short Description
. Annette Filice PowerPoint Presentation Troubleshooting Riverbed® Steelhead® WAN Optimizers Eighteen ......
Description
Riverbed Certified Solutions Associate WANOpt Workshop
RCSA (Riverbed Certified Solutions Associate)
The Riverbed Certified Solutions Associate (RCSA) program is designed to validate the skills required of pre-sales engineers and technical professionals who work in the initial implementation of Riverbed products.
Designed to evaluate presales SEs who design Riverbed implementations and perform basic evaluations (PoCs).
Note: The RCSP exam is more geared toward Professional Services SEs and includes detailed implementation questions on all Riverbed products.
© 2015 Riverbed Technology. All rights reserved.
RCSA Exam Information
Exam Number: 101-01
Exam Name: Riverbed Certified Solutions Professional – WAN Optimization
Version of RiOS: Up to RiOS version 3.6.0 for the SteelHead EX appliances and VSP; version 9.0.0 for the SteelHead and SteelHead™ (virtual edition); version 9.0.0 for the SteelCentral™ Controller for SteelHead; version 4.0.1 for Interceptor; and version 4.5.1 for the SteelCentral™ Controller for SteelHead Mobile.
Number of Questions: 60
Total Time: 75 minutes for exam, 15 minutes for Survey and Tutorial (90 minutes total)
Exam Provider: Pearson VUE
Exam Language: English only. Riverbed allows a 30-minute time extension for exams taken in non-English speaking countries for students that request it. English speaking countries are Australia, Bermuda, Canada, Ireland, New Zealand, United Kingdom, South Africa, and the United States. A form will need to be completed by the candidate and submitted to Pearson VUE.
Special Accommodations: Yes (must submit written request to Pearson VUE for ESL or ADA accommodations; includes time extensions and/or a reader)
Offered Locations: Worldwide (over 4000 Pearson VUE test centers in 165 countries)
Prerequisites: None (although taking a Riverbed training class is highly recommended)
Available to: Partners, customers, and employees
Passing Score: 70%
Certification Expires: Every two years (must recertify every two years, with six month grace period)
Recertification Criteria: Retake the current 199-01 – RCSP-W exam. If you are RCSA-W certified, retaking the 199-01 – RCSP-W exam will also re-certify your RCSA-W.
Wait Between Failed Attempts: 72 hours
Wait Between Passed Exams: One year
Cost: $150.00 (USD)
Number of Attempts Allowed: Unlimited
Question Distribution
60 questions total from a collection of about 180
– 17 SteelHead Deployment & SteelHead Controller for SteelHead
– 11 SteelHead Application Features
– 9 SteelHead Mobile Client
– 2 SteelHead Interceptor
– 5 SteelHead Networking Features
– 6 SteelHead SaaS
– 15 WAN Optimization Technology
Application Performance Considerations
SteelHeads Overcoming Layers of Inefficiencies
Bottlenecks / Problems: High Round-Trip (Chatty) Apps; Lower User Productivity; Homegrown App Limitations
Riverbed Solution: Application Streamlining: Multiple App-Specific Optimizations out-of-box; App-Specific Transaction Predictions
Bottlenecks / Problems: Inherent TCP/IP Protocol Chattiness; Connection-Oriented Latency; Service Provider Challenges
Riverbed Solution: Transport Streamlining: Virtual Window Expansion (VWE), Window Scaling (RFC 1323); Low-Speed & High-Speed TCP optimizations
Bottlenecks / Problems: Moderate to Severe WAN Bandwidth Consistency & Availability
Riverbed Solution: Data (Bandwidth) Streamlining: Scalable Data Referencing (SDR); Patented Bit-Level Deduplication & Indexing; Tunable Lempel-Ziv Lossless Compression (LZ)
Bottlenecks / Problems: Adverse Environments; Costly Branch IT Servicing; ‘Islands of Storage’ Liabilities; Outright WAN Outages
Riverbed Solution: Hyper-Converged Edge*: SteelFusion Edge & SteelFusion Core; Virtual Services Platform (VSP)
RiOS: Underlying Framework
(Diagram: Branch Office – WAN – Data Center)
– Maintain TCP sessions at client-side outer channel
– Initiate new TCP sessions at inner channel
– Maintain TCP sessions at server-side outer channel
Transparent Deployment
– Maintains client / server interaction with no changes
– SteelHead Appliances auto-discover each other
Optimization is controlled via rules
– Traffic is optimized by default
– VoIP and video can be “passed through” with no degradation
Provides data / transport / application streamlining
How Root Causes Affect Application Performance
Application Protocol Inefficiency and Latency
Application Example: High “Application Turns” means chatty
Chatty application designs seem slow in high latency arenas
(Diagram, Low Application Turn: San Jose Branch Office and New York Data Center over a 10Mbps WAN; user input leads to few Request/Response exchanges. User: “Wow! Network is fast!”)
(Diagram, High Application Turn: San Jose Branch Office and New York Data Center over a 10Mbps WAN; user input leads to many Request/Response exchanges. User: “Network is sooooo slow!”)
Distributed Computing Problems
(Diagram: Branch Office and Data Center joined by a WAN; systems shown: tape backup, storage, filers, file servers, mail servers, web servers)
Networking problems and application problems: Web, email, FTP, Notes, etc.; Not Enough Bandwidth; Slow response times; Applications too slow to use; Applications not prioritized; Mobile access needed
Storage problems: Data sprawl; Islands of storage; Backup and replication; Meeting SLAs; Compliance worries
Data Streamlining
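Scalable Data Referencing (SDR)
(Diagram: original text (files & data) is shown as its binary representation, then as 1st level references, a 2nd level reference and a 3rd level reference)
Binary representation: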
0100001101101111011100000111100101110010011010010110011101101000011101000010000 01100001010101001001000000011001000110000001100010011001100001010010100100110 10010111011001100101011100100110001001100101011001000010000001010100011001010 110001101101000011011100110111101101100011011110110011101111001
Reference labels shown in the diagram: Ref[9z34], Ref[55k1], Ref[816378], Ref[4u244], Ref[vs5q6], Ref[j8s], Ref[qk7j9], Ref[vv7a2]
Copyright © 2013 Riverbed Technology
16-Byte references communicate megabytes of existing data (128 Byte average chunk size)
Data Streamlining = SDR + LZ
RiOS: SDR Benefit
(Diagram: data exchanged between the Seattle Branch Office and the New York Datacenter)
60-98% reduction in bandwidth
RiOS: Bandwidth Streamlining
60-98% reduction over time in WAN utilization
(Diagram: a Request travels from the Branch Office across the WAN to the Data Center; Files & Data return as References plus New data and become Reconstructed Files & Data at the branch)
– Requests from the client to the server
– SteelHead auto-intercepts the request, segments the data and LZ-compresses it
– Only new bytes are LZ compressed and sent over the WAN
– 16-Byte references communicate gigabytes of existing data
– Remote SteelHead reconstructs data and delivers it to the client
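A simplified sketch of the reference-and-new-data exchange described above, added here as an example; it is not Riverbed's SDR implementation. The gear rolling-hash chunker, the truncated SHA-256 references, zlib standing in for LZ and the single level of references are assumptions; only the 16-byte reference size and the roughly 128-byte average chunk come from the slides.

```python
import hashlib
import random
import zlib

REF_LEN = 16                     # slide: "16-Byte references"
MIN_CHUNK, MAX_CHUNK = 32, 1024  # assumed bounds around the ~128 byte average
BOUNDARY_MASK = 0xFE000000       # top 7 bits zero: about 1 position in 128

_rng = random.Random(0)          # fixed seed so both peers chunk identically
GEAR = [_rng.getrandbits(32) for _ in range(256)]


def chunks(data):
    """Content-defined chunking: cut where the rolling hash hits the mask."""
    out, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = ((h << 1) + GEAR[byte]) & 0xFFFFFFFF   # depends on last 32 bytes
        size = i - start + 1
        if (size >= MIN_CHUNK and (h & BOUNDARY_MASK) == 0) or size >= MAX_CHUNK:
            out.append(data[start:i + 1])
            start, h = i + 1, 0
    if start < len(data):
        out.append(data[start:])
    return out


def reference(chunk):
    return hashlib.sha256(chunk).digest()[:REF_LEN]


class Peer:
    """One appliance with its own segment store (reference -> chunk)."""

    def __init__(self):
        self.store = {}

    def encode(self, data):
        tokens = []
        for chunk in chunks(data):
            ref = reference(chunk)
            if ref in self.store:                  # already seen: send 16 bytes
                tokens.append(("REF", ref))
            else:                                  # new bytes: compress and send
                self.store[ref] = chunk
                tokens.append(("NEW", zlib.compress(chunk)))
        return tokens

    def decode(self, tokens):
        out = bytearray()
        for kind, body in tokens:
            if kind == "REF":
                out += self.store[body]            # KeyError means stores diverged
            else:
                chunk = zlib.decompress(body)
                self.store[reference(chunk)] = chunk
                out += chunk
        return bytes(out)


def wire_bytes(tokens):
    return sum(1 + len(body) for _, body in tokens)   # 1 tag byte per token


def demo():
    """Cold, warm and edited transfers of constructed sample data."""
    rng = random.Random(1)
    # Random bytes do not compress, so any saving below comes from references.
    original = bytes(rng.getrandbits(8) for _ in range(20000))
    edited = original[:10000] + b"INSERTED-BY-EDITOR" + original[10000:]
    datacenter, branch = Peer(), Peer()
    results = {}
    for name, payload in (("cold", original), ("warm", original), ("edited", edited)):
        tokens = datacenter.encode(payload)
        assert branch.decode(tokens) == payload
        new_chunks = sum(1 for kind, _ in tokens if kind == "NEW")
        results[name] = (wire_bytes(tokens), new_chunks)
    return results


if __name__ == "__main__":
    for name, (size, new_chunks) in demo().items():
        print(f"{name:6s} wire bytes={size:6d} new chunks={new_chunks}")
```

Because the chunk boundaries follow content rather than offsets, the insertion in the edited transfer only invalidates the chunks around the edit; everything after it is still sent as references.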
Transport Streamlining
RiOS: (Virtual) Window Scaling
– Larger windows improve TCP throughput
– Max amount of data per round trip increases = net throughput of bottlenecks
– Challenging to configure
– RiOS enables automatic window scaling across the WAN
RiOS: Congestion Algorithms
Advanced TCP Acceleration
High Speed (HS-TCP) for “Fill the pipe” OC-12 and larger connections
Max-Speed (MX-TCP) for lossy network connections
Connection Pooling – Eliminate 50% of overhead for small, short-lived connections
Adaptive Congestion Windows – Adapt transfer parameters based on network characteristics
Limited and Fast Retransmits – Ensure priority handling for packet resends
Application Aware Transport Optimization – Oracle Forms traffic in socket (native) and HTTP modes
Connection Pooling
– Minimizes the time for optimized connection setup
– Three-way TCP handshake not required to finish the WAN
– SteelHead uses a TCP connection from its “pool” of connections
– Transport Streamlining = one-to-one ratio for active TCP connections between SteelHeads and TCP connections to clients and servers
– SteelHeads do not tunnel, multiplex, or demultiplex
(Diagram: inner connection and connection pool between BRANCH OFFICE and DATA CENTER)
Application Streamlining
RiOS: Application Streamlining
Application Turns across the WAN and Latency affect Network Performance
(Diagram: each SteelHead completes the transaction locally)
Removes round trips from the WAN
RiOS: Application Protocols
CIFS(SMB1*)/SMB2/SMB3: Windows File Sharing (PCs and Macs)
MAPI*/eMAPI: Microsoft Exchange with MAPI / encrypted MAPI
Microsoft Office: Microsoft Office optimizations
MS-SQL: Database driven applications
HTTP*/HTTPS: Web applications and secure applications
Citrix: Citrix ICA Presentation, Xenapp Server
NFS*: Unix File Sharing & Applications
Lotus Notes: Lotus Notes 6.0 and higher
FTP*: File Transfer Protocol
Backup & Replication: Simplified replication of remote servers
Proxy File Service: Disconnected operations, integrated file sharing
* Latency optimizations which are enabled by default within RiOS
Components of a Complete WAN Optimization Solution
A Complete Optimization Solution
(Diagram: a primary data center, branch offices, a serverless branch office and SteelHead Mobile clients connected over WAN/VPN)
Components shown: SteelCentral Controller, SteelFusion Core, SteelHead Mobile Controller (SMC), SteelHead CX, SteelHead-VE, Interceptor Appliance, WCCP, SteelHead EX & SteelFusion, SteelHead EX, SteelHead Mobile Clients
Systems shown: filers, storage, tape backup, file servers, web servers, mail servers
Enhanced Auto Discovery (EAD)
TCP 3-Way Handshake
TCP 3-way handshake is
– SYNchronize Sequence numbers
– SYNchronize-ACKnowledgement
– ACKnowledge
Includes information such as TCP Options
– Riverbed leverages Options field for auto discovery and transparency
– Common TCP Options include Max Segment Size, Window Scaling and Selective Ack
(Diagram: Client A and Server B across the WAN)
IP(Client)→IP(Server):443 SYN
IP(Server):443 SYN/ACK → IP(Client)
IP(Client)→IP(Server):443 ACK
Enhanced Auto Discovery: Concept
Simplifies deployments for complex environments
– Discovers and optimizes between most distant SteelHead pair
– Removes need for manual peering rules across WAN
– Enabled by default under Peering Rules
(Diagram: CLIENT, C-SH, S-SH1, S-SH2 and SERVER across LAN and WAN segments; packet labels shown: SYN, SYN+ 0x4c, S/A+, S/A++ 0x4c, S/A)
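A troubleshooting sketch for the probe shown above, added here as an example and not taken from the slides or from Riverbed: it walks the TCP options of a captured SYN and reports whether option kind 0x4c is present, which is how to confirm that a firewall or other device in the path has stripped the probe. The header bytes, ports and the opaque probe payload are constructed sample data; the internal layout of the probe option is not modelled.

```python
import struct

PROBE_KIND = 0x4C      # option kind shown on the slides as "SYN+0x4c"
SYN, ACK = 0x02, 0x10  # TCP flag bits


def build_tcp_header(sport, dport, flags, options=b""):
    """Build a raw TCP header for the samples below (checksum left at 0)."""
    options += b"\x01" * (-len(options) % 4)   # pad with NOPs to 32-bit words
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                        (data_offset << 12) | flags, 65535, 0, 0)
    return fixed + options


def parse_tcp_options(tcp_header):
    """Return (flags, [(kind, payload), ...]); raise ValueError if malformed."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    raw, options, i = tcp_header[20:header_len], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option without a length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return offset_flags & 0x01FF, options


def classify(tcp_header):
    """Label a handshake segment the way the slides do (SYN, SYN+probe, ...)."""
    flags, options = parse_tcp_options(tcp_header)
    if not flags & SYN:
        return "not a handshake segment"
    name = "SYN/ACK" if flags & ACK else "SYN"
    probed = any(kind == PROBE_KIND for kind, _ in options)
    return name + "+probe" if probed else name


def probe_stripped(before_device, after_device):
    """True when the probe is present before a device but gone after it."""
    return (classify(before_device).endswith("+probe")
            and not classify(after_device).endswith("+probe"))


# Constructed samples: MSS 1460, SACK-permitted, window scale 7.
STANDARD = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x03\x03\x07"
PROBE = bytes([PROBE_KIND, 10]) + b"\x00" * 8   # opaque placeholder payload
SYN_PROBED = build_tcp_header(50000, 443, SYN, STANDARD + PROBE)
SYN_PLAIN = build_tcp_header(50000, 443, SYN, STANDARD)

if __name__ == "__main__":
    print(classify(SYN_PROBED))                   # capture on the SteelHead WAN side
    print(classify(SYN_PLAIN))                    # capture past the suspect device
    print(probe_stripped(SYN_PROBED, SYN_PLAIN))
```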
EAD: Probe Response
(Diagram: Client A, client-side SteelHead (C-SH), WAN, server-side SteelHeads (S-SH1, S-SH2) on the data center LAN, Server B)
Callouts: “In-Path interface: Check my InPath Rules!” and “In-Path interface: Check my Peering Rules!”
Message labels shown:
IP(C)→IP(S):SYN
IP(C)→IP(S):SYN+Probes
IP(S)→IP(C):SYN/ACK++ Notification Forwarding
IP(S)→IP(C):SYN/ACK+Probe Response
IP(C)→IP(S):ACK
Probe Response: 14 bytes
EAD: First Connection (3 SteelHeads)
(Diagram: CLIENT (“C”), SH1, SH2, SH3 and SERVER (“S”) across LAN and WAN segments)
IP(C)→IP(S):SYN SEQ1
Listening on service port 7800
IP(S)→IP(C):SYN/ACK
Connection Result: Connect result is cached until failure
Connection Pool (default = 20)
SteelHead Connection Pool
Auto Discovery – Port 7800
(Diagram: inner connection and connection pool between BRANCH OFFICE and DATA CENTER)
OOB Splice TCP Connection
Critical connection: required for ANY optimizations to occur
Used for ‘back-channel’ peered SteelHead to SteelHead communications
Should automatically set up during 1st EAD (or Fixed-Target) connection
– 1+ connections for optimized traffic (e.g. HTTP, CIFS, etc.)
– 1 connection for Out-of-Band Splice (30 minute timeout)
– 20 connections for Connection Pool
OOB tuple properties default to Correct Addressing (Inner-Channel):
– [CSH In-Path IP:xxxx]---->[SSH In-Path IP:7800]
All traffic passed through? Could be No OOB setup!
– Check Reports > Optimization > Peers report
In-Path and Peering Rules Overview
In-Path Rules: Enable Optimization
– In-Path Support must be enabled
– Enable Optimizations for each interface
– Ensure all IP addressing, VLAN settings, etc. are configured properly
In-Path Rules ACL: Connection Interception
SteelHead receives SYN packet on LAN interface (SYN on LAN) then:
– Checks resources (not in Admission Control – see System Settings > Alarms)
– Checks In-Path rules ACL & processes packet looking for a ‘match’
(Diagram: CLIENT (“C”) sends SYN: C→S on the LAN; callout “SYN on LAN? In-Path Rules!”; the SteelHead forwards SYN+ (EAD) C→S across the WAN toward SERVER (“S”))
In-Path Rules: Rule Types
Similar to Access Control List (ACL): identify traffic and specify type of rule
Six Rule types
– Auto Discover
– Fixed-Target
– FT: PMO
– Pass Through
– Discard
– Deny
In-Path Rules: Port Labels
Port Labels are name objects given to 1 or more TCP port numbers
Used to simplify configuration of Rules (In-Path, Peering, QoS, etc.)
All SteelHeads ship with pre-defined port labels:
– Interactive
– RBT-Proto
– Secure
– SteelFusion
– Example: Adding Citrix ports:
Peering Rules ACL
SYN+ on WAN or LAN? Peering Rules ACL!
Used only when a Client-Side SteelHead is attempting to Peer via EAD
Peering Rule Types
– Auto
– Accept
– Pass Through
Peering Rule Examples
Auto-peering (Enhanced Auto-Discovery) ensures the SteelHead appliances closest to the client and server are used to optimize a connection, and is enabled by default
Peering Rules allow optimization of only in-network SteelHead appliances
– Avoid “rogue” ones from other companies
Serial Clusters of SteelHeads help ensure concurrently optimize connections
– Serial clustering requires configuring peering rules to prevent SteelHeads from choosing each other as optimization peers
Peering Rule on S-SH1: Auto or Accept C-SH1; Pass S-SH2 and Rogue
Peering Rule on S-SH2: Auto or Accept C-SH1; Pass S-SH1 and Rogue
(Diagram: CLIENT, C-SH1, WAN, a Serial Cluster of S-SH1 and S-SH2, SERVER, and a Rogue SteelHead on the WAN; caption: Enhanced Auto Discovery (Most Distant SteelHead Pair))
In-Path Rules Additional Features
In-Path Rules: Optional Parameters
Some optimized connections need special handling based on the traffic type or application/protocol being used
Optional Parameters
– Preoptimize Actions – Such as SSL
– Latency Actions – Such as Citrix
– Data Reduction – Default = SDR+LZ; Use SDR only; Use LZ only; Disable
– Auto Kickoff
– Neural Framing (Nagle algorithm)
In-Path Rules: Auto Kickoff
Used only for Auto Discover and Fixed-Target in-path rules
Source and/or destination of a Pre-Existing Pass Through connection cannot be determined, so matches packets SrcIP→DstIP as well as DstIP→SrcIP
Does not distinguish between VLANs
– Connections with same src & dst addr on different VLANs will be kicked off
Useful for ensuring persistent (long-lived) connections remain optimized should SteelHead reboot / restart
– See also Optimization > General Service Settings > Reset Existing Client Connections on Start Up
WAN Visibility: In-Path Rules Configuration
Only configurable for “Auto-Discover” and “Fixed-Target” rules on Client-side SteelHead
(Diagram: Client-side SteelHead WAN I/F, WAN, Server-side SteelHead WAN I/F)
WAN Visibility: Summary
Visibility Mode: Correct Addressing
– Description: Uses SteelHead appliance IP addresses and ports over the WAN. Maintains original source and destination IP addresses and ports on the LAN-side.
– When to Use: Most SteelHead implementations use this mode.
– Caveats: Limited WAN-side visibility
Visibility Mode: Correct Addressing plus Port Visibility
– Description: Uses SteelHead appliance IP addresses with original source port over the WAN. Maintains original source and destination IP addresses and ports on the LAN-side.
– When to Use: WAN-side QoS and traffic reporting by application port
– Caveats: More difficult to distinguish between optimized and nonoptimized traffic (only by IP address, not port); May cause issues with IDS/IDP on WAN side; Loss of Connection Pooling
Visibility Mode: Full IP Address & Port Visibility
– Description: Original source and destination IP addresses and ports for traffic across the LAN and WAN with SteelHead appliances.
– When to Use: Network sensors on WAN-side of SteelHead appliance; MSP WAN-side traffic monitoring; WAN-side marking QoS for optimized traffic; WAN VLAN design issues
– Caveats: Traffic appears to be spoofed IP; Potential problems with firewalls and IDS/IDP; Mis-routed traffic causes resets; Cannot easily distinguish between optimized and nonoptimized traffic; Loss of Connection Pooling
Visibility Mode: Full Transparency with Reset
– Description: Enables full address and port transparency and also sends a forward reset between receiving the probe response and sending the transparent inner channel SYN
– When to Use: When deployed with stateful firewalls
– Caveats: All SteelHeads need to be on RiOS 6.0 or higher; Loss of Connection Pooling
Question 1 of 3
For each optimized connection, how many separate TCP sessions exist? Select one answer.
a. 3
b. 2
c. 1
d. 4
e. Depends on the tunnel mode
Question 3 of 3
You are performing a cold transfer of a 3MB Word file over FTP, this takes 1 minute. An unoptimized transfer would take 2 minutes. What component is responsible for most of these gains?
a. SDR
b. LZ
c. VWE
d. Transaction prediction
Question 1 of 3
Admission Control alarms are triggered when:
a. Bandwidth utilization exceeds appliance capability
b. The number of optimized sessions exceeds appliance capability
c. The data store is full
d. An unknown problem has occurred
Question 2 of 3
How many in-path rules will a single LAN initiated connection match on a Steelhead?
a. 0
b. 1
c. 2
d. 3
Question 3 of 3
What are three default port labels on the Steelhead appliance? (Select 3)
a. Secure
b. Interactive
c. RBT-Proto
d. Fixed-Target
e. Pass-Through
Question 1 of 7
1. Which of the following correctly describe the combination of cable types used in a fail-to-wire scenario for the interconnected devices shown in the accompanying figure? Assume Auto-MDIX is not enabled on any device.
a. Cable 1: Cross-over, Cable 2: Cross-over
b. Cable 1: Straight-through, Cable 2: Straight-through
c. Cable 1: Cross-over, Cable 2: Straight-through
d. Cable 1: Straight-through, Cable 2: Cross-over
Question 2 of 7
Which of these are valid addressing modes for a Steelhead? (Pick 3)
a. Correct addressing
b. No Transparency
c. Port Transparency
d. Complete Transparency
e. Mirrored Transparency
f. Full Transparency
Knowledge Check
1. The Riverbed SteelHead devices use TCP tunneling to transfer optimized traffic. True or False?
a. True
b. False
2. Which of the following protocols are enabled for latency optimization on Riverbed SteelHead appliances by default?
a. MAPI
b. HTTP
c. Citrix
d. CIFS SMB1
e. Encrypted MAPI (eMAPI)
3. Of the following devices, which ones perform the SDR function?
a. SteelHead Mobile
b. Virtual SteelHead
c. Interceptor
d. SteelHead Mobile Controller
Question 3 of 7
A customer is enforcing QoS between Steelheads based on the destination port. What is the recommended WAN visibility mode?
a. Correct Addressing
b. Port Transparency
c. Tunnel Mode
d. SSL Mode
Question 4 of 7
Assuming that the Steelheads have “Port transparency” configured for this session, what would the destination port between the two Steelheads be?
a. 7800
b. 80
c. 4302
a. Enable “auto-peering”
b. Both B and C
c. B or D
Question 7 of 7
Assuming that the Steelheads have Correct Addressing configured for this session, what would the destination port between the two Steelheads be?
a. 7800
b. 80
c. 4302
a. Enable “auto-peering”
b. Both B and C
c. B or D
Deployment Basics
Deployment Methods: 3 Types
Three general configurations support many different network topologies:
– Physical In-path: Can auto-discover
– Virtual in-path, physically out-of-path (Redirect To WANX_X): Can auto-discover
– Server-side out-of-path: Can Not auto-discover
One binding objective for all configurations: No asymmetry around SteelHeads!
Deployment Methods: Example
(Diagram: primary data center, secondary datacenter, branch offices, a serverless branch office and SteelHead Mobile clients joined over WAN/VPN)
Components shown: SteelCentral (CMC), SteelHead-VE, redundant Virtual SteelHead, SteelHead Mobile Controller (SMC), SteelHead CX, Interceptor Appliance, SteelHead EX & SteelFusion, SteelHead EX, SteelHead Mobile Clients
Deployment labels shown: Server Side Out-of-Path, Virtual in-path, Physical In-Path, WANX_X redirects
Systems shown: storage, filers, tape backup, file servers, web servers, mail servers
In-Path Deployment
In-Path: Multi In-Path Interface
Multiple Pairs of LAN/WAN interfaces
– Employing 4-Port Gigabit Ethernet (GigE) Card
(Diagram: LAN with NAS, SteelHead Appliance, WAN/VPN; CMC and CLI/Web-Based Mgmt.)
In-path Clustering: Serial Clustering
Serial Clusters are 2+ SteelHeads placed physically In-Path
Supported in all new SteelHead models & most older models
– Configure In-Path & Peering Rules to avoid intra-cluster peering
– Seg-Store Sync ensures continued Warm-Transfers
– Failover Support ensures continued optimizations should either SteelHead fail
– Functional in either client-side and/or server-side deployment
(Diagram, Serial In-path Deployment: L2 Switch on the LAN, SteelHead Appliances 1 and 2 in series, Router, Firewall or VPN, WAN/VPN Router)
In-path Clustering: Peering Rules Review
Peering rules control SteelHead’s behavior when detecting probe queries
– Ordered list of fields that a SteelHead appliance uses to match with incoming SYN packet
• Pass - The receiving SteelHead does not respond to the probing SteelHead
• Accept - The receiving SteelHead responds to the probing SteelHead for an optimized connection
• Auto - Enhanced auto-discovery is enabled and the SteelHead becomes the optimization peer only if it is the last SteelHead in the path to the server
– If a packet does not match any peering rule in the list, the default rule (Auto accept) applies
(Diagram, Serial In-path Deployment: L2 Switch Stack on the LAN, SteelHead Appliances 1 and 2 in series, Firewall or VPN, WAN/VPN Router)
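A simplified model of the Pass / Accept / Auto evaluation reviewed above, added here as an example; it is not RiOS code and not Riverbed's rule format. The match fields (probing peer address and server subnet), the addresses and the rule sets are constructed assumptions. It shows why a serial cluster that should ignore unknown ("rogue") peers needs an explicit catch-all Pass rule: with no match, the default Auto rule answers the probe.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class PeeringRule:
    action: str                # "pass", "accept" or "auto"
    peer: IPv4Network = ANY    # address of the probing SteelHead (assumed field)
    dst: IPv4Network = ANY     # server subnet (assumed field)
    note: str = ""


# Slide: "If a packet does not match any peering rule ... the default rule applies"
DEFAULT_RULE = PeeringRule("auto", note="default")


def match_rule(rules, prober_ip, server_ip):
    """Ordered list, first match wins; fall back to the default Auto rule."""
    for rule in rules:
        if ip_address(prober_ip) in rule.peer and ip_address(server_ip) in rule.dst:
            return rule
    return DEFAULT_RULE


def first_responder(path, prober_ip, server_ip):
    """path: [(name, rules), ...] ordered from the WAN toward the server.

    Returns the SteelHead that answers the probe, or None when every
    SteelHead passes and the connection stays unoptimized.
    """
    for index, (name, rules) in enumerate(path):
        rule = match_rule(rules, prober_ip, server_ip)
        last_in_path = index == len(path) - 1
        if rule.action == "accept":
            return name
        if rule.action == "auto" and last_in_path:
            return name
        # "pass", or "auto" with another SteelHead behind it: keep forwarding
    return None


def host(ip):
    return ip_network(ip + "/32")


# Constructed addresses for the serial-cluster slide.
C_SH1, S_SH1, S_SH2 = "10.1.0.5", "10.2.0.11", "10.2.0.12"
ROGUE, SERVER = "203.0.113.50", "10.2.1.20"

S_SH1_RULES = [
    PeeringRule("pass", peer=host(S_SH2), note="cluster partner"),
    PeeringRule("auto", peer=host(C_SH1), note="in-network branch peer"),
    PeeringRule("pass", note="everything else, including rogue peers"),
]
S_SH2_RULES = [
    PeeringRule("pass", peer=host(S_SH1), note="cluster partner"),
    PeeringRule("auto", peer=host(C_SH1), note="in-network branch peer"),
    PeeringRule("pass", note="everything else, including rogue peers"),
]

HARDENED = [("S-SH1", S_SH1_RULES), ("S-SH2", S_SH2_RULES)]
DEFAULT_ONLY = [("S-SH1", []), ("S-SH2", [])]

if __name__ == "__main__":
    for label, path in (("hardened", HARDENED), ("default only", DEFAULT_ONLY)):
        for who, ip in (("C-SH1", C_SH1), ("rogue", ROGUE)):
            print(f"{label:12s} probe from {who:5s} -> {first_responder(path, ip, SERVER)}")
```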
In-Path Considerations: In-Path Deployment with Multiple VLANs
(Diagram: LAN with NAS, file servers and mail server; Layer 3 Switch; 802.1Q Trunk; SteelHead; 802.1Q Trunk; WAN/VPN Router)
Each SH interface which bridges an 802.1Q trunk link requires:
- an IP address
- a default gateway
- a VLAN ID (if required for the in-path interface subnet)
In-Path Considerations: Redundant Default Gateway
SteelHead Ramifications:
– In a high-availability environment, there are often multiple designs to choose from, which would include HSRP, VRRP and GLBP
– HSRP or similar protocols have a link tracking option which should be used when possible
– SteelHead appliance with a 4-port card depending on the scenario
– May need to change Simplified Routing option depending on the scenario
(Diagram: LAN with NAS, file servers and mail server; Layer 3 Switch, HSRP Active 10.0.0.1, Fa0/0 10.0.0.2; Layer 3 Switch, HSRP Standby 10.0.0.1, Fa0/0 10.0.0.3; SteelHead Inpath0_0 10.0.0.100 and Inpath0_1 10.0.0.101; two WAN routers to the WAN/VPN; Connection Forward Traffic)
In-path Considerations: Simplified Routing (SR)
SteelHeads and packet forwarding
– An in-path SH bridges a given link, giving it two potential interfaces (LAN and WAN) to send packets out from
– SH appliances do not interact with routing protocols, but it is sometimes beneficial for a SH to know the “best” MAC address to forward an IP packet towards
Simplified Routing Overview
– Changes the process used to select the destination Ethernet address for packets transmitted from the in-path interfaces
– Watches traffic entering and passing through the in-path interface to create a table
• Each entry contains: IP address, MAC address
– Right before sending a packet out on the wire, does the SR table lookup, and overwrites the dst MAC address if entry is found
• Does not affect pass-through traffic
– One SR table per in-path interface
– Takes precedence over static routes including default gateway
• Can be overridden with CLI command in-path simplified mac-def-gw-only
In-path Redundancy: SteelHead Primary/Backup Failover
– SteelHead appliance closest to the LAN is configured as a primary (or Master), the other is a backup
– Primary SH optimizes traffic. Backup SH makes sure Primary is functioning and not in admission control
– If Backup SH can’t reach Primary, or if Primary enters admission control, Backup optimizes new connections until Primary recovers
– Recovered Primary optimizes any newly formed connections
SteelHead Segstore Synchronization: Overview
Segstore Sync works by enabling both the Sync Client and Sync Server on each SteelHead (only two SHs can participate in a sync)
– Configure one as primary and another as secondary (Master/Backup)
– Backup will take on store_id of master
In this way the SteelHeads can send and receive new Segment Pages
Requirements for deployment:
– Same hardware model
– Same RiOS version
– Minimal latency between SHs
(Diagram: Branch Office and Data Center; two SteelHeads linked by “sync”, one marked X as failed; caption: Same warm performance)
For Parallel Design…
Use Connection Forwarding: Addresses need for optimizing traffic in following environment
– Asymmetric paths
– Links are not at same physical site (or 4-port card would be preferable)
– Set default gateway to LAN side
– Set a static route to LAN
– Use simplified routing
(Diagram: LAN with NAS and file servers; parallel SteelHeads exchanging Connection Forward Traffic; WAN/VPN)
Asymmetric Routing: Visibility and Configuration
Detects & passes through asymmetrically routed IP pairs by default
Can remove cached entries manually
in-path asymmetric routing detection enable
in-path asymmetric routing pass-through enable
show in-path asym-route-tab
show in-path ar-circbuf
in-path asym-route-tab remove
in-path asym-route-tab flush
Connection Forwarding: Configuration
– Both SteelHead’s Connection Forwarding port
– Neighbor Details
Steelhead communication enable
[no] Steelhead name main-ip additional-ip port
show in-path neighbor
Server-Side Out-of-Path Deployment (SSOOP)
Server-Side Out-of-Path (SSOOP)
– SSOOP means using Primary interface for optimization
– Primary interface can provide both admin and optimization services
– Primary interface can only function as server-side SteelHead – CANNOT be Client-side SteelHead
– Optimized traffic transparent for clients, but NOT transparent for servers (SNAT proxy)
– C-SH requires Fixed-Target In-Path rule targeting S-SH PRI IP address + port 7810
(Diagram: Client-side SteelHead (LAN I/F, WAN I/F) with Fixed-target Rule to SSH PRI IP + Port 7810, WAN, Server-side SteelHead PRI interface; traffic to the server has IP SRC=S-SH)
SSOOP Optimization: Enabling SSOOP
Server-side SteelHead
– Enable Primary interface optimization via CLI
(config) # out-of-path enable
– Enable Primary interface optimization via GUI
Client-side SteelHead
– Configured for physical or logical in-path, with addition of fixed-target rule pointing to the primary interface address of the server-side SteelHead
(config) # in-path rule fixed-target srcaddr 0.0.0.0/0 dstaddr 192.168.41.64/26 dstport 0 target-addr 192.168.41.80 target-port 7810
SSOOP Optimization: Scalable SSOOP Data Center Deployment
(Diagram, Out-of-Path Deployment: Client-side SteelHead reaches the Data Center LAN over WAN/VPN with Primary and Backup targets; SteelHead Appliances A, B, C and D each attach through their PRI interface; also shown: NAS, file servers, mail server, storage, CMC, CLI/Web-Based Mgmt.)
SSOOP Optimization: Out-of-path Packet Flow
(Diagram: Client, SH1, SH2, Server)
IP(C)→IP(S):SYN SEQ1
IP(SH1)→IP(SH2):7810 SYN
IP(SH2)→IP(SH1):SYN/ACK
IP(SH1)→IP(SH2):7810 ACK
IP(SH2)→IP(S):SYN SEQ2
IP(S)→IP(SH2):SYN/ACK
IP(S)→IP(C):SYN/ACK
SH2: Listening on port 7810, No Probes
Connection Pool 20x
SSOOP Optimization: Hybrid
“Hybrid” simply means simultaneous in-path and out-of-path optimization
Useful to enjoy benefits of in-path, but network requirements require flexibility of out-of-path
Sites can retain in-path optimization benefits
(Diagram: SteelHead Mobile Users and a Client-side SteelHead with Fixed Target rule(s) reach the Data Center over INTERNET/VPN through a Firewall or VPN to the Primary Interface; another Client-side SteelHead connects over WAN/MPLS; file servers in the Data Center)
Virtual In-Path Deployment
Virtual In-Path Deployment Topologies
Auto-discovery
(Diagram: Client-side SteelHead (LAN I/F, WAN I/F), WAN, PBR or WCCP Redirect IN to the Server-side SteelHead WAN I/F)
Client & Server Fixed-target Rule
(Diagram: Client-side SteelHead (LAN I/F, WAN I/F), WAN, PBR or WCCP Redirect IN to the Server-side SteelHead WAN I/F)
Virtual In-Path Deployment Topologies (con’t)
Client Out-of-path, Auto-discovery
(Diagram: PBR or WCCP Redirect IN to the Client-side SteelHead WAN I/F, WAN, PBR or WCCP Redirect IN to the Server-side SteelHead WAN I/F)
***Note: You typically do not see Virtual In-Path at the Branch.
Virtual In-path SteelHead – Enabling
Enable virtual in-path support, plus at least one in-path interface; this will also “shutdown” the associated LAN interface, in this case lan3_0
Apply, then Save – Requires Service Restart
Virtual In-Path: Web Cache Control Protocol (WCCP)
– Cost-effective, usually simpler to manage than PBR, handles complex WAN interfaces and topologies
– Un-optimized (fail-through) on error automatically
– Many Cisco bugs, check router/IOS version with Cisco
– Cisco-centric
(Diagram: LAN, L3 Cisco Switch, SteelHead Appliance, Router, Firewall or VPN, WAN/VPN)
WCCPv2 SteelHead Configuration
1st: Setup Group
– Define Service Group ID
– Define Unicast Router ID (You can define up to 32 routers)
– Click Add
2nd: Enable WCCPv2 Support (LAN is then disabled)
– Enable and Apply
– Click Apply
Virtual In-Path: Layer-4 Switch
Possible, though rarely deployed due to simplicity of Interceptor and broad familiarity of PBR and WCCP
SteelHead configuration is similar to PBR, simply enable virtual in-path
– Handles high volume environments
– Auto-discovery of SteelHeads
– Clients and servers continue to see client and server IP addresses
[Diagram labels: L4 Switch; L2 Switch; WAN/VPN Router; Firewall or VPN; SteelHead Appliances]
Deployment Methods Summary
In-path: simple, auto-peering. Controls: in-path rules. Note: use fixed-target rule if firewall or other device strips probe
Virtual in-path: routing forces traffic to WAN, auto-peering. Controls: external setup (PBR, WCCP, Interceptor). Note: enabling this mode disables LAN interface
SSOOP: client SH directly sends to server SH. Controls: fixed target rules. Note: server SH uses SNAT
Parallel SHs: multiple routes or parallel design. Controls: connection forwarding to handle routing asymmetry. Note: very high conn setup rate can mimic asymmetric routing
Quad (High Avail): serial clusters in a parallel design. Controls: peering rules, connection forwarding. Note: Auto Discovery and EAD optimize from different sides of the cluster
[Diagram labels: redirect to WAN; WAN; LAN]
SteelHead Interceptor Overview
Interceptor Solution Benefits
Scalability
– Up to 2,500,000 concurrent connections on INT9600
– INT9350 supports 1,000,000 concurrent connections
– Up to 40 Gbps LAN side throughput
– Cluster of up to 25 SteelHeads
High Availability
– Real-time Cluster Management
– Failover Support
• Fail-to-wire and Fail-to-block
– In-path or Virtual In-Path Support
– ~3 second SteelHead non-response recognition
Configuration & Management
– Familiar & Intuitive User Interface
– SteelHead Appliance Awareness
– SteelCentral Controller (SCCS/CMC) Management
Interceptor Solution
The Interceptor Appliance leverages RiOS awareness to load balance optimized traffic to a local cluster of SteelHead Appliances
Virtual in-path can be done via router, L4, load balancer, etc., but Interceptor is the better choice because it understands SteelHeads
[Diagram labels: Interceptor Appliance(s); L2/L3 Switch; WAN/VPN Router; Firewall or VPN]
Interceptor: SteelHead Aware Load-Balancer
SteelHead Interceptor Basics:
Appliances
– No data store on Interceptor
– Distributes connections to SH’s
– SH(s) in “virtual in-path”
Interceptor stats:
– Supports 25 SteelHead devices
– Up to 2.5 million optimized connections
– Up to 12Gbps of optimized traffic
– Using Xbridge can handle 40 Gbps
– High-availability configurations
– 5000+ new connections per second
Interceptor packet handling:
– Hardware assist NIC
– In-path rules (like SH!)
– Load balancing rules
[Diagram labels: Interceptor 9350; L3 Switch; WAN/VPN Router; Firewall or VPN; DATA CENTER]
Load Balancing – Standard
Example: Only one LB rule added to specify all data replication (DR) traffic is sent to SH-1
LB Rule: All DR Traffic to this SH (SH-1)
LB Default Rule: All ‘other’ traffic to Pool of SH’s
[Diagram labels: DR; WAN; R-SH1; R-SH2; SH-1; SH-2; SH-3]
Fair Peering v2: More Informed Load Balancing
LB based on SH connection capacity, of both local and remote SH’s
LB based on SH connection count & peer affinity
Monitor local SH “pressure” on CPU, disk, & memory
Dynamically re-allocate peers based on above
[Diagram labels: BRANCH OFFICE; BRANCH OFFICE; OTHER BRANCH OFFICES; WAN; Interceptor; Steelhead Cluster; DATA CENTER]
Interceptor and Packets
Three ways of controlling which traffic is redirected to SteelHeads and which SteelHeads will be targeted:
Interceptor packet handling:
1. Hardware assist NIC
2. In-path rules
3. Load balancing rules
– Round robin
– Fair peering
– SteelHead pressure monitoring
• Packets given to SteelHead that already peered to remote site
• Otherwise, new connections go to “least full” SteelHead
• Interceptor knows if SteelHead is under resource pressure and redirects accordingly
Question 5 of 7
Which version of WCCP supports redirection of all types of traffic?
a. v1
b. v2
c. v3
d. v5
e. v9

Question 6 of 7
What port needs to be connected in a server-side out-of-path configuration?
a. Inpath0_0
b. Wan0_0
c. Lan0_0
d. Primary
e. Aux

Question 5 of 6
How many Steelhead appliances can an Interceptor appliance support in a single cluster or group?
a. Up to 10
b. Up to 15
c. Up to 20
d. Up to 25
e. Up to 30

One more Question
When performing a logical in-path deployment, which interface on the Steelhead needs to be physically cabled for optimization to occur?
a. LAN
b. AUX
c. Primary
d. WAN

SteelCentral® Controller for SteelHeads (SCC) Overview
SCC Overview
Enterprise management and reporting for SteelHead family appliances delivers greater control
Simplifies deployment, configuration, monitoring, and upgrading
– Lower Total Cost of Ownership for SteelHead environments
– Available as physical or virtual appliance
[Diagram labels: San Francisco Datacenter; London Office; Tokyo Office; WAN; SteelHeads; Branch Data; Branch Servers; SteelCentral Controller; SteelFusion Edge Device; SteelHead Interceptor; SteelHead; SteelHead Mobile Controller; Datacenter Servers; SteelFusion Core]
SCC Highlights Overview
Configuration: Configures SteelHeads & Interceptors, status info for SteelHead Mobile Controllers and SteelFusion devices
Monitoring: both high-level status and detailed statistics
Maintenance: image updates, restarts, reboots, & more
Troubleshooting: centralized system & TCP dumps
SCC: Centralized Management
SteelHead Appliances auto-discover SteelCentral Controller via DHCP & DNS
Centrally configure SteelHeads and Interceptor(s) and set optimization policies in minutes
Data is centralized for Global Reporting
GC, IC, SMC & WW manually registered to the SteelCentral Controller
[Diagram labels: PRIMARY DATA CENTER with In-Path; SteelCentral Controller; Interceptor; Storage; Tape Backup; File Servers; Web Servers; Mail Servers; Filer; SteelHead Mobile Controller (SMC); Server SteelHead Appliance; BRANCH OFFICE with Virtual In-Path; SteelHead EX; BRANCH OFFICE With Server, SteelHead EX Appliance; BRANCH OFFICE (Serverless), SteelHead EX Appliance; WAN/VPN]
Configurations Management Features
Hierarchical management with policy inheritance
– Central Policy Administration for most SteelHead configurations
Central configuration and monitoring
– Scheduled Operations / Operation History
– Health monitoring
– Central updates to Steelhead firmware images
– Import existing Steelhead configurations
[Screenshot: Scheduled Operations]

Configurations Management Features (cont’d)
[Screenshot: Operation History]
SteelHead firmware library for centralized updates
Import existing SteelHead configurations
CLI command broadcasting
Touchless SteelHead configuration
Secure appliance communications
– HTTPS access to CMC
– SH to CMC communications over SSH
– Radius / TACACS+ authentication
SCC Startup & Operations Overview
SCC Backups
Backups: Scheduled Operations
– SteelCentral Controller and SteelHead configuration backups are full backups
– Statistics (data for reporting) backups are incremental
– Configuration and statistic backups can be scheduled separately
– Protocol can be CIFS, NFS, or SSH
– Backups can be configured as one-time or recurring
Backups: Operational History
– Shows status of idle, success, running, or failed
– Backup and Restore operations can be manually performed, independent of a previously scheduled backup
Appliance Administration
Perform actions on appliances / groups of appliances
Next slide…

CLI Broadcasting
Quickly send CLI commands to a group of SteelHead appliances
Send immediately or schedule for later
Assumes a “conf t” mode

Scheduled Jobs
Ability to schedule any configuration push
Scheduler built into software upgrade mechanism
Job Management interface for job status

Operation History
View operations applied to SteelHead appliances and groups
Search filter by date/time, event, or type

SteelCentral Controller (SCC) Workflow Process
Example Workflow
1. Register SteelHead Appliance(s)
2. Create Appliance Groups
3. Create Policies
4. Map Policies to Appliances or Groups
5. Push Policies and Perform Operations
Unassigned SteelHeads are assigned to “Global” group
Each SteelHead can only belong to one group
Maximum of 256 total groups (parent + child groups)
SteelHead Registration To SCC
Workflow step: Register SteelHead Appliance(s)
Manual Configuration
– Existing or pre-deployed SteelHead (SH) appliances
– Manual push of policies
Auto-configuration (“Touchless Deployment”)
– Deploy unconfigured SH appliances
– Policies pushed automatically as SH auto-registers via DHCP/DNS
– Rack it, cable it and GO!
Default Password Considerations
– If the default password has been changed, SteelHead Appliances can auto register with the SteelCentral Controller but cannot be managed until the password is set in the manual configuration wizard.
Grouping Hierarchical Management
Workflow step: Create Appliance Groups
The SCC hierarchical management of devices allows intuitive access to all of the SteelHead and other RiOS-based appliances in your global infrastructure. With a filtered view of SteelHead appliances and groups, you can easily view which policies are applied to each of your appliances and groups.
Mapping Policies
Workflow step: Map Policies to Appliances or Groups
Each SteelHead appliance, or group of SteelHead appliances, can be assigned any number of policies
Policy inheritance implies policies assigned to the Global group provide the default values for all groups and SteelHead appliances
Values inherited from parent groups are overridden by enabled pages in policies deeper in the hierarchy
In essence, groups inherit settings from enabled policy pages applied to the closest ancestor group (the group(s) above them in the hierarchy), down to the individual SH, whose settings on the SCC override all inherited policy settings
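The inheritance rule on this slide, modelled as an added example (not Riverbed code and not part of the original slides) that resolves each appliance's effective policy pages and reports where a security setting was overridden deeper in the hierarchy. Group, appliance, page and setting names are constructed, and whole-page replacement (rather than key-by-key merging) is this model's reading of "overridden by enabled pages".

```python
"""Added example: a small model of SCC policy inheritance for audit purposes.

Group, appliance, page and setting names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, object]


@dataclass
class Node:
    """A group or an individual SteelHead in the SCC hierarchy."""
    name: str
    parent: Optional["Node"] = None  # each node belongs to exactly one group
    pages: Dict[str, Settings] = field(default_factory=dict)  # enabled policy pages


def ancestry(node: Node) -> List[Node]:
    """Return the chain from the root (Global) down to the node itself."""
    chain: List[Node] = []
    seen = set()
    cur: Optional[Node] = node
    while cur is not None:
        if id(cur) in seen:
            raise ValueError(f"cycle in hierarchy at {cur.name}")
        seen.add(id(cur))
        chain.append(cur)
        cur = cur.parent
    return chain[::-1]


def effective_pages(node: Node) -> Dict[str, Tuple[Settings, str]]:
    """Resolve each policy page to (settings, name of the level that supplied it).

    Assumption of this model: override is per page, so an enabled page deeper
    in the hierarchy replaces the inherited page as a whole.
    """
    resolved: Dict[str, Tuple[Settings, str]] = {}
    for level in ancestry(node):
        for page, settings in level.pages.items():
            resolved[page] = (dict(settings), level.name)
    return resolved


def audit(appliances: List[Node], page: str, key: str, expected: object):
    """List (appliance, source level, actual value) where a setting deviates."""
    findings = []
    for app in appliances:
        settings, source = effective_pages(app).get(page, ({}, "<unset>"))
        actual = settings.get(key)
        if actual != expected:
            findings.append((app.name, source, actual))
    return findings


# Constructed hierarchy: Global -> EMEA -> two appliances; one appliance in Global.
GLOBAL = Node("Global", pages={
    "ssl": {"enabled": True, "encrypt_inner_channel": "all"},
    "auth": {"method": "tacacs+"},
})
EMEA = Node("EMEA", parent=GLOBAL, pages={
    # Whole-page override: a narrower inner-channel encryption setting.
    "ssl": {"enabled": True, "encrypt_inner_channel": "ssl-only"},
})
LONDON = Node("sh-london", parent=EMEA)
PARIS = Node("sh-paris", parent=EMEA, pages={
    # Appliance-level settings override everything inherited.
    "ssl": {"enabled": False, "encrypt_inner_channel": "ssl-only"},
})
TOKYO = Node("sh-tokyo", parent=GLOBAL)  # unassigned appliances sit in Global
APPLIANCES = [LONDON, PARIS, TOKYO]

if __name__ == "__main__":
    for name, source, value in audit(APPLIANCES, "ssl", "encrypt_inner_channel", "all"):
        print(f"{name}: encrypt_inner_channel={value!r} (from {source})")
```

The source level in each finding tells you which group or appliance policy to review, which is the part the flat per-appliance view hides.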
SteelCentral Controller for SteelHead Best Practices
Make sure the SteelHeads talk to the SCC
REST API used to push PS/ST/QoS configuration
– Configure REST API Access
SSL communication channel between SH and SCC
– Install SSL-license on SHs
Register SHs with SCC
– Branch (config) # scc enable
– Branch (config) # scc hostname
SteelHead Mobile Solution Overview
SteelHead Mobile Optimization Benefits
SteelHead Mobile:
– Delivers mobile optimization and application acceleration to mobile workers whether from a laptop or a desktop in the branch office.
– Provides mobile workers with access to corporate files and applications.
– Improves productivity for on-the-go workers and branch offices
– Accelerates business-critical web applications up to 60x
– Reduces bandwidth by up to 99%
– Interacts directly with any SteelHead solution to optimize applications
SteelHead Mobile Solution Overview
SteelHead Mobile Controller Appliance / Virtual:
– Physical or virtual (ESXi v5.0, 5.1, & 5.5)
– Handles Client licensing and reporting
– Controllers can be clustered for scale & resiliency
– Facilitates large deployments and rapidly growing organizations
[Diagram labels: SteelHead Mobile Controller; Mobile Users; Home Users; Small Branch Offices; WAN; SteelHead Appliance; DATA CENTER]
SteelHead Mobile Considerations
NTFS file system only for Windows.
– No FAT or FAT32 file systems
Mac OS support
– Mobile Client installer for Mac OS X is standard Apple PackageMaker installer
Mobile client host (laptop/desktop) firewalls
– Must allow TCP port 7801 for NAT
– Use fixed-target rule if discovery probe (0x4c) is stripped
Data Store Size
– Range from 256MB to 20GB
Data Store Size → Memory Usage
– 256 MB → 81 MB
– 2 GB → 100 MB
– 10 GB → 161 MB
– 20 GB → 228 MB
For SSL optimization, an SSL license will need to be installed on the Controller in the Setup > Licenses menu to build trust relationship
SMC Policies, Location Awareness, and Branch Warming
Managing Mobile Clients
Mobile Clients are managed using Policies, Packages, and Group Assignments.
Policy – a set of configuration settings that determine the optimization rules for Mobile Clients, such as
– In-Path Rules
– Protocol Settings (CIFS, MAPI, HTTP, Lotus Notes, and so on)
– SSL
– Location Awareness (whether to leverage SHM or a SteelHead appliance)
– Endpoint Settings (segstore size, log settings, SMC to use, and so on)
Package – combination of the Mobile Client software and Policy
Group Assignment – an association of end users to packages and policies
Location Awareness Overview
1. Mobile user returns to Branch Office
2. Enhanced auto-detection detects branch SteelHead appliance
• Location Awareness
3. Link based licensing by adapter allows optimization based on:
• Wired vs. Wireless Clients
• VPN Clients vs. LAN clients
• 3G vs. Dialup
[Diagram labels: SteelHead Mobile Controller; Mobile Users (3G); Home Users (WiFi); Branch Office (LAN); VPN/WAN; SteelHead Appliance; Data Center]
Branch Warming Process Overview
1. Mobile user returns to branch office
2. Enhanced auto-detection allows the branch office SteelHead to optimize while leaving SHM license in pool for other users
3. Data references are populated among the segstores of the SHM client, data center and branch office SteelHeads
4. As other clients request similar files, they receive the benefit of warm transfer on first access while warming their own segstore
5. When users return to the field, they enjoy warm performance
[Diagram labels: SteelHead Mobile Controller; Mobile Users (3G); Home Users (WiFi); Branch Office (LAN); WAN; SteelHead Appliance; Data Center]
Branch Warming: SH Configuration
Enable Branch Warming on both SteelHead appliances:
– Datacenter SteelHead
– Branch
Note: default is enabled
Question 1 of 6
You are deploying Steelhead Mobile with the server side Steelhead deployed server-side out-of-path. What do you need to configure in the mobile controller so that clients optimize traffic to that Steelhead appliance?
a. Define the SH IP address in the End Point policy.
b. Create an “Auto-discovery” optimization rule in the Acceleration policy.
c. Create a “Fixed-target” optimization rule in the Acceleration policy.
d. Steelhead Mobile cannot be deployed with server-side out-of-path Steelheads.

Question 4 of 6
What are two benefits of using a SCC appliance? (Select 2)
a. Centralized monitoring of Steelhead appliances
b. Centralized reporting of Turbo Tunnel Initiator appliances
c. Centralized reporting of Cascade appliances
d. Centralized configuration of Steelhead appliances
e. Centralized configuration of Cascade Profiler appliances

Question 6 of 6
Once a Steelhead Mobile client connects to the Mobile Controller (SMC), it retrieves what from the SMC?
a. Secure vault key
b. License
c. The CMC tree
d. The Steelhead domain catalog descriptor database (DCDD)
Latency Reduction Optimization Overview
Latency Reduction Optimization
Latency Reduction Methods:
– Chatty protocols (high application turns)
• Examples: CIFS/SMB/SMB2, NFS, MAPI/eMAPI, Lotus Notes, and HTTP
– Caching and Pre-population
• Examples: DNS Caching, CIFS Prepopulation, and HTTP Prepopulation
CIFS Optimizations & SMB Signing
CIFS Optimizations
Read Ahead
– Regular and Strided
– Metadata prefetching and caching
– Convert multiple requests into one larger request
Write Behind
– Convert multiple requests into one larger request
– Note WAN bandwidth rating of ‘writing’-side SH
Applock – specifically for .doc/.docx & .xls/.xlsx file types
Print – improves centralized print traffic performance
Many more happen “under the hood/bonnet”…
SMB1/SMB2/SMB2.1, clear and signed
Latency optimization disables automatically by default if:
– SMB Signing is required
– Opportunistic Lock is lost (still allows bandwidth reduction and TCP optimizations)
CIFS: Windows File Systems
CIFS (SMB1), SMB2, SMB3 are optimizable via RiOS file system optimization blades
– CIFS pre-population can be used for all flavors of SMB
CIFS / SMB: Windows XP, Windows Server 2003
SMB2: Windows 7, Windows Server 2008R2
SMB3: Windows 8, Windows Server 2012
Messaging Application Programming Interface (MAPI)
The MAPI protocol is used by Microsoft Mail/Microsoft Exchange
The RiOS system can perform optimization for Exchange versions 2000, 2003, 2007, 2010
MAPI optimization does not require a separate license and is enabled by default
RiOS MAPI optimizations enabled by default include
– Read ahead on emails and attachments
– Write behind on emails and attachments
– Folder Synchronization
– Prepopulation
Optional RiOS MAPI optimizations include
– Outlook Anywhere (RPC over HTTP/S, technically a subset of standard MAPI)
– Encrypted Optimization
Exchange has historically increased optimizable connections through releases; watch for SteelHeads going into Admission Control
Accelerating Exchange Transfers
[Screenshot: MAPI configuration options]
MAPI Prepopulation Avoids Spikes in WAN Usage
• Client opens up a connection with the Exchange Server
• SteelHead auto-intercepts responses, and accelerates transfers
• Client disconnects, but client-side SteelHead maintains the connection
• Server continues to deliver email and attachments
• When client logs in again, all email is delivered with LAN performance and no spike in WAN usage
[Diagram labels: Branch Office; WAN; Data Center; Mail Servers; MAPI Connection TCP Port 135 EPM; MAPI Connection Maintained]
Outlook Anywhere Configuration
In-Path Rules
Identify Outlook Anywhere traffic to client-side SH
– If IIS HTTP server is only used for RPC Proxy, use Latency Optimization Policy: Outlook Anywhere and disable auto-detect (on MAPI config)
– If IIS HTTP server is also handling web sites, use Latency Optimization Policy: Normal and enable auto-detect
[no] protocol mapi outlook-anywhr enable
[no] protocol mapi outlook-anywhr auto-detect
MAPI Decryption/SMB Signing
MAPI Decryption/SMB Signing Requires Domain Join
Optimization enablement for both MAPI Encryption and SMB Signing has a similar overall architecture:
[Diagram labels: Client; C-SH; S-SH; Server; Domain Controller (DC)]
S-SH is required to join the domain
– The join requires domain admin credentials
– After join, the actual admin username/password are discarded
This is a non-trivial undertaking due to many variables, including Exchange and domain controller version-specific requirements
– Note: consult SteelHead Appliance Deployment Guide – Protocols for more information
DNS Caching, Lotus Notes, NFS, MS-SQL, HTTP, FTP Optimizations

DNS Caching Configuration
Simple, value-add feature, not enabled by default
– Check the Enable Caching DNS box and select desired interface
– Then, add & configure interactions with DNS servers the SteelHead should contact on behalf of clients
– Finally, configure clients to access SH for DNS
HTTP Features
Primary web content optimization methods
– Strip compression – maximizes SDR by disabling compression of web page
– URL Learning – learns associations between base request and follow-on requests
– Parse and Prefetch – handles dynamically generated pages and URLs that include state information
– Object Pre-fetch Table (OPT) – Client-side SteelHead responds to both IMS and regular requests using previously saved responses from server
– Authentication Tuning – NTLM and Kerberos
– Automated Tuning
• Can reduce complexity of configuring HTTP optimization
• Recommended for back-hauled Internet traffic, where S-SH to Server latency is usually much greater than enterprise-based applications and normal conventions of application optimization do not hold true
HTTP Prepopulation
Prewarms HTTP protocol on RiOS segstore
– Delivers data content residing on Web server into segstore of relevant SH appliances
– Provides remote users an enhanced viewing experience
Use the job command on Client-side SteelHead to run the transfer during off hours
At 12:15 – Job name “prepop” starts HTTP prepopulate with http://intranet/hr/Interview.mp4
[Diagram labels: Client; Client-side SteelHead; WAN; Server-side SteelHead; Web Server]
(config) # protocol http prepop list HRvideos
(config) # protocol http prepop list HRvideos url http://intranet/hr/Interview.mp4
(config) # job 1 name prepop
(config) # job 1 command 1 "protocol http prepop list HRvideos start"
(config) # job 1 date-time 12:15:00
(config) # job 1 enable
HTTP Stream Splitting
Live On Demand Video
Enabled on client-side SteelHead
Support with
– Microsoft Silverlight
– Adobe HTTP Dynamic Streaming
– Apple’s HTTP Live Stream (HLS) on RiOS 8.5
Example:
• 512kbps stream
• 50 viewers in office A
• 10 viewers in office B
[Diagram labels: 25.6Mbps; 512kbps]
Additional SharePoint Protocols
Front Page Server Extension (FPSE) is one of the protocols in SharePoint protocol suite
– Used for displaying site content as file system
Web Distributed Authoring & Versioning (WebDAV) is an open-standard extension to the HTTP1.1 protocol that enables file management on remote Web Servers
Web Proxy Overview
Web Proxy: Key Benefits
Transparent HTTP(S) proxy
Asymmetrical deployment
– Only on the client side
Local connection termination
Co-existence with traditional WAN-opt features
Cache storage is separate from WAN-opt seg store
YouTube video caching
Centralized management and reporting via SCC
Web Proxy: Fundamentals
IP Address Support
– IPV4 Only
– Non-RFC 1918 (Public) addressing supported by default
– RFC 1918 (Private) can be used via additional in-path rule configuration
• Customer’s intranet and internal addressing
TCP Port Support
– TCP 80 (HTTP) and 443 (HTTPS) default
– Non standard ports can be supported via additional in-path rule configuration
Web Proxy and SaaS
– SaaS does not use Web Proxy
– SaaS uses traditional DEI HTTP optimization
Video Caching
– Static video content that is cache-eligible
– Think video “files” not “streams”
– YouTube is not really “streaming” video to your browser
– Most Internet browsers are supported when accessing YouTube
FTP Optimization Considerations
Both Active and Passive: Ephemeral port >1023 to FTP control port 21
Active FTP: data channel from server port 20 to client ephemeral port
Passive FTP: data channel from client ephemeral port to server ephemeral port
[Diagram labels: FTP Client; Client-side SteelHead; WAN; Server-side SteelHead; FTP Server]
By default, SteelHead FTP optimization is enabled on all FTP connections
– If you desire to use manual in-path rules, specify destination port 21 on client-side SteelHead appliance
– If you want to pass through FTP, configure pass-through rules on BOTH client-side and server-side SteelHead appliance
SteelHead Mobile – supports only passive FTP
– Note: Mobile client does not support optimization of in-bound connections
Citrix Optimization
Citrix Features Overview
Optimizations of Citrix traffic
– Single-channel Independent Computing Architecture (ICA)
– Multi-Stream and Multi-Port ICA
– ICA over SSL
– Client Drive Mapping
[Diagram labels: Citrix ICA Clients (USERS); Single ICA Channel (Ports 1494/2598); SDR Interactive; SDR RealTime; SDR Default; SDR Bulk; SDR Background; Citrix Servers: Presentation Server, Metaframe Server (DATA CENTER)]
Citrix Multi-Stream ICA
Multi-stream/multi-port ICA Channel
[Diagram labels: Citrix ICA Clients (USERS); SDR – RealTime; SDR – Interactive; SDR – Bulk; SDR – Background; UDP – RTP / Audio; Citrix Servers: Presentation Server, Metaframe Server (DATA CENTER)]
Citrix – ICA Optimization over SSL
To optimize ICA over SSL, a C-SH SSL pre-optimization policy is applied as in-path rule, allowing the chaining of multiple optimization features
– SSL Preoptimization
– Citrix Latency Optimization
– SDR-M Bandwidth Optimization (automatic with Citrix latency optimization)
[Diagram labels: Citrix ICA Clients (USERS); tcp/443; Citrix Access Gateway (CAG) Listening on TCP/443; TCP ICA/1494; TCP CGP/2598; Citrix ICA Servers (DATA CENTER)]
Citrix Client Drive Mapping (CDM)
Enables bandwidth and latency optimization of CDM Traffic
Packet Mode Optimization
In RiOS the packet mode optimization feature can optimize TCP IPv6 and UDP IPv4 traffic only
– With packet mode optimization, SteelHead appliances apply the same SDR and LZ data streamlining techniques to UDP IPv4 or TCP IPv6 packets
RiOS v8.5 or later expands packet mode support to include TCP IPv4 and UDP IPv6 traffic
[Diagram labels: Client; TCP IPv6, or UDP IPv4; 1: Optimization via rule on SteelHead-1; TCP Inner Channel; WAN; 2: Optimization via rule on SteelHead-2; TCP IPv6, or UDP IPv4; Server]
Configuring Packet Mode Optimization
Two steps to configure
– Enable Packet Mode Optimization from either:
• The Management Console, at Optimization > General Service Settings, or
• Via the CLI command packetmode enable
• Note: restart optimization service after enabling packet mode
– Create in-path fixed target rule(s) identifying traffic
Configure Fixed Target rule for UDP
Configure a fixed-target (packet mode optimization) in-path rule on each client-side SteelHead appliance
To optimize UDP traffic in both directions, you must configure a similar in-path rule on the peer SteelHead appliance

Configure Fixed Target rule for TCP IPv6
Configure a fixed-target (packet mode optimization) in-path rule on each client-side SteelHead appliance
To optimize TCP IPv6 traffic in both directions, you must configure a similar in-path rule on the peer SteelHead appliance
UDP Packet Mode Optimization Verification
View Channel Summary
– show packet-mode ip-channels
• shows per-flow ip-channels
• Can have individual filters – filter, sort-by, brief
• source and destination shown are SH IP addresses
View Channel details (hidden)
– show packet-mode srcip * srcport * dstip * dstport *
• shows flows associated with channels (C-SH only)
SSL Optimization
SSL Optimization Work Flow
1. Establish SSL Infrastructure & Trust Relationships
– S-SH must trust Server-provided Certificate
– C-SH & S-SH must enable SSL optimization and trust one another (self-signed or CA-signed certs)
2. Install Server ‘credentials’ on S-SH
– Either Server’s original Cert & Key, or Proxy Cert & Key
– Client must trust S-SH-provided “Server” credentials
3. C-SH in-path rule to allow SSL optimization
[Diagram labels: client; clientSH; serverSH; server; TRUST; TRUST SH-provided “server cert”; TRUST Server-provided server cert]
Riverbed SSL Solution: SSL Sequence Diagram
[Sequence diagram, time running downward. Participants: Client; Client-side SH; Server-side SH; Server. Network segments: LAN; WAN; LAN. Labels: Server Cert & Private Key (k); Inner SSL Connection: kt. Message labels shown: Hello; {Hello}kt; Hello, Certificate, {Secret}k, ks; {Server Certificate}kt; Server Certificate; {Secret}k’; {{Secret}k’}kt; {Session-key:kc}kt; kc; {App. Data}kc; {Optimized App. Data}kt; {App. Data}ks]
SteelHead Appliance SSL Configuration
SSL Optimized Connection Basics
Enable SSL on clientSH and serverSH (off by default)
– Select desired config options / extensions
Allow desired SSL port via clientSH inpath rules
– Port 443 is in the Secure port label, bypassed by default
– Can add inpath rule above Secure pass-through rule
Choose any additional (non-SSL) optimized traffic to encrypt over inner channel
– SSL traffic is always over SSL inner channel
– Can re-encrypt secure apps (SSL, eMAPI, signed CIFS, and others)
– Can encrypt All optimized connections
Path Selection
Path Selection Overview
Classification: Classify Applications
Path Monitoring: Monitor an endpoint
Traffic Steering: Steer Applications to the best suited path
Path Failover: What happens when a path fails?
Must be configured on SHs on both ends
Use SCC for end-to-end configuration
[Diagram labels: Branch; MPLS; Internet/VPN; Data Center]
Path Selection: Traffic Steering
How it works
SteelHead appliance in-path interface
– Traffic switched between in-path interfaces
Next-hop MAC address
– Resolved from configured GW-IP
DSCP marking with upstream PBR
Paths
– Up to three, priority order, alternate paths for matched applications
Path Selection Configuration
On SteelHead UI
Topology (sites, uplinks, networks) already configured
Connect to DC SH
Configure Path Selection Rule
– Application / Application Group
  – Make sure Application exists first
– Destination Site
  – DefaultSite (match unknown)
  – Any (match all)
  – #configuredsites (match known)
– Configure Uplinks
– Decide what to do if all Uplinks are down
  – Relay or Drop
Connect to Branch SH
– Repeat above
Things to keep in mind
For Path Selection to work
[Diagram labels: MPLS, Internet/VPN]
SteelHead appliance must “see” all paths
– Internet and private WAN may terminate in different places
Classification
– IP-Header rules: 5-tuple, DSCP, etc. means classification on first packet
  – Stateful firewall friendly
– App Flow / DPI Rules
  – Delayed Classification: May require multiple data packets
  – Can result in path switching mid-session
Probe will follow routing
– Make sure it can’t go through if path is down
Firewalls and the like
– may block packets, when FW didn’t see SYN
– Use GRE encapsulation (probes are encapsulated, too!)
Consider client default gateway: use VRRP or similar mechanisms
QoS
SteelHead QoS
QoS needs Applications
– Build Application definition as independent objects
  – Custom Application or pre-defined, 1148 recognized
– Use application properties to group applications
  – Use single rule with application group vs. many rules for each application
QoS needs a view on Network Topology
– Sites, Networks, Bandwidth
  – Automatically calculate available end-to-end bandwidth
QoS needs a Profile to enforce
To Do
– Classes to shape and prioritize
– Rules to tell which application goes into which class
Topology and QoS
Networks, Sites and Uplinks
It’s still HFSC class hierarchy, but structured differently
Uplink local site = root class
Uplink sites = 1. level of hierarchy
Uplinks connected to same network = class tree/network
Uplink sites = root class in QoS profile
– 2. level hierarchy in QoS profile
– Enables re-use
One in-/outbound QoS profile per site
– Multiple uplinks
Class boundaries applied as percentage
– No “per uplink QoS” (yet)
QoS – Topology
A word on uplinks
Uplinks define available bandwidth to network(s)
– Needed for QoS Shaping / Prioritization
– To calculate available bandwidth
– Example: DC link: 100Mbps, Sum of sites: 115Mbps, Oversubscribed
– Min.BW calculated automatically
When using the SH UI
Special uplink: Local site “where you’re at”
– Your Point-of-View on QoS
– Defines root bandwidth
Special uplink: Default site
– Catch all (think internet traffic)
– No uplinks configured: default bandwidth = interface bandwidth
– DON’T FORGET to configure uplink(s) for the default site
Different thinking when using SCC for configuration
Configure a QoS Profile
SCC UI
Select source and destination
– Profile gets assigned to sites
  – Any – all configured sites
  – Site Type – collection of sites
  – Site – just one
Configure QoS Profile
– Same as SH WEB UI
RiOS QoS
Things to keep in mind
USE SCC
– Avoid repetitive configuration steps
TCP connections existing before QoS configuration will always go to default class
– RiOS QoS needs to see TCP 3-way HS to be able to classify
– For UDP traffic it needs to see the first packets as well
Configure your custom applications before you configure the profile
– How do you create a rule for a non-existing application?
SCC 200 site limit applies
1 rule in QoS profile counts as 1 rule regardless how many sites profile is assigned to…
– Keeping # of profiles low – keeps total # of rules low
POQ not supported in RiOS 9.0
SteelHead SaaS Overview
SteelHead SaaS
Service optimization
SteelHead SaaS combines:
– Riverbed WAN optimization technology (RiOS)
– Akamai Internet optimization technology (SureRoute) for accelerating SaaS platform performance
Akamai SureRoute provides:
– A transport across the fastest path through multiple servers
– Dynamically adding RiOS instances at points nearest to the SaaS application provider
The Riverbed Cloud Portal provides capabilities to:
– Register or unregister SteelHead SaaS appliances
– Obtain the service status
– Manage SSL certificates
– Manage licenses, and
– Enable optimization for available SaaS applications
“All SaaS” Feature and License Details
Single license provides access to a growing list of multiple SaaS (O365, SFDC, *Box, etc.)
License is bound per-user, where each user translates to:
– 10 connections / 80 kbps per user
– Regardless of the number of different SaaS in use by that user
Control to enable SaaS optimization at
– Enterprise level (on Portal for all registered SteelHeads)
– Branch level (on individual SteelHead)
Same license provides access to new SaaS introduced on an ongoing basis
Continue to support existing O365 and SFDC
SteelHead SaaS Components
Component | Description
SaaS Application | The application delivered as Software as a Service
Akamai Intelligent Platform | Hosts Riverbed SteelHead technology and provides Internet-based optimization for Enterprise SaaS traffic
Akamai SureRoute Optimization | Uses a suite of technologies to provide fast and reliable delivery between the Akamai Edge Servers
Akamai Edge Server | The Akamai Edge Server in the Akamai Intelligent Platform closest to the end user is dynamically and intelligently selected and the one closest to the SaaS application runs a RiOS instance
SteelHead SaaS Components
Component | Description
Data Center SteelHead (DCSH) | A SteelHead in the customer data center close to the customer’s Internet egress point, containing the Akamai Cloud Proxy (ACP) feature.
Enterprise Branch SteelHead (ESH) | A SteelHead in the customer branch office that intercepts any connections destined for the SaaS platform
Akamai Cloud SteelHead (ACSH) | A SteelHead dynamically created and managed in the Akamai network based on SaaS traffic
Riverbed Cloud Portal | Enables the user to manage the SteelHead SaaS services and the branch appliances
SteelHead SaaS Configurations
Deployment Topologies
Two types of deployment
– Direct Branch Internet
– Back-hauled Internet
Riverbed Cloud Portal
Cloud Portal – Service Summary
• Grouping of apps – Service Group
Cloud Portal – SaaS Platforms Page
• New section ‘SaaS Licenses’
• Grouping of apps – Service Group
• Ability to control ON/OFF state for a SaaS application under a ‘Service Group’
• By default any new SaaS added to AllSaaS is in disabled state
• A SaaS disabled on Portal won’t show up on SH
Cloud Portal – SaaS Platform Detail
• Service Group label identifies the group an app belongs to
• Certificates are common for a SaaS (e.g. O365) under different service groups (O365-a-lacarte and AllSaaS)
Cloud Portal Statistics
SteelHead SaaS Management
Monitoring SaaS Applications (CloudSH)
[Diagram: Branch Office SteelHead, Data Center SteelHead, Riverbed Cloud SteelHead, SteelCentral]
SteelFlow WTA data from Client Side SteelHeads
Monitoring SaaS Applications (CloudSH)
[Screenshot: page load time; waterfall chart showing object load times with optimization coverage (in orange); sample entry "riverbed.my.salesforce.com…6640000 000TnGa&ic=1 200" listed as "[salesforce: riverbed] Search Results"]
Named page families provide simple, meaningful names to web transactions/URLs
Quantify end-user experience of your optimized web and SaaS applications
Quickly identify web apps, pages, objects, sites, and users with high response times
Break down HTTP response times into network vs. application delays for specific pages, objects, and applications
Monitoring SaaS Applications (ACSH)
[Diagram: Branch Office SteelHead, Data Center SteelHead, Akamai Cloud SteelHead, SteelCentral]
SteelFlow WTA data from Client Side SteelHeads
Wrap-up
Basic Knowledge
Optimization initialization: Handshake SYN/SYN/ACK validation from the CSH
1. Admission Control validation
2. In-Path Rules validation
In-Path Rules
1. Pass-through
2. Auto-discovery
3. Fixed-target
4. Fixed-Target (Packet Mode Optimization)
5. Discard
6. Deny
Default In-Path Rules
1. Pass through: All-IP:Secure / All-IP:Interactive / All-IP:RBT-Proto
2. Auto Discover: All-IP:*
Peering Rules
1. Auto
2. Accept
3. Pass-through
Basic Knowledge
Auto-Discovery
1. Client sends SYN
2. SYN is marked with 0x4c (76 decimal) in TCP Options Field
3. SYN+ is seen by remote SteelHead
4. Inner channel TCP session is established (port 7800)
5. 3-Way Handshake is completed with Server then Client
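The SYN marking from step 2, as an added example (not Riverbed code): a Python check that walks the TCP options of a raw segment and flags a SYN carrying option kind 0x4c, useful when confirming from a capture whether auto-discovery probes reach a given point in the path. The sample segments, port numbers and option payload bytes are constructed; the page gives only the option kind.

```python
import struct

RVBD_PROBE_KIND = 0x4C  # 76 decimal, the option kind named on the slide

def tcp_options(segment: bytes):
    """Yield (kind, data) for each option in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    header_len = (segment[12] >> 4) * 4          # data offset, in bytes
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    opts, i = segment[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            return
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length

def is_probe_syn(segment: bytes) -> bool:
    """True for a SYN (without ACK) that carries option kind 0x4c."""
    flags = segment[13] if len(segment) > 13 else 0
    syn_only = (flags & 0x12) == 0x02
    try:
        return syn_only and any(k == RVBD_PROBE_KIND for k, _ in tcp_options(segment))
    except ValueError:
        return False                             # malformed header: no match

def build_syn(options: bytes, flags: int = 0x02) -> bytes:
    """Constructed test segment: fixed ports/seq, caller-supplied options."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       offset << 4, flags, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
# Constructed placeholder payload; the real option contents are not on the page.
PROBE = bytes([RVBD_PROBE_KIND, 6]) + b"\xaa\xbb\xcc\xdd"
PLAIN_SYN = build_syn(MSS + b"\x01\x03\x03\x07")   # MSS, NOP, window scale
PROBE_SYN = build_syn(MSS + b"\x01" + PROBE)       # MSS, NOP, kind 0x4c
```

A SYN/ACK with the same option and a header with an invalid option length are both rejected, so the check only matches a well-formed initial SYN.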
Visibility Modes
1. Correct Addressing
2. Port transparency
3. Full transparency
Deployment modes
1. Physical in-path
2. Virtual in-path
3. Server side out-of-path (SSOOP)
Basic Knowledge
Cluster and Redundancy
1. In-path redundancy - SteelHead Master/Backup Failover: Uses an Out-of-Band connection on port 7820 to detect failover
2. In-path clustering: Uses Peering Rules and In-Path Rules to determine the SH Master
3. Connection forwarding: ACK exchange between 2 SHs through a GRE tunnel set up on port 7850 by the In-path Interfaces
4. SegStor Sync: Segment Store synchronized between a SH Master and SH Slave. Synchronization is done over the Aux or Primary interface on port 7744
Interceptor deployment modes
1. Physical In-Path
2. Virtual In-Path
Interceptor - Controlling the traffic
1. Hardware-assist pass-through (HAP) rules
2. In-path Rules
3. Load-balance rules
Thank You