Configuration Mode Commands : SteelHead Configuration Commands : In-Path and Virtual In-Path Support Commands : in-path rule pass-through
  
in-path rule pass-through
Adds a pass-through in-path rule.
Syntax
[no] in-path rule pass-through [srcaddr {<ip-address>| all-ip |all-ipv4 | all-ipv6>}] [srcport <port>] [dstaddr {<ip-address>| all-ip |all-ipv4 | all-ipv6>}] [dstport <port>] [dst-domain <domain-label>] [dst-host <host-label>] [protocol <protocol>] [vlan <vlan-tag-id>] [cloud-accel <mode>] [web-proxy <mode>] [description <description>] [rule-enable {true | false}] [rulenum <rule-number>]
Parameters
srcaddr <ip-address>
Specifies the source subnet IP address and netmask. Use the format XXX.XXX.XXX.XXX/XX for IPv4 and X:X:X::X/XXX for IPv6.
srcaddr all-ip
Specifies all IPv4 and all IPv6 addresses. This is the default.
srcaddr all-ipv4
Specifies all IPv4 addresses.
srcaddr all-ipv6
Specifies all IPv6 addresses.
srcport <port>
Specifies a single port (number), a port label, or all to specify all ports.
dstaddr <ip-address>
Specifies the destination subnet IP address and netmask. Use the format XXX.XXX.XXX.XXX/XX for IPv4 and X:X:X::X/XXX for IPv6.
dstaddr all-ip
Specifies all IPv4 and all IPv6 addresses. This is the default.
dstaddr all-ipv4
Specifies all IPv4 addresses.
dstaddr all-ipv6
Specifies all IPv6 addresses.
dstport <port>
Specifies a single port (number), a port label, or all to specify all ports.
dst-domain <domain-label>
Specifies a destination domain label for this rule. You configure the domain label settings using the domain-label command.
When you add a domain label to an existing in-path rule that is using all-ip, you must change the destination address to all-ipv4. Domain labels are only compatible with IPv4.
Domain labels and cloud acceleration are mutually exclusive. To use cloud acceleration with domain labels, place the domain label rules lower than cloud acceleration rules in your rule list so the cloud rules match before the domain label rules.
We recommend positioning domain label rules as the last in the list, so RiOS matches all previous rules before matching the domain label rule.
We recommend using host labels as the destination IP address for a rule configured with domain labels. The host label limits the connections for the extra processing needed for the domain label check. If you rely on the default rule in the in-path rule set for optimization and would like to incorporate domain-label optimization, see the SteelHead Deployment Guide for best practices.
Enter an empty string, represented by two quotation marks (""), to remove a domain label.
dst-host <host-label>
Specifies a destination host label for this rule. You configure the host label settings using the host-label command.
A destination IP address and host label cannot be specified in the same rule. A host label can be used instead of a destination IP address.
Enter an empty string, represented by two quotation marks (""), to remove a host label.
protocol <protocol>
Specifies the protocol traffic to pass through:
•  tcp - Passes through TCPv4 and TCPv6 traffic.
•  udp -Passes through UDPv4 and UDPv6 traffic.
•  any - Passes through all TCP and UDP traffic.
vlan <vlan-tag-id>
Specifies the VLAN tag ID (if any). The VLAN identification number is a value with a range from 0 to 4094. Specify 0 to mark the link untagged.
cloud-accel <mode>
Specifies a cloud-acceleration action mode for this rule.
After you subscribe to a SaaS platform and enable it, ensure that cloud acceleration is ready and enabled. If cloud acceleration is enabled, then by default, connections to the subscribed SaaS platform will be optimized by the SteelHead SaaS. You do not need to add an in-path rule unless you want to optimize specific users and not others. Then, select one of these modes:
•  auto - If the in-path rule matches, the connection is optimized by the SCA connection.
•  passthru - If the in-path rule matches, the connection is not optimized by the SteelHead SaaS, but it follows the rule’s other parameters so that the connection might be optimized by this SteelHead with other SteelHeads in the network, or it might be passed through.
web-proxy <mode>
Specifies the web proxy optimization mode for this rule:
•  auto - Automatically directs all Internet-bound traffic destined to a public IP address on ports 80 and 443 through the web proxy. This is the default setting. An in-path cloud acceleration rule (cloud_accel <mode> option) for SaaS takes priority over a web proxy auto mode rule when they are configured together. Only IPv4 addressing is supported.
•  force - Forwards any IP address and port matching this rule to the web proxy service. This is a pass-through rule. No address in an SCA server list is web-proxied unless the web-proxy force mode is configured.
•  none - Does not direct traffic matching this rule through the web proxy service.
Web proxy enables a client-side appliance with an autodiscovery or pass-through rule to use a single-ended web proxy to transparently intercept all traffic bound to the Internet. Enabling the web proxy improves performance by providing optimization services such as web object caching and SSL decryption to enable content caching and logging services.
You can use host labels and domain labels to define more granular traffic with the web proxy service.
description <description>
Specifies a description to facilitate communication about network administration.
rule-enable true
Enables the rule.
rule-enable false
Disables the rule.
rulenum <rule-number>
Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For example, if you specify rulenum as 3, the new rule will be 3, the old rule 3 will become 4, and subsequent rules will also move down the list.
Specify start for the rule to be the first rule and end for the rule to be the last rule.
If you do not specify a rule number, the rule is added to the end of the list.
Usage
The SteelHead automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all) and optimizes according to default settings.
Specify pass-through rules for traffic that you want to pass through to its destination without optimization by the Riverbed system.
This pass-through rule allows the SYN packet to pass through the SteelHead unoptimized. No optimization is performed on the TCP connection initiated by this SYN packet. You define pass-through rules to exclude subnets from optimization. Traffic is also passed through when the SteelHead is in bypass mode. (Pass through of traffic might occur because of in-path rules or because the connection was established before the SteelHead was put in place or before the SteelHead service was enabled.)
Web proxy is a client-side feature and is controlled and managed from a SteelCentral Controller for SteelHead (SCC). You can configure the in-path rule on the client-side SteelHead running the web proxy or on the SCC. You must also enable the web proxy globally on the SCC, add domains to the global HTTPs whitelist, and create any exceptions to the whitelist. For details, see the SteelCentral Controller for SteelHead User’s Guide.
 
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rule-number>
Example
amnesiac (config) # in-path rule pass-through srcaddr 10.10.10.1 rulenum 25
Product
Interceptor, SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
domain-label, in-path rule edit pass-through, show in-path, show in-path rules