in-path hw-assist rule
Enables the hardware UDP pass-through feature.
Syntax
[no] in-path hw-assist rule [accept | pass-through] [subnet-a <subnet-a>] [subnet-b <subnet-b>] [description "<description>"] | [vlan <vlan>] [rulenum <rule-number>]
Parameters
accept
Accepts traffic for this rule.
pass-through
Passes through traffic for this rule.
subnet-a <subnet-a>
Specifies the IP address of a subnet that, together with Subnet B, can be either the source or the destination of the traffic.
Use the format XXX.XXX.XXX.XXX/XX.
Note: You can specify all or 0.0.0.0/0 as the wildcard for all traffic.
subnet-b <subnet-b>
Specifies the IP address of a subnet that, together with Subnet A, can be either the source or the destination of the traffic.
Use the format XXX.XXX.XXX.XXX/XX.
Note: You can specify all or 0.0.0.0/0 as the wildcard for all traffic.
description "<string>"
Specifies a description of the rule. The string must be enclosed in quotes (").
vlan <vlan>
Specifies the VLAN identification number to set the VLAN tag ID: -1 = all, 1 = untagged, maximum = 4094
•  Specify all to apply the rule to all VLANs.
•  Specify untagged to apply the rule to non-tagged connections.
Note: Pass-through traffic maintains any preexisting VLAN tagging between the LAN and WAN interfaces.
Note: To complete the implementation of VLAN tagging, you must set the VLAN tag IDs for the in-path interfaces that the SteelHead Interceptor uses to communicate with other SteelHead Interceptors.
rulenum <rule-number>
Specifies the rule number before which the pass-through load-balancing rule is inserted.
Usage
This feature functions only on a SteelHead or SteelHead Interceptor equipped with one or more Two-Port SR Multimode Fiber 10 Gigabit-Ethernet PCI-E or Two-Port LR Single Mode Fiber 10 Gigabit-Ethernet PCI-E cards.
Hardware Assist rules can automatically bypass all UDP (User Datagram Protocol) connections. You can also configure rules for bypassing specific TCP (Transmission Control Protocol) connections. Automatically bypassing these connections decreases the workload on the local SteelHeads because the traffic is immediately sent to the kernel of the host machine or out of the other interface before the system receives it.
Note: For a hardware assist rule to be applied to a specific 10G bypass card, the corresponding in-path interface must be enabled and have an IP address.
If the system is not equipped with the necessary card, an error message displays.
To delete a rule, use the no command option as follows:
no in-path hw-assist rule rulenum <rule-number>
Example
amnesiac (config) # in-path hw-assist rule accept subnet-a 10.0.0.1/16 subnet-b 10.0.0.4/16 rulenum 1
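An added example, not part of Riverbed's documentation: a Python pre-check that parses a rule line using the keywords and VLAN range documented above and models the symmetric Subnet A/Subnet B match. The function names are hypothetical, and accepting the keywords in any order is an assumption.

```python
import ipaddress
import shlex

KEYS = ("subnet-a", "subnet-b", "description", "vlan", "rulenum")

def parse_subnet(tok):
    # "all" is the documented wildcard for 0.0.0.0/0; strict=False because the
    # page's own example (10.0.0.1/16) has host bits set.
    return ipaddress.ip_network("0.0.0.0/0" if tok == "all" else tok, strict=False)

def parse_vlan(tok):
    # Documented on the page: -1 = all, 1 = untagged, maximum = 4094.
    vlan = {"all": -1, "untagged": 1}.get(tok)
    vlan = int(tok) if vlan is None else vlan
    if not -1 <= vlan <= 4094:
        raise ValueError(f"vlan {vlan} outside -1..4094")
    return vlan

def parse_rule(line):
    toks = shlex.split(line)  # keeps the quoted description as one token
    if toks[:3] != ["in-path", "hw-assist", "rule"] or toks[3:4] not in (["accept"], ["pass-through"]):
        raise ValueError("not an in-path hw-assist rule")
    rule, args = {"action": toks[3]}, toks[4:]
    if len(args) % 2:
        raise ValueError("keyword without a value")
    for key, val in zip(args[::2], args[1::2]):
        if key not in KEYS:
            raise ValueError(f"unknown keyword {key!r}")
        if key.startswith("subnet-"):
            rule[key] = parse_subnet(val)
        elif key == "vlan":
            rule[key] = parse_vlan(val)
        else:
            rule[key] = int(val) if key == "rulenum" else val
    return rule

def matches(rule, src, dst):
    # Subnet A and Subnet B are interchangeable as source and destination.
    a, b = rule["subnet-a"], rule["subnet-b"]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in a and d in b) or (s in b and d in a)

def findings(rule):
    # Flag a rule whose two subnets reduce to the same network in CIDR terms.
    a, b = rule.get("subnet-a"), rule.get("subnet-b")
    if a is not None and a == b:
        return [f"subnet-a and subnet-b are the same network {a}"]
    return []

EXAMPLE = "in-path hw-assist rule accept subnet-a 10.0.0.1/16 subnet-b 10.0.0.4/16 rulenum 1"
```

Run over the example command above, `findings(parse_rule(EXAMPLE))` reports that both subnets reduce to 10.0.0.0/16 in CIDR arithmetic, so the rule describes traffic within a single /16.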
Product
Interceptor, SteelHead CX, SteelHead EX
Related Commands
show in-path hw-assist rules
Hardware Security Module Commands
A Hardware Security Module (HSM) is a cryptographic device that secures and manages cryptographic keys and offers accelerated cryptographic operations. Appliances that need the private key (for example, servers, load balancers, and WAN optimization appliances such as the SteelHead) communicate with the HSM and retrieve the required certificate and/or session key. The private keys from the HSM are used for proxy certificates in SSL optimization.
The server-side SteelHead and HSM communicate through a Network Trust Link (NTL) connection. NTLs are secure, authenticated network connections between the HSM server and its clients (for example, a server-side SteelHead), which use two-way digital certificate authentication and SSL data encryption. Initial configuration steps are needed to create the two-way certificate trust between the server-side SteelHead and HSM.
The server-side SteelHead must be accessible from the HSM on either the auxiliary or management interfaces. Riverbed recommends that the server-side SteelHead and HSM be on the same LAN because high latency between them will adversely affect the SSL handshake between the SteelHead and the clients.
RiOS supports Luna HSM Client version 5.4.2, which ships preinstalled with RiOS 9.2. SafeNet Network HSM is a product from Gemalto/SafeNet. You need a SafeNet support account to log in to the documentation at:
https://kb.safenet-inc.com/kb/link.jsp?id=DOW3161
The following is the workflow of commands to configure HSM support:
•  How to set up the initial configuration to create the two-way certificates of trust between the server-side SteelHead and HSM:
–  protocol ssl hsm safenet generate-cert
–  protocol ssl hsm safenet export-cert
–  protocol ssl hsm safenet hsm-server import-cert
•  How to configure proxy certificates and private keys (before you run these commands, you need to assign a slot on the HSM dedicated to the server-side SteelHead; see the SafeNet knowledge base documentation for instructions on how to configure the HSM server):
–  protocol ssl hsm server-cert import-cert
–  protocol ssl hsm slot
–  protocol ssl ca cert
–  protocol ssl hsm server-certs flush
•  How to display HSM information:
–  show protocol ssl hsm safenet
–  show protocol ssl hsm server-cert
–  show protocol ssl hsm server-certs