Configuring in-path interfaces

Modifying Host and Network Integration Settings : Configuring in-path interfaces

Configuring in-path interfaces

You can configure in-path interfaces in the In-Path Interfaces page.

Unique IP addresses for in-path interfaces

IP addresses assigned to in-path interfaces (such as inpath0_0) or VLAN in-path interfaces (such as inpath0_0.1) must be unique across the configuration mode in use (standard mode or VLAN segregation mode).

If you need to reuse an IP address assigned to an in-path interface for use on a VLAN in-path interface, you need to remove the IP address from the in-path interface. To remove the IP address from the in-path interface, use the CLI. Using the Management Console to remove or edit the IP address has these constraints based on mode:

• In VLAN segregation mode, you cannot edit the in-path interface or delete the IP address of a VLAN interface.

• In standard mode, you cannot delete the IP address of the in-path interface.

Configuring in-path interfaces in standard mode

You can view and modify settings for the appliance in-path interfaces in the In-Path Interfaces page.

You configure in-path interfaces for deployments where the SteelHead Interceptor is in the direct path between the client and the server in your network.

You must select an enabled in-path interface for Interceptor-to-Interceptor communication. This requirement applies whether the appliance is deployed as a failover Interceptor or a cluster Interceptor, or if the appliance is deployed as a single SteelHead Interceptor that does not communicate with other SteelHead Interceptors. For more information, see About Interceptor-to-Interceptor communication.

To modify in-path interfaces in standard mode

1. Choose Networking > Networking: In-Path Interfaces to display the In-Path Interfaces page.

In-Path Interfaces page

2. To enable link state propagation (LSP), under In-Path Settings, select the Enable Link State Propagation check box.

With LSP enabled, if the LAN interface drops the link, the WAN also drops the link. LSP is enabled by default. If you require a SteelHead Interceptor to bypass traffic (fail-to-wire) when the LAN or WAN ports become disconnected, enable this feature. This feature is similar to what ISPs do to follow the state of a link.

3. Under In-Path Interface Settings, select the interface name to enable it and complete the configuration as described in this table.

Control	Description
Enable <in-path interface> interface	Select the check box to enable the interface.
Assign IPv4	Select this check box to assign an IPv4 address. To remove an IPv4 address, clear the check box and click Apply.
IPv4 Address	Specify an IP address. This IP address is the in-path main interface.
IPv4 Subnet Mask	Specify the subnet mask.
IPv4 Gateway	Specify the IP address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. If there is a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
Assign IPv6	Select this check box to assign an IPv6 address. IPv6 addresses are disabled by default. You can only assign one IPv6 address per in-path interface. To remove an IPv6 address, clear the check box and click Apply. The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces can’t share the same network subnet.
IPv6 Address	Specify a global or site-local IPv6 address. This IP address is the in-path main interface. You can’t use a DHCP server to assign an IPv6 address automatically.
IPv6 Prefix	Specify the prefix. The prefix length is 0 to 128 bits, separated from the address by a forward slash (/). In this example, 60 is the prefix: 2001:38dc:52::e9a4:c5:6282/60
IPv6 Gateway	Specify the IPv6 address for the in-path gateway. You can use a link local address. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. If there’s a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
Disable load balancing	Select this option to disable load balancing on this interface. This option shuts down the interface, essentially putting it into bypass mode. In this mode, all traffic on that interface will be pass-through; there will be no load balancing or optimization. This option allows you to intentionally put specific interfaces into bypass without needing to shut down the Interceptor.
LAN Speed and Duplex WAN Speed and Duplex	Specify these settings for the LAN and WAN ports: • Speed—Select a speed from the drop-down list. The default value is Auto. • Duplex—Select a choice from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. To avoid speed and duplex mismatches, see Avoiding speed and duplex mismatches.
MTU	Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is 1500.
VLAN Tag ID	Specify a numeric VLAN Tag ID. When you specify the VLAN Tag ID for the maintenance intermediate point (MIP) interface, all packets originating from the SteelHead Interceptor are tagged with that identification number. Specify the VLAN tag that the appliance uses to communicate with other SteelHead Interceptors in your network. The VLAN Tag ID might be the same value or a different value than the VLAN tag used on the client. A zero (0) value specifies nontagged (or native VLAN) and is the correct setting if there are no VLANs present. For example, if the in-path interface is 192.168.1.1 in VLAN 200, you would specify tag 200. When the SteelHead Interceptor communicates with a client or a server, it uses the same VLAN tag as the client or the server. If the SteelHead Interceptor cannot determine which VLAN the client or server is in, it uses its own VLAN until it is able to determine that information. You must also define in-path rules to apply to your VLANs.
Failure Condition	Select the failure condition from the drop-down list: • Block—Enables fail-to-block mode. A failed SteelHead Interceptor blocks any network traffic on its path, as opposed to passing it through. • Bypass—Enables fail-to-wire mode. A failed SteelHead Interceptor passes through network traffic. The default value is Bypass. The SteelHead Interceptor supports the same concepts of fail-to-block and fail-to-wire as the SteelHead. In physical in-path deployments, the SteelHead Interceptor LAN and WAN ports that traffic flows through are internally connected by circuitry that can take special action in the event of a disk failure, a software crash, a runaway software process, or even loss of power to the SteelHead Interceptor. If a serious failure occurs on the SteelHead Interceptor, the appliance either passes traffic through (for fail-to-wire mode) or prevents traffic from passing (for fail-to-block mode). In a parallel configuration, fail-to-block mode should be enabled to force all traffic through a cluster SteelHead Interceptor, thereby enabling optimization to continue. In a serial, quad, or octal configuration, fail-to-wire mode should be enabled to pass all traffic through to the cluster or failover SteelHead Interceptor, thereby enabling optimization to continue.
Apply	Click to apply your changes to the running configuration. After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file, or save it as a file. For details about saving configurations, see Managing configuration files.

4. Under IPv4 Routing Table, you can configure routes with IPv4 addresses as described in this table.

Control	Description
Add a New Route	Displays the controls to add a new route.
Destination IP Address	Specify the destination IPv4 address for the out-of-path appliance or network management device.
Subnet Mask	Specify the IPv4 subnet mask.
Gateway IP Address	Specify the IPv4 address for the gateway.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

5. Under IPv6 Routing Table, you can configure routes with IPv6 addresses as described in this table.

Control	Description
Add a New Route	Displays the controls to add a new route.
Destination IPv6 Address	Specify the destination IPv6 address for the out-of-path appliance or network management device.
IPv6 Prefix	Specify the prefix.
Gateway IPv6 Address	Specify the IPv6 address for the gateway.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

6. Click Save to save your changes permanently.

Configuring in-path interfaces in VLAN segregation mode

When a SteelHead Interceptor is in VLAN segregation mode, in-path interfaces have both global settings and instance-specific settings. Global settings apply to all the in-path interfaces on the SteelHead Interceptor, and instance-specific settings apply only to a single instance.

• Global settings include whether link state propagation is enabled, whether the in-path interface is active or in bypass mode, LAN speed and WAN speed, and the failure condition (that is, whether a failed SteelHead Interceptor passes through network traffic or blocks it).

• Instance-specific settings include IP addresses, the MTU value, and routing table settings.

MTU is also a global setting. If you change the MTU value of a VLAN in-path interface, the system propagates the value to the in-path interface and to the physical LAN/WAN interfaces. The system calculates the MTU from the maximum MTU of all the VLAN in-path interfaces (inpathx_y.v) for that in-path interface (inpathx_y).

The VLAN Segregation feature on SteelHead Interceptor is supported only for IPv4 addressing and not supported for IPv6 addressing. VLAN Segregation will not work for IPv6.

To modify in-path interfaces in VLAN segregation mode

1. Choose Networking > Networking: In-Path Interfaces.

The In-Path Interfaces page appears.

In-Path Interfaces page in VLAN segregation mode

2. Enable Link State Propagation. Under In-Path Settings, select the Enable Link State Propagation check box.

With LSP enabled, if the LAN interface drops the link, the WAN also drops the link. LSP is enabled by default.

If you need a SteelHead Interceptor to fail-to-wire (bypass) when the LAN or WAN ports become disconnected, enable this feature. This feature is similar to what ISPs do to follow the state of a link.

3. Under In-Path Interface Settings, select the interface name and complete the configuration as described in this table.

Control	Description
Enable Bypass	Select this option to enable bypass on this interface. By enabling bypass, you disable load balancing on this interface.
LAN Speed and Duplex WAN Speed and Duplex	Specify these settings for the LAN and WAN ports: • Speed—Select a speed from the drop-down list. The default value is Auto. • Duplex—Select a choice from the drop-down list. The default value is Auto. If your network routers or switches don’t automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. To avoid speed and duplex mismatches, see Avoiding speed and duplex mismatches.
Failure Condition	Select the failure condition from the drop-down list: • Bypass—Enables fail-to-wire mode. A failed SteelHead Interceptor passes through network traffic. • Block—Enables fail-to-block mode. A failed SteelHead Interceptor blocks any network traffic on its path, as opposed to passing it through. The default value is Bypass. The SteelHead Interceptor supports the same concepts of fail-to-block and fail-to-wire as the SteelHead. In physical in-path deployments, the SteelHead Interceptor LAN and WAN ports that traffic flows through are internally connected by circuitry that can take special action in the event of a disk failure, a software crash, a runaway software process, or even loss of power to the SteelHead Interceptor. If a serious failure occurs on the SteelHead Interceptor, the appliance either passes traffic through (for fail-to-wire mode) or prevents traffic from passing (for fail-to-block mode). In a parallel configuration, fail-to-block mode should be enabled to force all traffic through a cluster SteelHead Interceptor, thereby enabling optimization to continue. In a serial, quad, or octal configuration, fail-to-wire mode should be enabled to pass all traffic through to the cluster or failover SteelHead Interceptor, thereby enabling optimization to continue.

4. Click Apply to apply your changes to the running configuration.

5. Click Save to save your settings permanently.

To modify the instance-specific configuration settings

1. Click the instance name in the instance dashboard page, or choose Networking > Networking: VLAN Segregation, and click Configure in the row for the desired instance to go to the instance dashboard.

2. On the instance dashboard, click VLAN Interfaces in the Networking section to display the VLAN Interfaces page.

3. Under VLAN Interfaces, click the VLAN tag you want to view.

4. Click the in-path interface you want to configure.

The in-path interface is identified by the slot and interface number and appended with the VLAN ID.

VLAN Interfaces page

5. Under In-path Interface Settings, select the interface name and complete the configuration as described in this table.

Control	Description
Enable for Load Balancing	Select this option to enable load balancing on this interface. Conversely, if this check box is selected, clear it to disable load balancing on this interface. If selected, specify these settings: • IPv4 Address—Specify an IPv4 address. This IPv4 address is the in-path main interface. • IPv4 Subnet Mask—Specify the IPv4 subnet mask. • IPv4 Gateway—Specify the IPv4 address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. • Enable IPv6—Select this option to enable specifying IPv6 addresses. – IPv6 Address—Specify an IPv6 address. Use this format: eight16‑bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You do not need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282 – IPv6 Prefix—Specify the IPv6 prefix. Use this format: a number from 0 to 128, separated from the IPv6 address by a forward slash (/). In this example, 60 is the prefix: 2001:38dc:52::e9a4:c5:6282/60 – IPv6 Gateway—Specify the IPv6 address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. • MTU—Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is 1500. If you change the MTU value of a VLAN in-path interface, the system propagates the value to the in-path interface and to the physical LAN/WAN interfaces. The system calculates the MTU from the maximum MTU of all the VLAN in-path interfaces (inpathx_y.v) for that in-path interface (inpathx_y). If there is a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
Apply	Click to apply your changes to the running configuration.

6. Under IPv4 Routing Table, you can configure routes with IPv4 addresses as described in this table.

Control	Description
Add a New Route	Displays the controls to add a new route.
Destination IP Address	Specify the destination IPv4 address for the out-of-path appliance or network management device.
Subnet Mask	Specify the IPv4 subnet mask.
Gateway IP Address	Specify the IPv4 address for the gateway.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

7. Under IPv6 Routing Table, you can configure routes with IPv6 addresses as described in this table.

Control	Description
Add a New Route	Displays the controls to add a new route.
Destination IPv6 Address	Specify the destination IPv6 address for the out-of-path appliance or network management device.
IPv6 Prefix	Specify the prefix.
Gateway IPv6 Address	Specify the IPv6 address for the gateway.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

8. Click Save to save your changes permanently.

Avoiding speed and duplex mismatches

Speed and duplex mismatches can easily occur in a network. For example, if one end of the link is set at half-duplex or full-duplex mode and the other end of the link is configured to autonegotiate (auto), the link defaults to half-duplex, regardless of the duplex setting on the nonautonegotiated end. This duplex mismatch passes traffic, but it causes interface errors and results in degraded optimization.

These guidelines can help you avoid speed and duplex mismatches when configuring the SteelHead Interceptor:

• Routers are often configured with fixed speed and duplex settings. Check your router configuration and set it to match the Interceptor WAN and LAN settings. Ensure that your switch has the correct setting.

• After you finish configuring the SteelHead Interceptor, check for speed and duplex error messages (such as cyclic redundancy checks [CRCs] or frame errors) in the System Log page of the Management Console.

• If there is a serious problem with the Interceptor and it goes into bypass mode (that is, it automatically continues to pass traffic through your network), a speed and duplex mismatch might occur when you reboot the Interceptor. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.