Configuring Interceptor-to-Interceptor communication

• Failover Interceptors are pairs of serially connected SteelHead Interceptors. You deploy two SteelHead Interceptors physically in-path on all of the same physical links, and each appliance is configured to act as a backup for the other appliance for the same network links. If one appliance goes down or needs maintenance, the other appliance handles redirections for the connections over those links.

Even if an appliance is deployed as a single SteelHead Interceptor that does not communicate with other SteelHead Interceptors, you must select an enabled in-path interface for Interceptor-to-Interceptor communication. If you do not enable the Communicate with Interceptor using this interface option and then choose the Interface drop-down list item that specifies an enabled in-path interface, the Interceptor service fails to start.

Parallel deployment in asymmetric networks

When you configure these SteelHead Interceptors as a cluster, an appliance checks for related packets before forwarding the connection. The first appliance to send the request becomes the one that consolidates all packets for the connection and the only one to forward the connection, thereby eliminating the asymmetric route. The configuration steps are described in Configuring Interceptor-to-Interceptor communication.

Serial deployment to provide failover support

A quad deployment offers the highest availability. Each inline SteelHead Interceptor serves as a failover Interceptor for the other. Both inline SteelHead Interceptors serve to forward connections for the parallel SteelHead Interceptors. Connect the LAN in-path interface of the WAN-side SteelHead Interceptor using a crossover cable to the WAN in-path interface of the LAN-side SteelHead Interceptor, as shown in Figure: Quad deployment to provide failover support.

Quad deployment to provide failover support

SteelHead Interceptors page (standard mode)

SteelHead Interceptors page (VLAN segregation mode)

If this appliance is configured to communicate with another SteelHead Interceptor in parallel, select this option if you want to enable the allow failure feature on this appliance. The allow failure feature causes the appliance to continue to optimize new connections if connection to the cluster SteelHead Interceptor is lost. By default, the allow failure option is disabled, which means that the appliance stops attempting to optimize new connections if connection to the cluster SteelHead Interceptor is lost.

To enable the allow failure feature, you must select the allow failure option on all SteelHead Interceptors on the parallel links, and you must select the allow failure option on all SteelHeads that point to these SteelHead Interceptors. Use the allow failure feature when you can guarantee that the traffic will be rerouted across SteelHead Interceptors that are available to process traffic. To make this guarantee, enable the fail-to-block failure condition. For more information about this failure condition, see Configuring in-path interfaces.

If this appliance is not to communicate with other SteelHead Interceptors on multiple interfaces, you must select one enabled in-path interface for Interceptor-to-Interceptor communication. This requirement applies whether the appliance is deployed as a failover or cluster Interceptor, or if the appliance is deployed is a single SteelHead Interceptor that does not communicate with other SteelHead Interceptors.

When the SteelHead Interceptor is running in VLAN segregation mode, the radio buttons labeled Use Multiple Interfaces to Communicate with Interceptors and Communicate with Interceptors Using This Interface and the drop-down list for selecting the in-path interface do not appear in the Interceptors page. This is because, by definition, VLAN segregation mode requires the use of multiple interfaces. These are configured on the Networking > VLAN Interfaces page of the instance dashboard. See Adding or removing a VLAN tag to an instance for more information.

Control	Description
Add a New SteelHead Interceptor	Displays the controls for adding a local SteelHead Interceptor to the Interceptor communication list on the current configuration. If you are configuring a failover Interceptor, add the other failover Interceptor. If you are configuring a cluster Interceptor, add all of the other SteelHead Interceptors in that cluster.
Name	Specify a name for the local SteelHead Interceptor that you are adding.
Main Address	Specify the IP address of the local SteelHead Interceptor’s in-path interface that is configured to be used for Interceptor-to-Interceptor communication. For IPv4 addresses, use this format: x.x.x.x For IPv6 addresses, use this format: x:x:x::x/xxx If IPv6 connection forwarding is enabled, you can enter IPv6 addresses only.
Additional Addresses	If you are adding a SteelHead Interceptor on which multiple interface connection forwarding is enabled, specify additional network addresses for that SteelHead Interceptor. For IPv4 addresses, use this format: x.x.x.x For IPv6 addresses, use this format: x:x:x::x/xxx We recommend that you specify the IP addresses of all enabled in-path interfaces on that appliance. If IPv6 connection forwarding is enabled, you can enter IPv6 addresses only.
Use For Failover	If you are adding a SteelHead Interceptor that is in a series with the appliance you are configuring, select this option if the SteelHead Interceptor you are adding is to be the failover appliance for the appliance you are configuring. For details, see Serial deployments and Quad deployments.
Add	Adds the settings to the running configuration.
Remove Selected SteelHead Interceptors	To remove a SteelHead Interceptor from the list, select the check box next to the name and click Remove Selected Interceptors. If you remove a SteelHead Interceptor from this list, make sure that you also remove this appliance from the other SteelHead Interceptors in the set.