Modifying Host and Network Integration Settings

This section describes how to modify host and network integration settings. It includes the following tasks:

Note: This chapter assumes that you have installed and performed the initial configuration of the SteelHead Interceptor. For details, see the SteelHead Interceptor Installation Guide.

Configuring Host Settings

You can view and modify general host settings in the Host Settings page.

When you initially run the installation wizard, you set required network host settings for the SteelHead Interceptor. You can configure or modify the following settings:

• Name - Modify the hostname only if your deployment requires it.

• DNS Settings - Riverbed recommends that you use DNS resolution.

• Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can add hosts to the system.

• Web/FTP Proxy - Configure proxy addresses for web or FTP proxy access to the SteelHead Interceptor.

To view general host settings

• Choose Networking > Networking: Host Settings to display the Host Settings page.

Figure: Host Settings Page

To change the hostname

1. Choose Networking > Networking: Host Settings to display the Host Settings page.

2. Under Name, modify the hostname, if necessary.

3. Click Apply to apply the settings to the current configuration.

4. Click Save to save your settings permanently.

To specify DNS settings

1. Choose Networking > Networking: Host Settings to display the Host Settings page.

Figure: Host Settings Page

2. Under DNS Settings, complete the configuration as described in this table.

Control	Description
Primary DNS Server	Specify the IP address for the primary name server.
Secondary DNS Server	Optionally, specify the IP address for the secondary name server.
Tertiary DNS Server	Optionally, specify the IP address for the tertiary name server.
DNS Domain List	Specify an ordered list of domain names. If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system.

3. Click Apply to apply the settings to the current configuration.

4. Click Save to save your settings permanently.

To add a new host

1. Choose Networking > Networking: Host Settings to display the Host Settings page.

Figure: Host Settings

2. Under Hosts, complete the configuration as described in this table.

Control	Description
Add a New Host	Displays the controls for adding a new host.
IP Address	Specify the IP address for the host.
Hostname	Specify a hostname.
Add	Adds the host.
Remove Selected	Select the check box next to the name, and then click Remove Selected.

3. Click Apply to apply the settings to the current configuration.

4. Click Save to save your settings permanently.

To add a web/FTP proxy

1. Choose Networking > Networking: Host Settings to display the Host Settings page.

2. Under Configure How this Appliance Connects to the Network, complete the configuration as described in this table.

Control	Description
Enable Web Proxy	Select the check box to enable the web proxy.
Web/FTP Proxy	Specify the IP address for the web/FTP proxy.
Port	Specify the port for the web/FTP proxy.
Enable Authentication	Optionally, select this feature to enable authentication. Specify the following authenticate the users: • User Name - Specify a username. • Password - Specify a password. • Authentication Type- Select an authentication method from the drop-down list: – Basic - Authenticates user credentials by requesting a valid username and password. This is the default setting. – NTLM - Authenticates user credentials based on an authentication challenge and response – Digest - Provides the same functionality as basic authentication; however, digest authentication improves security because the system sends the user credentials across the network as a Message Digest 5 (MD5) hash.

3. Click Apply to apply the settings to the current configuration.

4. Click Save to save your settings permanently.

Configuring the Base Interfaces

You can view and modify settings for the primary and auxiliary interfaces in the Base Interfaces page.

On the appliance, the primary interface is the port you connect to the LAN switch. The primary interface is the appliance management interface. You connect to the primary interface to use the web browser or the CLI.

To configure base interface settings

1. Choose Networking > Networking: Base Interfaces to display the Base Interfaces page.

Figure: Base Interfaces Page

2. Under Primary Interface, complete the configuration as described in this table.

Control	Description
Enable Primary Interface	Select the check box to enable the primary interface.
Obtain IPv4 Address Automatically	Select this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it. Optionally, select Enable IPv4 Dynamic DNS to include the appliance hostname with the DHCP request. Note: The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces cannot share the same network subnet.
Specify IPv4 Address Manually	Select this option if you do not use a DHCP server to set the IP address. Specify the following settings: • IPv4 Address - Specify an IP address. • IPv4 Subnet Mask - Specify a subnet mask. • Default IPv4 Gateway - Specify the primary gateway IP address. The primary gateway must be in the same network as the primary interface. You must set the primary gateway for in-path configurations.
Specify IPv6 Address Manually	Select this option and specify the following settings to set an IPv6 address: • IPv6 Auto-Assigned - Displays the link-local address that is automatically generated when IPv6 is enabled on the base interfaces. • IPv6 Address - Specify an IP address using the following format: eight 16-bit hexadecimal strings separated by colons, 128-bits. For example: 2001:38dc:0052:0000:0000:e9a4:00c5:6282 You do not need to include leading zeros. For example: 2001:38dc:52:0:0:e9a4:c5:6282 You can replace consecutive zero strings with double colons (::). For example: 2001:38dc:52::e9a4:c5:6282 • IPv6 Prefix - Specify a prefix. The prefix length is 0 to 128, separated from the address by a forward slash (/). In the following example, 60 is the prefix: 2001:38dc:52::e9a4:c5:6282/60 • IPv6 Gateway - Specify the default gateway IP address. The gateway must be in the same network as the primary interface. Note: You cannot set an IPv6 address dynamically using a DHCP server.
Speed	Select a speed from the drop-down list. The default value is Auto.
Duplex	Select a choice from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. If they do not match, you might have a large number of errors on the interface when it is in bypass mode, because the switch and the router are not set with the same duplex settings.
MTU (Bytes)	Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

3. Under Auxiliary Interface, complete the configuration as described in this table.

Control	Description
Enable Aux Interface	Enables an auxiliary interface.
Obtain IPv4 Address Automatically	Select this option to set the appliance to automatically obtain the IP address. Optionally, select Enable IPv4 Dynamic DNS to include the appliance hostname with the DHCP request. Caution: The primary and auxiliary interfaces cannot share the same network subnet. The auxiliary and in-path interfaces cannot share the same subnet. You cannot use the auxiliary port for out-of-path SteelHead Interceptors.
Specify IPv4 Address Manually	Specify the following settings: • IPv4 Address - Specify an IP address. • IPv4 Subnet Mask - Specify a subnet mask. Select this option if you do not use a DHCP server to set the IP address.
Specify IPv6 Address Manually	Specify the following settings: • IPv6 Auto-Assigned - Specify an automatic IP address. • IPv6 Address - Specify an IP address. • IPv6 Prefix - Specify a prefix.
Speed	Select the speed from the drop-down list. The default value is Auto.
Duplex	Select a choice from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.
MTU (Bytes)	Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

4. Click Apply to apply the settings to the current configuration.

5. Click Save to save your changes permanently.

6. Under Main IPv4 Routing Table, you can configure a static routing for out-of-path deployments or if your device management network requires static routes, as described in this table.

Control	Description
Add a New Route	Displays the controls for adding a new route.
Destination IPv4 Address	Specify the destination IPv4 address for the out-of-path appliance or network management device.
IPv4 Subnet Mask	Specify the IPv4 subnet mask.
Gateway IPv4 Address	Specify the IPv4 address for the gateway.
Interface	Select the interface for routing from the drop-down list.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

7. Under Main IPv6 Routing Table, you can configure a static routing for out-of-path deployments or if your device management network requires static routes, as described in this table.

Control	Description
Add a New Route	Displays the controls for adding a new route.
Destination IPv6 Address	Specify the destination IPv6 address for the out-of-path appliance or network management device.
IPv6 Prefix	Specify the prefix.
Gateway IPv6 Address	Specify the IPv6 address for the gateway.
Interface	Select the interface for routing from the drop-down list.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

8. Click Save to save your changes permanently.

Configuring In-Path Interfaces

You can configure in-path interfaces in the In-Path Interfaces page.

This section includes the following topics:

• Configuring In-Path Interfaces in Standard Mode

• Configuring In-Path Interfaces in VLAN Segregation Mode

Unique IP Addresses for In-Path Interfaces

IP addresses assigned to in-path interfaces (such as inpath0_0) or VLAN in-path interfaces (such as inpath0_0.1) must be unique across the configuration mode in use (standard mode or VLAN segregation mode).

If you need to reuse an IP address assigned to an in-path interface for use on a VLAN in-path interface, you need to remove the IP address from the in-path interface. To remove the IP address from the in-path interface, use the CLI. Using the Management Console to remove or edit the IP address has the following constraints based on mode:

• In VLAN segregation mode, you cannot edit the in-path interface or delete the IP address of a VLAN interface.

• In standard mode, you cannot delete the IP address of the in-path interface.

Configuring In-Path Interfaces in Standard Mode

You can view and modify settings for the appliance in-path interfaces in the In-Path Interfaces page.

You configure in-path interfaces for deployments where the SteelHead Interceptor is in the direct path between the client and the server in your network.

Note: You must select an enabled in-path interface for Interceptor-to-Interceptor communication. This requirement applies whether the appliance is deployed as a failover Interceptor or a cluster Interceptor, or if the appliance is deployed as a single SteelHead Interceptor that does not communicate with other SteelHead Interceptors. For more information, see Configuring Interceptor-to-Interceptor Communication.

To modify in-path interfaces in standard mode

1. Choose Networking > Networking: In-Path Interfaces to display the In-Path Interfaces page.

Figure: In-Path Interfaces Page

2. To enable link state propagation (LSP), under In-Path Settings, select the Enable Link State Propagation check box.

With LSP enabled, if the LAN interface drops the link, the WAN also drops the link. LSP is enabled by default. If you require a SteelHead Interceptor to bypass traffic (fail-to-wire) when the LAN or WAN ports become disconnected, enable this feature. This feature is similar to what ISPs do to follow the state of a link.

3. Under In-Path Interface Settings, select the interface name and complete the configuration as described in this table.

Control	Description
IPv4 Address	Specify an IP address. This IP address is the in-path main interface.
IPv4 Subnet Mask	Specify the subnet mask.
IPv4 Gateway	Specify the IP address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. Note: If there is a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
Enable Bypass	Select this option to enable bypass on this interface. Caution: By enabling bypass, you disable load balancing on this interface.
LAN Speed and Duplex WAN Speed and Duplex	Specify the following settings for the LAN and WAN ports: • Speed - Select a speed from the drop-down list. The default value is Auto. • Duplex - Select a choice from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. To avoid speed and duplex mismatches, see Avoiding Speed and Duplex Mismatches.
MTU (Bytes)	Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is 1500.
VLAN Tag ID	Specify a numeric VLAN Tag ID. When you specify the VLAN Tag ID for the MIP interface, all packets originating from the SteelHead Interceptor are tagged with that identification number. Specify the VLAN tag that the appliance uses to communicate with other SteelHead Interceptors in your network. The VLAN Tag ID might be the same value or a different value than the VLAN tag used on the client. A zero (0) value specifies nontagged (or native VLAN) and is the correct setting if there are no VLANs present. For example, if the in-path interface is 192.168.1.1 in VLAN 200, you would specify tag 200. Note: When the SteelHead Interceptor communicates with a client or a server, it uses the same VLAN tag as the client or the server. If the SteelHead Interceptor cannot determine which VLAN the client or server is in, it uses its own VLAN until it is able to determine that information. You must also define in-path rules to apply to your VLANs.
Failure Condition	Select the failure condition from the drop-down list: • Block - Enables fail-to-block mode. A failed SteelHead Interceptor blocks any network traffic on its path, as opposed to passing it through. • Bypass - Enables fail-to-wire mode. A failed SteelHead Interceptor passes through network traffic. The default value is Bypass. The SteelHead Interceptor supports the same concepts of fail-to-block and fail-to-wire as the SteelHead. In physical in-path deployments, the SteelHead Interceptor LAN and WAN ports that traffic flows through are internally connected by circuitry that can take special action in the event of a disk failure, a software crash, a runaway software process, or even loss of power to the SteelHead Interceptor. If a serious failure occurs on the SteelHead Interceptor, the appliance either passes traffic through (for fail-to-wire mode) or prevents traffic from passing (for fail-to-block mode). Note: In a parallel configuration, fail-to-block mode should be enabled to force all traffic through a cluster SteelHead Interceptor, thereby enabling optimization to continue. Note: In a serial, quad, or octal configuration, fail-to-wire mode should be enabled to pass all traffic through to the cluster or failover SteelHead Interceptor, thereby enabling optimization to continue.
Apply	Click to apply your changes to the running configuration. After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file, or save it as a file. For details about saving configurations, see Managing Configuration Files.

4. Under Routing Table, you can configure a static routing table for in-path interfaces.

5. Add routes to or remove routes from the list, as described in this table.

Control	Description
Add a New Route	Displays the controls to add a route.
Destination IP Address	Specify the destination IP address.
Subnet Mask	Specify the subnet mask.
Gateway IP Address	Specify the IP address for the gateway. The gateway must be in the same network as the in-path interface.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

6. Click Save to save your settings permanently.

Configuring In-Path Interfaces in VLAN Segregation Mode

When a SteelHead Interceptor is in VLAN segregation mode, in-path interfaces have both global settings and instance-specific settings. Global settings apply to all the in-path interfaces on the SteelHead Interceptor, and instance-specific settings apply only to a single instance.

• Global settings include whether link state propagation is enabled, whether the in-path interface is active or in bypass mode, LAN speed and WAN speed, and the failure condition (that is, whether a failed SteelHead Interceptor passes through network traffic or blocks it).

• Instance specific settings include IP addresses, the MTU value, and routing table settings.

Note: MTU is also a global setting. If you change the MTU value of a VLAN in-path interface, the system propagates the value to the in-path interface and to the physical LAN/WAN interfaces. The system calculates the MTU from the maximum MTU of all the VLAN in-path interfaces (inpathx_y.v) for that in-path interface (inpathx_y).

To modify in-path interfaces in VLAN segregation mode

1. Choose Networking > Networking: In-Path Interfaces to display the In-Path Interfaces page.

Figure: In-Path Interfaces Page in VLAN Segregation Mode

2. To enable Link State Propagation, under In-Path Settings, select the Enable Link State Propagation check box.

Enables link state propagation (LSP). With LSP enabled, if the LAN interface drops the link, the WAN also drops the link. LSP is enabled by default.

If you need a SteelHead Interceptor to fail-to-wire (bypass) when the LAN or WAN ports become disconnected, enable this feature. This feature is similar to what ISPs do to follow the state of a link.

3. Under In-Path Interface Settings, select the interface name and complete the configuration as described in this table.

Control	Description
Enable Bypass	Select this option to enable bypass on this interface. Caution: By enabling bypass, you disable load balancing on this interface.
LAN Speed and Duplex WAN Speed and Duplex	Specify the following settings for the LAN and WAN ports: • Speed - Select a speed from the drop-down list. The default value is Auto. • Duplex - Select a choice from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. To avoid speed and duplex mismatches, see Avoiding Speed and Duplex Mismatches.
Failure Condition	Select the failure condition from the drop-down list: • Bypass - Enables fail-to-wire mode. A failed SteelHead Interceptor passes through network traffic. • Block - Enables fail-to-block mode. A failed SteelHead Interceptor blocks any network traffic on its path, as opposed to passing it through. The default value is Bypass. The SteelHead Interceptor supports the same concepts of fail-to-block and fail-to-wire as the SteelHead. In physical in-path deployments, the SteelHead Interceptor LAN and WAN ports that traffic flows through are internally connected by circuitry that can take special action in the event of a disk failure, a software crash, a runaway software process, or even loss of power to the SteelHead Interceptor. If a serious failure occurs on the SteelHead Interceptor, the appliance either passes traffic through (for fail-to-wire mode) or prevents traffic from passing (for fail-to-block mode). Note: In a parallel configuration, fail-to-block mode should be enabled to force all traffic through a cluster SteelHead Interceptor, thereby enabling optimization to continue. Note: In a serial, quad, or octal configuration, fail-to-wire mode should be enabled to pass all traffic through to the cluster or failover SteelHead Interceptor, thereby enabling optimization to continue.

4. Click Apply to apply your changes to the running configuration.

5. Click Save to save your settings permanently.

To modify the instance-specific configuration settings for in-path interfaces

1. Click the instance name in the Dashboard page, or choose Networking > Networking: VLAN Segregation, and click Configure in the row for the desired instance to go to the instance dashboard.

2. On the instance configuration navigation bar of the instance dashboard, click VLAN Interfaces in the Networking section to display the In-Path Interfaces page.

3. Under VLAN Interfaces, click the VLAN Tag you want to view.

4. Click the in-path interface you want to configure.

The in-path interface is identified by the slot and interface number and appended with the VLAN ID.

Figure: VLAN Interfaces Page

5. Under In-path Interface Settings, select the interface name and complete the configuration as described in this table.

Control	Description
Enable for Load Balancing	Select this option to enable load balancing on this interface. Conversely, if this check box is selected, clear it to disable load balancing on this interface. If selected, specify the following settings: • IPv4 Address - Specify an IP address. This IP address is the in-path main interface. • IPv4 Subnet Mask - Specify the subnet mask. • IPv4 Gateway - Specify the IP address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. • MTU - Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is 1500. Note: If you change the MTU value of a VLAN in-path interface, the system propagates the value to the in-path interface and to the physical LAN/WAN interfaces. The system calculates the MTU from the maximum MTU of all the VLAN in-path interfaces (inpathx_y.v) for that in-path interface (inpathx_y). Note: If there is a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
Apply	Click to apply your changes to the running configuration.

6. Under Routing Table, you can configure a static routing table for in-path interfaces add routes to or remove from routes, as described in this table.

Control	Description
Add a New Route	Displays the controls to add a route.
Destination IP Address	Specify the destination IP address.
Subnet Mask	Specify the subnet mask.
Gateway IP Address	Specify the IP address for the gateway. The gateway must be in the same network as the in-path interface.
Add	Adds the route to the table list.
Remove Selected	Select the check box next to the name and click Remove Selected.

7. Click Save to save your configuration settings.

Avoiding Speed and Duplex Mismatches

Speed and duplex mismatches can easily occur in a network. For example, if one end of the link is set at half or full duplex mode and the other end of the link is configured to autonegotiate (auto), the link defaults to half-duplex, regardless of the duplex setting on the nonautonegotiated end. This duplex mismatch passes traffic, but it causes interface errors and results in degraded optimization.

The following guidelines can help you avoid speed and duplex mismatches when configuring the SteelHead Interceptor:

• Routers are often configured with fixed speed and duplex settings. Check your router configuration and set it to match the Interceptor WAN and LAN settings. Ensure that your switch has the correct setting.

• After you finish configuring the SteelHead Interceptor, check for speed and duplex error messages (crc or frame errors) in the System Log page of the Management Console.

• If there is a serious problem with the Interceptor and it goes into bypass mode (that is, it automatically continues to pass traffic through your network), a speed and duplex mismatch might occur when you reboot the Interceptor. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.

Configuring VLAN Segregation

VLAN segregation allows network traffic from different groups of users to be kept securely segregated, creating an independent environment for each group or customer. With VLAN segregation enabled, you create instances to segregate traffic to a reserved cluster of SteelHeads.

This section describes the following:

• Working with Instances

• Enabling VLAN Segregation

• Adding an Instance for VLAN Segregation

• Adding or Removing a VLAN Tag to an Instance

Working with Instances

An instance is a label that associates a group of VLANs and the configuration that applies to the traffic on those VLANs. An instance is a virtual representation of a SteelHead Interceptor that can, for example, map to a customer of an MSP (Managed Service Provider), a partner of an enterprise, or a department within an enterprise. It can also logically map a VRF environment (virtual routing and forwarding) in a network.

The instance contains all configuration necessary—including in-path rules, load-balancing rules, and connection forwarding—for setting up an optimization cluster with other Interceptors and SteelHeads in the network.

Instances have the following characteristics:

• Each instance can have multiple VLAN tags. A maximum of five VLAN tags per instance is recommended.

• Two instances cannot share the same set of VLANs or SteelHeads.

• Each VLAN interface belonging to an instance has a unique IP address, gateway, subnet, and routing table.

• You can configure up to thirty instances on a single SteelHead Interceptor.

Enabling VLAN Segregation

You can enable VLAN segregation in the VLAN Segregation page.

If you enable VLAN segregation, you must reboot the appliance. Entering VLAN segregation changes some aspects of the Interceptor Management Console. For example, the Interceptor and SteelHead configuration displays on an instance page, which is accessed from the Dashboard. Load balancing and in-path rules are also configured in the specific instance page.

Similarly, all traffic is passed through until you complete the instance configuration.

To enable VLAN segregation

1. Choose Networking > Networking: VLAN Segregation to display the VLAN Segregation page.

Figure: VLAN Segregation Page

2. Select the Enable VLAN Segregation check box.

3. Click Apply.

4. Click Save in the menu bar to save the configuration.

5. Choose Administration > Maintenance: Reboot/Shutdown, and click Reboot.

Adding an Instance for VLAN Segregation

You can add an instance to the VLAN segregation configuration. For details on instances, see Working with Instances.

To add an instance

1. Choose Networking > Networking: VLAN Segregation to display the VLAN Segregation page.

2. Click Add an Instance.

3. Enter a name for the instance.

4. Click Add.

Adding or Removing a VLAN Tag to an Instance

You can add or remove a VLAN tag to an instance in the VLAN Tag page. For details on instances, see Working with Instances.

To add a VLAN tag to an instance

1. From the VLAN segregation Dashboard, click the name of the instance to display the instance dashboard.

Figure: Instance Dashboard Page

2. Choose VLAN Interfaces under the Networking section to display the VLAN Interfaces page.

Note: You can access the Dashboard for the instance from the VLAN Segregation page by clicking Configure in the row for the desired instance.

3. Under VLAN Interfaces, select Add VLAN Tags.

4. Enter a value or comma-delimited list of values between 0 and 4094, or enter “untagged.”

5. Click Add.

To remove a VLAN tag to an instance

1. From the instance dashboard, choose VLAN Interfaces under the Networking section to display the VLAN Interfaces page.

2. Select the check box next to the name and click Remove Selected.