Configuring Network Services
This chapter describes how to configure network services. It includes the following sections:
•  Configuring Path Selection (Standard Mode Only)
•  Configuring QoS and DSCP Marking
•  Configuring Flow Export Collectors
Note: This chapter assumes that you have installed and performed the initial configuration of the SteelHead Interceptor. For details, see the SteelHead Interceptor Installation Guide.
Configuring Path Selection (Standard Mode Only)
You configure path selection in the Networking > Network Services: Network Services Table page.
This section contains the following high-level concepts related to path selection:
•  Path Selection Overview
•  Path Selection Channels
•  Two Ways to Configure Path Selection Clusters
•  Before Configuring Path Selection in Cluster Deployments
•  Limitations for Using Path Selection in Cluster Deployments
Path Selection Overview
Path selection ensures that the right traffic travels to the right path by choosing a predefined WAN gateway for traffic flows in real time, based on availability. In path selection, you define a path, called an uplink, by specifying a WAN egress point and providing a direction for the egressing packets to take.
Using path selection rules, you can configure policies to specify the uplink used for specific traffic flows. This granular-level path manipulation enables you to better use and more accurately control traffic flow across multiple WAN circuits.
Efficient Use of Bandwidth
A common use of path selection is to route voice and video traffic over an expensive, high-quality Multiprotocol Label Switching (MPLS) link, while offloading less time-sensitive traffic over a less expensive Internet VPN or direct Internet link.
Enabling Internet paths can make efficient use of existing resources by taking advantage of both private and public links. Using path selection provides the right performance levels for your applications and saves on bandwidth costs by optimizing the use of available bandwidth.
Transport Mode Compliance
The path selection WAN egress controller is compatible with all SteelHead transport modes (including fixed-target configuration).
The path selection WAN egress controller also has the following characteristics:
•  Operates transparently with the client, the server, and any networking devices such as routers or switches.
•  Identifies and processes UDP (pass-through and optimized) and TCP (optimized) traffic.
•  Supports single-firewalled and multiple-firewalled paths (RiOS 8.6 and later).
•  Encrypts traffic using the secure transport service, if applicable.
Uplink and Network Connectivity Monitoring
Configuring path selection involves specifying uplinks and the uplink preferences for certain traffic. At a high level, you can configure multiple uplinks for each connection by specifying rules based on various parameters.
The system monitors the state of the uplink and the state of the connectivity to the remote site over the uplink. Then the appropriate uplink for a packet is selected. Selecting appropriate uplinks for packets provides more control over network link use.
Path selection uses Internet Control Message Protocol (ICMP) pings to dynamically monitor the state (that is, the “reachability” or condition) of the connectivity to the remote sites over the configured uplinks on a regular schedule.
You can configure the acceptable loss observed (threshold) for each uplink. The default is 2 seconds. If the ping responses do not return within the probe timeout setting or if the system loses the number of packets defined by the loss threshold, the system considers the remote site to be unreachable and triggers an alarm indicating that the path is unavailable.
If one uplink fails, the system directs traffic through another available uplink if another uplink was specified in the path selection rule. If another uplink was not specified in the path selection rule, the default action is performed. When the original uplink can again reach the remote site, the system redirects the traffic back through the original uplink.
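The failover and failback behavior described above can be modeled as a small state machine. This is an added example, not Riverbed code. It assumes the loss threshold counts consecutive lost probes and that a single in-time reply restores an uplink; the names Uplink, select_uplink, simulate and the "default-action" placeholder are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Uplink:
    name: str
    loss_threshold: int        # assumed: consecutive lost probes before "unreachable"
    lost: int = 0
    reachable: bool = True

    def record_probe(self, replied_in_time: bool) -> None:
        """Apply one ICMP probe result; a reply after the probe timeout counts as lost."""
        if replied_in_time:
            self.lost = 0
            self.reachable = True          # remote site reachable again: failback possible
        else:
            self.lost += 1
            if self.lost >= self.loss_threshold:
                self.reachable = False     # point at which the path alarm would trigger

def select_uplink(preferred, uplinks, default_action="default-action"):
    """First reachable uplink in the rule's preference order, else the default action."""
    for name in preferred:
        if uplinks[name].reachable:
            return name
    return default_action

def simulate(preferred, uplinks, probe_rounds):
    """Feed each round of probe results in, and record the uplink chosen afterwards."""
    choices = []
    for results in probe_rounds:
        for name, ok in results.items():
            uplinks[name].record_probe(ok)
        choices.append(select_uplink(preferred, uplinks))
    return choices

# Constructed probe results: True means the reply arrived within the probe timeout.
PROBE_ROUNDS = [
    {"mpls": True,  "inet": True},
    {"mpls": False, "inet": True},
    {"mpls": False, "inet": True},    # second consecutive loss: mpls marked unreachable
    {"mpls": False, "inet": False},
    {"mpls": False, "inet": False},   # inet also unreachable: default action applies
    {"mpls": True,  "inet": False},   # mpls answers again: traffic returns to it
]

def demo():
    uplinks = {"mpls": Uplink("mpls", 2), "inet": Uplink("inet", 2)}
    return simulate(["mpls", "inet"], uplinks, PROBE_ROUNDS)
```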
By default, path selection is disabled.
Note: For path selection use case examples, see the SteelHead Management Console User’s Guide for SteelHead CX. For more details on path selection, see the SteelHead Deployment Guide.
Path Selection Channels
A path selection channel is an overlay tunnel between a SteelHead and a SteelHead Interceptor that enables the SteelHead to reach the configured uplinks.
RiOS 9.1 and later extends path selection to operate in large-scale SteelHead Interceptor cluster deployments. A SteelHead Interceptor cluster is one or more SteelHead Interceptors collaborating with one or more SteelHeads to select paths dynamically. RiOS 9.1 makes configuration and maintenance easier using the SteelCentral Controller for SteelHead (SCC) to set up the path selection cluster and then push the configuration to the remote appliances.
SteelHeads select uplinks based on the following criteria:
•  Uplink status
•  Remote site accessibility
•  Path selection rules
The SteelHeads then instruct one or more SteelHead Interceptors to steer the WAN-bound packets to the chosen uplink.
SteelHead Interceptors redirect all connections (those connections identified as needing path selection) to a SteelHead for the lifetime of the connection. These connections include UDPv4 and TCPv4 (both optimized and unoptimized) connections. A SteelHead performs path selection on these traffic flows and delivers them on the WAN through a SteelHead Interceptor.
In a SteelHead Interceptor cluster, the SteelHead can be connected to the WAN edge router over either a Layer-2 or Layer-3 uplink. A Layer-2 uplink is not required.
When a path selection channel is configured, the system associates the path selection channels with the configured uplinks. When more than one channel is configured for an uplink, only one is used actively and the others will be used only when the active channel fails.
The SteelHead uses the active channel for an uplink to tunnel packets steered to the corresponding uplink. The SteelHead also monitors the health of a channel by sending ICMP probe requests to the uplink gateway. When the SteelHead Interceptor receives the ICMP probes, the SteelHead Interceptor routes the probe to the gateways.
Note: The SteelHead Interceptor must be connected to the WAN over a Layer-2 uplink and must be accessible from the WAN side. When the uplink responds to the ICMP probe, the channel will be considered “up” on the SteelHead.
Two Ways to Configure Path Selection Clusters
To configure path selection clusters, choose one of these methods:
•  Use the SCC - Set up the path selection cluster on an SCC 9.1 or later. Then use the SCC to push the cluster channel configuration to each of the SteelHeads and SteelHead Interceptors. This is the easiest method and the method Riverbed recommends because when you create one rule in one place for all cluster members (with load balancing rules and so on), this method allows for fewer errors and easier maintenance. Also, you can use the configuration wizard to create a graphical representation of your topology. The high-level tasks for using this method are listed in Using the SCC to Configure a Path Selection Cluster.
or
•  Manually configure each appliance individually - Set up the path selection cluster directly on each SteelHead and configure each SteelHead Interceptor individually. You might want to use this method if you have a small number of SteelHeads in the cluster. The high-level tasks for using this method are listed in Manually Configuring a Path Selection Cluster.
For details about configuring a path selection cluster on a SteelHead, see the SteelHead Management Console User’s Guide.
Before Configuring Path Selection in Cluster Deployments
Before you configure path selection in a cluster deployment, the following prerequisites must be met:
•  You must be using SteelHead Interceptor 5.0 or later on the SteelHead Interceptor, SteelHead 9.1 or later on the SteelHead, and SCC 9.1 or later on the SCC (if you are using the SCC to configure path selection clusters).
•  You must enable connection-forwarding multi-interface support on each SteelHead Interceptor and each SteelHead.
•  You must configure the appropriate subnet-side rules on each SteelHead.
•  You must define the accurate subnet in the local site on each SteelHead.
•  You must enable Fair Peering v2 (FPv2) on each SteelHead Interceptor.
•  When a SteelHead is part of a SteelHead Interceptor cluster, and path selection is enabled, you must configure a path selection channel on both the SteelHead and the SteelHead Interceptor.
For more information about the SteelHead, see the SteelHead Management Console User’s Guide.
•  You must make sure that the WAN router does not ricochet packets destined for a remote destination. That is, configure the WAN router to send packets to the WAN (to prevent WAN-bound packets from ricocheting through the LAN).
•  The SteelHead Interceptor must be Layer-2-adjacent to the WAN-edge routers.
Using the SCC to Configure a Path Selection Cluster
On the SCC, to configure a path selection cluster, complete these tasks:
1. Define a cluster at the Cluster page.
2. Enable path selection and configure path selection rules.
3. Push the configuration settings to the remote appliances.
For detailed instructions, see the SteelCentral Controller for SteelHead User’s Guide and the SteelHead Interceptor Deployment Guide.
Manually Configuring a Path Selection Cluster
To manually configure a path selection cluster channel, complete the high-level tasks listed in this table on either the SteelHead or the SteelHead Interceptor, as applicable. This table includes the sections or documents you can refer to for more information.
Step | Reference
1. Configure all SteelHeads, as applicable. Multi-interface support must be enabled on all the SteelHeads. | SteelHead Management Console User’s Guide
2. Configure all SteelHead Interceptors, as applicable. Multi-interface support must be enabled on all the SteelHead Interceptors. |
3. Configure all SteelHead Interceptors as connection-forwarding neighbors on all the SteelHeads. Restart the service on the SteelHeads, as required. | SteelHead Management Console User’s Guide
4. Enable Fair Peering v2 (FPv2) load-balancing rules on all SteelHead Interceptors. |
5. Enable path selection on all SteelHead Interceptors, then restart the service. An alarm is triggered because path selection is not yet enabled on the SteelHead. |
6. Configure service rules to identify the nonoptimized TCP and UDP connections used for path selection or for identifying specific traffic to be passed-through to the SteelHead. |
7. Enable path selection on the SteelHead neighbors. A service restart is not required. | SteelHead Management Console User’s Guide
Limitations for Using Path Selection in Cluster Deployments
Path selection does not support the following features or deployments:
•  Xbridge
•  Web Cache Communication Protocol (WCCP)
•  Policy-Based Routing (PBR)
•  VLAN segregation
•  Virtual in-path SteelHead Interceptor deployments
Note: SteelHead Interceptors must be configured in physical in-path deployments.
•  IPv6 traffic
Note: Path selection can be configured for IPv4 traffic. Path selection bypasses fragments arriving at the SteelHead Interceptor. However, fragments caused by traffic redirection are not bypassed.
•  Etherchannels connected to the SteelHead Interceptor
•  Pass-through connection blocking rules on the SteelHead Interceptor
•  Packet-mode optimization on the SteelHead
•  Path selection firewall traversal
•  Path selection with secure transport
To enable path selection on a SteelHead Interceptor
Note: You enable path selection in standard mode only. You cannot enable path selection in VLAN segregation mode.
1. Choose Networking > Network Services: Network Services Table to display the Network Services Table page.
Figure: Network Services Table and Path Selection Page
2. Select the Enable Path Selection check box. (To disable path selection, clear the check box.)
3. Click Apply to save your selection.
To add a new service rule on a SteelHead Interceptor
Service rules identify the nonoptimized TCP and UDP connections used for path selection or for identifying specific traffic to be passed-through to the SteelHead.
Service rules act like load-balancing rules for optimized traffic with one notable exception: the traffic is bidirectional so the source or destination is not important; the rules merely use the two subnets and ports.
Note: Service rules only apply to unoptimized traffic.
1. Choose Networking > Network Services: Network Services Table to display the Network Services Table page.
2. Under Service Rules, complete the configuration as described in this table.
Control | Description
Add a New Service Rule | Displays the controls to add a new service rule.
Type | Specify how the system handles packets if the default uplinks go down: Redirect - Redirects connections to a SteelHead. This is the default value. Pass-through - Passes through traffic unoptimized.
Protocol | Specify a traffic protocol from the drop-down list: TCP - Specifies the TCP protocol. Supports TCP-over-IPv4 only. UDP - Specifies the UDP protocol. Supports UDP-over-IPv4 only. Any - Specifies all TCP-based and UDP-based protocols. This is the default setting.
Subnet 1 | Specify possible endpoints for subnet 1 connections. Use the following format: XXX.XXX.XXX.XXX/XX. Note: You can specify all or 0.0.0.0/0 as the wildcard for all traffic.
Subnet 2 | Specify possible endpoints for subnet 2 connections. The two subnets (local and remote) do not need to be in a specific order. Use the following format: XXX.XXX.XXX.XXX/XX. Note: You can specify all or 0.0.0.0/0 as the wildcard for all traffic.
Port or Port Label | Specify the port or port label. The default value is all.
Local SteelHead IPs | Specify the local SteelHead IP address(es). Optionally, specify as a comma-separated list. Note: All addresses have to be the main IPs.
VLAN Tag ID | Enter untagged to specify that the rule applies to untagged connections. Note: Pass-through traffic maintains any preexisting VLAN tagging between the LAN and WAN interfaces.
Position | Select the rule position order from the drop-down list: select Start to insert the rule at the start of the list, select End to insert the rule at the end of the list, or select a rule number.
Description | Optionally, include a description of the rule.
Add | Adds the new service rule to the list. You can add a maximum of 500 rules. The appliance refreshes the rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected Rules | Select the check box next to the name and click Remove Selected Rule.
Move Selected Rules | Select the check box next to the rule position and click Move Selected Rules to move the rule to the new position.
3. Click Apply to save your selection.
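Because service rules are ordered and match subnets in either direction, a broad rule near the start can hide a more specific rule below it. The following audit sketch is an added example, not Riverbed code; it assumes first-match evaluation, covers only the Type, Protocol and Subnet fields, and uses constructed rules and hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceRule:
    rule_type: str     # "redirect" or "pass-through"
    protocol: str      # "tcp", "udp" or "any"
    subnet1: str       # CIDR, or "all" as the wildcard
    subnet2: str

def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "all" else s)

def matches(rule, proto, ip_a, ip_b):
    """True if the flow matches; the two endpoints are tested in both orientations."""
    if rule.protocol not in ("any", proto):
        return False
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    n1, n2 = _net(rule.subnet1), _net(rule.subnet2)
    return (a in n1 and b in n2) or (a in n2 and b in n1)

def first_match(rules, proto, ip_a, ip_b):
    """(index, type) of the first matching rule, or None (first-match is an assumption)."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, ip_a, ip_b):
            return i, rule.rule_type
    return None

def covers(early, late):
    """Sufficient check: every flow that matches `late` also matches `early`."""
    if early.protocol not in ("any", late.protocol):
        return False
    e1, e2 = _net(early.subnet1), _net(early.subnet2)
    l1, l2 = _net(late.subnet1), _net(late.subnet2)
    return (l1.subnet_of(e1) and l2.subnet_of(e2)) or (l1.subnet_of(e2) and l2.subnet_of(e1))

def shadowed(rules):
    """(later_index, earlier_index) pairs where the earlier rule hides the later one."""
    return [(j, i) for j, late in enumerate(rules)
            for i in range(j) if covers(rules[i], late)]

# Constructed rule list, in position order.
RULES = [
    ServiceRule("pass-through", "any", "10.1.0.0/16", "all"),
    ServiceRule("redirect", "tcp", "192.168.5.0/24", "10.1.20.0/24"),  # hidden by rule 0
    ServiceRule("redirect", "udp", "172.16.0.0/12", "192.168.5.0/24"),
]
```

Here `shadowed(RULES)` reports that rule 1 can never take effect, so TCP flows between 192.168.5.0/24 and 10.1.20.0/24 are passed through rather than redirected.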
What’s Next?
Be sure to complete the appropriate tasks on the SteelHead, as outlined in Manually Configuring a Path Selection Cluster.
Configuring QoS and DSCP Marking
You can use the Network Services Table page to enable Quality of Service (QoS) features such as Differentiated Service Code Point (DSCP) marking for the traffic in your network.
For detailed information about QoS, see the SteelHead Management Console User’s Guide.
Configuring Flow Export Collectors
Flow export collectors (such as NetFlow and SteelFlow) provide the ability to collect IP network traffic as traffic enters or exits an interface. By analyzing the data provided by a flow export collector, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.
For more information about flow export collectors, see the SteelHead Management Console User’s Guide.