Configuring Subnet Side Rules

Subnet side rules enable you specify subnets as LAN-side subnets or WAN-side subnets for a virtual in-path Steelhead appliance. Subnet side rules instruct the Steelhead appliance to identify traffic as originating from the WAN side of the appliance or the LAN side of the appliance based on the source subnet. You must configure subnets on each Steelhead appliance in a virtual in-path configuration, as the subnets for each will likely be unique.

For Steelhead appliances configured for virtual in-path deployment (for Layer-4 switch, PBR, WCCP, and SteelHead Interceptor), you must configure subnet side rules to support client-side appliances or for appliances that support flow export collectors such as NetFlow. You must configure subnets on each Steelhead appliance in a virtual in-path configuration, as the subnets for each will likely be unique.

Note: If you configure a client-side Steelhead appliance for virtual in-path deployment, you must configure subnet side rules to identify LAN-side traffic, otherwise the appliance does not optimize traffic from client-side connections. In virtual in-path configurations, all traffic flows in and out of one physical interface, and the default subnet side rule causes all traffic to appear to originate from the WAN side of the device.

Because VSP is enabled by default on SteelHead EXs, and the default subnet rule assumes that all traffic is coming from the WAN, the default rule prevents client-side connections from being optimized until you create a rule to identify traffic that should be treated as LAN-side traffic. The position of this rule must be at the start of the list of rules, above the default rule.

• If you configure a virtual in-path Steelhead appliance to use flow export collectors such as NetFlow analyze nonoptimized traffic or passed-through traffic correctly. If you do not configure subnet side rules configured, the SteelHead cannot discern whether the traffic is traveling from the LAN to the WAN or in the opposite direction. This can result in over-reporting traffic in a particular direction or for a particular interface.

Figure: Subnet Side Rules Page

Control	Description
Add a Subnet Side Rule	Displays the controls to create a subnet side rule.
Insert Rule At	Select Start, End, or a rule number from the drop-down list. SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule don’t match, the system consults the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
Subnet	Specify the subnet. Use the following format: <ip address>/<subnet mask>
Subnet is on the LAN side of this appliance	In virtual in-path configurations, all traffic is flowing in and out of one physical interface. Select to specify that the subnet is on the LAN side of the device.
Subnet is on the WAN side of this appliance	In virtual in-path configurations, all traffic is flowing in and out of one physical interface. Select to specify that the subnet is on the WAN side of the device.
Add	Adds the rule to the subnet map table. The Management Console redisplays the subnet map table and applies your changes to the running configuration, which is stored in memory.
Remove Subnet Rules	Select the check box next to the name and click Remove Subnet Rules.
Move Subnet Rules	Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.