Tunneled uplinks
RiOS includes a tunnel mode to provide IPv4 generic routing encapsulation (GRE) for direct uplinks. Direct uplinks using GRE become direct tunneled uplinks. You must create direct tunneled uplinks to steer traffic over any uplink that traverses a stateful firewall between the server-side SteelHead and the client-side appliance.
Without GRE, traffic attempting to switch midstream to an uplink that traverses a stateful firewall might be blocked. The firewall needs to track the TCP connection state and sequence numbers for security reasons. Because the firewall has not logged the initial connection handshake, and has partial or no packet sequence numbers, it blocks the attempt to switch to the secondary uplink and might drop these packets. To traverse the firewall, path selection can encapsulate that traffic into a GRE tunnel. The most common examples of midstream uplink switching occur when:
a high-priority uplink fails over to a secondary uplink that traverses a firewall.
a previously unavailable uplink recovers and resumes sending traffic to a firewalled uplink.
path selection is using the Application File Engine (AFE) to identify the traffic and does not yet recognize the first packets of a connection before traversing a default uplink.
The GRE tunnel starts with a SteelHead and ends at the remote appliance. Both appliances must be running RiOS 8.6.x or later. The tunnel configuration is local. The remote IP address must be a remote appliance in-path interface, and the remote appliance must have path selection enabled. ICMP responses from the remote appliance use the same tunnel from which the ping is received. The remote appliance must also have GRE tunnel mode enabled if the user wants return traffic to go through a GRE tunnel as well.
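The blocking behavior described above, modeled as an added example (not Riverbed code; the firewall model, the addresses, and all names are assumptions for illustration). A midstream TCP segment reaches a firewall that never saw the handshake, first directly and then GRE-encapsulated between the two in-path interfaces:

```python
from dataclasses import dataclass
from typing import Optional

TCP, GRE = 6, 47  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: str = ""                      # TCP flags: "S" = SYN, "A" = ACK
    inner: Optional["Packet"] = None     # original packet carried inside GRE

class StatefulFirewall:
    """Toy model: TCP needs a SYN seen here; GRE is matched on outer IPs only."""
    def __init__(self, gre_peers):
        self.tcp_flows = set()           # flows whose handshake this firewall saw
        self.gre_peers = set(gre_peers)  # (src, dst) pairs allowed to exchange GRE

    def permit(self, p: Packet) -> bool:
        if p.proto == GRE:               # inner TCP state is not examined
            return (p.src, p.dst) in self.gre_peers
        if p.proto == TCP:
            flow = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":           # new connection: start tracking it
                self.tcp_flows.add(flow)
                return True
            return flow in self.tcp_flows  # midstream segment needs existing state
        return False

def encapsulate(inner: Packet, local_inpath: str, remote_inpath: str) -> Packet:
    """Wrap a packet in GRE between the two appliances' in-path interfaces."""
    return Packet(local_inpath, remote_inpath, GRE, inner=inner)

def failover_demo():
    # Constructed addresses: client, server, and the two in-path interfaces.
    client, server = "10.1.0.20", "10.2.0.80"
    local_ip, remote_ip = "10.1.0.2", "10.2.0.2"
    fw = StatefulFirewall(gre_peers={(local_ip, remote_ip)})
    # The handshake went over the primary uplink, so fw holds no state for this flow.
    midstream = Packet(client, server, TCP, 49152, 445, flags="A")
    direct = fw.permit(midstream)
    tunneled = fw.permit(encapsulate(midstream, local_ip, remote_ip))
    other_src = fw.permit(encapsulate(midstream, "10.1.0.99", remote_ip))
    return direct, tunneled, other_src

if __name__ == "__main__":
    print(failover_demo())
```

Because the firewall in this model no longer evaluates the inner TCP state, the rule that permits GRE is scoped to the in-path address pair, which is why the third packet is rejected.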
1. To add an uplink to a new site, under Sites, click +Add a Site. To add an uplink to an existing site, click Edit Site next to the site name.
2. Under Uplinks, click +Add New Uplink. The New Uplink dialog box appears.
3. Specify the uplink name: for example, MPLS1. We recommend using the same name for an uplink in all sites connecting to the same network. If you later use an SCC to maintain the SteelHeads, it will group uplinks by their names to simplify the configuration of new sites. Each uplink must have a unique interface, gateway and probe DSCP setting. A topology does not allow duplicate uplinks.
4. Select a network from the drop-down list.
5. Specify a Gateway IP address.
6. Specify an in-path interface.
7. Click GRE Tunneling to provide IPv4 generic routing encapsulation (GRE) for direct uplinks. Direct uplinks using GRE become direct tunneled uplinks. You must create direct tunneled uplinks to steer traffic over any uplink that traverses a stateful firewall between the server-side SteelHead and the client-side appliance.
Without GRE, traffic attempting to switch midstream to an uplink that traverses a stateful firewall might be blocked. The firewall needs to track the TCP connection state and sequence numbers for security reasons. Because the firewall has not logged the initial connection handshake, and has partial or no packet sequence numbers, it blocks the attempt to switch to the secondary uplink and might drop these packets. To traverse the firewall, path selection can encapsulate that traffic into a GRE tunnel.
For details on firewalled path selection deployments, see the SteelHead Deployment Guide.
8. Specify the up and down bandwidth in kilobits per second. RiOS uses the bandwidth to precompute the end-to-end bandwidth for QoS. The appliance automatically sets the bandwidth for the default site to this value.
The uplink rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. As an example, if your appliance connects to a router with a 100 Mbps link, do not specify this value—specify the actual WAN bandwidth (for example, T1, T3).
Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.
9. Optionally, click the right-arrow and specify the probe settings for path selection monitoring:
Outbound DSCP
Specifies the DSCP marking for the ping packet. You must select this option if the service providers are applying QoS metrics based on DSCP marking and each provider is using a different type of metric. Path selection-based DSCP marking can also be used in conjunction with PBR on an upstream router to support Path Selection in cases where the appliance is more than a single L3 hop away from the edge router.
The default marking is preserve. Preserve specifies that the DSCP level or IP ToS value found on pass-through and optimized traffic is unchanged when it passes through the appliance.
Timeout
Specifies how much time, in seconds, elapses before the system considers the uplink to be unavailable. The default value is 2 seconds.
RiOS uses ICMP pings to probe the uplinks. If the ping responses do not make it back within this timeout setting and the system loses the number of packets defined by the threshold value, it considers the uplink to be down and triggers the Path Selection Path Down alarm.
Threshold
Specifies how many timed-out probes to count before the system considers the uplink to be unavailable and triggers the Path Down alarm. The default is 3 failed successive packets.
This value also determines how many probes the system must receive to consider the uplink to be available.
RiOS uses ICMP pings to monitor uplink availability. If the ping responses do not make it back within the probe timeout and the system loses the number of packets defined by this threshold, it considers the uplink to be down and triggers the Path Selection Path Down alarm.
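How the Timeout and Threshold settings interact, as an added example (a model written for this page, not RiOS code). It assumes the uplink starts as available, that a reply arriving exactly at the timeout counts as received, and that recovery needs the same number of successive replies as the threshold; the class, function, and event names are hypothetical:

```python
class UplinkProbeMonitor:
    """Tracks uplink availability from a sequence of ICMP probe results."""

    def __init__(self, timeout=2.0, threshold=3):
        self.timeout = timeout      # seconds; page default is 2
        self.threshold = threshold  # successive probes; page default is 3
        self.up = True              # assumption: uplink starts as available
        self.streak = 0             # successive probes contradicting current state
        self.events = []            # state changes, in order

    def record(self, rtt):
        """rtt is the reply time in seconds, or None when no reply arrived."""
        answered = rtt is not None and rtt <= self.timeout
        if answered == self.up:
            # Probe agrees with the current state, so any streak is broken.
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= self.threshold:
                self.up = answered
                self.streak = 0
                self.events.append("path up" if answered else "path down")
        return self.up


def replay(rtts, timeout=2.0, threshold=3):
    """Feed a list of probe results through the monitor; return (events, final state)."""
    mon = UplinkProbeMonitor(timeout, threshold)
    for rtt in rtts:
        mon.record(rtt)
    return mon.events, mon.up


# Constructed probe results: two losses, a reply that resets the count,
# three timed-out probes (one late reply at 2.5 s), then three good replies.
SAMPLE_RTTS = [0.03, None, None, 0.04, None, 2.5, None, 0.05, 0.04, 0.03]

if __name__ == "__main__":
    print(replay(SAMPLE_RTTS))
```

The two losses at the start do not mark the uplink down, because the reply that follows resets the count before the threshold is reached.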
When you save your settings, the sites appear in a table. The default site matches all of the traffic that does not match another site.
To edit a site, click Edit Site next to a site name, modify the definition, and click Save.