Modifying in-path interfaces
You view and modify settings for the appliance in-path interfaces in the Networking > Networking: In-Path Interfaces page. You can also enable a management in-path interface in this page.
In-Path Interfaces page
You configure in-path interfaces for deployments where the SteelHead is in the direct path (the same subnet) as the client and the server in your network. You also set the in-path gateway (WAN router).
In the Riverbed system, appliances have a unique in-path interface for each pair of LAN/WAN ports. For each appliance, the Management Console detects LAN/WAN pairs, including those added through bypass cards, and identifies them according to slot (for example, inpath0_0, inpath0_1, inpath1_0, inpath1_1, and so on).
In-path settings
This section describes in-path settings.
Enable Link State Propagation
Enable this control to shorten the recovery time of a link failure in physical in-path deployments. Link state propagation (LSP) communicates link status between the devices connected to the SteelHead. When you enable this LSP, RiOS monitors the link state of each SteelHead LAN-WAN pair.
If either physical port loses link status, the corresponding interface disconnects, blocking the link. This control allows a link failure to quickly propagate through a chain of devices. If the link recovers, the SteelHead restores the corresponding interface automatically.
LSP is enabled by default.
You can’t reach a MIP interface when LSP is also enabled and the corresponding in-path interface fails. Cloud Accelerator models don’t support LSP. SteelHead (Virtual Edition) appliances running ESXi 5.0 and later with a Riverbed NIC card support LSP.
These SteelHead (Virtual Edition) appliance configurations don’t support LSP:
• SteelHead-v models running ESX/ESXi 4.0 or 4.1
• SteelHead-v models running Microsoft Hyper-V
To display and modify the configuration for in-path interfaces
1. Choose Networking > Networking: In-Path Interfaces to display the In-Path Interfaces page.
2. To enable link state propagation, under In-Path Settings, select Enable Link State Propagation.
In-path interface settings
This section describes in-path interface settings.
Enable IPv4
Select this check box to assign an IPv4 address. You can only assign one IPv4 address per in-path interface.
The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces can’t share the same network subnet.
To remove an IPv4 address, clear this check box and click Apply.
IPv4 Address
Specify an IP address. This IP address is the in-path main interface.
IPv4 Subnet Mask
Specify the subnet mask.
In-Path Gateway IP
Specify the IP address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway.
If there’s a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
NAT IPs and Ports
In the case of UDP encapsulation with NAT, different SteelHeads could use the same public-facing destination addresses. To uniquely identify such SteelHeads, specify a NAT IPv4 address paired with a specific port opened on the NAT.
Specify multiple NAT IPs and ports on separate lines.
Enable IPv6
Select this check box to assign an IPv6 address. You can only assign one IPv6 address per in-path interface.
The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces can’t share the same network subnet.
To remove an IPv6 address, clear this check box and click Apply.
IPv6 Address
Specify a global or site-local IPv6 address. This IP address is the in-path main interface. You can’t use a DHCP server to assign an IPv6 address automatically.
IPv6 Prefix
Specify the prefix. The prefix length is 0 to 128 bits, separated from the address by a forward slash (/). In the following example, 60 is the prefix:
2001:38dc:52::e9a4:c5:6282/60
IPv6 Gateway
Specify the IPv6 address for the in-path gateway. You can use a link local address. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway.
If there’s a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server.
LAN/WAN Speed and Duplex
If your network routers or switches don’t automatically negotiate the speed and duplex, be sure to set them on the device manually.
The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.
Speed—Select Auto, 1000, 100, or 10 from the drop-down list. The default value is Auto.
Duplex—Select Auto, Full, or Half from the drop-down list. The default value is Auto.
Speed and duplex mismatches can easily occur in a network. For example, if one end of the link is set at half or full-duplex and the other end of the link is configured to autonegotiate (auto), the link defaults to half-duplex, regardless of the duplex setting on the nonautonegotiated end. This duplex mismatch passes traffic, but it causes interface errors and results in degraded optimization.
These guidelines can help you avoid speed and duplex mismatches when configuring the SteelHead:
• Routers are often configured with fixed speed and duplex settings. Check your router configuration and set it to match the SteelHead WAN and LAN settings. Make sure that your switch has the correct setting.
• After you finish configuring the SteelHead, check for speed and duplex error messages (cyclic redundancy check (CRC) or frame errors) in the System Log page of the Management Console.
• If there’s a serious problem with the SteelHead and it goes into bypass mode (that is, it automatically continues to pass traffic through your network), a speed and duplex mismatch might occur when you reboot the SteelHead. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair.
MTU
Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is 1500.
VLAN Tag ID
Specify the VLAN tag that the appliance uses to communicate with other SteelHeads in your network. The VLAN Tag ID might be the same value or a different value than the VLAN tag used on the client. A zero (0) value specifies nontagged (or native VLAN) and is the correct setting if there are no VLANs present.
As an example, if the in-path interface is 192.168.1.1 in VLAN 200, you would specify tag 200.
When the SteelHead communicates with a client or a server, it uses the same VLAN tag as the client or the server. If the SteelHead can’t determine which VLAN the client or server is in, it doesn’t use the VLAN tag (assuming that there’s no router between the SteelHead and the client or server).
You must also define in-path rules to apply to your VLANs.
To configure in-path interface settings
1. Under In-Path Interface Settings, select the interface name.
2. Adjust the settings to your needs.
3. Under IPv4 Routing Table, you can configure a static routing table for in-path interfaces. You can add or remove routes from the table list.
Control | Description |
Add a New Route | Displays the controls to add a route. |
Destination IP Address | Specify the destination IP address. |
Gateway IP Address | Specify the IP address for the gateway. The gateway must be in the same network as the in-path interface. |
Add | Adds the route to the table list. |
Remove Selected | Select the check box next to the name and click Remove Selected. |
4. Under IPv6 Routing Table, you can configure a static routing table for in-path interfaces. You can add or remove routes from the table list.
Control | Description |
Add a New Route | Displays the controls to add a route. |
Destination IP Address | Specify the destination IP address. |
Gateway IP Address | Specify the IP address for the gateway. The gateway must be in the same network as the in-path interface. |
Add | Adds the route to the table list. |
Remove Selected | Select the check box next to the name and click Remove Selected. |
5. Click Apply to apply your changes to the running configuration.
6. Click Save to Disk to save your settings permanently.
Configuring a Management In-Path interface
You configure a Management In-Path (MIP) interface in the Networking > Networking: In‑Path Interfaces page.
In a typical in-path deployment, optimized and pass-through traffic flows through the SteelHead LAN and WAN interfaces, and Riverbed network management traffic flows through the auxiliary interface. You can also use the auxiliary interface to connect the appliance to a non-Riverbed network management device. Some deployments don’t allow access to the auxiliary management interface when plugged into a private subnet with a separate IP address space. In this type of deployment, you can’t use the auxiliary interface to manage the SteelHead.
RiOS provides a way to configure a secondary MIP interface that you can reach through the physical in-path LAN and WAN interfaces. Configuring a secondary MIP interface is a way to manage SteelHeads from a private network while maintaining a logical separation of network traffic. This configuration eliminates the need to deploy a switch or borrow a switch port. You can configure one MIP interface for each LAN and WAN interface pair.
A MIP interface is accessible from both the LAN and WAN side, and you can reach it even when:
• the primary interface is unavailable.
• the optimization service isn’t running.
• the (logical) in-path interface fails.
A MIP interface isn’t accessible if the (physical) LAN and WAN interfaces fail.
Management In-Path interface deployment
MIP interface dependencies
A MIP interface has these dependencies:
• IPv6 addresses are supported for MIP interfaces starting with RiOS version 9.5.
• Any connections destined to a MIP interface aren’t optimized by that SteelHead and don’t appear in the Current Connections report.
• A MIP interface can’t reside in the same subnet as the primary or auxiliary interfaces. It can’t share the same subnet with any other interfaces on the SteelHead.
• A MIP interface must be in its own subnet.
• You can’t enable a MIP interface after fail-to-block has been enabled and the corresponding in-path interface fails. When fail-to-block is enabled, in the event of a failure or loss of power, the SteelHead LAN and WAN interfaces completely lose link status. The failed SteelHead blocks traffic along its path, forcing traffic to be rerouted onto other paths (where the remaining SteelHeads are deployed). For details on fail-to-block, see the SteelHead Deployment Guide.
• You can’t reach a MIP interface when Link State Propagation (LSP) is also enabled and the corresponding in-path interface fails. In physical in-path deployments, LSP shortens the recovery time of a link failure. LSP communicates link status between the devices connected to the SteelHead and is enabled by default. To disable LSP, enter the no in-path lsp enable CLI command at the system prompt.
• This feature supports 802.1Q VLAN.
• A MIP interface uses the main routing table.
Enabling a Management In-Path interface
Use the controls in this page when you need to enable a MIP interface or the interface requires additional configuration.
To enable a management in-path interface
1. Choose Networking > Networking: In-Path Interfaces to display the In-Path Interfaces page.
2. In the In-Path Interface Settings pane, click the arrow next to the name of an in-path interface to expand it and scroll down to the Mgmt Interface pane.
3. In the Mgmt Interface pane, complete the configuration as described in this table.
Control | Description |
Enable Appliance Management on This Interface | Enables a secondary MIP interface that you can reach through the physical in-path LAN and WAN interfaces. Configuring a secondary MIP interface allows management of SteelHeads from a private network while maintaining a logical separation of network traffic. If LSP or fail-to-block is enabled, a message reminds you to disable the feature before enabling the MIP interface. |
IPv4 Address | Specify the IPv4 address for the MIP interface. |
IPv4 Subnet Mask | Specify the IPv4 subnet mask. |
Enable IPv6 | Select this check box to assign an IPv6 address. IPv6 addresses are disabled by default. You can only assign one IPv6 address per in-path interface. |
IPv6 Address | Specify the IPv6 address for the MIP interface. |
IPv6 Prefix | Specify the IPv6 prefix. The prefix length is 0 to 128 bits, separated from the address by a forward slash (/). In the following example, 60 is the prefix: 2001:38dc:52::e9a4:c5:6282/60 |
VLAN Tag ID | Specifies a numeric VLAN Tag ID. When you specify the VLAN Tag ID for the MIP interface, all packets originating from the SteelHead from the MIP interface are tagged with that identification number. The VLAN Tag ID might be the same value or a different value than the in-path interface VLAN tag ID. The MIP interface could be untagged and the in-path interface could be tagged and vice versa. A zero (0) value specifies nontagged (or native VLAN) and is the correct setting if there are no VLANs present. For example, if the MIP interface is 192.168.1.1 in VLAN 200, you would specify tag 200. |
4. Click Apply to apply your changes to the running configuration.
5. Click Save to Disk to save your settings permanently.
After you apply your settings, choose Reports > Networking: Interface Counters to view MIP interface statistics.
You can remove MIP interfaces from the main routing table in the Networking > Networking: Base Interfaces page.
Related topics