Configuring Hybrid Networking, QoS, and Path Selection : Configuring path selection in a SteelHead Interceptor cluster
  
Configuring path selection in a SteelHead Interceptor cluster
You can use path selection in SteelHead Interceptor deployments using the SCC to manage all Interceptors in one centralized location. You can manage Interceptors as:
individual appliances.
part of a SteelHead and Interceptor cluster.
RiOS 9.1 extended path selection to operate in SteelHead Interceptor cluster deployments, providing high-scale and high-availability deployment options. A SteelHead Interceptor cluster is one or more SteelHead Interceptors collaborating with one or more SteelHeads to select uplinks dynamically.
SteelHeads select uplinks based on path selection rules and network conditions and instruct a SteelHead Interceptor to steer the WAN-bound packets to the chosen uplink. A SteelHead Interceptor redirects all connections that need to be path selected to the SteelHead for the lifetime of the connection, including UDPv4 and TCPv4 optimized and unoptimized connections.
For details on using an SCC to configure SteelHead Interceptors, see the SteelCentral Controller for SteelHead User Guide.
Path selection in Interceptor cluster deployment options
You can use path selection in Interceptor cluster deployments by configuring an Interceptor neighbor on a SteelHead. In RiOS 9.1 and later, you can use the SCC to manage all Interceptor configurations in one centralized location. We recommend that you use the SCC to configure Interceptor and SteelHead clusters instead of individually configuring each appliance for these reasons:
Enables easier configuration, operation, and management because you create one rule in one place for all cluster members (load balancing rules and so on). With one rule replacing many, you reduce the possibility of introducing configuration errors.
To operate efficiently, path selection with Interceptor clusters (PSIC) requires that cluster channels be set up between the SteelHead and SteelHead Interceptor appliances. Cluster channels are traditionally configured on the SteelHead. In RiOS 9.2, you can now enable the PSIC auto-channel configuration feature using the SteelCentral Controller (SCC) to configure the cluster channels and then push the configuration to the appliances. No additional configuration tasks are required.
You can create a graphical representation of your particular topology.
For details on using the SCC to configure path selection on Interceptors, see the SteelCentral Controller for SteelHead User Guide, the SteelHead Interceptor Deployment Guide, and the SteelHead Interceptor User Guide.
Configuring path selection on a SteelHead in an Interceptor cluster
When configuring uplinks on the SteelHead for path selection in an Interceptor cluster, the uplink gateway need not be a Layer 2 hop away from the SteelHead, but it must be a Layer 2 hop away from one or more Interceptors in the cluster.
Each SteelHead must be aware of which Interceptor it can use to reach a particular uplink. This is accomplished by configuring a channel that acts as an overlay tunnel between the SteelHead and the Interceptor and allows the SteelHead to reach an uplink. One or more channels must be configured for every uplink. After the SteelHead has this information, RiOS uses the Riverbed encapsulation protocol (RBEP) when communicating with an Interceptor neighbor.
Path selection with Interceptor cluster deployments assumes that:
every WAN edge gateway in the network must be defined in the uplink configuration on the SteelHead, and at least one Interceptor must be a Layer 2 hop away from each of those uplink gateways.
every packet to or from such an uplink gateway passes at least one Interceptor in the cluster.
the uplink gateway doesn’t ricochet any WAN-bound packets toward the LAN, and the SteelHead must have an accurate local site subnet configuration so that the LAN-bound traffic isn’t path selected.
Adding an Interceptor as a SteelHead neighbor requires an optimization service restart, and enabling path selection on a SteelHead also requires an optimization service restart. You can avoid the second optimization service restart on the SteelHead by configuring path selection on all Interceptors in the cluster and then following the procedures in this section. All Interceptors in the cluster must be running version 5.0 or later.
For path selection limitations, see Path selection limitations for SteelHeads in an Interceptor cluster.
To configure a SteelHead as part of an Interceptor cluster
1. You must enable connection forwarding multi-interface support to use path selection in an Interceptor cluster. Choose Networking > Network Integration: Connection Forwarding.
2. Select Enable Connection Forwarding.
3. Select Multiple Interface Support.
4. Under Neighbor Table, select Add a New Neighbor and add the IP address of the Interceptor. For details, see To add a new neighbor.
Repeat this step for every Interceptor in the cluster.
5. Click Restart Services.
To configure path selection on a SteelHead
1. Choose Networking > Topology: Sites & Networks.
2. Define your network and your local and remote sites, and enable path selection. These changes don’t require an optimization service restart if you configure the Interceptor prior to this step. The local site requires local subnets and the uplinks. The remote site requires the remote subnet and the remote SteelHead peer. You don’t need to configure uplinks for the remote site. For details, see Defining a hybrid network topology.
Path selection requires compatible configurations on all appliances in the cluster. When path selection is enabled on an appliance in the cluster while not enabled on another, the system considers the cluster to be incompatible and raises the Cluster Neighbor Incompatible alarm. This alarm provides the reason for the incompatibility and lists the incompatible Interceptors.
The incompatible appliances are also disconnected from each other, resulting in the Multiple Interface Connection Forwarding alarm. This alarm lists the disconnected appliances.
To configure a channel
1. Choose Networking > Network Services: Path Selection Channels. When the SteelHead has an Interceptor neighbor configured and connected, the Path Selection Channels menu option appears.
2. Under Channel Settings, define a channel as described in this table.
Control
Description
Add a New Channel
Displays the controls to define a channel.
Gateway IP Address
Specify the IP address of an uplink that is Layer 2 reachable by at least one interface on an Interceptor appliance.
Interface
Select a relay interface over which the SteelHead reaches the uplink. This interface should be the same in-path interface used for the uplink configuration for the Gateway IP Address in the local site.
Neighbor IP Address
Specify the IP address of an Interceptor in-path interface that is a Layer 2 hop away from the Gateway IP Address.
Timeout
Optionally, specify how much time, in seconds, elapses before the system considers the channel to be unavailable. The default value is 2 seconds.
Path selection uses ICMP pings to probe the channels. If the ping responses don’t make it back within this timeout setting and the system loses the number of packets defined by the threshold value, it considers the channel to be down.
Threshold
Optionally, specify how many timed-out probes to count before the system considers the channel to be unavailable. The default is 2 failed packets.
This value also determines how many probes the system must receive to consider the channel to be available.
Path selection uses ICMP pings to monitor channel availability. If the ping responses don’t make it back within the probe timeout and the system loses the number of packets defined by this threshold, it considers the channel to be down.
Add
Adds the channel to the channel table. The Management Console redisplays the channel table and applies your changes to the running configuration, which is stored in memory.
The channel table displays the configuration parameters apart from the channel status and the paths on which the channels are active.
Remove Selected Channel
Select the check box next to the name and click Remove Selected Channel.
Path selection limitations for SteelHeads in an Interceptor cluster
These limitations apply to SteelHead path selection in an Interceptor cluster:
You must enable connection forwarding multi-interface support.
You can’t add a cluster channel when a GRE-tunneled path is in use. Existing paths must not use the GRE tunnel mode.
Do not add a cluster channel when a secure uplink is in use.
For information on the Interceptor path selection limitations, see the SteelHead Interceptor Deployment Guide.