Configuring QoS, Path Selection, and Hybrid Networking : Defining a hybrid network topology
  
Defining a hybrid network topology
You define the network connectivity view in the Networking > Topology: Sites & Networks page.
RiOS 9.0 provides a way to define a static network topology as a configuration that is shareable between appliances. The network topology definition becomes a building block that simplifies feature configuration for path selection and QoS. You define a topology once and then reuse it as needed. The topology provides the local appliance's point of view of all other possible sites, including each remote site's networks and a remotely pingable IP address.
RiOS uses the topology definition to:
•  share the remote site information between peers.
•  determine possible remote paths for path selection.
•  precompute the estimated end-to-end bandwidth for QoS, based on the remote uplinks.
We strongly recommend that you define topologies, push topology definitions, and distribute updates to an existing topology from a SteelCentral Controller for SteelHead to the appliances, particularly in large-scale deployments. For details, see the SteelCentral Controller for SteelHead Deployment Guide.
Topology properties
A network topology includes these WAN topology properties:
•  Networks - Define the carrier-provided WAN connections: for example, MPLS, VSAT, or Internet.
•  Sites - Define the discrete physical locations on the network: for example, a branch office or data center. A site can be a single floor of an office building, a manufacturing facility, or a data center. The sites can be linked to one or more networks. The local sites use the WAN in the network definition to connect to the other sites. The default site is a catch-all site that is the only site needed to backhaul traffic. Sites are used with the path selection, QoS, and secure transport features.
If appliance peers connect to subnets within a network that do not communicate with each other, you can define an area, as shown in Site definition divided into areas. To configure areas, use the Riverbed command-line interface.
•  Uplinks - Define the last network segment connecting the local site to a network. You define carrier-assigned characteristics for an uplink: for example, the upload and download bandwidth and latency. An uplink must be directly (L2) reachable by at least one appliance or Interceptor in the local network. An uplink does not need to be a physical in-path interface. Path selection uses only local uplinks.
Figure: Topology overview
Figure: Site definition divided into areas
The Sites & Networks page is central to defining networks and sites, to viewing sites with which a network is associated, changing or deleting sites, and assigning uplinks to a site.
Defining a network
Networks represent the WAN networks that sites use to communicate with each other, such as MPLS, VSAT, or Internet.
To add a network
1. Choose Networking > Topology: Sites & Networks to display the Sites & Networks page.
The networks appear. The default network is the network to which RiOS links the default uplinks. You cannot delete the default network.
If you are not using path selection, you can use the default network. To configure path selection, you can edit the network for the default uplinks: for example, Default0_0 uses MPLS, while Default0_1 uses Internet.
2. Under Networks, click + Add a Network.
3. Specify the network name: for example, MPLS1.
4. Select secure network to make the network securable using the secure transport service. Select public if you want to use UDP encapsulation on the secure traffic using the port number defined for the in-path interface.
The secure transport service enables group encryption for path selection deployments. RiOS adds all appliances having a secured uplink to a secure transport group. You can secure traffic flowing between any two appliances in the secure transport group by directing it to a secured uplink using path selection service rules.
Important: Due to export control of encryption, each appliance is required to have an SSL license before it can join the secure transport group. To verify your license, see Managing licenses and model upgrades. If you do not have a valid Enhanced Cryptography License Key file, go to https://sslcert.riverbed.com and follow the procedures documented there.
Select public if the network represents the Internet. Secure transport uses UDP to encapsulate traffic on a public network.
For details, see the SteelCentral Controller for SteelHead User’s Guide and the Riverbed Command-Line Interface Reference Manual.
5. Click Save.
Defining a site
You can optionally add sites to the network. A site is a logical grouping of subnets that represents a physical location, classified by site type. You classify traffic for each site using its network addresses. Typical site types are data center and small, medium, and large branch office.
RiOS determines the destination site using a longest-prefix match on the site subnets. For example, if you define site 1 with 10.0.0.0/8 and site 2 with 10.1.0.0/16, then traffic to 10.1.1.1 matches site 2, not site 1. Consequently, the default site defined as 0.0.0.0 only matches traffic that does not match any other site subnets.
You can associate an inbound or outbound QoS profile with a site to fine-tune the QoS behavior for each site. For details, see Creating QoS Profiles.
The default site is a catch-all site that has a subnet of 0.0.0.0/0. You do not need to add a remote site if you only have one remote site and the default site is suitable.
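The longest-prefix rule above is easy to get wrong by hand when a site's subnet field holds several comma-separated prefixes. The following Python is an added example (not RiOS code and not part of the original page) that parses site definitions as they are entered on the Sites & Networks page, rejects a subnet assigned to two sites, and resolves a destination address to its site with the same longest-prefix logic. The site names, subnets, and addresses are constructed sample data.

```python
"""Longest-prefix site matching for a RiOS-style topology (added example).

A site definition is a name plus a comma-separated list of LAN-side subnets,
as on the Sites & Networks page. The default site is 0.0.0.0/0 and only
matches traffic that no more specific site subnet matches.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def parse_subnets(text: str) -> List[Net]:
    """Turn the comma-separated subnet field into network objects.

    strict=True rejects a prefix with host bits set (e.g. 10.1.1.0/8), a
    typo that would otherwise silently widen the site to all of 10/8.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def build_sites(definitions: Dict[str, str]) -> List[Tuple[str, Net]]:
    """Flatten {site: "subnet, subnet"} into (site, network) pairs.

    The same subnet under two sites would make the longest-prefix match
    ambiguous, so that is refused up front instead of resolved by luck.
    """
    owner: Dict[Net, str] = {}
    table: List[Tuple[str, Net]] = []
    for site, text in definitions.items():
        for net in parse_subnets(text):
            if net in owner and owner[net] != site:
                raise ValueError(f"{net} is assigned to both {owner[net]} and {site}")
            owner[net] = site
            table.append((site, net))
    return table


def lookup_site(table: List[Tuple[str, Net]], address: str) -> str:
    """Return the site whose subnet is the longest prefix containing address."""
    ip = ipaddress.ip_address(address)
    best = None
    for site, net in table:
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    if best is None:
        raise LookupError(f"no site matches {address}")
    return best[0]


# Constructed sample topology; the first three sites reproduce the
# example in the text (site 1 = 10/8, site 2 = 10.1/16, default = 0/0).
SAMPLE_SITES = {
    "Default": "0.0.0.0/0",
    "Site1": "10.0.0.0/8",
    "Site2": "10.1.0.0/16",
    "DCEurope": "172.16.0.0/12, 192.0.2.0/24",
}
SITE_TABLE = build_sites(SAMPLE_SITES)

if __name__ == "__main__":
    for dst in ("10.1.1.1", "10.2.3.4", "192.0.2.10", "198.51.100.7"):
        print(f"{dst:15} -> {lookup_site(SITE_TABLE, dst)}")
```

Running the script resolves 10.1.1.1 to Site2 (the /16 beats the /8), 10.2.3.4 to Site1, and an address outside every defined subnet to Default. The strict parse is the check worth keeping: a site subnet typed as 10.1.1.0/8 is refused rather than quietly becoming 10.0.0.0/8.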
To add a site
1. Choose Networking > Topology: Sites & Networks to display the Sites & Networks page.
2. Under Sites, click + Add a Site
3. Specify the site name: for example, DCEurope.
4. Optionally, specify a subnet IP prefix for a set of IP addresses on the LAN-side, separating multiple subnets with commas.
5. Specify the IP addresses of the peers. The site uses peers for path monitoring and GRE tunneling. Separate multiple peers with commas.
When you add a site in the SteelCentral Controller for SteelHead you do not have to specify the IP addresses of the appliances at each given site because the SCC dynamically adds them to the site configuration that it sends to the appliances.
You can use the CLI to connect a peer to multiple areas through different interfaces. For details, see the Riverbed Command-Line Interface Reference Manual.
6. Optionally, select an inbound or outbound QoS profile to use with the site. For details, see Creating QoS Profiles.
You do not need to select a QoS profile for path selection.
7. Click Save.
Defining uplinks
Configuring a network topology involves specifying uplinks. An uplink is the last network segment connecting the local site to a network. At a high level, you can define multiple uplinks to a given network. The appliance monitors the state of the uplink and, based on this, selects the appropriate uplink for a packet. Selecting appropriate uplinks for packets provides more control over network link use.
Remote uplinks are also important for QoS because they define the available bandwidth for remote sites. RiOS uses the specified bandwidth to compute the end-to-end bottleneck bandwidth for QoS.
You can define an uplink based on an egress interface and, optionally, the next-hop gateway IP address. You can specify different DSCP marks per uplink for a given flow, allowing an upstream router to steer packets based on the observed marking.
To monitor uplink availability, you configure the latency of the uplink (timeout) and the loss observed (threshold). Path selection uses ICMP pings to monitor the uplink state dynamically, on a regular schedule (the default is 2 seconds). If the ping responses do not make it back within the probe timeout period, the probe is considered lost. If the system loses the number of consecutive probes defined by the probe threshold, it considers the uplink to be down and triggers an alarm, indicating that the uplink is unavailable.
If one uplink fails, the appliance directs traffic through another available uplink. When the original uplink comes back up, the appliance redirects the traffic back to it.
You can configure up to 1024 direct uplinks.
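The timeout and threshold settings together define a small state machine: an uplink goes down after `threshold` consecutive probes are lost (no reply within `timeout` seconds), and the same threshold count of good probes brings it back, after which traffic fails back to the preferred uplink. The Python below is an added example (not RiOS code and not part of the original page) that models that behaviour with the defaults from the probe settings table, 2 seconds and 3 probes, and runs it over constructed probe traces for two uplinks named MPLS1 and Internet1. The traces, uplink names, and preference order are assumptions for illustration.

```python
"""Model of path-selection uplink probing (added example, not RiOS code).

An uplink is declared down after `threshold` consecutive lost probes
(a probe is lost when no reply arrives within `timeout` seconds) and is
declared up again after `threshold` consecutive good probes. Traffic
goes to the first available uplink in preference order, which gives
both failover and fail-back. Probe results are constructed, not sent.
"""
from typing import Dict, List, Optional, Tuple


class UplinkMonitor:
    def __init__(self, name: str, timeout: float = 2.0, threshold: int = 3):
        self.name = name
        self.timeout = timeout      # seconds; default from the probe settings
        self.threshold = threshold  # consecutive probes; default from the probe settings
        self.up = True
        self._fail_run = 0
        self._ok_run = 0

    def observe(self, rtt: Optional[float]) -> bool:
        """Feed one probe result (RTT in seconds, or None for no reply).

        Returns the uplink state after this probe. A late reply counts as
        a lost probe, exactly like a missing one.
        """
        lost = rtt is None or rtt > self.timeout
        if lost:
            self._fail_run += 1
            self._ok_run = 0
            if self.up and self._fail_run >= self.threshold:
                self.up = False      # Path Selection Path Down alarm would fire here
        else:
            self._ok_run += 1
            self._fail_run = 0
            if not self.up and self._ok_run >= self.threshold:
                self.up = True       # alarm clears; traffic fails back
        return self.up


def select_uplink(preference: List[UplinkMonitor]) -> Optional[str]:
    """First available uplink in preference order, or None if all are down."""
    for uplink in preference:
        if uplink.up:
            return uplink.name
    return None


def simulate(
    probes_by_uplink: Dict[str, List[Optional[float]]],
    preference: List[str],
    timeout: float = 2.0,
    threshold: int = 3,
) -> Tuple[List[Optional[str]], List[Tuple[str, str, int]]]:
    """Run the probe traces in lock-step, one round per probe interval.

    Returns the uplink chosen after each round and the (transition, uplink,
    round) events, so the failover and fail-back points are visible.
    """
    monitors = {n: UplinkMonitor(n, timeout, threshold) for n in probes_by_uplink}
    order = [monitors[n] for n in preference]
    chosen: List[Optional[str]] = []
    events: List[Tuple[str, str, int]] = []
    rounds = max(len(trace) for trace in probes_by_uplink.values())
    for i in range(rounds):
        for name, trace in probes_by_uplink.items():
            monitor = monitors[name]
            before = monitor.up
            if i < len(trace):
                monitor.observe(trace[i])
            if monitor.up != before:
                events.append(("up" if monitor.up else "down", name, i))
        chosen.append(select_uplink(order))
    return chosen, events


# Constructed traces: MPLS1 loses two probes, gets one late reply (2.5 s
# exceeds the 2 s timeout, so it is the third consecutive loss), drops a
# fourth, then recovers; Internet1 answers every probe.
SAMPLE_PROBES: Dict[str, List[Optional[float]]] = {
    "MPLS1": [0.03, 0.04, None, None, 2.5, None, 0.05, 0.04, 0.03, 0.03],
    "Internet1": [0.08] * 10,
}

if __name__ == "__main__":
    chosen, events = simulate(SAMPLE_PROBES, ["MPLS1", "Internet1"])
    for rnd, name in enumerate(chosen):
        print(f"round {rnd}: traffic via {name}")
    print(events)
```

With the defaults, MPLS1 carries traffic for rounds 0 to 3, is declared down in round 4 (third consecutive loss, the late 2.5 s reply counting as lost), Internet1 carries rounds 4 to 7, and MPLS1 is declared up again in round 8 after three good probes. Note the asymmetry a practitioner should expect: two lost probes in a row, or one late reply, never trigger the alarm, so a flapping link can sit just under the threshold indefinitely without any alarm.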
Defining tunneled uplinks
RiOS includes a tunnel mode to provide IPv4 generic routing encapsulation (GRE) for direct uplinks. Direct uplinks using GRE become direct tunneled uplinks. You must create direct tunneled uplinks to steer traffic over any uplink that traverses a stateful firewall between the server-side SteelHead and the client-side appliance.
Without GRE, traffic attempting to switch midstream to an uplink that traverses a stateful firewall might be blocked. The firewall needs to track the TCP connection state and sequence numbers for security reasons. Because the firewall has not logged the initial connection handshake, and has partial or no packet sequence numbers, it blocks the attempt to switch to the secondary uplink and might drop these packets. To traverse the firewall, path selection can encapsulate that traffic into a GRE tunnel. The most common examples of midstream uplink switching occur when:
•  a high-priority uplink fails over to a secondary uplink that traverses a firewall.
•  a previously unavailable uplink recovers and resumes sending traffic to a firewalled uplink.
•  path selection is using the Application File Engine (AFE) to identify the traffic and does not yet recognize the first packets of a connection before traversing a default uplink.
The GRE tunnel starts with a SteelHead and ends at the remote appliance. Both appliances must be running RiOS 8.6.x or later. The tunnel configuration is local. The remote IP address must be a remote appliance in-path interface and the remote appliance must have path selection enabled. ICMP responses from the remote appliance use the same tunnel from which the ping is received. The remote appliance must also have GRE tunnel mode enabled if you want return traffic to go through a GRE tunnel as well. GRE provides encapsulation only, not confidentiality or integrity; to encrypt path-selected traffic between appliances, define the network as secure and use the secure transport service (see Defining a network).
To add an uplink
1. Choose Networking > Topology: Sites & Networks to display the Sites & Networks page.
2. To add an uplink to a new site, under Sites, click +Add a Site. To add an uplink to an existing site, click Edit Site next to the site name.
3. Under Uplinks, click +Add New Uplink.
4. Specify the uplink name: for example, MPLS1. Each uplink must have a unique interface, gateway and probe DSCP setting. A topology does not allow duplicate uplinks.
5. Select a network from the drop-down list.
6. Specify a Gateway IP address.
7. Specify an in-path interface.
8. Click GRE Tunneling to provide IPv4 generic routing encapsulation (GRE) for direct uplinks. Direct uplinks using GRE become direct tunneled uplinks. You must create direct tunneled uplinks to steer traffic over any uplink that traverses a stateful firewall between the server-side SteelHead and the client-side appliance.
Without GRE, traffic attempting to switch midstream to an uplink that traverses a stateful firewall might be blocked. The firewall needs to track the TCP connection state and sequence numbers for security reasons. Because the firewall has not logged the initial connection handshake, and has partial or no packet sequence numbers, it blocks the attempt to switch to the secondary uplink and might drop these packets. To traverse the firewall, path selection can encapsulate that traffic into a GRE tunnel.
For details on firewalled path selection deployments, see the SteelHead Deployment Guide.
9. Specify the up and down bandwidth in kilobits per second. RiOS uses the bandwidth to precompute the end-to-end bandwidth for QoS. The appliance automatically sets the bandwidth for the default site to this value.
The uplink rate is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the router or switch. As an example, if your appliance connects to a router with a 100 Mbps link, do not specify this value; specify the actual WAN bandwidth (for example, T1 or T3).
Different WAN interfaces can have different WAN bandwidths; you must enter the bandwidth link rate correctly for QoS to function properly.
10. Click the right-arrow and specify the probe settings as described in this table.
Control
Description
Outbound DSCP
Select the DSCP marking for the ping packet. You must select this option if the service providers are applying QoS metrics based on DSCP marking and each provider is using a different type of metric. Path selection-based DSCP marking can also be used in conjunction with PBR on an upstream router to support Path Selection in cases where the appliance is more than a single L3 hop away from the edge router.
The default marking is preserve. Preserve specifies that the DSCP level or IP ToS value found on pass-through and optimized traffic is unchanged when it passes through the appliance.
Timeout
Specify how much time, in seconds, elapses before the system considers the uplink to be unavailable. The default value is 2 seconds.
RiOS uses ICMP pings to probe the uplinks. If the ping responses do not make it back within this timeout setting and the system loses the number of packets defined by the threshold value, it considers the uplink to be down and triggers the Path Selection Path Down alarm.
Threshold
Specify how many timed-out probes to count before the system considers the uplink to be unavailable and triggers the Path Down alarm. The default is 3 failed successive packets.
This value also determines how many probes the system must receive to consider the uplink to be available.
RiOS uses ICMP pings to monitor uplink availability. If the ping responses do not make it back within the probe timeout and the system loses the number of packets defined by this threshold, it considers the uplink to be down and triggers the Path Selection Path Down alarm.
11. Click Save.
The sites appear in a table.
The default site matches all of the traffic that does not match another site.
To edit a site, click Edit Site next to a site name, modify the definition, and click Save.