Interceptor Network Services
  
Interceptor Network Services
This chapter explains the network services capability when SteelHeads are deployed in an Interceptor cluster. Interceptor clusters allow you to scale the number of SteelHeads deployed for optimization. When coupled with network services, Interceptor clusters provide the ability to redirect optimized and pass-through traffic for centralized visibility and control. You can choose to select the path for optimized and pass-through traffic, redirect all or some traffic for visibility, and apply the QoS marking for optimized and pass-through traffic.
This chapter includes the following sections:
•  Overview of Interceptor network services
•  Interceptor network services use cases
•  Feature compatibility, requirements, and limitations
•  Interceptor network services concepts
•  Deploying Interceptor network services
•  Quad cluster Interceptor network services example
You must be familiar with the path selection sections in the SteelHead Interceptor User’s Guide, the SteelHead Deployment Guide - Protocols and the SteelCentral Controller for SteelHead Deployment Guide. These guides provide a thorough foundation for path selection.
Overview of Interceptor network services
The Interceptor network services feature extends the path selection feature when SteelHeads are deployed in an Interceptor cluster. The key to understanding this feature is that the SteelHead is no longer deployed physically in-path in an Interceptor cluster. This deployment means you must explicitly configure the SteelHead-to-Interceptor in-path interfaces that can reach the gateway IP address in its uplink configuration. Figure: Interceptor cluster deployed in-path shows a serial Interceptor cluster that is deployed in-path and connecting to two WAN edge routers.
Figure: Interceptor cluster deployed in-path
Figure: Interceptor cluster deployed in-path shows Interceptor inpath0_0 interfaces connect to the MPLS WAN edge router and inpath0_1 interfaces connect to the INET WAN edge router. The switch is configured as a Layer-3 device and is the gateway for any hosts at the site.
The SteelHead is configured with two uplinks in the site configuration: one uplink to reach the network called MPLS connected to the MPLS WAN edge router and the other uplink to reach the network called INET connected to the INET WAN edge router.
After the Interceptor and SteelHead have the standard connection forwarding configuration applied and path selection is enabled, then the SteelHead requires a configured path selection channel to properly select the path for optimized and pass-through traffic. The SCC simplifies this process by pushing out the configuration necessary to all the devices in the cluster. Path selection channel is how the SteelHead ties an Interceptor in-path interface to the gateway IP address in the uplink for the network.
Figure: Uplinks shows the uplinks configured on the SteelHead. MPLS_Uplink1 uses a gateway of 172.16.191.1 and Internet_Uplink1 uses a gateway of 172.16.192.1.
Figure: Uplinks
The SteelHead is a Layer-3 hop away from the gateway IP addresses configured in the uplink and therefore cannot guarantee that traffic is sent to the selected path. The path selection channel ties the gateway IP address in the uplink to the Interceptor in-path interface.
Figure: Channel settings shows the path selection channels configured on the SteelHead. The channels are pushed from the SCC to the appliances in the cluster automatically.
Figure: Channel settings
The SteelHead has two possible path selection channels to reach the gateway IP address through two Interceptor in-path interfaces. Only one of the path selection channels is active. The active channel is determined randomly. The SteelHeads in the cluster are not required to use the same path selection channel.
Note: We recommend that you use the SCC to automatically configure cluster and cluster channels.
The Interceptors in the cluster already redirect optimized TCP connections to the SteelHead. To redirect other types of IPv4 traffic, the Interceptor uses a Network Services Table that you configure. This table acts much like load-balancing rules for optimized traffic with one notable exception: Traffic is bidirectional so the source or destination is not important; merely the two subnets and/or ports are used.
Choose Networking > Network Services: Network Services Table to display the Network Services Table. For more information, see the SteelHead Interceptor User’s Guide.
Interceptor network services use cases
The Interceptor network services feature allows you to redirect all or some of the IPv4 traffic (UDP, optimized TCP, pass-through TCP, and preexisting connections) to the SteelHeads in the cluster. This redirection allows you to enable SteelFlow or NetFlow export for the traffic on the SteelHead. You can use QoS marking rules or path selection rules to set the DSCP marking on the SteelHead. You can also select the path based on the path selection policy on the SteelHead. These configurations provide key capabilities with the Interceptor network services feature, namely visibility through flow export and control through path selection and QoS marking. A path selection rule does not have to select a path for flow export to be applied. For example, the SteelHead can report flows with a path selection action to relay the traffic onto the same path through the same Interceptor in-path interface that originally redirected traffic for the connection.
This feature creates the following general use cases. The Interceptors:
•  redirect IPv4 optimized and pass-through traffic and the SteelHeads use the configured path selection rules to select a path or relay.
•  in the cluster redirect all or some of the traffic for SteelHeads to report on through flow Export.
•  redirect all or some of the traffic to the SteelHeads to set the DSCP marking.
These use cases are not mutually exclusive, meaning that you can configure some or all the use cases.
Feature compatibility, requirements, and limitations
Interceptor path selection is compatible with a single Interceptor or all of the cluster types: serial, parallel, and quad. You can place the SteelHeads on the WAN side or LAN side of the Interceptors. The Interceptors in the cluster can redirect IPv4 traffic of the following types:
•  Optimized TCP
•  Pass-through TCP
•  Preexisting TCP connections (in that, those connections started before the Interceptor and SteelHead services were started)
•  UDP traffic
Interceptor path selection needs the following requirements:
•  Interceptor 5.0 or later and RiOS 9.1 or later
•  Path selection channels configures on the SteelHeads
•  Multi-interface selected in the connection forwarding settings
•  Interceptor configured for fair peering v2
•  Path selection enabled on Interceptors and SteelHeads in the cluster
•  Accurate subnets defined in the local site on the SteelHeads
•  Interceptor Layer-2 adjacent to the WAN edge routers
•  WAN routers sending packets out onto the WAN and not ricochet WAN-bound packets back through the LAN
Note: If an Interceptor is configured for path selection and a SteelHead in the cluster is not, then the SteelHead does not connect to the Interceptor and is not part of the cluster.
Path selection has the following limitations:
•  Interceptors cannot be deployed virtually in-path (in that, WCCP, PBR). They must be deployed physically in-path.
•  You can only configure path selection for IPv4 traffic.
•  Fragments arriving to the Interceptor are bypassed from path selection. This limitation does not apply to any fragments caused by the redirection process.
•  Etherchannels connected to the Interceptor are not qualified for use with the Interceptor path selection feature.
•  Xbridge is not compatible.
•  VLAN segregation is not compatible.
•  Pass-through connection blocking rules on the Interceptor are not compatible.
•  Hardware assisted pass-through traffic is not processed by the Interceptor path selection feature.
•  Packet-mode optimization on the SteelHeads is not qualified.
•  Path selection firewall traversal is not compatible.
•  Path selection with secure transport is not compatible.
Interceptor network services concepts
The following concepts provide further information on the Interceptor path selection feature:
•  Load balancing of redirected connections for network services
•  Interceptor cluster state
•  Packet size
•  Packet processing enhancement
•  Rule processing
•  Packet flow
Load balancing of redirected connections for network services
The Interceptors in the cluster are required to use fair peering v2 for optimized connections in the cluster. This mechanism remains in place and does not change with the use of Interceptor path selection.
For more information about fair peering v2, see SteelHead selection.
Interceptors in the cluster use a different logic for pass-through traffic when selecting a SteelHead. First, larger SteelHeads receive more traffic than smaller SteelHeads in the cluster. The Interceptors use a mechanism to distribute the load similar to a WCCP hash. SteelHeads in the cluster that are capable of handling more optimized TCP connections are the key factor that the Interceptors use when calculating the distribution.
Second, the Interceptors attempt to keep traffic for a TCP connection on the same SteelHead. The main purpose is to ensure a single SteelHead processes all the packets for a TCP connection to make sure the SteelHead can use deep packet inspection (DPI) for any path selection rules to detect the application.
Note: Preexisting TCP connections or UDP traffic is not guaranteed to be redirected to the same SteelHead.
Pressure monitoring for WAN optimization operates as normal. There is no new pressure monitoring for path selection, but the Interceptor does consider the current pressure of the SteelHead when calculating the distribution of pass-through TCP connections and UDP traffic. If a SteelHead is in high pressure, then the Interceptors consider that SteelHead at 50 percent of its normal operating capacity and adjust the distribution accordingly. If the SteelHead is in severe pressure, then no new pass-through TCP connections or UDP traffic are redirected to that SteelHead.
Interceptor cluster state
The Interceptors in a cluster communicate with each other to maintain a consistent status of connections. This state is considered to be the steady state during normal operation. When an Interceptor has gone down, the cluster is in a nonsteady state.
The nonsteady state is temporary but crucial to consider for path selection decisions. When the cluster is in a temporary nonsteady state, pass-through TCP connections use only header-based rules for path selection decisions. Header-based rules refers to matching traffic using the IP and TCP header information rather than application identification through deep packet inspection (DPI).
An important point is that Interceptor path selection differs from WAN optimization with the use of the allow-failure setting. The allow-failure setting instructs Interceptors in the cluster whether they should or should not redirect new connections when one of the parallel Interceptor peers (or pair of failover Interceptor peers) is down. Interceptor path selection ignores this setting for pass-through traffic. When a parallel Interceptor peer is down, the remaining Interceptors bypass any new pass-through TCP connection and UDP traffic. If availability is required when an Interceptor in the cluster fails, then consider deploying a quad cluster.
Note: In a cluster with a failover peer, and a failover peer is coming operational, the Interceptor bypasses traffic for up to one minute or until the failover peers establish connectivity, whichever is sooner.
Packet size
The Interceptor and SteelHeads apply an additional packet header when redirecting connections. As such, the Interceptor and SteelHead adjust the TCP MSS field in SYN and SYN/ACK packets to lower the overall size of the data field in order to avoid fragmentation. Also for connections that require fragmentation during redirection to the SteelHead, the Interceptor periodically send out fragmentation-needed messages to the local host to instruct the host to reduce the size of packets to accommodate the additional header. If neither of these mechanisms work, then the Interceptor can fragment packets when redirecting to the SteelHead. This redirection provides a fail-safe in case the TCP MSS or fragmentation-needed messages are not honored.
Packet processing enhancement
Interceptors leverage Xbridge in 10G environments to scale to higher throughput, but you must disable Xbridge to use Interceptor network services.
Interceptor 5.5 and later enable the Interceptor to scale to higher throughput environments by more intelligently steering packets to the CPU cores.
You enable the higher throughput by using the CLI command rps enable. You do not need a service restart.
Important: If Path Selection is enabled, you must use the rps enable command on each Interceptor and on each SteelHead in the cluster.
For more information on throughput and applicability, contact your account team.
Rule processing
The order of rule processing remains the same for connections that are optimized. In-path rules on the Interceptor are used to intercept SYN packets on the LAN interface for optimization and load-balance rules select a SteelHead. Load-balance rules also apply to TCP autodiscovery packets on the WAN interface. If the connection is passed through or preexisting, then the Network Services Table is consulted.
Figure: Workflow of rule processing shows how rules are processed when path selection is configured.
Figure: Workflow of rule processing
Packet flow
Overall the packet flow for optimized connections remains very similar to normal configuration with the notable exception when the SteelHead is selecting a new path for traffic to be delivered over the WAN. The SteelHead encapsulates the optimized WAN traffic with a new GRE-like header to direct the traffic to the specific Interceptor in-path interface to reach the desired gateway IP address.
The packet flow for pass-through traffic requires the SteelHead to choose between the following actions:
•  Select a path and encapsulate a packet to the Interceptor in-path interface adjacent to the WAN edge router - This action applies to WAN-directed traffic and is the same for traffic configured with path selection optimized TCP connections.
•  Relay - When the SteelHead relays traffic, it simply encapsulates the entire Layer-2 frame and marks it with the relay action. The Interceptor has to put the frame out on the network. The relay action applies in both directions: WAN bound and LAN bound for pass-through traffic.
Deploying Interceptor network services
The Interceptor network services feature requires that all the Interceptors in the cluster have the same configuration including the connection forwarding configuration. To minimize the number of service restarts required, We recommend the following workflow to enable Interceptor path selection:
1. Configure connection forwarding on both Interceptors and SteelHeads with multi-interface support enabled.
2. Enable fair-peering v2 under load-balancing rules, and restart service on the Interceptors.
Make sure to select Enable Pressure Monitoring if is not selected.
3. Configure the connection forwarding neighbors: all SteelHeads on the Interceptors, all Interceptor peers on the Interceptors, and all Interceptors on the SteelHeads. Restart services on the SteelHeads.
4. Enable path selection on all Interceptors in the cluster.
5. Restart service on all above Interceptors. Following the restart, all Interceptors that have SteelHead neighbors configured have an alarm indicating that the neighbor SteelHead is disconnected because it does not have path selection enabled.
6. Enable path selection on the SteelHead neighbors. This action clears the alarm on the Interceptors and the SteelHeads reconnect to the Interceptors.
7. Configure path selection channels on the SteelHead.
You can manually configure the path selection channels on each SteelHead in the cluster. There must be at least one path selection channel configured for every uplink. If you manually configure the channels, we recommend that you leave the time-out and threshold for any path selection channel at their default values. If there are two path selection channels through the same network to a remote peer, the default time-out and threshold detect whether a path selection channel becomes unavailable, leaving adequate time before declaring a remote peer unreachable through a given network.
We recommend that you use the SCC to push out all the network services configuration to the Interceptors and SteelHeads in the cluster.
Interceptor network services is one component in overall network services configuration. You must configure the rest of the components of the path selection feature such as the topology (including the sites and networks), applications, and path selection rules. In particular, the uplinks use a gateway IP address that is Layer-2 adjacent to an Interceptor in-path IP address. Knowing the gateway IP address and the Interceptor in-path IP address is necessary.
Remember that after the Interceptor network services is available, you define the Network Services Table for all pass-through TCP and UDP traffic. We recommend configuring the same Network Services Table rules on all Interceptors in the cluster, but the rules do not have to be the same for the target SteelHeads.
Quad cluster Interceptor network services example
Depending on the network topology, you can deploy SteelHeads in an Interceptor cluster to use many uplinks in an Interceptor cluster. The reason is because the path selection channels can connect a SteelHead to any Interceptor in-path interface in the cluster. Figure: Interceptor quad cluster example shows a quad Interceptor cluster.
Figure: Interceptor quad cluster example
In this topology, the SteelHead in the cluster has two uplinks to the MPLS network: one through the serial Interceptor pair of Interceptor1 and Interceptor2, and another through the serial Interceptor pair of Interceptor3 and Interceptor4. Likewise, the SteelHead has two uplinks to reach the INET network.
In total there are four uplinks configured on the SteelHead. There is a total of eight path selection channels to configure on the SteelHead, as each uplink has two Interceptor in-path interfaces it can use.
Note: The SCC automates the creation of path selection channels on the SteelHead.
When you configure a path selection rule, the SteelHead can have a maximum of three different uplinks with a final action to relay.
In this example (Figure: Path selection channels), as there are four actions to take for traffic, the SteelHead can use MPLS_Uplink1, MPLS_Uplink2, and Internet_Uplink1 in a path selection rule followed by the implicit action that Internet_Uplink2 is used for the relay action provided the routing topology does reconverge to use the final path.
Figure: Path selection channels