- Out-channel sessions (between client SH and server SH): a 1-to-1 optimized flow is always enforced between the requestor and the receiver
Data Streamlining
- Data reduction
  o Eliminate redundant data on the WAN
- Compression
  o LZ
- QoS
- Disaster Recovery Intelligence
  o Optimize reads, writes, and segment handling for massive loads
SDR (Scalable Data Referencing)
- Overcomes bandwidth limitations
- The SH closest to the server looks at the payload, which is broken into chunks (data references) and stored on the hard drive
- The remote SH (closest to the client) reconstructs the data and delivers it to the client
- 16-byte references communicate MB of existing data (128-byte average chunk size)
- LZ technology to compress data
- Eviction
  o Default model is LRU (Least Recently Used)
  o FIFO is configurable
- SDR flavors:
  o Default: disk-based / excellent BW reduction (using disk + RAM)
  o SDR-Adaptive: blended data store/compression model (I/O response time as well as other parameters are monitored)
    - Does not use disk writes, only the memory method
    - Can switch between using the disk and not using the disk
  o SDR-M: RAM-based data store
    - Turns off the disk and uses only the RAM
    - Excellent LAN-side throughput
TCP Optimization & Virtual Window Expansion (VWE)
- The payload contains data references instead of standard data (from 100 KB+ to a virtual 1 MB+)

Transport Streamlining
- SSL Acceleration
  o End-to-end acceleration of secure traffic
  o Maintains the preferred trust model
- Advanced TCP Acceleration
  o Fill the pipe
  o Works with clean or lossy links (HS-TCP & MX-TCP)
- Connection pooling
  o 2 SHs establish 20 TCP connections between each other, thus avoiding the 3-way handshake between SHs
  o Eliminates 50% of the overhead for small, short-lived connections
- Adaptive congestion windows
  o Adapt transfer parameters (TCP windowing) based on network characteristics
- Limited and fast retransmits
  o Ensure priority handling for packet resends
Application Streamlining
- Transaction Prediction (the Steelhead is able to complete the transaction locally at the application layer)
- Applications supported:
  o CIFS (Windows file sharing / CIFS-based applications)
    - Read-ahead
    - Write-behind
    - Dynamic prediction: uses a Markov model
    - Stat avoidance
    - App streamlining is disabled automatically (keeps SDR/LZ only) if SMB signing is enabled
    - Overlapping Open Optimization (only when Oplock is available)
    - Does not optimize .ldb, .mdb
    - All access to files MUST go through a Steelhead
  o NFS (Unix file sharing / NFS-based applications)
    - V3 only
    - Read-ahead & read caching
    - Write-behind
    - Converts multiple requests into one larger request
  o MAPI (Microsoft Exchange)
    - Read-ahead / write-behind on attachments
    - Read-ahead / write-behind on large emails
    - If user authentication is too high, falls back to SDR+LZ+TCP
    - Pre-population
      - Virtual client (behaves like a client PC that is kept on)
      - Keeps reading e-mails until timeout (96 hours default)
      - No one is ever reconnected to this session
      - Can configure the frequency to check mail (default 20 minutes)
  o HTTP / HTTPS (web apps / secure web)
    - The client Steelhead has knowledge of the objects of the page
    - The client SH pulls down the data and keeps it locally before the client requests it
  o Lotus Notes
  o Oracle (Oracle 11i traffic in socket (native) mode)
  o MS-SQL (DB-driven applications)
    - Off by default
    - Ability to perform pre-fetching and synthetic pre-acknowledgment of queries
    - TDS 7 and 8 (Tabular Data Stream)
Auto-Discovery
- SHs find each other in the initial TCP 3-way handshake when a client tries to reach a server
- Handshake:
  o Client sends SYN
  o The SYN is marked with 0x4c (76 decimal) in the TCP options field by the client SH (SYN+)
  o SYN+ is seen by the remote Steelhead
  o Inner channel TCP session is established (the server SH sends back SYN/ACK+ including the in-path IP of the server SH, and in parallel forwards the SYN to the server)
  o C-SH responds to the customer (client) with SYN/ACK
  o The 3-way handshake is completed with the server, then with the client

Enhanced Auto-Discovery (4.X and later)
- Simplifies deployments for complex environments
  o Automatically finds and optimizes between the most distant Steelhead pair
  o Off by default
  o Supports an unlimited number of SHs in transit between C-SH and S-SH
- Improves performance
  o Finds the optimal Steelhead pairing for maximum optimization
  o Also called auto-peering
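As an added illustration of the probe marking described above (example code written for these notes, not Riverbed's own), a small Python routine walks the option list of a raw TCP header and reports whether a SYN carries option kind 76 (0x4c), which is how a monitoring tool would spot auto-discovery probes on the wire. The packet bytes are constructed here; only the presence of the option is checked, its payload layout is not modeled.

```python
import struct

PROBE_OPTION_KIND = 0x4C  # 76 decimal: the auto-discovery marker from the notes


def parse_tcp_options(tcp_header: bytes):
    """Return a list of (kind, data) tuples from the options area of a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4        # header length in bytes
    opts = tcp_header[20:data_offset]
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # End of option list
            break
        if kind == 1:                               # NOP, single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def is_probe_syn(tcp_header: bytes) -> bool:
    """True when the segment is a SYN (no ACK) carrying TCP option kind 76."""
    flags = tcp_header[13]
    syn, ack = flags & 0x02, flags & 0x10
    if not syn or ack:
        return False
    return any(kind == PROBE_OPTION_KIND for kind, _ in parse_tcp_options(tcp_header))


def build_syn(options: bytes, sport: int = 40000, dport: int = 445) -> bytes:
    """Constructed sample: a minimal SYN header with the given options (zero-padded to 4 bytes)."""
    while len(options) % 4:
        options += b"\x00"
    data_offset = (20 + len(options)) // 4
    # src port, dst port, seq, ack, offset<<4, flags (SYN), window, checksum (unset), urgent ptr
    base = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return base + options


# Constructed option lists: MSS only, and MSS plus a kind-76 option with a placeholder payload
PLAIN_OPTS = b"\x02\x04\x05\xb4"                   # MSS 1460
PROBE_OPTS = PLAIN_OPTS + bytes([PROBE_OPTION_KIND, 6]) + b"\x01\x02\x03\x04"
```

A capture filter that keys on this option kind in SYNs gives the same visibility as the Connected Appliances report, but from outside the appliance.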
In-Path rules
- Determine how traffic should be optimized
- Types of rules:
  o Pass-through (do not optimize)
  o Auto-discovery (define traffic for auto-discovery (optimize))
  o Fixed-Target (manually define the traffic and the SH to optimize with)
  o Discard (packets are silently dropped)
  o Deny (connection is reset)
- Rules are processed top-down until there is a match
- Rules are only inspected for traffic coming from LAN to WAN
- Auto-discovery and fixed-target rules can be specified as:
  o Normal (perform LZ compression and SDR)
  o SDR-only (only SDR, no LZ compression)
  o Compression-only (only LZ compression, no SDR)
  o None
Riverbed ports
- 7800: In-path port (auto-discovery, 0x4c)
- 7810: Out-of-path (SSOOP)
- 7820: Failover (serial cluster)
- 7830: MAPI Exchange 2003
- 7840: Exchange Director NSPI
- 7850: TCP Connection Forwarding
- 7860: Interceptor appliance
- 7870: Steelhead Mobile
Peering rules
- Act on probes
- Used to configure how the SH should respond to auto-discovery probes (marked SYNs)
- Inspect packets coming from either the WAN or the LAN port
- Types:
  o Auto: automatically determine the best response
  o Accept: accept peering requests that match the rule
  o Pass: pass through peering requests that match the rule
System states
- Healthy: no problems
- Admission Control: the number of SH connections has been exceeded
- Degraded: the appliance is optimizing, but not necessarily optimally
- Critical: may not be optimizing / identifies an issue that requires investigation

Data Store synchronization
- In an HA environment, DS synchronization warms the DS from the master to the standby appliance (using port 7744)
- Takes place over the PRIMARY or AUX interfaces
- Active/Active synchronization is supported: each appliance acts as master for some traffic as well as standby for the other appliance
- Failover is not required for DS Sync
- Requirements:
  o Same (major) revision of RiOS
  o Same model
  o LAN connection between the two devices (RTT between them should be less than 10 ms)

Hardware
- 250/550: 1 in-path (single LAN & WAN)
- 1050/2050:
  o 2 in-path (2 LAN & WAN) (max 4 in-path)
  o 2 power supplies
  o 2 PCI-e expansion ports
- 5050/6050:
  o 2 in-path (2 LAN & WAN) (max 10 in-path)
  o 2 power supplies
  o 5 PCI-e expansion ports
- The Primary port is used for OOP deployment
- The WAN interface is used for logical in-path (WCCP & PBR) deployments
- Primary and Aux cannot be in the same subnet
- Primary and In-path can be in the same subnet
Physical In-path deployment
- Acts like an end-point device
- The jump-start wizard is enough if ALL of the following are true:
  o A single in-path interface is being used (in-path0_0)
  o There is a layer 2 network on our LAN side (single subnet)
  o We are not on an 802.1Q VLAN trunk
  o Physical in-path deployment (not PBR or WCCP)
In-path with L3 LAN segment
- Packet ricochet can be avoided by:
  o Configuring static routing
  o Simplified routing
In-path with multiple VLANs
- One in-path interface for each VLAN
Visibility modes
- Correct addressing: uses the src and dst addresses of the SHs between those devices
  o Dest port 7800
- Correct addressing with port transparency: spoofs the port number (the dst port number stays the same)
- Full transparency: keeps the IP addresses and port numbers end to end
- The visibility mode is configured in the in-path rules (there may be one type of visibility mode for each protocol)
Logical in-path deployment
- Uses the WAN interface to connect
- Web Cache Communication Protocol (WCCP) v2 basics:
  o Cisco proprietary; used to redirect traffic by:
    - L2: rewriting the MAC
    - L3: GRE tunnel
    - Both of the above
  o Interesting traffic is defined by an ACL and applied to specific interfaces using service groups:
    - 61: client side
    - 62: server side
  o The WAN0_0 port on the SH is the only port that supports optimization with WCCP on RiOS 5.5
  o Redirect in vs. redirect out
  o Try to Layer 2 connect the SH to the router/switch
- Policy Based Routing (PBR)
  o When an in-path configuration is not an option
  o Traffic that matches an ACL is sent to the SH for optimization
  o Check RiOS
  o Black-holed if the SH fails: traffic won't be redirected
- L4 Redirect
- Interceptor
Server-side Out-of-Path (SSOOP)
- Server side only
- Use a fixed-target rule to point the traffic to a SH
- Uses the primary interface connected to the LAN switch
- OOP support needs to be enabled in the GUI

Hybrid Mode Deployment
- Combination of in-path and out-of-path
- Used for mobile SH
- Traffic is NATted from the primary interface to the destination
- Enables both modes
- Needs L4/PBR/WCCP enabled
Failover (High availability)
- Serial In-Path
  o Failover operates on port 7820
  o Optimization > General service settings: IP address of the backup in-path interface
- Parallel In-Path
  o Use Connection Forwarding (CF) for asymmetric flows: Configure > Networking > Connection forwarding (enable)
  o Asymmetric server-to-WAN traffic is passed back over the LAN
  o Tunnelled between SHs on port 7850
  o Routing will not fail over when optimization fails, unless using the fail-to-block feature
  o The optimization device is determined by routing
- Link State Propagation
  o Enables the INC or SH to disable the physical link status on the LAN or WAN port of an in-path interface when the other port of the pair loses link status
Troubleshooting
- Interface counters
- #show peers (CLI)
- Reports > Optimization > Connected Appliances
- Reports > Network > Current Connections
- Configure > Networking > Asymmetric Routing
- Asymmetric Routing
  o A connection is passed through if it is contained in the asymmetric routing table
  o The entry stays in the AR table for a default of 24 hours
  o For SYN retransmissions, it'll stay in the AR table for 5 seconds
Authentication and Authorization
- The SH can use a RADIUS or TACACS+ system for logging in administrative and monitor users
- Methods for user authentication:
  o Local (default accounts are admin (super user) and monitor (view only))
HS-TCP
- Decreases the TCP window by 15% when a collision is detected, instead of the 50% of standard TCP
- Configure > Optimization > Performance

MX-TCP (4.0 and higher)
- Uses 100% of its allocated bandwidth with no slowdown due to loss
- Granular control: enabled per QoS class
- Uses the QoS per-class bandwidth limits to set the sending rate
- Available on all models
QoS Functionality
- 5 priority classes:
  o Real-Time
  o Interactive
  o Business critical
  o Normal (default)
  o Low priority

Encrypted Data Store
- Data is encrypted on the data store with AES 128, 192 or 256-bit
- Keys are stored in an encrypted key vault
- Data is optimized with no performance hit with 128-bit enabled
- Don't need to encrypt on both sides
PFS (Proxy File Services)
- Ability to create a Windows file share on SH appliances
- Primary objective:
  o Allow for disconnected operation: the capability to continue to serve files even in the event of a WAN outage
- Secondary objectives:
  o Provide a local file server in branch offices that would like to use it (non-disconnected operation)
  o Provide temporary on-site storage for use by administrators for updates
- PFS uses the same data partition (disk) as RSP
RSP (Riverbed Services Platform)
- Ability to run a VMware server
- Allows running a firewall in the data path
- SDR has a dedicated partition on the disk
IPSec
- Encryption can be configured between Steelheads
- IPSec DES and Null are supported without the Strong Encryption license
- 3DES and AES are supported with the Strong Encryption license
- Optimized traffic only (not pass-through)
- Uses shared secret passwords
- No NAT between Steelheads when using IPSec
- Only IPSec transport mode (encrypts just the payload) is supported, not tunnel mode (encrypts the whole packet including the header)
Additional information
- WCCP redirect support by version:
  o V1: port 80
  o V2: all types of traffic
- HFSC (Hierarchical Fair Service Curve) QoS algorithm
  o Default mode is FLAT
- LAN initiated: 1 conn / WAN initiated: 0 conn
- RiOS: Riverbed Optimization System
- NetFlow v5
- DSCP 46: reflect the value received
- Open Virtual Appliance: packaging/distribution format for the Virtual SH app
- Transaction Acceleration (TA) = SDR + VWE + TP (Transaction Prediction)