
General knowledge

- Inner-channel sessions (between Steelheads)
- Outer-channel sessions (between the client and the client-side SH, and between the server-side SH and the server)
- A 1-to-1 optimized flow is always enforced between the requestor and the receiver


Data Streamlining
- Data reduction
o Eliminate redundant data on the WAN
- Compression
o LZ
- QoS
- Disaster Recovery Intelligence
o Optimize reads, writes, and segment handling for massive loads

SDR: Scalable Data Referencing
- Overcomes bandwidth limitations
- The SH closest to the server inspects the payload, breaks it into chunks (data references) and stores them on its hard drive
- The remote SH (closest to the client) reconstructs the data and delivers it to the client
- 16-byte references stand in for MB of data already seen (128-byte average chunk size)
- LZ technology compresses the remaining data
- Eviction
o Default model is LRU (Least Recently Used)
o FIFO is configurable
- SDR flavors:
o Default: disk-based / excellent BW reduction (uses disk + RAM)
o SDR-Adaptive
 Blended data store/compression model (I/O response time and other parameters are monitored)
 Can skip disk writes and use the memory-only method
 Switches between using the disk and not using the disk
o SDR-M: RAM-based data store
 Turns the disk off and uses RAM only
 Excellent LAN-side throughput
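An added Python model of the SDR exchange described above (my example, not Riverbed's implementation): the server-side store replaces chunks the peer already holds with 16-byte references, the client-side store reconstructs the payload, and a bounded store evicts under LRU (the default) or FIFO. Assumptions not on the page: fixed 128-byte chunks instead of the appliance's boundary selection, a truncated SHA-256 as the reference, and a one-byte tag/length wire format. The sample document is constructed. The security point worth noticing is that both stores hold the plaintext of every optimized chunk on disk, which is what the Encrypted Data Store feature further down exists to protect.

```python
import hashlib
from collections import OrderedDict

CHUNK_SIZE = 128      # fixed-size chunks here; the page quotes a 128-byte average
REF_SIZE = 16         # 16-byte reference per chunk, as on the page
TAG_REF, TAG_LITERAL = 0x00, 0x01


def make_ref(chunk: bytes) -> bytes:
    # Assumption: a truncated SHA-256 stands in for the appliance's real reference scheme.
    return hashlib.sha256(chunk).digest()[:REF_SIZE]


class DataStore:
    """Bounded chunk store with LRU (the page's default) or FIFO eviction."""

    def __init__(self, capacity: int, policy: str = "LRU"):
        if policy not in ("LRU", "FIFO"):
            raise ValueError("policy must be LRU or FIFO")
        self.capacity, self.policy = capacity, policy
        self._chunks = OrderedDict()          # front of the dict is the next eviction victim

    def lookup(self, ref: bytes):
        chunk = self._chunks.get(ref)
        if chunk is not None and self.policy == "LRU":
            self._chunks.move_to_end(ref)     # a hit refreshes the entry under LRU only
        return chunk

    def store(self, chunk: bytes) -> bytes:
        ref = make_ref(chunk)
        if ref in self._chunks:
            self.lookup(ref)                  # already known: just refresh (LRU)
            return ref
        self._chunks[ref] = chunk
        if len(self._chunks) > self.capacity:
            self._chunks.popitem(last=False)  # evict the oldest entry
        return ref


def sdr_encode(payload: bytes, store: DataStore) -> bytes:
    """Server-side SH: emit a 16-byte reference for chunks already in the store, else the literal."""
    wire = bytearray()
    for offset in range(0, len(payload), CHUNK_SIZE):
        chunk = payload[offset:offset + CHUNK_SIZE]
        ref = make_ref(chunk)
        if store.lookup(ref) is not None:
            wire += bytes([TAG_REF]) + ref
        else:
            store.store(chunk)
            wire += bytes([TAG_LITERAL, len(chunk)]) + chunk   # len <= 128 fits in one byte
    return bytes(wire)


def sdr_decode(wire: bytes, store: DataStore) -> bytes:
    """Client-side SH: rebuild the payload, learning each literal so later references resolve."""
    payload, pos = bytearray(), 0
    while pos < len(wire):
        tag = wire[pos]
        if tag == TAG_REF:
            ref = wire[pos + 1:pos + 1 + REF_SIZE]
            chunk = store.lookup(ref)
            if chunk is None:
                raise LookupError("reference %s missing from data store" % ref.hex())
            payload += chunk
            pos += 1 + REF_SIZE
        elif tag == TAG_LITERAL:
            length = wire[pos + 1]
            chunk = wire[pos + 2:pos + 2 + length]
            store.store(chunk)
            payload += chunk
            pos += 2 + length
        else:
            raise ValueError("unknown tag 0x%02x at offset %d" % (tag, pos))
    return bytes(payload)


def transfer_demo() -> tuple:
    """Send a constructed 4320-byte document twice; return (payload, first, second) WAN byte counts."""
    server_ds, client_ds = DataStore(capacity=64), DataStore(capacity=64)
    doc = b"".join(b"record %04d: quarterly figures, confidential\n" % i for i in range(96))
    first = sdr_encode(doc, server_ds)
    assert sdr_decode(first, client_ds) == doc      # cold stores: everything goes as literals
    second = sdr_encode(doc, server_ds)
    assert sdr_decode(second, client_ds) == doc     # warm stores: 34 chunks x 17 bytes each
    return len(doc), len(first), len(second)


def eviction_demo(policy: str) -> bool:
    """Fill a 3-slot store with a, b, c, re-use a, add d; report whether a survived."""
    ds = DataStore(capacity=3, policy=policy)
    a, b, c, d = (bytes([x]) * CHUNK_SIZE for x in b"abcd")
    for chunk in (a, b, c):
        ds.store(chunk)
    ds.lookup(make_ref(a))     # recent use of a
    ds.store(d)                # forces one eviction
    return ds.lookup(make_ref(a)) is not None   # LRU keeps a (evicts b); FIFO evicts a


if __name__ == "__main__":
    print("payload/first/second WAN bytes:", transfer_demo())
    print("re-used chunk survives: LRU=%s FIFO=%s" % (eviction_demo("LRU"), eviction_demo("FIFO")))
```

The second transfer of the same 4320-byte document costs 578 bytes on the WAN (34 references of 17 bytes), and the eviction demo shows why LRU is the sensible default for a data store: a chunk that was just re-used stays resident, whereas FIFO throws it out regardless of use.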







TCP Optimization & Virtual Window Expansion (VWE)
- The payload carries data references instead of raw data, so a window of 100 KB+ of references represents a virtual window of 1 MB+ of data
Transport Streamlining
- SSL Acceleration
o End-to-end acceleration of secure traffic
o Maintains the preferred trust model
- Advanced TCP Acceleration
o Fill the pipe
o Works with clean or lossy links (HS-TCP & MX-TCP)
- Connection pooling
o 2 SHs establish 20 TCP connections between each other ahead of time, avoiding a 3-way handshake between the SHs for each new client connection
o Eliminates 50% of the overhead for small, short-lived connections
- Adaptive congestion windows
o Adapt transfer parameters (TCP windowing) based on network characteristics
- Limited and fast retransmits
o Ensure priority handling for packet resends

Application Streamlining
- Transaction Prediction (the Steelhead is able to complete the transaction locally at the application layer)
- Supported applications:
o CIFS (Windows file sharing / file-based applications)
 Read-ahead
 Write-behind
 Dynamic prediction (uses a Markov model)
 Stat avoidance
 Application streamlining is disabled automatically (SDR/LZ only) if SMB signing is enabled (note that turning SMB signing off to regain CIFS optimization removes SMB message integrity protection)
 Overlapping-open optimization (only when an oplock is available)
 Does not optimize .ldb and .mdb (Microsoft Access) files
 All access to the files MUST go through a Steelhead
o NFS (Unix file sharing / file-based applications)
 v3 only
 Read-ahead & read caching
 Write-behind
 Converts multiple requests into one larger request
o MAPI (Microsoft Exchange)
 Read-ahead / write-behind on attachments
 Read-ahead / write-behind on large e-mails
 If the user authentication level is too high to be optimized, falls back to SDR+LZ+TCP
 Pre-population
 The SH acts as a virtual client (as if the user's PC stayed on)
 Keeps reading e-mails until timeout (96 hours by default)
 No one is ever reconnected to this session
 The frequency of mail checks is configurable (default 20 minutes)
o HTTP / HTTPS (web apps / secure web)
 The client-side Steelhead has knowledge of the objects of the page
 The client SH pulls the data down and keeps it locally before the client requests it
o Lotus Notes
o Oracle (Oracle 11i traffic in socket (native) mode)
o MS-SQL (database-driven applications)
 Off by default
 Ability to perform pre-fetching and synthetic pre-acknowledgment of queries
 TDS 7 and 8 (Tabular Data Stream)









Auto-Discovery
- SHs find each other during the initial TCP 3-way handshake when a client tries to reach a server
- Handshake:
o The client sends a SYN
o The client-side SH marks the SYN with option 0x4c (76 decimal) in the TCP options field (SYN+)
o The SYN+ is seen by the remote (server-side) Steelhead
o The inner-channel TCP session is established (the server-side SH sends back a SYN/ACK+ carrying its in-path IP and, in parallel, forwards the SYN to the server)
o The C-SH answers the client with a SYN/ACK
o The 3-way handshake is completed with the server first, then with the client
Enhanced Auto-Discovery (4.x and later)
- Simplifies deployments in complex environments
o Automatically finds and optimizes between the most distant Steelhead pair
o Off by default
o Supports an unlimited number of SHs in transit between the C-SH and the S-SH
- Improves performance
o Finds the optimal Steelhead pairing for maximum optimization
o Also called auto-peering
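An added Python example (mine, not Riverbed's code) of the probe handshake above: it builds the four segments of the exchange as raw TCP headers, walks the options area as kind/length/value records and flags any segment carrying option kind 0x4c (76) as a SYN+ or SYN/ACK+. The page does not give the internal layout of the probe option, so its body is treated as opaque bytes; sequence numbers and checksums are zeroed because only flags and options matter here. The same classifier run over a capture tells you which flows a Steelhead pair is claiming for optimization, i.e. which flows end up in a data store.

```python
import struct

PROBE_OPTION_KIND = 0x4C          # TCP option kind the page cites: 0x4c (76 decimal)
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def parse_tcp_options(raw: bytes) -> list:
    """Walk the TCP options area as kind/length/value records; return [(kind, value), ...]."""
    options, pos = [], 0
    while pos < len(raw):
        kind = raw[pos]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation padding
            pos += 1
            continue
        if pos + 1 >= len(raw):
            raise ValueError("truncated TCP option at offset %d" % pos)
        length = raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("bad TCP option length %d at offset %d" % (length, pos))
        options.append((kind, raw[pos + 2:pos + length]))
        pos += length
    return options


def classify_segment(tcp_header: bytes) -> str:
    """Label a TCP header SYN / SYN-ACK / other, with '+' appended when the probe option is present."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset %d" % data_offset)
    flags = tcp_header[13]
    options = parse_tcp_options(tcp_header[20:data_offset])
    probed = any(kind == PROBE_OPTION_KIND for kind, _ in options)
    if flags & FLAG_SYN and flags & FLAG_ACK:
        label = "SYN-ACK"
    elif flags & FLAG_SYN:
        label = "SYN"
    else:
        label = "other"
    return label + ("+" if probed else "")


def build_tcp_header(sport: int, dport: int, flags: int, options: bytes = b"") -> bytes:
    """Minimal TCP header (seq, ack, checksum zeroed) with the given options, padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def probe_option(body: bytes) -> bytes:
    """Kind-76 option carrying `body`; the body layout is not on the page, so it is opaque here."""
    return bytes([PROBE_OPTION_KIND, 2 + len(body)]) + body


def handshake_demo() -> list:
    """Constructed segments in the order the page gives; returns their labels."""
    mss = b"\x02\x04\x05\xb4"                                   # ordinary MSS option (1460)
    client_syn = build_tcp_header(51000, 445, FLAG_SYN, mss)                      # client -> C-SH
    syn_plus = build_tcp_header(51000, 445, FLAG_SYN, mss + probe_option(b"\x01" * 8))   # C-SH -> WAN
    syn_ack_plus = build_tcp_header(445, 51000, FLAG_SYN | FLAG_ACK,
                                    mss + probe_option(b"\x02" * 8))              # S-SH -> C-SH
    client_syn_ack = build_tcp_header(445, 51000, FLAG_SYN | FLAG_ACK, mss)       # C-SH -> client
    return [classify_segment(p) for p in (client_syn, syn_plus, syn_ack_plus, client_syn_ack)]


if __name__ == "__main__":
    print(handshake_demo())     # ['SYN', 'SYN+', 'SYN-ACK+', 'SYN-ACK']
```

A firewall or IDS between two Steelheads sees the marked SYN+ and the SYN/ACK+ answer; a SYN+ that never receives a SYN/ACK+ means no peer answered, and the flow is carried as plain pass-through.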

In-Path rules
- Determine how traffic should be optimized
- Types of rules:
o Pass-through (do not optimize)
o Auto-discovery (traffic to optimize, finding the peer SH by auto-discovery)
o Fixed-target (traffic to optimize, with the peer SH defined manually)
o Discard (packets are silently dropped)
o Deny (the connection is reset)
- Rules are processed top down until the first match
- Rules are only inspected for connections initiated from the LAN toward the WAN
- Auto-discovery and fixed-target rules can specify the optimization level:
o Normal (LZ compression and SDR)
o SDR-only (SDR without LZ compression)
o Compression-only (LZ compression without SDR)
o None
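An added Python model of first-match in-path rule evaluation (my example, not RiOS code): a constructed rule set passes through the interactive TCP ports listed further down, passes through an already-encrypted subnet, denies SMB from a guest subnet, sends one destination subnet to a fixed target with SDR-only, and auto-discovers the rest. The subnets, peer address and the catch-all auto-discovery default are assumptions for illustration. The point to take away is that order decides everything, and that discard (silent drop) and deny (reset) look different to whoever is troubleshooting a blocked flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interactive ports the page lists as passed through by RiOS; 37/time is UDP there,
# so it is left out of a TCP rule set.
INTERACTIVE_TCP_PORTS = {7, 23, 107, 179}

# What each action does on the wire: deny resets, discard drops silently.
WIRE_EFFECT = {
    "pass-through": "forward unmodified",
    "auto-discovery": "mark SYN with option 0x4c, optimize if a peer answers",
    "fixed-target": "open inner channel to the configured peer",
    "discard": "drop silently",
    "deny": "reset connection",
}


@dataclass
class InPathRule:
    action: str                     # pass-through | auto-discovery | fixed-target | discard | deny
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # None matches any port
    optimization: str = "normal"    # normal | sdr-only | compression-only | none
    target: Optional[str] = None    # peer in-path IP, fixed-target rules only

    def __post_init__(self):
        if self.action not in WIRE_EFFECT:
            raise ValueError("unknown action %r" % self.action)
        if self.action == "fixed-target" and self.target is None:
            raise ValueError("fixed-target rules need a target")

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int, lan_to_wan: bool = True) -> dict:
    """First-match evaluation of in-path rules for a new connection."""
    if not lan_to_wan:
        # Rules are only consulted for connections initiated from the LAN side.
        return {"rule": None, "action": "not inspected", "effect": "forward unmodified"}
    for index, rule in enumerate(rules, start=1):
        if rule.matches(src_ip, dst_ip, dst_port):
            result = {"rule": index, "action": rule.action, "effect": WIRE_EFFECT[rule.action]}
            if rule.action in ("auto-discovery", "fixed-target"):
                result["optimization"] = rule.optimization
            if rule.action == "fixed-target":
                result["target"] = rule.target
            return result
    # Assumption: unmatched traffic falls to a final catch-all auto-discovery rule.
    return {"rule": "default", "action": "auto-discovery",
            "effect": WIRE_EFFECT["auto-discovery"], "optimization": "normal"}


# Constructed rule set; the first match wins, so the deny sits above the fixed-target rule.
RULES = [
    *(InPathRule("pass-through", dst_port=p) for p in sorted(INTERACTIVE_TCP_PORTS)),   # rules 1-4
    InPathRule("pass-through", dst="10.99.0.0/16"),                      # 5: already-encrypted peers
    InPathRule("deny", src="10.50.0.0/24", dst_port=445),                # 6: guest VLAN, no SMB
    InPathRule("fixed-target", dst="10.20.0.0/16", target="10.20.0.5",
               optimization="sdr-only"),                                 # 7: manual peer
    InPathRule("auto-discovery", dst_port=445, optimization="normal"),   # 8: SMB elsewhere
]

if __name__ == "__main__":
    for flow in (("10.10.1.5", "10.30.2.2", 23), ("10.50.0.9", "10.20.1.1", 445),
                 ("10.10.1.5", "10.20.1.1", 445), ("10.10.1.5", "10.30.2.2", 8443)):
        print(flow, "->", evaluate(RULES, *flow))
```

Swapping rules 6 and 7 would let the guest subnet reach SMB on 10.20.0.0/16 through the fixed target, which is the kind of ordering mistake worth checking with a small evaluator like this before changing a production rule list.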



Riverbed ports
- 7800 In-path port (auto-discovery, option 0x4c)
- 7810 Out-of-path (SSOOP)
- 7820 Failover (serial cluster)
- 7830 MAPI, Exchange 2003
- 7840 Exchange Director NSPI
- 7850 TCP connection forwarding
- 7860 Interceptor appliance
- 7870 Steelhead Mobile
- 7744 Data store synchronization
- 7801 NAT (TCP proxy)
Interactive ports (passed through by RiOS)
- 7 TCP echo
- 23 Telnet
- 37 time (UDP)
- 107 Remote Telnet service
- 179 BGP

Peering rules
- Act on probes
- Used to configure how an SH should respond to auto-discovery probes (marked SYNs)
- Inspect packets coming from either the WAN or the LAN port
- Types:
o Auto: automatically determine the best response
o Accept: accept peering requests that match the rule
o Pass: pass through peering requests that match the rule



System states
- Healthy: no problems
- Admission Control: the number of SH connections has been exceeded
- Degraded: the appliance is optimizing, but not necessarily optimally
- Critical: may not be optimizing / identifies an issue that requires investigation
Data Store synchronization
- In an HA environment, DS synchronization warms the data store from the master to the standby appliance (using port 7744)
- Takes place over the Primary or Aux interface
- Active/active synchronization is supported: each appliance acts as master for some traffic and as standby for the other appliance
- Failover is not required for DS sync
- Requirements
o Same (major) revision of RiOS
o Same model
o LAN connection between the two devices (RTT between them should be less than 10 ms)
Hardware
- 250/550: 1 in-path (single LAN & WAN)
- 1050/2050
o 2 in-path (2 LAN & WAN) (max 4 in-path)
o 2 power supplies
o 2 PCI-e expansion slots
- 5050/6050
o 2 in-path (2 LAN & WAN) (max 10 in-path)
o 2 power supplies
o 5 PCI-e expansion slots
- The Primary port is used for out-of-path (OOP) deployment
- The WAN interface is used for logical in-path (WCCP & PBR) deployments
- Primary and Aux cannot be in the same subnet
- Primary and in-path can be in the same subnet




Physical In-path deployment

- Behaves like an end-point device
- The Jump-start wizard is enough if ALL of the following are true:
o A single in-path interface is used (in-path0_0)
o There is a Layer 2 network on the LAN side (single subnet)
o We are not on an 802.1Q VLAN trunk
o Physical in-path deployment (not PBR or WCCP)

In-path with an L3 LAN segment
- Packet ricochet can be avoided by:
o Configuring static routes
o Simplified routing

In-path with multiple VLANs
- One in-path interface for each VLAN





Visibility modes
- Correct addressing: the optimized traffic between the SHs uses the src and dst addresses of the SHs themselves
o Destination port 7800 (any firewall between the SHs must allow it)
- Correct addressing with port transparency: the SH addresses are used but the original dst port number is kept (spoofed)
- Full transparency: keeps the original IP addresses and port numbers end to end
- The visibility mode is configured in the in-path rules (there may be one visibility mode for each protocol)

Logical in-path deployment
- Uses the WAN interface to connect
- Web Cache Communication Protocol (WCCP) v2 basics:
o Cisco proprietary; redirects traffic by
 L2: rewriting the MAC address
 L3: GRE tunnel
 Both of the above
o Interesting traffic is defined by an ACL and applied to specific interfaces using service groups:
 61: client side
 62: server side
o wan0_0 is the only SH port that supports optimization with WCCP on RiOS 5.5
o Redirect in vs redirect out
o Try to connect the SH at Layer 2 to the router/switch
- Policy Based Routing (PBR)
o Used when an in-path configuration is not an option
o Traffic that matches an ACL is sent to the SH for optimization
o Check RiOS support
o Traffic is black-holed if the SH fails, because the router keeps redirecting it to the dead next hop
- L4 redirect
- Interceptor




Server-side Out-of-Path (SSOOP)
- Server side only
- Use a fixed-target rule to point the traffic to the SH
- Uses the Primary interface, connected to the LAN switch
- OOP support must be enabled in the GUI
Hybrid Mode Deployment
- Combination of in-path and out-of-path
- Used for Steelhead Mobile
- Traffic is NATted from the Primary interface to the destination
- Both modes are enabled
- Needs L4/PBR/WCCP

Failover (High availability)
- Serial In-Path
o Failover operates on port 7820
o Optimization > General Service Settings: IP address of the backup in-path interface
- Parallel In-Path
o Use Connection Forwarding (CF) for asymmetric flows
 Configure > Networking > Connection Forwarding (enable)
o Asymmetric server-to-WAN traffic is passed back over the LAN
o Tunnelled between the SHs on port 7850
o Routing will not fail over when optimization fails, unless the fail-to-block feature is used
o The optimizing device is determined by routing
- Link State Propagation
o Lets the Interceptor or SH drop the physical link status on the LAN or WAN port of an in-path interface when the other port of the pair loses link





Troubleshooting
- Interface counters
- show peers (CLI)
- Reports > Optimization > Connected Appliances
- Reports > Network > Current Connections
- Configure > Networking > Asymmetric Routing
- Asymmetric routing
o A connection is passed through if it is contained in the asymmetric routing table
o An entry stays in the AR table for 24 hours by default
o For SYN retransmissions, the entry stays in the AR table for 5 seconds


Authentication and Authorization
- The SH can use RADIUS or TACACS+ to authenticate administrative and monitor users when they log in
- Methods for user authentication:
o Local (default accounts are admin (super user) and monitor (view only); change the default admin password before the appliance goes into service)

HS-TCP
- Reduces the TCP window by 15% when a loss event is detected, instead of the 50% reduction of standard TCP
- Configure > Optimization > Performance
MX-TCP (4.0 and higher)
- Uses 100% of its allocated bandwidth, with no slowdown due to loss
- Granular control: enabled per QoS class
- Uses the QoS per-class bandwidth limits to set the sending rate
- Available on all models



QoS Functionality
- 5 Priority classes:
o Real-Time
o Interactive
o Business critical
o Normal (default)
o Low priority
Encrypted Data Store
- Data on the data store is encrypted with AES (128, 192 or 256-bit keys)
- Keys are stored in an encrypted key vault
- No performance hit on optimized data with 128-bit encryption enabled
- Encryption does not need to be enabled on both sides (it only protects the local disk; the peer's data store stays in the clear unless it is encrypted too)

PFS: Proxy File Services
- Ability to create Windows file shares on SH appliances
- Primary objective:
o Allow disconnected operation: the capability to continue serving files even in the event of a WAN outage
- Secondary objectives:
o Provide a local file server for branch offices that want one (non-disconnected operation)
o Provide temporary on-site storage for administrators to use for updates
- PFS uses the same data partition (disk) as RSP

RSP: Riverbed Services Platform
- Ability to run a VMware-based virtual server on the appliance
- Allows running a firewall in the data path
- SDR has a dedicated partition on the disk


IPSec
- Encryption can be configured between Steelheads
- DES and Null are supported without the Strong Encryption license
- 3DES and AES require the Strong Encryption license
- Applies to optimized traffic only (not pass-through)
- Uses a shared secret (pre-shared key)
- No NAT between Steelheads when using IPSec
- Only IPSec transport mode is supported (encrypts just the payload), not tunnel mode (encrypts the whole packet, including the header)
- Note that Null provides no confidentiality and single DES (56-bit key) is considered broken, so the Strong Encryption license is needed for any real protection of the inner channel


Additional information
- WCCP redirect support by version:
o v1: port 80 only
o v2: all types of traffic
- HFSC: Hierarchical Fair Service Curve QoS algorithm
o Default mode is flat
- LAN-initiated: 1 conn
- WAN-initiated: 0 conn
- RiOS: Riverbed Optimization System
- NetFlow v5
- DSCP 46 (EF): reflect the value received
- OVA (Open Virtual Appliance): packaging/distribution format for the virtual SH appliance
- Transaction Acceleration (TA) = SDR + VWE + TP (Transaction Prediction)
