Silver Peak WAN Optimization Appliances. Network Deployment Guide. VXOA 6.2 March 2015 PN 200059-001 Rev L

Silver Peak NX Series Appliances Network Deployment Guide

Document PN 200059-001 Rev L
Date: March 2015

Copyright 2015 Silver Peak Systems, Inc. All rights reserved. Information in this document is subject to change at any time. Use of this documentation is restricted as specified in the End User License Agreement. No part of this documentation can be reproduced, except as noted in the End User License Agreement, in whole or in part, without the written consent of Silver Peak Systems, Inc.

Trademark Notification

Silver Peak Systems TM, the Silver Peak logo, Network Memory TM, and Silver Peak NX-Series TM are trademarks of Silver Peak Systems, Inc. All trademark rights reserved. All other brand or product names are trademarks or registered trademarks of the respective companies or organizations.

Warranties and Disclaimers

THIS DOCUMENTATION IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SILVER PEAK SYSTEMS, INC. ASSUMES NO RESPONSIBILITY FOR ERRORS OR OMISSIONS IN THIS DOCUMENTATION OR OTHER DOCUMENTS WHICH ARE REFERENCED BY OR LINKED TO THIS DOCUMENTATION. REFERENCES TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL SILVER PEAK SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THIS DOCUMENTATION.

THIS DOCUMENTATION MAY INCLUDE TECHNICAL OR OTHER INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE DOCUMENTATION. SILVER PEAK SYSTEMS, INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENTATION AT ANY TIME.

Silver Peak Systems, Inc De La Cruz Boulevard, Suite 100 Santa Clara, CA (toll-free in USA)

Contents

Preface
  Who Should Read This Manual?
  Manual Organization
  Related Publications
  Technical Support

Chapter 1 Fundamentals of Deploying WAN Optimization
  Introduction
  Definition of Terms
  Using Physical and Virtual Appliances
  Ethernet Interfaces and IP Addresses
  Configuring the mgmt0 Interface
  Choosing an Optimization Strategy for the Traffic Path
  Determining the Need for Traffic Redirection
  When using subnet sharing
  When defaulting to TCP-based or IP-based auto-optimization
  When specifying a tunnel
  High Availability
  Auto-optimization or Explicit Route Maps?
  Asymmetry Mitigation
  High Availability with Explicit Route-Maps
  Considerations for Deployments
  Verifying Connectivity After Configuring Deployment
  ping
  ping -r [or ping -R]: ping with Record Route option
  traceroute
  Basic procedure

Chapter 2 In-Line Deployment
  Overview
  Network Diagram
  Summary of Initial Configuration Tasks
  Collecting the Necessary Information
  Using the Initial Config Wizard
  Verifying Appliance Connectivity
  Creating Tunnels
  Verifying Traffic

Chapter 3 Out-of-Path with Policy-Based-Routing Redirection
  SECTION 1: Using Subnet Sharing
  Overview
  Network Diagram
  Summary of Initial Configuration Tasks
  Collecting the Necessary Information
  Using the Initial Config Wizard
  Verifying Appliance Connectivity
  Enabling Subnet Sharing
  Creating Tunnels and Updating the Subnet Table
  Configuring the Router to Redirect Traffic
  Using a Cisco Router for Policy-Based Routing (PBR)
  Using a Juniper Router for Filter-Based Forwarding (FBF)
  Verifying Traffic
  SECTION 2: Using TCP/IP based Auto-Optimization
  Overview
  Network Diagram
  Summary of Initial Configuration Tasks
  Collecting the Necessary Information
  Using the Initial Config Wizard with Site A's Appliance
  Configuring the Router for Policy-Based Routing (PBR)
  Configuring a Tunnel to the Remote Site
  Configuring Site B's Appliance

Chapter 4 Out-of-Path with WCCP
  Overview
  Network Diagram
  Summary of Configuration Tasks
  Collecting the Necessary Information
  Configuring the Site A Router for WCCP Outbound Redirection and Enabling WCCP Inbound Redirection
  Using the Initial Config Wizard with Site A's Appliance
  Configuring WCCP on A
  Using the Initial Config Wizard with Site B's Appliance
  Verifying Appliance Connectivity
  Enabling Subnet Sharing
  Creating Tunnels and Updating the Subnet Table
  Verifying Traffic
  Best Practices
  Tips for Deployment
  GRE and L2 Redirection

Chapter 5 Out-of-Path with VRRP Peering to a WAN Router
  Overview
  Network Diagram
  Summary of Initial Configuration Tasks
  Collecting the Necessary Information
  Using the Initial Config Wizard
  Verifying Appliance Connectivity
  Enabling Subnet Sharing
  Creating Tunnels
  Configuring VRRP on a Cisco Router
  Configuring VRRP on Silver Peak A
  Managing the addresses
  Using VRRP with a single Silver Peak and a router or L3 switch
  Verifying Traffic

Chapter 6 Out-of-Path with PBR and VRRP Redundant Silver Peak Appliances
  Overview
  Network Diagram
  Collecting the Necessary Information
  Summary of Configuration Tasks
  Using the Initial Config Wizard for Site A
  Configuring VRRP on A1 and A
  Using VRRP with two Silver Peaks acting as Master and Backup
  Configuring Flow Redirection
  Using the Initial Config Wizard with Site B
  Verifying Appliance Connectivity
  Enabling Subnet Sharing
  Creating Tunnels and Updating the Subnet Table
  Configuring A1 and A2 to Advertise Non-Local Subnets
  Configuring the Cisco Router for Policy-Based Routing (PBR)
  Verifying Traffic

Chapter 7 Out-of-Path with WCCP Redundant (Active/Active) Appliances
  Overview
  WCCP at Site A
  Network Diagram
  Summary of Configuration Tasks
  Collecting the Necessary Information
  Configuring the Site A Router for WCCP
  An Alternative Practice
  Using the Initial Config Wizard with A
  Configuring WCCP on A
  Using the Initial Config Wizard with A
  Configuring WCCP on A
  Configuring Flow Redirection
  Using the Initial Config Wizard with B
  Verifying Appliance Connectivity
  Enabling Subnet Sharing
  Creating Tunnels
  Configuring A1 and A2 to Advertise Non-Local Subnets
  Verifying Traffic
  Best Practices
  Tips for Deployment
  GRE and L2 Redirection


Preface

Welcome to the Silver Peak Network Deployment Guide. Read the Preface to understand the target audience, the manual's organization, related documents, and how to contact Customer Support.

Most deployments in this guide focus on using subnet sharing as the auto-optimization method for routing flows. A smaller number demonstrate the use of TCP-based and IP-based auto-optimization.

Who Should Read This Manual?

This guide is written for network administrators who are familiar with administering and managing networks. Specifically, this guide provides an overview and summary of the most common deployment scenarios, followed by detailed and illustrated procedures for configuring and verifying each deployment.

Because each enterprise's network topologies and needs can differ, the network administrator needs to evaluate the environment and choose the deployment that best serves their needs. Silver Peak Systems support personnel are available to help you determine the best course of action.

Because of this focus, this manual assumes that you are already familiar with the material covered in the Silver Peak Appliance Manager Operator's Guide. This includes basic installation procedures and how to use the Appliance Manager.

Manual Organization

This section outlines the chapters and summarizes their content. To keep things simple, we illustrate the examples with the typical in-line deployment in Site B offices and out-of-path deployment at Site A. However, Site B offices are not restricted to in-line deployment, nor is Site A restricted to out-of-path deployments.

- Chapter 1, Fundamentals of Deploying WAN Optimization, describes some of the fundamental concepts of deploying WAN acceleration in enterprise networks. It provides an overview and introduction to common installation models, pros and cons of each, and recommendations.
- Chapter 2, In-Line Deployment, describes the procedures for an in-line deployment where the Silver Peak Appliance sits between the WAN router and the Ethernet switch.
- Chapter 3, Out-of-Path with Policy-Based-Routing Redirection, describes the procedures for a scenario that deploys the Site B location in-line and the Site A network out-of-path with an available spare router port and uses Policy-Based Routing (PBR) on the WAN router to redirect traffic to the Silver Peak appliance.
- Chapter 4, Out-of-Path with WCCP, (Comparing Subnet Sharing & TCP/IP-based Auto-Optimization), describes the procedures for setting up Web Cache Communications Protocol (WCCP) service. The example uses a Cisco router paired with a single Silver Peak appliance deployed out-of-path (Router mode). It also highlights the differences in traffic redirection required when using subnet sharing, as opposed to TCP-based or IP-based auto-optimization.
- Chapter 5, Out-of-Path with VRRP Peering to a WAN Router, describes the procedures for a scenario where the Silver Peak appliance uses the Virtual Router Redundancy Protocol (VRRP) to peer with the existing router, when no spare router port is available.
- Chapter 6, Out-of-Path with PBR and VRRP Redundant Silver Peak Appliances, describes the procedures for setting up high availability. In this example, Site A deploys a primary and a secondary appliance out-of-path (Router mode), and the Site B location deploys the appliance in-line (Bridge mode). Additionally, the peered Site A appliances use the Virtual Router Redundancy Protocol (VRRP) to create and share a common IP address, called the Virtual IP address (VIP).
- Chapter 7, Out-of-Path with WCCP Redundant (Active/Active) Appliances, describes the procedures for setting up high availability by using Web Cache Communications Protocol with a Cisco router and redundant Silver Peak appliances in an out-of-path deployment.

Related Publications

Release Notes provide information on new software features, system bugs, and software compatibility.

All user documentation is also available for download from

Technical Support

For product and technical support, contact Silver Peak Systems at either of the following: (toll-free in USA)

We're dedicated to continually improving the usability of our products and documentation. If you have suggestions or feedback for our documentation, please send an e-mail to techpubs@silver-peak.com. If you have comments or feedback about the GUI's ease of use, please send an e-mail to usability@silver-peak.com.

CHAPTER 1 Fundamentals of Deploying WAN Optimization

This chapter describes some of the fundamental concepts of deploying WAN acceleration in enterprise networks.

In This Chapter

- Introduction
- Using Physical and Virtual Appliances
- Configuring the mgmt0 Interface
- Choosing an Optimization Strategy for the Traffic Path
- Determining the Need for Traffic Redirection
- High Availability
- Considerations for Deployments
- Verifying Connectivity After Configuring Deployment

Introduction

Deploying WAN optimization in an enterprise network is similar to deploying other enterprise networking technologies (for example, firewalls). There are, however, a few tenets to keep in mind:

1. Silver Peak appliances need to have visibility into any traffic that requires optimization. As such, all traffic to be optimized must flow through the appliances. There are three ways to accomplish this:
   - Server mode [default]: In this default configuration, the management path and the datapath both use the same interface and the same IP address.
   - Bridge mode [in-line]: Silver Peak appliances are deployed as a bump in a wire in between the LAN infrastructure and the WAN router.
   - Router mode [out-of-path]: Silver Peak appliances are deployed in one-armed (or "lollipop") fashion with a single connection to the WAN router. A redirection method (such as PBR or WCCP) is used to redirect traffic to the appliance.
2. Silver Peak WAN acceleration is a symmetric solution. That is, to optimize the traffic on the link, Silver Peak appliances are required on both ends of the WAN link.
3. Silver Peak's Network Acceleration functions require that the appliances have visibility into both the transmit and receive directions of a flow. If not, the flow is considered asymmetric and Network Acceleration will be defeated, although Network Integrity and Network Memory will continue to provide benefit.

Definition of Terms

Following are the definitions for common terms used throughout the guide, listed alphabetically:

| Term | Definition |
| --- | --- |
| Acceleration | Refers to techniques used to improve transmission of TCP protocols across a WAN. A TCP Proxy session is created to reduce the impact of latency on a TCP flow. Techniques such as local acknowledgements and window sizing are used to accelerate TCP traffic. |
| Auto Optimized Traffic | IP traffic that is automatically recognized by the Silver Peak appliances and optimized accordingly, without the need for manually created Route Policies. This is the default entry for the Route Policy if no entries are made, or for the last line in the route map. |
| Bypass | Bypass refers to hardware bypass. If there is a major problem with the appliance hardware, software, or power, all traffic goes through the appliance without any processing. Bypass mode can be enabled manually. Silver Peak appliances can be installed in the data path (in-line) between an L2/L3 switch and the edge WAN router, with fail-to-wire in case of failure. Bypass mode and Hardware Bypass both refer to the failover method, which is Fail-to-Wire for copper interfaces, and Fail-to-Glass for fiber interfaces. |
| Data Path IP Address | Generally, an IP address of an interface through which end-device traffic flows or to which it is redirected. If the device is out-of-path in Server mode, the data path and management path IPs are the same. In Router mode, with an out-of-band management interface, the management IP and Data Path address are different. In Bridge mode, the Data Path IP is separate from the management IP. In some deployments like DHRM (Dual Home Router Mode) or multiple VLANs there could be multiple data path IP addresses. |
| Failover or Fail-Safe Behavior | Actions taken to minimize exposure when a network element fails. Fails-to-Wire / Fails-to-Glass: Fail-to-wire network interfaces [for copper] and fail-to-glass interfaces [for 1GB fiber only] mechanically isolate the appliances from the network in the event of a hardware, software, or power failure. This ensures that all traffic bypasses the failed appliance and maximizes up-time. Fails-Open: When configured to fail open, a failed appliance presents no link-level carrier to the network. Routers and other network elements will route around the failed appliance by using a routing protocol (i.e., RIP, OSPF, BGP, EIGRP). |
| Network Memory TM | Silver Peak's innovative approach to data reduction that leverages advanced pattern recognition and local information |
| Optimization | A collection of techniques that accelerate, compress, and improve the efficiency of transmission of data across a WAN. Optimization includes acceleration techniques, data reduction, forward error correction, packet order correction, QoS, and other techniques. |
| Pass-through Traffic | By default, traffic that is not directed to a tunnel by the Route Policy passes transparently through the Silver Peak appliance. Pass-through traffic can be either shaped or unshaped. |
| Route Policy | Uses MATCH criteria to delineate flows and SET actions to specify how to handle that flow. For example, a Route Policy entry would direct a specific flow to a designated tunnel. |
| Tunnel | Provide virtual point-to-point links between two application acceleration devices. They work by wrapping original packets of data inside an outer IP header, which is used to specify the address of the device on the far end of the WAN link. |
| Tunnelized Traffic | Data that is inside of a tunnel |

Using Physical and Virtual Appliances

1. Configure the management interface, mgmt0, via the console. (required for virtual machine, optional for physical appliance)
2. Configure mgmt0 with a static IP address. DHCP will work, but as a best practice, you should configure a static IP address. Otherwise, you might lose communication with the machine after an outage, upgrade, or reboot.
3. (virtual machine only) For in-line or router mode, add interface(s). By default, the Silver Peak virtual appliances come up in server mode with only one interface (mgmt0). If we're deploying the appliance in bridge (in-line) mode, we need to add virtual interfaces to the hypervisor environment for the lan0 and wan0 interfaces required for an in-line deployment. If we're deploying in router (out-of-path) mode, we need only add the wan0 interface. Add interfaces per the documentation for your hypervisor.

Ethernet Interfaces and IP Addresses

Each Silver Peak NX Series appliance has two management interfaces and a selection of Ethernet interfaces, labeled as follows.

Table 1-1 Silver Peak Appliance Network Interfaces

| Ethernet Interface | Function |
| --- | --- |
| lan0 | This interface is intended for connection to the LAN side of the network. |
| lan1 | This interface is intended for connection to the LAN side of the network. |
| wan0 | This interface is intended for connection to the WAN side of the network. |
| wan1 | This interface is intended for connection to the WAN side of the network. |
| tlan0 | This fiber interface is intended for connection to the LAN side of the network. |
| twan0 | This fiber interface is intended for connection to the WAN side of the network. |
| mgmt0 | This interface is intended for network access to the appliance's management interfaces (the Web-based Appliance Manager and the Command Line Interface). It is recommended that this interface is always connected to the network. The mgmt0 next-hop IP address points to a Level 3 (L3) switch or router. |
| mgmt1 | This interface is intended for local access to the appliance's management interfaces (the Web-based Appliance Manager and the Command Line Interface) with a laptop. The mgmt1 interface may sometimes be used for flow redirection. For more information, see the Silver Peak Appliance Manager Operator's Guide. |

If you are using out-of-band management with Router mode (as opposed to using Server mode), then each physical Silver Peak appliance requires two IP addresses on the network. These IP addresses are described in the following table.

Table 1-2 Silver Peak Appliance Network Interfaces

| IP Address | Function |
| --- | --- |
| Appliance IP Address | The IP address originates and terminates the tunnels used to interconnect Silver Peak appliances. |
| Management IP Address (mgmt0) | This IP address is used for management and configuration of the Silver Peak appliance via the web-based Appliance Manager. |

Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance data path IP.

Configuring the mgmt0 Interface

The physical (NX) and virtual appliance Quick Start Guides each explain how to access and configure the mgmt0 interface. Here, we offer a quick, generic review.

Note: The mgmt0 next-hop is to an L3 (not L2) switch.

To configure the mgmt0 interface on a physical (NX) appliance

Refer to the NX Series Appliances Quick Start Guide.

To configure the mgmt0 interface on a virtual appliance

1. Access the hypervisor's console tab or window. The Silver Peak Console User Interface appears.
2. The next task is to determine the virtual appliance's mgmt0 IP address. In a browser, this address provides access to the Appliance Manager.
   - If you're using DHCP, the virtual appliance IP address displays in Silver Peak's Console User Interface.
   - If you're not using DHCP, then you must configure the static IP address and default gateway. Continue with the following steps.
3. In the virtual appliance console, press the function key, F4, select Static, and press Enter.
4. Enter the IP addresses for the mgmt0 interface and default gateway.
5. Click Okay. When the summary appears, review the information.
6. Click Okay. The initial screen returns.
7. To verify connectivity, press function key, F1, and enter the following command sequence:

       [vx-appliance] > enable[enter]
       [vx-appliance] # show ip default-gateway[enter]
       [vx-appliance] # ping <default-gateway>[enter]

   To stop the pinging, enter CTRL-C.

You are now ready to complete the Silver Peak virtual appliance initial configuration wizard.

Choosing an Optimization Strategy for the Traffic Path

The Route Policy specifies where to direct flows. By default, the Route Policy auto-optimizes all unicast IP traffic, automatically directing flows to the appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization.

The three strategies that auto-optimization uses are subnet sharing, TCP-based auto-opt, and IP-based auto-opt. Subnet sharing is the appliance's first choice for auto-optimization. When subnet sharing is disabled, the appliance defaults to using TCP-based auto-opt and IP-based auto-opt (as a shortcut, this document may refer to it as TCP/IP-based auto-optimization).

When might you choose to disable subnet sharing? If your network has numerous non-local LAN-side routers, you would need to manually enter each one into the appliance's subnet table. With TCP-based or IP-based auto-opt, this is unnecessary; however, if your appliance is not deployed in-line, you would need to configure inbound redirection using either Policy-Based Routing (PBR), Filter-Based Forwarding (FBF), or Web Cache Communication Protocol (WCCP). For a discussion of when you need inbound and outbound redirection, see Determining the Need for Traffic Redirection.

Auto-optimization uses different mechanisms for TCP versus non-TCP traffic. Because both mechanisms ultimately require an exchange of packets between two appliances, unidirectional IP traffic will not trigger auto-optimization.

Auto-opt may not work with a firewall in the path. Some firewalls may be configured to strip out or block the TCP options in the initial SYN packet, which will break auto-optimization. Subnet sharing does not use the TCP options field, and thus avoids this issue. Therefore, use of subnet sharing is a recommended best practice.

You can, if you choose, modify the default entry's SET action of auto-optimized. The Route Policy, then, only requires manual entries for flows that are to be:

- sent pass-through (shaped or unshaped)
- dropped
- configured for a specific high-availability deployment
- routed based on application, VLAN, DSCP, or ACL (Access Control List)

You can, however, choose to forego auto-optimization and create any and all route policies manually.

Note: IMPORTANT: A tunnel must exist before subnet sharing can proceed. Using Appliance Manager, you can create tunnels in one of three ways:

- If you enable auto-tunnel on the Configuration - System page, then the initial TCP-based or IP-based handshaking creates the tunnel. That requires outbound and inbound redirection to be in place.
- You can let the Initial Configuration Wizard create the tunnel to the remote appliance.
- You can create a tunnel manually on the Configuration - Tunnels page.
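
The firewall caveat in this section can be checked by capturing the same SYN on both sides of the firewall and comparing its TCP options. The following Python is an added example, not Silver Peak code: the guide does not say which option the appliances insert, so experimental option kind 253 stands in as a constructed placeholder, and the two sample segments, ports and function names are constructed for illustration.

```python
import struct

SYN = 0x02
EOL, NOP = 0, 1  # single-byte options: end-of-list and padding


def parse_tcp_options(segment: bytes):
    """Parse a raw TCP header; return (flags, [(kind, value_bytes), ...])."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset outside segment")
    raw, options, i = segment[20:header_len], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option %d has bad length %d" % (kind, length))
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return offset_flags & 0x01FF, options


def stripped_option_kinds(before: bytes, after: bytes):
    """Option kinds on the SYN before the firewall that are gone after it.

    A firewall that overwrites an option with NOP padding is caught too,
    because NOPs are skipped by the parser and never count as an option.
    """
    flags_before, opts_before = parse_tcp_options(before)
    flags_after, opts_after = parse_tcp_options(after)
    if not (flags_before & SYN and flags_after & SYN):
        raise ValueError("both captures must be SYN segments")
    kinds_after = {kind for kind, _ in opts_after}
    return sorted({kind for kind, _ in opts_before} - kinds_after)


def build_syn(options: bytes) -> bytes:
    """Build a constructed SYN header (checksum left at 0) for the demo."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | SYN
    return struct.pack("!HHIIHHHH", 49152, 445, 1000, 0,
                       offset_flags, 65535, 0, 0) + options


# Constructed sample data, not taken from a real capture.
MSS = bytes([2, 4, 0x05, 0xB4])
SACK_PERMITTED = bytes([4, 2])
PLACEHOLDER_OPTION = bytes([253, 6, 0xDE, 0xAD, 0xBE, 0xEF])  # assumed kind

SYN_LAN_SIDE = build_syn(MSS + SACK_PERMITTED + PLACEHOLDER_OPTION)
SYN_AFTER_FIREWALL = build_syn(MSS + SACK_PERMITTED + bytes([NOP]) * 6)

if __name__ == "__main__":
    missing = stripped_option_kinds(SYN_LAN_SIDE, SYN_AFTER_FIREWALL)
    print("option kinds removed in transit:", missing)
```

An empty result means the firewall passed every option through; any kind listed was removed or overwritten between the two capture points.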

Determining the Need for Traffic Redirection

To optimize traffic, the appliance must intercept both the inbound and outbound packets for each flow. Therefore, whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.

There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side redirection, or outbound redirection):

- PBR (Policy-Based Routing): configured on the router. No other special configuration required on the appliance. This is also known as Filter-Based Forwarding (FBF). If you want to deploy two Silver Peaks at the site, for redundancy, then you also need to use VRRP (Virtual Router Redundancy Protocol).
- WCCP (Web Cache Communication Protocol): configured on both the router and the Silver Peak appliance. You can also use WCCP for redundancy and load balancing.
- Host routing: the server/end station has a default or subnet-based static route that points to the Silver Peak appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).

To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance and a router, or the appliance and another redundant Silver Peak.

How you plan to optimize traffic affects whether or not you also need inbound redirection from the WAN router (also known as WAN-side redirection):

- If you enable subnet sharing (which relies on advertising local subnets between Silver Peak appliances) or route policies (which specify destination IP addresses), then you only need outbound redirection.
- If, instead, you default to TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), then you must set up inbound and outbound redirection on the WAN router.
- Additionally, for TCP flows to be optimized, both directions must travel through the same client and server appliances. If the TCP flows are asymmetric, as could occur in a high-availability deployment, you need to configure clusters for flow redirection among local appliances. For more about flow redirection, refer to the Appliance Manager Operator's Guide.

The following diagrams show where redirection is required and which methods you can use:

- when subnet sharing is enabled
- when using TCP-based or IP-based auto-optimization (that is, subnet sharing is not enabled)
- when directed to a specific tunnel by the Route Policy

When using subnet sharing

Enable subnet sharing on both the local and remote appliances. For outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF), WCCP, or host routing. Host routing only requires configuration on the client, not on the router or appliance.

Figure

When defaulting to TCP-based or IP-based auto-optimization

Initial handshaking between appliances happens outside the tunnel, requiring inbound redirection for packet routing. For inbound and outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF) or WCCP.

Figure 1-2

When specifying a tunnel

For outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF), WCCP, or host routing. With host routing, the outbound redirection is configured on the client, as opposed to on the router and/or appliance. Host routing only requires configuration on the client, not on the router or appliance.

Figure

High Availability

In High Availability (HA) configurations, the redundant Silver Peak appliances are deployed in router mode and either WCCP or PBR redirects flows from the routers to the appliances. The redundant appliances may be configured Active/Active or Active/Backup. This is determined by how the WCCP or PBR redirection is configured on the routers and the appliances.

For the purposes of discussion, we'll assume that HA is configured in the same location as the servers and we'll refer to the HA (redundant) appliances as server-side. We'll refer to the non-redundant appliances as client-side. Of course, it doesn't need to be this way; it's possible to have redundant Silver Peak appliances in offices without servers.

Auto-optimization or Explicit Route Maps?

In HA configurations, the decision about whether to use auto-optimization or explicit route maps has further implications. Considerations include the following:

- The network may already have inherent asymmetry, relative to the deployment you want to configure.
- Provisioning redundant appliances may introduce network asymmetry where none existed before.
- Depending on exactly how a router's inbound and outbound redirection statements are configured, it's possible to arrive at an asymmetric condition.
- With load sharing (Active/Active) configurations, asymmetry is a fact of life.

Asymmetry Mitigation

Flow redirection can prevent TCP asymmetry in high availability environments. For the appliances, this requires configuring HA (or redundant) appliances as peers, and enabling flow redirection. Both tasks are on the Configuration - Flow Redirection screen. Where it's an element of any deployment chapter in this guide, the instructions include the configuration steps.

High Availability with Explicit Route-Maps

When auto-optimization is not enabled, explicit route maps in the appliance determine how to route traffic into the tunnels for optimization. We'll examine two high availability situations from the point of view of the client-side appliance:

- Asymmetry in Active/Backup Configurations: One tunnel carries all the traffic. If that link goes down, then the Backup appliance receives the client's traffic via another tunnel. Enabling flow redirection on the peered server-side appliances ensures that the same tunnel carries those flows back to the client.
- Asymmetry in Active/Active Configurations: The server-side router is load balancing and determines which peer appliance receives the returning flow. Enabling flow redirection among peers prevents TCP asymmetry.

Considerations for Deployments

- Which sites require optimization?
- What deployment mode (router, bridge) is appropriate for each site?
- Are you going to use ACLs (Access Control Lists) instead of, or in addition to, auto-optimization?
- Are you going to enable all optimization for all flows? Or be more specific?
- Are you going to use the default QoS configuration or something more advanced?
- Do you need to consider high availability (HA)?
- Do you need to consider asymmetry?

23 Verifying Connectivity After Configuring Deployment

After you configure a deployment, you need to verify connectivity between the networks to ensure that traffic is optimized on either side. This section describes ping -r and traceroute, as well as the pros and cons of using each. Finally, it summarizes a procedure for verifying connectivity.

ping

ping is a good general tool to verify reachability. However, it is not the best tool to use to verify correct deployment of WAN optimization appliances because:
1 It doesn't verify the path that traffic takes. It's important to verify the path, not just reachability, because the appliance must intercept traffic on both sides of the WAN for optimization and acceleration to be effective.
2 It relies on ICMP, and some redirection methods (for example, WCCP) don't support ICMP.
You need a tool that can verify paths by revealing all hops taken along a path. Some tools you can use to verify the paths taken are ping -r and traceroute.

ping -r [or ping -R]: ping with Record Route option

The exact syntax for ping with record route option depends on the operating system you're using. For ease of discussion, we'll use the notation ping -r.

Environment: MS Windows. Syntax: ping -r 9. As described by OS help: Record route for count hops.
Environment: Linux/Silver Peak. Syntax: ping -R. As described by OS help: Record Route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Some hosts ignore or discard this option.

Pros
Most (but not guaranteed all) network devices support it, whether they are routers or not.
Shows the return path, too.
Cons
Limited to nine devices in the traffic path, including the source and destination.
ping -r may fail to verify connectivity with some WCCP deployments.

traceroute

Windows and Unix each have slightly different versions. Both are suitable for non-WCCP deployments, but because Windows traceroute uses ICMP, it isn't suitable for WCCP. For WCCP deployments, you need to use Unix traceroute or a 3rd-party Windows traceroute that uses UDP instead of ICMP. The downside of traceroute is that only router hops display.

24 Basic procedure

1 Verify connectivity for optimized traffic.
In Router mode (out-of-path deployment), Silver Peak appliances look like router hops. They'll display in both ping -r and traceroute.
In Bridge mode (in-line deployment), Silver Peak appliances look like bridges. They'll display in ping -r, but not in traceroute.
2 Verify connectivity for pass-through traffic. As a best practice, always verify connectivity for all devices in the network. For example, if you've configured a route policy to cause certain traffic from certain devices to be handled as pass-through or pass-through unshaped, you should also verify connectivity for these devices.
3 Test network connectivity by using your applications. For example, do a CIFS mount or an FTP transfer.
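The path check described above can be automated. The following is an added example, not part of the Silver Peak guide: it parses Linux `ping -n -R` output and reports, per appliance and per direction, whether the appliance was recorded on the path, treating a full nine-slot route buffer as "truncated" rather than "missing". All addresses and both sample outputs are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

RR_SLOTS = 9  # the IPv4 Record Route option holds at most nine addresses
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: optimized path through both appliances (10.1.0.5, 10.2.0.5).
SAMPLE_OPTIMIZED = """\
PING 10.2.0.10 (10.2.0.10) 56(124) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=61 time=42.1 ms
RR: \t10.1.0.10
\t10.1.0.5
\t192.0.2.1
\t10.2.0.1
\t10.2.0.5
\t10.2.0.10
\t10.2.0.5
\t192.0.2.2
\t10.1.0.1

64 bytes from 10.2.0.10: icmp_seq=2 ttl=61 time=41.7 ms\t(same route)
"""

# Constructed sample: traffic reaches the host but bypasses both appliances.
SAMPLE_BYPASSED = """\
PING 10.2.0.10 (10.2.0.10) 56(124) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=95.3 ms
RR: \t10.1.0.10
\t192.0.2.1
\t10.2.0.1
\t10.2.0.10
\t192.0.2.2
\t10.1.0.1
\t10.1.0.10
"""


def _last_ip(text):
    """Return the last valid IPv4 address in text ('host (ip)' or bare ip), or None."""
    for candidate in reversed(_IPV4.findall(text)):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue
    return None


def parse_record_route(output):
    """Return one recorded route (list of IPs) per echo reply."""
    routes, current = [], None
    for line in output.splitlines():
        if line.startswith("RR:"):
            current = []
            routes.append(current)
            ip = _last_ip(line)
            if ip:
                current.append(ip)
        elif current is not None and line[:1] in (" ", "\t") and line.strip():
            ip = _last_ip(line)
            if ip:
                current.append(ip)
        else:
            current = None
            # ping prints "(same route)" instead of repeating an unchanged list
            if "(same route)" in line and routes:
                routes.append(list(routes[-1]))
    return routes


def check_path(route, destination, appliances):
    """Classify each appliance per direction as 'seen', 'missing' or 'truncated'."""
    reached = destination in route
    if reached:
        turn = route.index(destination)
        forward, back = route[:turn + 1], route[turn + 1:]
    else:
        forward, back = route, []
    full = len(route) >= RR_SLOTS  # no room left, so absence proves nothing
    result = {}
    for ip in appliances:
        if ip in forward:
            fwd = "seen"
        else:
            fwd = "truncated" if (full and not reached) else "missing"
        if ip in back:
            ret = "seen"
        else:
            ret = "truncated" if full else "missing"
        result[ip] = {"forward": fwd, "return": ret}
    return result


def verify(output, destination, appliances):
    """Check the first reply's recorded route; an empty result means no RR data."""
    routes = parse_record_route(output)
    return check_path(routes[0], destination, appliances) if routes else {}


if __name__ == "__main__":
    for name, sample in (("optimized", SAMPLE_OPTIMIZED), ("bypassed", SAMPLE_BYPASSED)):
        print(name, verify(sample, "10.2.0.10", ["10.1.0.5", "10.2.0.5"]))
```

A "truncated" result means the nine-address limit was reached before that leg was recorded, so the leg has to be confirmed from the other end or with traceroute.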

25 CHAPTER 2 In-Line Deployment Using Subnet Sharing

In this deployment scenario, the Silver Peak Appliance sits between the WAN router and the Ethernet switch.

In This Chapter
Overview See page 18.
Using the Initial Config Wizard See page 21.
Verifying Appliance Connectivity See page 26.
Creating Tunnels See page 27.
Verifying Traffic See page 29.

26 Overview

In an in-line deployment, the Silver Peak appliance is inserted in-line between the WAN router and the Ethernet switch on the LAN side of the network. In this mode, the appliance intercepts all packets destined for the WAN. Based on the Route Policy's MATCH criteria, or using Subnet Sharing enabled auto-optimization, the appliance optimizes all flows that are directed to a tunnel. All other traffic passes through the appliance without optimization.

When the appliance fails, it behaves as if it were a crossover cable. Best practice is to use a crossover cable between the appliance and the WAN side router, and a standard Ethernet cable between the appliance and the LAN side switch. Verify the physical layer connectivity between the L2 switch and router with the appliance turned off. If you don't receive link on the router and/or switch, you'll need to correct the cabling.

Network Diagram
Figure 2-1 In-Line Deployment: Bridge Mode [Bridging with Fail-to-Wire]

Summary
Appliance Placement:
Appliance placed in-line between Ethernet LAN switch and WAN router
Appliance lan0 interface connects to Ethernet LAN switch
Appliance wan0 interface connects to WAN router
Fail-Safe Behavior:
Fails-to-Wire: The appliance behaves as a crossover cable between the Ethernet LAN switch and the WAN router in any failure scenario (hardware, software, power).
IMPORTANT: Ensure that the Ethernet LAN's switch and the WAN router have compatible Ethernet interface physical configuration settings (speed and duplex settings can be found on the Configuration > Interfaces page). This is to ensure that traffic flows correctly if the Silver Peak appliance Fails-to-wire.
IP Addresses:
This deployment model requires two IP addresses (on the same or separate subnets):
Silver Peak Appliance data path IP address (to originate and terminate tunnel)
Silver Peak Management IP Address (for appliance configuration and management)

27 Summary of Initial Configuration Tasks

The following table summarizes the tasks, and points you to the appropriate section of this chapter.

Task Notes For detailed instructions, see... 1 Gather all the IP addresses needed for setup 2 Install the appliance into the network Saves time and avoids mistakes. Physical appliance: Connect each site's appliance between its WAN edge router and Ethernet switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces. Collecting the Necessary Information on page 19. Silver Peak Appliance Manager Operator's Guide Quick Start Guides 3 Configure the appliances In a browser, access and use the Initial Configuration Wizard to configure each appliance in Bridge mode. 4 Verify appliance connectivity Tests data path connectivity. Do NOT proceed until you verify connectivity. Using the Initial Config Wizard on page 21. Verifying Appliance Connectivity on page Create a tunnel on each appliance 6 Test the connectivity from both ends Specify the local and remote endpoints for the tunnel. Verify that the tunnel is up and that flows are being optimized. Creating Tunnels on page 27. Verifying Traffic on page 29.

Collecting the Necessary Information

The example makes the following assumptions:
You're not using DHCP.
Speed and duplex for all interfaces are left at the default, auto-negotiation.
Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance data path IP.

Table 2-1 In-Line Deployment
Hostname B C Mode In-line (Bridge) In-line (Bridge) Admin Password: Old admin admin Admin Password: New / Confirm mgmt1 IP Address / Mask Time Zone NTP Server IP Address License (for virtual appliance only) mgmt0 IP Address / Mask a / /24 mgmt0 Next-hop IP Address LAN Next-hop IP Address (optional) b

28 Hostname B C Appliance data path IP Address / Mask / /24 Appliance data path Next-hop IP / /24
a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

29 Using the Initial Config Wizard

The Initial Config Wizard prompts you for the information that you collected at the beginning of this chapter. This section begins with the configuration of Appliance C. Afterwards, you'll repeat all the same steps for Appliance B.

To access the Initial Config Wizard
1 Access the appliance login page.
If you're using a physical Silver Peak NX appliance:
a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
b Open a browser and enter the IP address, The login page appears.
If you're using a virtual machine:
a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vNICs). Record the IP and MAC addresses for reference.
b Open a browser and enter the mgmt0 IP address. The login page appears.
2 For the username and for the password, enter admin. The initial configuration page appears.

30 Note At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.
3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.
4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

31 5 Click Next. On this page, select Bridge/In-Line for the deployment mode.
6 Click Next. On this page, configure the datapath. Be sure to:
Leave Auto Tunnel deselected.
Select Auto Subnet Sharing.

32 7 Click Next. When the Add Remote Silver Peak page appears, make no entries. We'll do this manually later.
8 Click Next. If yours is a virtual machine, the following page appears. Select the MAC addresses for the wan0 and lan0 interfaces. Verify that the MAC addresses match the vNIC interfaces for your hypervisor. If you choose the wrong MAC address, the virtual machine will not function correctly.

33 9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply. The machine reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.
10 Repeat the installation process for Appliance B, following the same procedure as you did for Appliance C.

34 Verifying Appliance Connectivity

Before proceeding, you must test connectivity to the remote Silver Peak's data path address from the local data path address. This verifies that the cables are appropriately connected and that you haven't misconfigured any of the IP addresses.
1 From the menu bar, select Maintenance > ping/traceroute/tcpdump.
2 Ping the remote device's IP address. By default, Silver Peak uses the mgmt0 IP address as the source address for a ping. To specify the local device's data path address as the ping's source address, use the -I option.
[Screenshot callouts: local appliance IP datapath address; remote appliance IP datapath address]

Tip Prior to putting a bridge mode appliance in production, it is always a good practice to test connectivity with the appliance in bypass to make sure that the network will function in the event the Silver Peak device fails to wire.

35 Creating Tunnels

Create a tunnel between appliances B and C. This involves accessing each appliance, in turn, and creating a tunnel to the other (remote) appliance.

To create a tunnel on Appliance B
1 From a browser, access Appliance B.
2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.
3 Click Add Tunnel.
a In the Name field, assign a locally significant name for the tunnel.
b In the Admin field, accept the default value, Up.
c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
e In the Remote IP address field, enter the data path IP address of the remote Silver Peak appliance.
f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
g Leave the Min BW at its default, 32 [Kbps].
h Click Apply.
i Save the changes.

To create a tunnel on Appliance C
1 From a browser, access Appliance C.
2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.
3 Click Add Tunnel.

36 a In the Name field, assign a locally significant name for the tunnel.
b In the Admin field, accept the default value, Up.
c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
e In the Remote IP address field, enter the data path IP address of the remote Silver Peak appliance.
f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths.
g Leave the Min BW at its default, 32 [Kbps].
h Click Apply.
i Save the changes.
Within a few seconds, the tunnel Status changes to Up - active. Click Refresh, if required. Be aware that a tunnel doesn't come up unless it's configured on both ends. Configuring a tunnel on a single device will not cause a connection to come up.

37 Verifying Traffic

Subnet sharing enables Silver Peak devices that are connected by tunnels to automatically share subnet information and direct all IP traffic to the appropriate destinations.
1 Verify that each appliance is learning subnets from the other appliance.
a At each appliance, access Configuration > Subnets.
b Verify that local subnets are being advertised to peers.
c Verify that the subnet table lists subnets learned from the remote appliance. The local appliance uses this learned subnet information. When auto optimization is enabled (this is the default Route Policy, and it hasn't been changed in this example), LAN-to-WAN flows are examined for the destination address. If the destination address matches a subnet learned by the local appliance, the flow is routed into the tunnel that terminates at the Silver Peak advertising the subnet.
2 Verify that traffic is being optimized.
a Bring up a connection between two devices on the end subnets -- in this case, hosts on the and subnets. This could be as simple as pinging between them.
b For continuous pinging, use ping -t. While the ping is running, go to Monitoring > Current Flows. In the table, you should see the flow between the two end devices. If you need to refresh the screen, click Apply. After flows stop, they quickly age out of the table. So when the pinging stops, the flow soon disappears from the table.

38 In this example, the Outbound Tunnel is the one connecting the two Silver Peak appliances. The Inbound and Outbound sections provide basic statistical information associated with the flow. Clicking the icon in the Detail column provides additional information for as long as the flow is active.

39 Note that the flow Status is OPTIMIZED. This is the desired status. If the Status is ALERT, click on ALERT for a pop-up that provides a troubleshooting hint. Note that in this case, one end of the tunnel was set administratively down, so packets could not be properly routed.
3 Verify connectivity for pass-through traffic. As a best practice, always verify connectivity for all devices in the network. For example, if you've configured a route policy to cause certain traffic from certain devices to be handled as pass-through or pass-through unshaped, you should also verify connectivity for these devices.
4 Test network connectivity by using your applications. For example, do a CIFS mount or an FTP transfer.


41 CHAPTER 3 Out-of-Path with Policy-Based-Routing Redirection

Section 1: Using Subnet Sharing
Section 2: Using TCP/IP based Auto-Optimization

This chapter contains two sections, each of which describes a method of using Policy-Based Routing (PBR) on the WAN router to redirect traffic to the Silver Peak appliance.

The first section uses Subnet Sharing as the preferred auto-optimization method, and allows appliances connected by an operational tunnel to optimize all packets in a flow. It simplifies network configuration and, when you're using an out-of-path Silver Peak appliance, it eliminates the need for WAN-to-LAN packet redirection on the inbound WAN interfaces of your router. It may not always be possible to use subnet sharing, however, if the configuration of your network precludes it.

The second section uses TCP-based or IP-based auto-optimization without subnet sharing. In this case, the first TCP SYN packet in the flow is transmitted outside the tunnel. Therefore, to ensure that the SYN packets arrive at an out-of-path Silver Peak appliance, you must configure WAN-to-LAN PBR packet redirection on your router's WAN facing interfaces, as described in this section. For more explanation, see Determining the Need for Traffic Redirection on page 9.

Note If you're using a Juniper router, their equivalent term for this redirection method is Filter-Based Forwarding [FBF]. Check your router manufacturer's documentation to verify terminology.

In This Chapter
SECTION 1: Using Subnet Sharing See page 34.
SECTION 2: Using TCP/IP based Auto-Optimization See page 62.

42 SECTION 1: USING SUBNET SHARING

In This Section
Using the Initial Config Wizard See page 38.
Verifying Appliance Connectivity See page 48.
Enabling Subnet Sharing See page 50.
Creating Tunnels and Updating the Subnet Table See page 52.
Configuring the Router to Redirect Traffic See page 56.
Verifying Traffic See page

43 Overview

This scenario deploys Site B in-line and the Site A network out-of-path with an available spare router port. It uses Policy-Based Routing (PBR) at the router to redirect traffic destined for the WAN to the Silver Peak appliance.

Network Diagram
Figure 3-1 Out-of-Path Deployment with Policy-Based Routing (PBR): Router Mode [Spare Router Port Available]
In this example, the Silver Peak appliance optimizes traffic to/from /24 and /24.

Summary
Appliance Placement: Attached to available router interface: Appliance wan0 interface connects to available WAN interface. Do not connect lan0 interface.
Failure Method: Fails-Open: The appliance behaves as unconnected port in all failure cases (hardware, software, power). The WAN router sees the link to the appliance go down, Policy-Based Routing fails, unicast routing forwards traffic normally.
IP Addresses: This deployment model requires two IP addresses (on the same or separate subnets):
Silver Peak Appliance data path IP address (to originate and terminate tunnel)
Silver Peak Management IP Address (for appliance configuration and management)
Configure PBR on WAN router:
Direct traffic from LAN (subnet/interface) destined for WAN to Silver Peak appliance
Do NOT enable this PBR on the interface to which the Silver Peak appliance connects

44 Fail-Safe Behavior

Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:
1 With the appliance in bypass state
2 With the appliance powered off
3 With the tunnels administratively down.

Summary of Initial Configuration Tasks

The configuration steps are as follows:

Task Notes For detailed instructions, see... 1 Gather all the IP addresses needed for setup Saves time and avoids mistakes. Collecting the Necessary Information on page Install the appliances Physical appliance: Connect the Site A appliance to the Site A router, and insert the Site B appliance between its WAN edge router and the Ethernet switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces. 3 Configure the appliance In a browser, access and use the Initial Configuration Wizard to configure each appliance: one in Bridge mode, the other in Router mode. Reboot the appliance after finishing the configuration. 4 Verify appliance connectivity Tests data path connectivity. Do NOT proceed until you verify connectivity. 5 Enable subnet sharing This prepares each appliance to share local subnets. Silver Peak Appliance Manager Operator's Guide Quick Start Guides Using the Initial Config Wizard on page 38. Verifying Appliance Connectivity on page 48. Enabling Subnet Sharing on page Create a tunnel on each appliance Specify the local and remote endpoints for the tunnel. Creating Tunnels and Updating the Subnet Table on page Configure the router Access the router's command line interface, and configure the router for policy-based routing. Configuring the Router to Redirect Traffic on page Test the connectivity from both ends Verify that the tunnel is up and that flows are being optimized. Verifying Traffic on page

45 Collecting the Necessary Information

The example makes the following assumptions:
You're not using DHCP.
Speed and duplex for all interfaces are left at the default, auto-negotiation.
Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance data path IP.

Table 3-1 Out-of-Path Deployment with Policy-Based Routing (PBR): Router Mode [Spare Router Port Available]
Hostname A1 B Mode Out-of-Path (Router) In-line (Bridge) Admin Password: Old admin admin Admin Password: New / Confirm Time Zone NTP Server IP Address License (for virtual appliance only) mgmt0 IP Address / Mask a / /24 mgmt0 Next-hop IP Address Appliance data path IP Address / Mask / /24 Appliance data path Next-hop IP / /24 LAN Next-hop IP Address (optional) b not applicable ---
a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

46 Using the Initial Config Wizard

The Initial Config Wizard prompts you for the information that you collected at the beginning of this chapter. This section begins with configuring Appliance A1, followed by Appliance B.

To access the Initial Config Wizard
1 Access the appliance login page.
If you're using a physical Silver Peak NX appliance:
a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
b Open a browser and enter the IP address, The login page appears.
If you're using a virtual machine:
a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vNICs). Record the IP and MAC addresses for reference.
b Open a browser and enter the mgmt0 IP address. The login page appears.

Appliance A1
2 For the username and for the password, enter admin. The initial configuration page appears.

47 Note At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.
3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.
4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

48 5 Click Next. On this page, select Router/Out-of-Path for the deployment mode.
6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features in later steps. Although it's not technically necessary to deselect either one, we have chosen to do so for tutorial purposes later in the chapter.

49 7 Click Next. The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.
8 Click Next. If yours is a virtual machine, the following page appears. Select a MAC address for wan0. Make sure that the addresses match the MAC addresses associated with the vNICs in the hypervisor client.

50 For example, in the VMware client, you would check on the Virtual Machine Properties page.
9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.
10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

51 Appliance B
11 Access Appliance B's login page. For the username and for the password, enter admin. The initial configuration page appears.
12 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

52 13 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).
14 Click Next. On this page, select Bridge/In-Line for the deployment mode.

53 15 Click Next. On this page, configure the appliance data path IP, WAN next-hop address, and max WAN bandwidth. If Auto Tunnel and Auto Subnet Sharing are selected, then deselect them. We'll take care of these features in later steps.
16 Click Next. The Add Remote Silver Peak page appears. We'll manually create tunnels later, so ignore this page and click Next.

54 17 Click Next. If yours is a virtual machine, the following page appears. Select MAC addresses for wan0 and lan0. Make sure that the addresses match the MAC addresses associated with the vNICs in the hypervisor client. For example, in the VMware client, you would check on the Virtual Machine Properties page.

55 18 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.
19 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

56 Verifying Appliance Connectivity

Before proceeding, you must verify Appliance A1's connectivity from its data path address to the next-hop and to the remote devices. This verifies that the cables are appropriately connected and that you haven't misconfigured any of the IP addresses.
1 From Appliance A1's menu bar, select Maintenance > ping/traceroute/tcpdump.
2 Ping Appliance B's data path IP address. By default, Silver Peak uses the mgmt0 IP address as the source address for a ping. Depending on your network configuration and addressing scheme, this may give misleading results. To sidestep this issue, use the -I option to specify the local device's data path address as the ping's source address.
[Screenshot callouts: local appliance IP datapath address [Appliance A1]; remote appliance IP datapath address [Appliance B]]
If the ping fails, verify cabling, configuration, network topology, etc.

57 3 To ensure that local routing is working correctly, ping an address on the subnet from which PBR will be redirecting traffic. To do that, use the same ping screen, specify either an address of a device or the router's address in that subnet, and ping with the -I option, as shown.
[Screenshot callouts: local appliance IP datapath address [Appliance A1]; a host on Site A's LAN]
If the ping fails, verify cabling, configuration, network topology, etc.

Tip Prior to putting a bridge mode appliance in production, it is always a good practice to test connectivity with the appliance in bypass to make sure that the network will function in the event the Silver Peak device fails to wire.

58 Enabling Subnet Sharing

Subnet information is not shared between appliances until a tunnel comes up between them. In the next few steps, we'll enable subnet sharing on both appliances, but no subnet information will actually be shared until the tunnels are brought up in the next section.

Note You could have selected Auto Subnet Sharing in the Initial Config Wizard, instead of doing this step. We do it here to highlight how the Subnet table changes after tunnels come up.

To enable subnets on A1
1 Select Configuration > Subnets. The Subnets tab appears. Notice that no subnets are displayed.
a Select Use shared subnet information.
b Select Automatically include local subnets.
c Leave the Metric for automatically added subnets at 50. Note that a lower metric has a higher priority.
2 Click Apply. The subnet table updates to include the local subnet. If it doesn't, try refreshing the page.
3 Save your changes.

59 To enable subnets on B
1 Select Configuration > Subnets. The Subnets tab appears. Set the configuration.
a Select Use shared subnet information.
b Select Automatically include local subnets.
c Leave the Metric for automatically added subnets at 50 (the default).
2 Click Apply.
3 Save your changes.

60 Creating Tunnels and Updating the Subnet Table

Create a tunnel between Appliances A1 and B. This involves accessing each appliance, in turn, and creating a tunnel to the other (remote) appliance. After that, we'll add subnets that aren't directly connected to a datapath interface.

To create a tunnel from A1 to B
1 From a browser, access Appliance A1.
2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.
3 Click Add Tunnel.
a In the Name field, assign a locally significant name for the tunnel.
b In the Admin field, accept the default value, Up.
c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
d In the Local IP field, the Appliance Manager supplies the IP address for the local appliance.
e In the Remote IP address field, enter the data path IP address of the remote Silver Peak appliance.
f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
g Leave the Min BW at its default, 32 [Kbps].
h Click Apply.
i Save the changes.
The tunnel status won't change to Up until a tunnel is configured at both ends. That is, until after we configure a tunnel from B to A1.

To create a tunnel from B to A1
1 From a browser, access Appliance B.
2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.

61 3 Click Add Tunnel.
a In the Name field, assign a locally significant name for the tunnel.
b In the Admin field, accept the default value, Up.
c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
e In the Remote IP address field, enter the data path IP address of the remote Silver Peak appliance.
f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
g Leave the Min BW at its default, 32 [Kbps].
h Click Apply.
i Save the changes.
Within a few seconds, the tunnel Status changes to Up - active. Click Refresh, if required.

To add non-local subnet information for Appliance A1

Now that the tunnels are up, the appliances can begin advertising subnet information to each other.

1. On Appliance B, examine the subnet table by going to Configuration > Subnets.

After Appliance B learns Appliance A1's subnets, it automatically sends packets destined there into the correct tunnels.

Notice that the subnet containing Site A's end devices the subnet does not appear in the table. This is because the Silver Peak at Site A doesn't have an interface with an IP address in the subnet. As a result, the local Silver Peak at Site A can't advertise this subnet to Appliance B. So, we need to specifically configure Appliance A1 to advertise this subnet to the other Silver Peaks.

To configure Appliance A1 to advertise the non-attached subnet

We've already tested connectivity from A1 to devices on , and know that the default next-hop router can reach the devices. If that were not the case, we might have to do some additional configuration such as adding a static route to the subnet via a different next-hop router.

1. On Appliance A1, go to Configuration > Subnets, and click Add new subnet.
   a. Enter the subnet and mask: /24.
   b. Leave the metric unchanged at 50 (the default).
   c. Verify that Local is selected.
   d. Verify that Advertise to Peers is selected.
2. Click Apply.
3. Save the changes.
4. To verify that Appliance B has learned the subnet, access Appliance B and select Configuration > Subnets. You should see an entry for the subnet, learned from A1.

Configuring the Router to Redirect Traffic

The purpose of configuring the router is to redirect outbound traffic to the Silver Peak appliance. This section provides examples of scripts to use for configuring policy-based routing with Cisco routers and with Juniper routers. Juniper's nomenclature for PBR is FBF (Filter-based Forwarding):

- Using a Cisco Router for Policy-Based Routing (PBR) See page 56.
- Using a Juniper Router for Filter-Based Forwarding (FBF) See page 57.

CAUTION Do not enable this PBR on the interface to which the Silver Peak appliance connects.

To gain access to the CLI, access the router via the console port or a Telnet session.

Using a Cisco Router for Policy-Based Routing (PBR)

Here, we'll configure PBR on the Cisco router and add an SLA (Service Level Agreement) to verify the appliance's reachability. This section shows a configuration of a Cisco router:

- An access list is used to match traffic from the local LAN that should be redirected to the Silver Peak appliance.
- The route-map is used to configure the next hop IP address (the Silver Peak), and points at the ip sla to verify reachability.
- The ip policy is applied to the local LAN interface to intercept traffic that needs to be redirected to the appliance.

Note If the Silver Peak appliances are using auto-optimization but not enabling subnet sharing, then the route-map on the Cisco router also needs to be applied to the WAN interface to intercept incoming traffic from the WAN that's not in a tunnel between the Silver Peaks. Also, an additional access-list entry would be required, with the source and destination subnets reversed to match the traffic coming in on the WAN interface. This does not apply to the example as implemented in this chapter.

If the Silver Peak appliance is not directly connected to the router/switch that is doing the redirection, use an IP SLA statement to ensure that traffic is redirected only when the Silver Peak appliance is Up.

    configure terminal
    ip sla 1
     icmp-echo
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    access-list 101 permit ip
    route-map silverpeak permit 10
     match ip address 101
     set ip next-hop verify-availability track 1

    exit
    interface gigabitethernet 3
     ip route-cache policy
     ip policy route-map silverpeak
    end
    write mem

Using a Juniper Router for Filter-Based Forwarding (FBF)

Following is an example of how to configure filter-based forwarding [FBF] in JUNOS. Assuming the default route is:

    routing-options {
        static {
            route /0 next-hop ;
        }
    }

1. We need to configure a new forwarding routing instance:

    set routing-instances redirect_sp instance-type virtual-router
    set routing-instances redirect_sp routing-options static route /0 next-hop <IP address of Silver Peak WAN0> metric 5
    set routing-instances redirect_sp routing-options static route /0 next-hop metric 20

   This routing instance creates a new default route directing traffic to the Silver Peak appliance. Note the route with the higher metric. If the first route is unreachable, traffic will be directed via the second route.

2. You must create a rib group:

    set routing-options interface-routes rib-group inet sp-forwarding
    set routing-options rib-groups sp-forwarding import-rib [ inet.0 redirect_sp.inet.0 ]

3. Create firewall filters that dictate which traffic uses the created routing instance:

    set firewall family inet filter silverpeak_fbf term 1 from source-address /24
    set firewall family inet filter silverpeak_fbf term 1 then routing-instance redirect_sp
    set firewall family inet filter silverpeak_fbf term default then accept

   This simply creates a filter that says traffic from Site A should use the created routing instance. That is, traffic from /24 should use as its default route.

4. Apply the filter to an interface. Note that similar to PBR, the filter should not be applied to the interface directly connected to the Silver Peak appliance.

    set interfaces ge-1/0/0 unit 0 family inet filter input silverpeak_fbf

Once a commit is executed, traffic that matches the filter is redirected.

Note This configuration is valid for a Silver Peak appliance that is directly connected to the Juniper device.

Verifying Traffic

Here, we want to verify that the tunnels are carrying traffic and that flows are being optimized.

To verify tunnel status

From the menu, select Configuration > Tunnels. The Status column indicates whether the tunnels are up.

To view tunnel statistics

From the menu, select Monitoring > Tunnels. This tab displays the statistics associated with each tunnel.

To view flow optimization

From the menu, select Monitoring > Current Flows.

- The Status column indicates whether a flow is being optimized or not. Click the icon for more information on which Silver Peak technologies are being applied to the flow.
- The Reduction columns show the bandwidth savings achieved by each flow.

To verify the Cisco SLA

With the first two commands, the router pings the Silver Peak appliance to see if the latter is up. If the appliance is down, the router stops forwarding traffic to the appliance and relies instead on its own routing tables.

1. Show ip sla summary
   - when tracked appliance is down
   - when tracked appliance is up
2. Show track brief
   - when appliance is down
   - when appliance is up
3. Show route-map all

If the bytes and packets are not incrementing, then the route policy and access list are not matching the traffic that you want to redirect. If that's the case, check the IP addresses you entered, as well as the route policy.

To verify connectivity for pass-through traffic

As a best practice, always verify connectivity for all devices in the network. For example, if you've configured a route policy to cause certain traffic from certain devices to be handled as pass-through or pass-through unshaped, you should also verify connectivity for these devices.

To verify network connectivity

Test network connectivity by using your applications. For example, do a CIFS mount or an FTP transfer.

SECTION 2: USING TCP/IP BASED AUTO-OPTIMIZATION

In This Section

- Using the Initial Config Wizard See page 38.
- Configuring the Router to Redirect Traffic See page 56.
- Verifying Traffic See page 59.
- Configuring Site B's Appliance See page

Overview

This scenario deploys Site B in-line and the Site A network out-of-path using an available spare router port. Policy-Based Routing (PBR) is configured on interfaces of Site A's router to redirect traffic destined for the WAN to the Silver Peak appliance.

Network Diagram

Figure 3-2 Out-of-Path Deployment with Policy-Based Routing (PBR): Router Mode [requires spare router port]

In this example, the Silver Peak appliance optimizes traffic to/from /24 and /24.

Summary

Appliance Placement: Attached to available router interface:
- Silver Peak appliance wan0 interface connects to available router WAN interface
- Do not connect lan0 interface

Failure Method: Fails-Open:
- The appliance behaves as an unconnected port in all failure cases (hardware, software, power)
- The WAN router sees the link to the appliance go down, Policy-Based Routing fails, unicast routing forwards traffic normally.

IP Addresses: This deployment model requires two IP addresses (on the same or separate subnets):
- Silver Peak Appliance data path IP address (to originate and terminate tunnel)
- Silver Peak Management IP Address (for appliance configuration and management)

Configure PBR on WAN router:
- Direct traffic from LAN (subnet/interface) destined for WAN to Silver Peak appliance
- Direct traffic from WAN (subnet/interface) destined for LAN to Silver Peak appliance
- Do NOT enable this PBR on the interface to which the Silver Peak appliance connects

Fail-Safe Behavior

Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:

1. With the appliance in bypass state
2. With the appliance powered off
3. With the tunnels administratively down.

Summary of Initial Configuration Tasks

The configuration steps are as follows:

Task 1: Gather all the IP addresses needed for setup
  Notes: Saves time and avoids mistakes.
  For detailed instructions, see: Collecting the Necessary Information on page 37.

Task 2: Install the appliance into the network
  Notes: Physical appliance: Connect the Site A appliance to the Site A router, and insert the Site B appliance between its WAN edge router and the Ethernet switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces.
  For detailed instructions, see: Silver Peak Appliance Manager Operator's Guide; Quick Start Guides

Task 3: Configure Site A's appliance (a)
  Notes: From a web browser, access and use the Initial Configuration Wizard to configure the appliance in Router mode. Reboot the appliance after finishing the configuration.
  For detailed instructions, see: Using the Initial Config Wizard on page

Task: Configure the router
  Notes: Access the router's command line interface, and configure the router for policy-based routing.
  For detailed instructions, see: Configuring the Router to Redirect Traffic on page

Task: Site A Appliance: Create tunnel and Route Policy entry
  Notes: Use the Appliance Manager to configure Site A's Silver Peak appliance.
  For detailed instructions, see: Verifying Traffic on page 59.

Task 7: Configure Site B's appliance for in-line deployment (a)
  Notes: Use the Initial Configuration Wizard to configure Site B's appliance in Bridge mode. Reboot the appliance.
  For detailed instructions, see: Configuring Site B's Appliance on page 77.

a. IMPORTANT: The Appliance Next-hop IP Address must be the IP address of the WAN edge router. This may or may not be the same as the LAN Next-hop IP Address for hosts on the LAN side of your network. If in doubt, check with your network administrator.

Collecting the Necessary Information

The example makes the following assumptions:

- You're not using DHCP.
- Speed and duplex for all interfaces are left at the default: auto-negotiation.

Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance IP.

Table 3-2 Out-of-Path Deployment with Policy-Based Routing (PBR): Router Mode [Spare Router Port Available]

Hostname | A | B
Mode | Out-of-Path (Router) | In-line (Bridge)
Admin Password: Old | admin | admin
Admin Password: New / Confirm
Time Zone
NTP Server IP Address
License (for virtual appliance only)
mgmt0 IP Address / Mask (a) | / / 24
mgmt0 Next-hop IP Address
Appliance data path IP Address / Mask | / / 24
Appliance data path Next-hop IP
LAN Next-hop IP Address (optional) (b) | not applicable | ---

a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

Using the Initial Config Wizard with Site A's Appliance

The Initial Config Wizard prompts you for the information that you collected at the beginning of this chapter.

To access the Initial Config Wizard

1. Access the appliance login page.

   If you're using a physical Silver Peak NX appliance:
   a. Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
   b. Open a browser and enter the IP address, The login page appears.

   If you're using a virtual machine:
   a. Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
   b. Open a browser and enter the mgmt0 IP address. The login page appears.

2. For the username and for the password, enter admin. The initial configuration page appears.

Note At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3. Read and click Next. The first management settings page appears. Complete the fields to assign a hostname and management IP address to the appliance.

4. Click Next. The second management settings page appears. Complete the fields to choose your time zone, change the administrator password, and enter the license key.

   NOTE: If using a virtual appliance, the license key is required to proceed.

5. Click Next. On this page, since we'll be configuring redirection via PBR, select Router for the deployment mode.

6. Click Next. On this page, enter the IP address for the wan0 interface and the next-hop IP address. The next-hop IP address is the IP address of the WAN edge router. On the WAN edge router, Policy Based Routing must be configured to route optimized traffic to the Silver Peak's wan0 interface IP address.

   Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features in later steps. Although it's not technically necessary to deselect either one, we have chosen to do so for tutorial purposes later in the chapter.

Note IMPORTANT: The WAN Next-hop IP Address must be the IP address of the WAN edge router. This may or may not be the same as the LAN Next-hop IP Address for hosts on the LAN side of your network. If in doubt, check with your network administrator.

7. Click Next. On this page, enter the IP address of a remote Silver Peak appliance. In this case, enter the appliance data path IP address of Site B's appliance.

8. Click Next. On this page, confirm or edit the interface-to-mac-address mappings of the appliance.

   NOTE: This page only displays if this is a virtual appliance.

9. Click Show All to confirm or edit all interfaces on the appliance, both required and not required for this deployment mode.

   NOTE: This page only displays if this is a virtual appliance.

10. Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

11. When the dialog box asks for confirmation to reboot, accept it. The appliance reboots.

After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Configuring the Router for Policy-Based Routing (PBR)

This section describes the following two related tasks:

- Cisco WAN Router Configuration at Site A See page 73.
- PBR with Silver Peak's Auto-Optimization Feature See page 74.

Cisco WAN Router Configuration at Site A

1. First configure the IP SLA feature. IP SLA tracks the Silver Peak appliance, and removes the policy route when the appliance becomes unreachable. This effectively prevents a routing black hole from occurring, where the router is sending traffic to an unreachable appliance.

    ip sla 1
     icmp-echo
     frequency 5
    ip sla schedule 1 life forever start-time now
    !
    track 123 ip sla 1 reachability

2. Next, configure the access list and route map. The access list needs to match the traffic you wish to optimize with the Silver Peak appliance. The route map creates the policy-based routing feature, and uses the access list to define what traffic to route to the Silver Peak. Traffic passing through the router that does not match this access list will not be sent to the Silver Peak, and will not be optimized.

    access-list 101 permit ip
    !
    route-map silverpeak-lan-to-wan permit 10
     match ip address 101
     set ip next-hop verify-availability track

3. Configure interfaces in our scenario. Apply the policy route-map named silverpeak-lan-to-wan to the LAN interface. For multiple LAN interfaces, apply the policy route-map to each LAN interface with traffic to be optimized; this includes physical interfaces, sub-interfaces, or BVI interfaces (Layer 3 VLAN interfaces).

   Note Do not apply the policy route-map to the interface connected to the Silver Peak (in this example, GigabitEthernet0/0), or you will create a routing loop.

    interface GigabitEthernet0/0
     description Connected to Silver Peak WAN0
     ip address
    interface GigabitEthernet0/1
     description Connected to LAN
     ip address
     ip policy route-map silverpeak-lan-to-wan
    interface GigabitEthernet0/2
     description Connected to WAN
     ip address
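The two failure modes named in this procedure and in the earlier PBR section (a routing loop when the policy is applied on the appliance-facing interface, and a black hole when the next hop is not tracked by a scheduled IP SLA) can be checked offline against a saved router configuration. The following is an added example, not part of the Silver Peak guide: the function names are hypothetical, and the sample configuration is constructed with documentation-range addresses in place of the guide's values.

```python
import ipaddress
import re

# Constructed sample in the shape of the guide's Site A router configuration.
# Every address is a documentation-range placeholder, not a value from the guide.
SAMPLE_CONFIG = """\
ip sla 1
 icmp-echo 192.0.2.100
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 123 ip sla 1 reachability
!
access-list 101 permit ip 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255
!
route-map silverpeak-lan-to-wan permit 10
 match ip address 101
 set ip next-hop verify-availability 192.0.2.100 1 track 123
!
interface GigabitEthernet0/0
 description Connected to Silver Peak WAN0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Connected to LAN
 ip address 198.51.100.1 255.255.255.0
 ip policy route-map silverpeak-lan-to-wan
"""

NEXT_HOP = re.compile(
    r"set ip next-hop (?:verify-availability )?(\d+(?:\.\d+){3})(?: \d+ track (\d+))?")


def parse(config):
    """Collect the objects the PBR design depends on from IOS-style text."""
    st = {"sla": set(), "scheduled": set(), "track": {}, "maps": {}, "ifaces": {}}
    section = None  # (kind, name) of the block that indented lines belong to
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented command opens a new section
            section = None
            if m := re.fullmatch(r"ip sla (\d+)", line):
                st["sla"].add(m[1])
            elif m := re.match(r"ip sla schedule (\d+)\b", line):
                st["scheduled"].add(m[1])
            elif m := re.match(r"track (\d+) ip sla (\d+) reachability", line):
                st["track"][m[1]] = m[2]
            elif m := re.match(r"route-map (\S+) permit \d+", line):
                section = ("map", m[1])
                st["maps"].setdefault(m[1], [])
            elif m := re.match(r"interface (\S+)", line):
                section = ("if", m[1])
                st["ifaces"][m[1]] = {"net": None, "policy": None}
        elif section and section[0] == "map" and (m := NEXT_HOP.match(line)):
            st["maps"][section[1]].append((m[1], m[2]))  # (next hop, track id or None)
        elif section and section[0] == "if":
            iface = st["ifaces"][section[1]]
            if m := re.match(r"ip address (\S+) (\S+)", line):
                iface["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r"ip policy route-map (\S+)", line):
                iface["policy"] = m[1]
    return st


def audit(config):
    """Return findings for the two failure modes the guide warns about."""
    st, findings = parse(config), []
    for name, iface in st["ifaces"].items():
        for hop, _ in st["maps"].get(iface["policy"], []):
            # Policy applied on the interface that faces the appliance: packets
            # returning from the appliance would be redirected to it again.
            if iface["net"] and ipaddress.ip_address(hop) in iface["net"]:
                findings.append(f"{name}: routing loop, {iface['policy']} is applied "
                                f"on the interface facing next hop {hop}")
    for rmap, hops in st["maps"].items():
        for hop, track in hops:
            sla = st["track"].get(track)
            if track is None:
                findings.append(f"{rmap}: next hop {hop} is not tracked")
            elif sla is None:
                findings.append(f"{rmap}: track object {track} is not defined")
            elif sla not in st["sla"] or sla not in st["scheduled"]:
                findings.append(f"{rmap}: ip sla {sla} is not defined and scheduled")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```
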

PBR with Silver Peak's Auto-Optimization Feature

In the preceding example, the Cisco router will only redirect outgoing traffic (from the LAN out to the WAN) to the Silver Peak. For Silver Peak's Auto-Optimization feature to work in this Policy-Based Routing scenario, the router also must forward the return traffic to the Silver Peak appliance (from the WAN incoming to the LAN). To accomplish this, we need to configure a routing policy to match the incoming traffic from the WAN.

1. Configure the access list and route map for the incoming traffic. The incoming access list is the inverse of the outgoing access list above.

    access-list 102 permit ip
    !
    route-map silverpeak-wan-to-lan permit 10
     match ip address 102
     set ip next-hop verify-availability track

2. Configure the WAN interface with the policy route-map named silverpeak-wan-to-lan.

    interface GigabitEthernet0/2
     description Connected to WAN
     ip address
     ip policy route-map silverpeak-wan-to-lan

Configuring a Tunnel to the Remote Site

To create a tunnel

1. From the Configuration menu, click Tunnels. The Configuration - Tunnels page appears.
2. Click Add. The page displays the Add Tunnel area.
3. Complete the Add Tunnel area:
   a. In the Name field, assign a locally significant name. Silver Peak recommends using the naming convention of SiteA-to-SiteB.
   b. In the Admin field, accept the default value, up, from the drop-down menu.
   c. Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
   d. In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
   e. In the Remote IP field, enter the Appliance data path IP address that belongs to the remote appliance.
   f. In the Max BW field, enter the maximum bandwidth for this tunnel. This must be less than or equal to the upstream bandwidth of your WAN connection. Or, select Auto Max BW so the appliances use the lower of the two system bandwidths.
   g. Leave the Min BW at its default, 32 [Kbps].

4. Click Apply. The data entry area disappears, and the table displays the new tunnel. Tunnel names hyperlink to more details, which you can edit.
5. Click Save Changes to make changes persist through a reboot.
6. To review or modify the tunnel's configuration at any point, click its name.

Configuring Site B's Appliance

1. Use the Initial Configuration Wizard to configure Site B's appliance in-line (Bridge mode).
2. Verify connectivity for Site B's appliance.
3. Create the tunnel, B-to-A.
4. Verifying connectivity for tunnel and pass-through traffic

   Once you've defined the tunnel on both devices you've configured, you must verify that the tunnel is Up and Active, and that you're able to access hosts through the tunnel.

   For more information, see Verifying Connectivity After Configuring Deployment on page 15.


CHAPTER 4 Out-of-Path with WCCP

Comparing Subnet Sharing & TCP/IP-based Auto-Optimization

This chapter provides a step-by-step example for setting up Web Cache Communications Protocol (WCCP) service. The example uses a Cisco router paired with a single Silver Peak appliance. The Silver Peak appliances participating in the WCCP service group must be deployed out-of-path (Router mode).

The example also compares two of the auto-optimization methods: subnet sharing (which, when enabled, is the method that takes precedence), and TCP-based and IP-based auto-optimization. Both methods require outbound (LAN side) redirection; TCP/IP-based auto-optimization also requires inbound (WAN side) redirection. For more explanation, see Determining the Need for Traffic Redirection on page 9.

In This Chapter

- Overview See page 80.
- Configuring the Site A Router for WCCP See page 84.
- Using the Initial Config Wizard with Site A's Appliance See page 86.
- Configuring WCCP on A1 See page 92.
- Using the Initial Config Wizard with Site B's Appliance See page 97.
- Verifying Appliance Connectivity See page 103.
- Enabling Subnet Sharing See page 105.
- Creating Tunnels and Updating the Subnet Table See page 107.
- Verifying Traffic See page 111.
- Best Practices See page 113.

Overview

In this scenario, the Silver Peak appliances are not connected in the direct path of the network traffic. As a result, a network traffic redirection technique is used to forward traffic to the appliance.

Web Cache Communications Protocol (WCCP) supports the redirection of any TCP or UDP connections to appliances participating in WCCP Service Groups. The appliance intercepts only those packets that have been redirected to it. The appliance accelerates traffic flows that the Route Policy directs to a tunnel; all other traffic passes through the appliance unmodified.

In the unlikely event that the appliance fails, WCCP on the WAN router removes the appliance from the WCCP Service Group and resumes forwarding traffic normally, according to its routing tables.

At Site A, both the router and the participating appliance require a separate WCCP service group for each protocol used in the tunnel. So, if a tunnel uses both TCP and UDP, you must create a separate WCCP Service Group for each protocol (TCP and UDP) used in the A-to-B tunnel.

Network Diagram

Figure 4-1 Out-of-Path Deployment: Silver Peak Appliance peered with an L3 router using WCCP

The Silver Peak appliances optimize traffic to/from /24 and /24.

Note You don't need a spare router port for this configuration. The Silver Peak appliance can be connected to an existing or newly configured subinterface on the router via a VLAN trunk such that a spare port on the LAN switch can be used for the physical connection.

Summary

Appliance Placement: Appliance attached in network, reachable by WAN router
- Appliance wan0 interface connects to network
- Do not connect lan0 interface

Fail-Safe Behavior: WCCP recognizes failed appliance
- Appliance removed from WCCP v2 Service Group
- WAN router resumes forwarding traffic normally according to its routing tables

IP Addresses: This deployment model requires two IP addresses (on the same or separate subnets)
- Silver Peak Appliance data path IP address (to originate and terminate tunnels)
- Silver Peak Management IP Address (for appliance configuration and management)

Configure WCCP on the Silver Peak appliance and the WAN router.
- Service Group IDs on the router and appliance must match.
- Configure two WCCP v2 Service Groups on the Silver Peak appliance (one for TCP and one for UDP)
- Configure two WCCP v2 Service Groups on the WAN router (one for TCP and one for UDP)

Fail-Safe Behavior

Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:

1. With the appliance in bypass state
2. With the appliance powered off
3. With the tunnels administratively down.

Summary of Configuration Tasks

Task 1: Gather all the IP addresses needed for setup
  Notes: Saves time and avoids mistakes.
  For detailed instructions, see: Collecting the Necessary Information on page 83

Task 2: Install the appliance into the network
  Notes: Physical appliance: Connect the Site A appliance to the Site A router, and insert the Site B appliance between its WAN edge router and the Ethernet switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces.
  For detailed instructions, see: Silver Peak Appliance Manager Operator's Guide; Quick Start Guides

Task 2: Configure the Site A router for WCCP
  Notes: Access the Site A router's command line interface (CLI) to:
  - Configure an Access Control List (ACL) that redirects all traffic from the Site A subnet to the Site B subnet
  - Configure two WCCP Service Groups, one for UDP, one for TCP
  - Associate the ACL with the Service Group
  - Enable WCCP on the appropriate router interface
  For detailed instructions, see: Configuring the Site A Router for WCCP on page 84

Task 3: Configure Site A's appliance for out-of-path deployment (a)
  Notes: Access the Initial Config Wizard to assign Appliance IP and Management IP addresses for Site A's appliance. Reboot the appliance.
  For detailed instructions, see: Using the Initial Config Wizard with Site A's Appliance on page 86

Task 4: Configure the WCCP Service Groups on Site A's appliance
  Notes: Create one for UDP and one for TCP.
  For detailed instructions, see: Configuring WCCP on A1 on page 92

Task 5: Configure Site B's appliance for in-line deployment (a)
  Notes: Run the Initial Config Wizard to set up Site B's Silver Peak appliance in Bridge mode. Reboot the appliance.
  For detailed instructions, see: Using the Initial Config Wizard with Site B's Appliance on page 97

Task 6: Verify appliance connectivity
  Notes: Ensure that the cable connections are sound and you haven't misconfigured any IP addresses. Do NOT proceed until you have verified connectivity.
  For detailed instructions, see: Verifying Appliance Connectivity on page 103

Task 7: Enable subnet sharing
  Notes: This prepares each appliance to share local subnets.
  For detailed instructions, see: Enabling Subnet Sharing on page

Task: Create a tunnel and Route Policy on Site A's appliance
  Notes: Use the Appliance Manager.
  For detailed instructions, see: Creating Tunnels and Updating the Subnet Table on page 107

Task 9: Test the connectivity from both ends
  Notes: Verify that the tunnel is up and that flows are being optimized.
  For detailed instructions, see: Verifying Traffic on page 111

a. IMPORTANT: The WAN Next Hop IP Address must be the IP address of the WAN edge router. This may or may not be the same as the Management Interface Next Hop IP Address for hosts on the LAN side of your network. If in doubt, check with your network administrator.

Collecting the Necessary Information

The example makes the following assumptions:

- You're not using DHCP.
- Speed and duplex for all interfaces are left at the default, auto-negotiation.

Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance IP.

Table 4-1 Out-of-Path Deployment: Silver Peak Appliance peered with an L3 router using WCCP

Hostname | A | B
Mode | Router / Out-of-Path | Bridge / In-Line
Admin Password: Old | admin | admin
Admin Password: New / Confirm
Time Zone
NTP Server IP Address
License (for virtual appliance only)
mgmt1 IP Address / Mask | /
mgmt0 IP Address / Mask (a) | / /24
mgmt0 Next-hop IP Address
Appliance data path IP Address / Mask | / /24
Appliance data path Next-hop IP | / /24
LAN Next-hop IP Address (optional) (b) | not applicable | ---
WCCP Service Groups | 53 (TCP) (UDP
WCCP Weight (default) | 100 | not applicable

a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

92 Silver Peak NX Series Appliances Network Deployment Guide Configuring the Site A Router for WCCP Configuring the Site A Router for WCCP To gain access to the CLI, access the router via the console port or a Telnet session. Outbound Redirection and Enabling WCCP To optimize traffic, the appliance must intercept both the inbound and outbound packets of a flow. Therefore, whenever you place an appliance out-of-path, you must direct traffic from the client to the appliance. Outbound (or LAN side) redirection is required whether you re using subnet sharing, TCP-based or IP-based auto-optimization, or manually creating a Route Policy entry. To configure a Cisco router for WCCP In this section, we ll configure WCCP on the router and set up redirection for the traffic that originates on the local LAN. The end devices and servers point to their local router/l3 switch interface on the LAN as the next hop. The router must be configured to send traffic to the Silver Peaks, which are on a different interface and subnet from the end devices, per recommended best practice. The example below was done with a Cisco router. You may need to modify the input for other routers. 1 Create an Access Control List (ACL) to redirect all traffic from Site A s /24 subnet to Site B s /24 subnet. CSR-1>enable CSR-1># CSR-1(config)# configure terminal CSR-1(config)# access-list 101 permit ip Note If there were additional local subnets from which traffic originated, we would need to create additional rules to make sure the ACL matched that traffic also. 2 Since you ll be using two protocols, you ll need two service groups. Therefore, create two WCCP service groups (as placeholders) and associate the ACL with it. Here, we ll create 53 to use (later) with TCP and 54 to use (later) with UDP. Service Groups can be numbers between 51 and 255, inclusive. 
    CSR-1(config)# ip wccp 53 redirect-list 101
    CSR-1(config)# ip wccp 54 redirect-list 101

Note that we can reuse the same ACL because it matches traffic based on IP addresses. It's the WCCP service group which redirects traffic based on protocol.

Note: On a Cisco Catalyst 6500, WCCP redirection can be done in hardware by adding the keyword, accelerated, at the end of the global command, ip wccp 53 redirect-list 101. The accelerated keyword allows the 6500 to do WCCP redirection (forwarding) in L2.

You must also associate the WCCP service group with Site A's LAN-side interface. The interface number below would be for your LAN-side interface.

    CSR-1(config)# interface gigabitethernet <number>
    CSR-1(config-if)# ip wccp 53 redirect in
    CSR-1(config-if)# ip wccp 54 redirect in
    CSR-1(config-if)# end

Inbound Redirection

How you plan to optimize traffic affects whether or not you also need inbound redirection from the WAN router (also known as WAN-side redirection):

- If you enable subnet sharing (which relies on advertising local subnets between Silver Peak appliances) or route policies (which specify destination IP addresses), then you only need outbound redirection. Silver Peak recommends using auto subnet sharing as a best practice.
- If, instead, you default to TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), then you must set up inbound and outbound redirection on the WAN router. This simply means creating another access list with the source and destination addresses reversed from the one shown in the last section (since incoming packets on the WAN side are destined to the local LAN), and adding the existing WCCP service groups to the WAN interface that's using the new ACL.

Note: The best practice recommendation is to use auto subnet sharing (covered elsewhere in this chapter), which does not require WAN-side redirects. If you're going to use auto subnet sharing, then you can skip this section.

1 Add an entry to the Access Control List (ACL) to redirect traffic from Site B's /24 subnet to Site A's /24 subnet. This entry will redirect traffic inbound from the other side of the network to the local Silver Peak. This is necessary in cases where subnet sharing is not being used. Note that the source and destination subnets are reversed from the previous example.

    CSR-1>enable
    CSR-1# configure terminal
    CSR-1(config)# access-list 101 permit ip

This last entry (access-list 101) redirects inbound WAN-to-LAN traffic from the other side of the network to the local Silver Peak. This is necessary in cases where subnet sharing is not being used.
Note: You could do this with a new, separate ACL, but it would require the addition of two new service groups on the router and also on the Silver Peak appliances.

2 You must also associate the WCCP service group with Site A's WAN-side interface. The interface number would be the one for your WAN-facing interface.

    CSR-1(config)# interface gigabitethernet <number>
    CSR-1(config-if)# ip wccp 53 redirect in
    CSR-1(config-if)# ip wccp 54 redirect in
    CSR-1(config-if)# end
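The router-side steps above (ACL 101, service groups 53 and 54, and "redirect in" on each interface) can be checked mechanically before the appliance is configured. The following is an added example, not part of the Silver Peak guide or of Cisco tooling; the config excerpt, subnets (RFC 5737 documentation ranges), interface names and password string are constructed, and the finding codes are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt following the steps above. The subnets are
# RFC 5737 documentation ranges and the interface names are placeholders; none
# of these values come from the guide.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 101 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
ip wccp 53 redirect-list 101
ip wccp 54 redirect-list 101 password 0 EXAMPLE-ONLY
!
interface GigabitEthernet0/1
 description LAN side
 ip wccp 53 redirect in
 ip wccp 54 redirect in
!
interface GigabitEthernet0/2
 description WAN side
 ip wccp 53 redirect in
!
"""

# Only the four-field "network wildcard network wildcard" ACL form is handled.
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")
SVC_RE = re.compile(r"^ip wccp (\d+)(?: redirect-list (\d+))?( password .+)?$")
IF_RE = re.compile(r"^interface (\S+)$")
IF_WCCP_RE = re.compile(r"^ip wccp (\d+) redirect in$")


def parse(config):
    """Return (acls, services, interfaces) from an IOS-style config text."""
    acls = defaultdict(list)        # ACL number -> [(src, src_wc, dst, dst_wc)]
    services = {}                   # service group -> {"acl": n, "password": bool}
    interfaces = defaultdict(set)   # interface -> service groups redirected "in"
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line ends interface mode
            current_if = None
            if m := IF_RE.match(line):
                current_if = m.group(1)
            elif m := ACL_RE.match(line):
                acls[int(m.group(1))].append(m.groups()[1:])
            elif m := SVC_RE.match(line):
                acl = int(m.group(2)) if m.group(2) else None
                services[int(m.group(1))] = {"acl": acl, "password": bool(m.group(3))}
        elif current_if and (m := IF_WCCP_RE.match(line)):
            interfaces[current_if].add(int(m.group(1)))
    return acls, services, interfaces


def audit(config):
    """Check the router side of the WCCP setup; returns a list of (code, subject)."""
    acls, services, interfaces = parse(config)
    findings = []
    applied = set().union(*interfaces.values())
    for sid, svc in sorted(services.items()):
        if not 51 <= sid <= 255:                  # range stated in the guide
            findings.append(("id-out-of-range", sid))
        if not acls.get(svc["acl"]):              # no redirect-list, or empty ACL
            findings.append(("no-redirect-acl", sid))
        if sid not in applied:
            findings.append(("not-applied-to-interface", sid))
        if svc["password"]:                       # appliance Password field must match
            findings.append(("password-set", sid))
    for name, sids in sorted(interfaces.items()):
        for sid in sorted(sids - set(services)):
            findings.append(("undefined-service-group", f"{name}:{sid}"))
        # Assumption: the TCP and UDP groups are meant to be applied together.
        for sid in sorted(set(services) - sids):
            findings.append(("missing-on-interface", f"{name}:{sid}"))
    return findings


def one_way_entries(config, acl_number):
    """ACL entries with no mirrored (source/destination swapped) counterpart.

    Inbound (WAN-side) redirection needs the mirrored entry; with subnet
    sharing alone, a one-way ACL is expected.
    """
    entries = set(parse(config)[0].get(acl_number, []))
    return sorted(e for e in entries if (e[2], e[3], e[0], e[1]) not in entries)


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code}: {subject}")
    print("one-way ACL 101 entries:", one_way_entries(SAMPLE_CONFIG, 101))
```

On the constructed sample, the audit reports that group 54 carries a password (so the same value must go in the appliance's Password field) and that group 54 is missing from the WAN-side interface.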

Using the Initial Config Wizard with Site A's Appliance

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document.

To access the Initial Config Wizard

1 Access the appliance login page.

If you're using a physical Silver Peak NX appliance:
a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
b Open a browser and enter the IP address, The login page appears.

If you're using a virtual machine:
a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vNICs). Record the IP and MAC addresses for reference.
b Open a browser and enter the mgmt0 IP address. The login page appears.

2 For the username and for the password, enter admin. The initial configuration page appears.

Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Router/Out-of-Path for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features later. Although it's not technically necessary to deselect either one, we have chosen to do so for tutorial purposes later in the chapter.

7 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page. Click Next. If yours is a virtual machine, the following page appears.

8 Click Show All. Select the MAC addresses for wan0 and mgmt1. Make sure that the addresses match the MAC addresses associated with the vNICs in the hypervisor client. For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Configuring WCCP on A1

Each Silver Peak appliance has a default weight of 100, which we'll leave unchanged. To configure WCCP on the first appliance, you'll need to use the Appliance Manager's Configuration - WCCP page to do the following:

- Create a WCCP Service Group for TCP
- Create a WCCP Service Group for UDP
- Verify that the state of each WCCP Service Group changes from INIT to ACTIVE.

Note: ACTIVE - Designated will be the state for one Silver Peak appliance; this is the device that owns the communication for WCCP with the routers.

To enable WCCP Service

1 From the menus, select Configuration > WCCP. The Configuration - WCCP page appears, with the Service Group tab displayed.

2 At the top of the page, select Enable WCCP.

To create a WCCP Service Group for the TCP protocol

1 Click Add. The page displays the Add WCCP area.

To optimize the two most commonly used protocols (TCP and UDP), you'll create two WCCP service groups in the Silver Peak appliance. If you intend to optimize traffic other than TCP and UDP, create a new service group for that protocol, and select the protocol name from the Protocol drop-down menu when creating the service group.

2 On the Configuration - WCCP page, click Add. The page displays the Add WCCP area.

[Screenshot callout: This area is accessible only when you select custom in the Assignment Detail field. In this example, it's not relevant.]

a In the Service Group ID field, enter the WCCP Service Group number you entered on the router as a placeholder for the TCP protocol. On the router, we entered 53.
b In the Admin field, accept the default of up.
c In the Protocol field, leave tcp selected.
d In the Forwarding Method field, select either. Either allows the appliance and the router to negotiate the best method for assignment. That is, GRE (Generic Routing Encapsulation) or L2.
e In the Weight field, keep the max default value of 100.
f In the Assignment Method field, leave the default of either. Either allows the appliance and the router to negotiate the best method for assignment. That is, hash or mask.
g From the Interface field, select wan0.
h For Compatibility Mode, select the option appropriate for your router. If a WCCP group is peering with a router running Nexus OS, then the appliance must adjust its WCCP protocol packets to be compatible. By default, the appliance is IOS-compatible.
i In the Router IP Address field, enter the IP address of the WCCP router,
j Leave Force L2 Return deselected.

k In the Password field, optionally enter a password.
l In the Assignment Detail field, select lan-ingress.
  - If you're not configuring the tunnel traffic for auto-optimization, then accept the default of lan-ingress. This is the assumption made for this example, since all redirection will be from the LAN to the WAN.
  - wan-ingress assignment detail is only required when redirection is needed from the WAN to the LAN, when using TCP/IP auto-optimization.
  - custom is used to provide granular control of flow distribution. Contact Silver Peak Technical Support for assistance.

3 Click Apply. The data entry area disappears, and the table displays the new WCCP Service Group for TCP.

4 Click Save Changes.

To create a WCCP Service Group for the UDP protocol

1 On the Configuration - WCCP page, click Add. The page displays the Add WCCP area.

2 Complete the Add WCCP area.

[Screenshot callout: This area is accessible only when you select custom in the Assignment Detail field. In this example, it's not relevant.]

a In the Service Group ID field, enter the WCCP Service Group number you entered on the router as a placeholder for the UDP protocol. On the router, we entered 54.
b In the Admin field, accept the default of up.
c In the Protocol field, leave udp selected.
d In the Forwarding Method field, select either. Either allows the appliance and the router to negotiate the best method for assignment. That is, GRE (Generic Routing Encapsulation) or L2.
e In the Weight field, keep the max default value of 100.
f In the Assignment Method field, leave the default of either. Either allows the appliance and the router to negotiate the best method for assignment. That is, hash or mask.
g From the Interface field, select wan0.
h For Compatibility Mode, select the option appropriate for your router. If a WCCP group is peering with a router running Nexus OS, then the appliance must adjust its WCCP protocol packets to be compatible. By default, the appliance is IOS-compatible.
i In the Router IP Address field, enter the IP address of the WCCP router,
j Leave Force L2 Return deselected.
k In the Password field, optionally enter a password.
l In the Assignment Detail field, select lan-ingress.
  - If you're not configuring the tunnel traffic for auto-optimization, then accept the default of lan-ingress. This is the assumption made for this example, since all redirection will be from the LAN to the WAN.

  - wan-ingress assignment detail is only required when redirection is needed from the WAN to the LAN, when using TCP/IP auto-optimization.
  - custom is used to provide granular control of flow distribution. Contact Silver Peak Technical Support for assistance.

3 Click Apply. The data entry area disappears, and the table displays the new WCCP Service Group for TCP. State changes from INIT to ACTIVE, DESIGNATED. This means that the WCCP protocol is working properly with the router, and that this appliance is Primary and Active.

State          Definition
INIT           WCCP Service Group initialization
ACTIVE         Active WCCP Service group
BACKUP         Backup WCCP Service group
- Designated   [Used as a modifier for ACTIVE or BACKUP]. Appliance with the lowest IP address in a WCCP group that notifies Routers how to redirect traffic.

4 Click Save Changes.

Using the Initial Config Wizard with Site B's Appliance

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document.

To access the Initial Config Wizard

1 Access the appliance login page.

If you're using a physical Silver Peak NX appliance:
a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
b Open a browser and enter the IP address, The login page appears.

If you're using a virtual machine:
a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vNICs). Record the IP and MAC addresses for reference.
b Open a browser and enter the mgmt0 IP address. The login page appears.

2 For the username and for the password, enter admin. The initial configuration page appears.

Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Bridge/In-Line for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features in later steps.

7 Click Next. The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.

8 Click Next. If yours is a virtual machine, the following page appears. Select a MAC address for wan0 and lan0. Make sure that the addresses match the MAC addresses associated with the vNICs in the hypervisor client.

For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Verifying Appliance Connectivity

Before proceeding, you must verify each appliance's connectivity from its data path address to the next-hop and to the remote devices. This verifies that the cables are appropriately connected and that you haven't misconfigured any of the IP addresses.

To verify Appliance A1's connectivity

1 From Appliance A's menu bar, select Maintenance > ping/traceroute/tcpdump.

2 Ping Appliance B's data path IP address. By default, Silver Peak uses the mgmt0 IP address as the source address for a ping. Depending on your network configuration and addressing scheme, this may give misleading results. To sidestep this issue, use the -I option to specify the local device's data path address as the ping's source address.

[Screenshot callouts: local appliance IP datapath address (Appliance A1); remote appliance IP datapath address (Appliance B)]

If the ping fails, verify cabling, configuration, network topology, etc.

3 To ensure that local routing is working correctly, ping an address on the subnet from which WCCP will be redirecting traffic. To do that, use the same ping screen, specify either an address of a device or the router's address in that subnet, and ping with the -I option, as shown.

[Screenshot callouts: local appliance IP datapath address (Appliance A1); a host on Site A's LAN]

If the ping fails, verify cabling, configuration, network topology, etc.

Tip: Prior to putting a bridge mode appliance in production, it is always a good practice to test connectivity with the appliance in bypass to make sure that the network will function in the event the Silver Peak device fails to wire.

Enabling Subnet Sharing

Note: Using auto subnet sharing is a recommended best practice. If you choose not to use subnet sharing, you must also configure inbound redirection on the WAN router (or L3 switch) to avoid creating asymmetric flows that cannot be accelerated. For those instructions, refer back to Inbound Redirection on page 85.

Subnet information is not shared between appliances until a tunnel comes up between them. In the next few steps, we'll enable subnet sharing on the appliances, but no subnet information will actually be shared until the tunnels are brought up in the next section.

Note: You could have selected Auto Subnet Sharing in the Initial Config Wizard, instead of doing this step. We do it here to highlight how the Subnet table changes after tunnels come up.

To enable subnet sharing on A

1 On Appliance A, select Configuration > Subnets. The Subnets tab appears. Notice that no subnets are displayed.
a Select Use shared subnet information.
b Select Automatically include local subnets.
c Leave the Metric for automatically added subnets at 50 (the default).

2 Click Apply. The subnet table updates to include the local subnet. If it doesn't, try refreshing the page.

3 Save the changes.

To enable subnets on B

We'll repeat the same steps we performed for A.

1 On Appliance B, select Configuration > Subnets. The Subnets tab appears. Set the configuration.
a Select Use shared subnet information.
b Select Automatically include local subnets.
c Leave the Metric for automatically added subnets at 50 (the default).

2 Click Apply.

3 Save your changes.

Creating Tunnels and Updating the Subnet Table

From each appliance, you must create a tunnel to each remote appliance to which it will be sending traffic. We'll create tunnels from Silver Peak A to B. Then we'll create tunnels from B to A. After that, we'll add subnets that aren't directly connected to a datapath interface.

To create a tunnel from A to B

1 From a browser, access Appliance A.

2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.

3 Click Add Tunnel.
a In the Name field, assign a locally significant name for the tunnel.
b In the Admin field, accept the default value, Up.
c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
e In the Remote IP address field, enter the data path IP address of Appliance B.
f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
g Leave the Min BW at its default, 32 [Kbps].
h Click Apply.
i Save the changes.

The tunnel status won't change to Up until a tunnel is configured at both ends. That is, until after we configure a tunnel from B to A.

To create tunnels from B to A

1 From a browser, access Appliance B.

2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.

3 To add a tunnel to Appliance A, click Add Tunnel.
a In the Name field, assign a locally significant name for the tunnel.
b In the Admin field, accept the default value, Up.
c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
e In the Remote IP address field, enter the data path IP address of Appliance A.
f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
g Leave the Min BW at its default, 32 [Kbps].
h Click Apply.
i Save the changes.

Within a few seconds, the Status of both tunnels should change to Up - active. Click Refresh, if required. Now that the tunnels are up, the appliances can begin advertising subnet information to each other.

To add non-local subnet information for Appliance A

1 On Appliance B, examine the subnet table by going to Configuration > Subnets. After Appliance B learns Appliance A's subnets, it automatically sends packets destined there into the correct tunnel.

Notice that the subnet containing Site A's end devices the subnet does not appear in the table. This is because the Silver Peak at Site A doesn't have an interface with an IP address in the subnet. As a result, the local Silver Peak at Site A can't advertise this subnet to Appliance B. So, we need to specifically configure Appliance A to advertise this subnet to Appliance B.

To configure Appliance A to advertise the non-attached subnet

We've already tested connectivity from A to devices on , and know that the default next-hop router can reach them. If that were not the case, we might have to do some additional configuration such as adding a static route to the subnet via a different next-hop router.

1 On Appliance A, go to Configuration > Subnets, and click Add new subnet.
a Enter the subnet and mask: /24.
b Leave the metric unchanged at 50 (the default).
c Verify that Local is selected.
d Verify that Advertise to Peers is selected.

2 Click Apply.

3 Save the changes.

To verify that Appliance B has learned the subnet

1 Access Appliance B and select Configuration > Subnets. You should see an entry for the subnet, learned from A.

Notice that Appliance B learned /24 and /24 from its peer, Appliance A. If Appliance A goes down, the subnets it advertises disappear from the table. The router knows that Appliance A is down and sends the traffic unoptimized to subnet /

Verifying Traffic

Here, we want to verify that the tunnels are carrying traffic and that flows are being optimized.

To verify tunnel status
From Appliance B's menu, select Configuration > Tunnels. The Status column indicates whether the tunnels are up.

To view tunnel statistics
From the menu, select Monitoring > Tunnels. This tab displays the statistics associated with each tunnel.

To view WCCP status
On Appliance A, select Configuration > WCCP. The WCCP State should be ACTIVE, DESIGNATED.

To verify connectivity for pass-through traffic
As a best practice, always verify connectivity for all devices in the network. For example, if you've configured a route policy to cause certain traffic from certain devices to be handled as pass-through or pass-through unshaped, you should also verify connectivity for these devices.

To verify network connectivity
Test network connectivity by using your applications. For example, do a CIFS mount or an FTP transfer.

To view flow optimization
From the menu, select Monitoring > Current Flows.

- The Status column indicates whether a flow is being optimized or not. Click the icon for more information on which Silver Peak technologies are being applied to the flow.
- The Reduction columns show the bandwidth savings achieved by each flow.

Best Practices

Tips for Deployment

- Inbound WCCP redirection is preferred over outbound [also known as ingress/egress] redirection because inbound redirection is less CPU-intensive on the router. Inbound redirection is done in hardware, whereas outbound is done in software.
- For Catalyst 6000/76xx deployments, use only inbound redirection to avoid using redirection exclude in, which is not understood by the switch hardware and must be processed in software.
- For Catalyst 6000/76xx deployments, use L2 redirection for near line-rate redirection. Silver Peak appliances automatically negotiate assignment and forwarding methods with all routers and L3 switches from Cisco to the best possible combination that the router or L3 switch supports.
- WCCPv2 interception forwards all packets from the router or L3 switch to the appliance. Special care should be taken when traffic redirected to the appliance has to be returned back to the router or L3 switch. For many routers the return traffic is delivered via L2, so there is no CPU impact. However, Catalyst 6000/76xx switches return via GRE, so the CPU can be negatively impacted unless Force L2 Return is enabled on the appliance.
- Force L2 Return should only be enabled when the interface/VLAN that the appliance is connected to is not also an interface with the redirection applied to it.
- The appliance should always be connected to an interface/VLAN that does not have redirection enabled; preferably, a separate interface/VLAN would be provided for the appliance.
- The appliance and Catalyst switch negotiate which redirect and return method to use when the service group is formed. There can be many access VLANs on the aggregation switches. Redirection is configured on all VLANs that need optimization.
- Layer 2 switching ports, including trunk ports, are not eligible for redirection.
- If Auto Optimization is used for matching traffic to be optimized via the appliance, WCCP redirection must also be applied on the uplinks of the router or L3 switch to the core/WAN.
- If WCCP redirection is needed on both the WAN and the LAN, the preferred configuration on the appliance is to set the WCCP group configured on the WAN to wan-ingress and the group configured on the LAN to lan-ingress.
- The configuration of wan-ingress and lan-ingress ensures that load balancing is symmetrical in both directions of a flow. wan-ingress uses the destination address for distribution in the router/L3 switch table. lan-ingress uses the source address for distribution.
- If Route Policies are used for matching traffic to be optimized via the appliance, WCCP redirection is not required on the core uplinks, only the access/LAN links.
- If Active/Active redistribution is enabled with route policies, then flow redirection is required to handle asymmetrical flows caused by load balancing. Flow redirection can handle millions of flows and ensures that the owner of a given flow always receives the TCP flow for processing.
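Why pairing lan-ingress with wan-ingress keeps both directions of a flow on the same appliance can be seen in a small simulation. This is an added example, not Silver Peak or Cisco code: it is a simplified model of mask assignment in which the mask value, the two-appliance group, the round-robin bucket layout and the RFC 5737 addresses are all assumptions made for illustration.

```python
import ipaddress

# How each assignment detail picks the address to distribute on, as the guide
# states: lan-ingress uses the source address, wan-ingress the destination.
ASSIGNMENT_FIELD = {"lan-ingress": "src", "wan-ingress": "dst"}

# Assumptions for illustration: a two-appliance group, a mask over the two
# low-order address bits, and buckets dealt out round-robin (equal weights).
APPLIANCES = ["A1", "A2"]
MASK = 0x00000003

# Constructed flows (client, server) using RFC 5737 documentation addresses.
FLOWS = [
    ("192.0.2.10", "198.51.100.20"),
    ("192.0.2.10", "198.51.100.21"),
    ("192.0.2.11", "198.51.100.20"),
    ("192.0.2.11", "198.51.100.21"),
]


def bucket(addr, mask=MASK):
    """Pack the address bits selected by mask into a bucket index."""
    value = int(ipaddress.ip_address(addr))
    index = out_bit = 0
    for bit in range(32):
        if (mask >> bit) & 1:
            index |= ((value >> bit) & 1) << out_bit
            out_bit += 1
    return index


def appliance_for(packet, detail, mask=MASK, appliances=APPLIANCES):
    """Appliance the router hands this (src, dst) packet to under a given detail."""
    src, dst = packet
    key = src if ASSIGNMENT_FIELD[detail] == "src" else dst
    return appliances[bucket(key, mask) % len(appliances)]


def flow_owners(client, server, lan_detail="lan-ingress", wan_detail="wan-ingress"):
    """Return (appliance for client->server, appliance for server->client)."""
    outbound = (client, server)   # redirected on the LAN-side interface
    inbound = (server, client)    # redirected on the WAN-side interface
    return appliance_for(outbound, lan_detail), appliance_for(inbound, wan_detail)


def asymmetric_flows(flows, lan_detail="lan-ingress", wan_detail="wan-ingress"):
    """Flows whose two directions land on different appliances."""
    result = []
    for client, server in flows:
        out_owner, in_owner = flow_owners(client, server, lan_detail, wan_detail)
        if out_owner != in_owner:
            result.append((client, server))
    return result


if __name__ == "__main__":
    print("lan-ingress + wan-ingress:", asymmetric_flows(FLOWS))
    print("lan-ingress on both sides:", asymmetric_flows(FLOWS, wan_detail="lan-ingress"))
```

With the recommended pairing both directions key on the client address, so no flow is split; with lan-ingress on both groups, the return direction keys on the server address and two of the four constructed flows land on different appliances.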

GRE and L2 Redirection

Packet redirection is the process of forwarding packets from the router or L3 switch to the appliance. The router or L3 switch intercepts the packet and forwards it to the appliance for optimization. The two methods of redirecting packets are Generic Route Encapsulation (GRE) and L2 redirection.

- GRE is processed at Layer 3 while L2 is processed at Layer 2.
- Silver Peak appliances support both GRE and L2 Redirection.
- Silver Peak appliances support both Mask and Hash assignments.
- Additional mask and hash assignment adjustment can help fine-tune the distribution of traffic to the appliances. The advanced configuration for fine-tuning can be found in the custom feature of the WCCP configuration on the appliance.
- Mask assignments are set up on the appliance. The first appliance that joins the WCCP service group determines the redirection method and masking value; this appliance is referred to as the designated appliance. Subsequent appliances that join the group must have the same redirection and mask value setup; otherwise, they are not active participants in the WCCP group.
- Appliances support both Hash and Mask capabilities for optimal throughput. The preferred WCCP configuration on the appliance is to leave both assignment and forwarding method set to either, which will allow the preferred negotiation to happen between the appliance and the router or L3 switch when WCCP is first enabled.

GRE

GRE is a protocol that carries other protocols as its payload. In this case, the payload is a packet from the router to the appliance. GRE works on routing and switching platforms. It allows the WCCP clients to be separate from the router via multiple hops. Because GRE is processed in software, router CPU utilization increases with GRE redirection. Hardware-assisted GRE redirection is available on the Catalyst 6500 with Sup720.
L2 Redirection

L2 redirection requires the appliance to be in the same subnet as the router or switch (L2 adjacency). The switch rewrites the destination L2 MAC header with the appliance MAC address. The packet is forwarded without additional lookup. L2 redirection is done in hardware and is available on the Catalyst 6500/7600 platforms. CPU utilization is not impacted because L2 redirection is hardware-assisted; only the first packet is switched by the Multilayer Switch Feature Card (MSFC) with hashing. After the MSFC populates the NetFlow table, subsequent packets are switched in hardware. L2 redirection is preferred over GRE because of lower CPU utilization. There are two methods to load balance appliances with L2 redirection: hashing and masking.

CHAPTER 5 Out-of-Path with VRRP Peering to a WAN Router Using Subnet Sharing

This chapter provides a step-by-step example of a deployment where the Silver Peak appliance uses the Virtual Router Redundancy Protocol (VRRP) to peer with the existing router, when no spare router port is available.

In This Chapter

- Overview
- Using the Initial Config Wizard
- Verifying Appliance Connectivity
- Enabling Subnet Sharing
- Creating Tunnels
- Configuring VRRP on a Cisco Router
- Configuring VRRP on Silver Peak A1
- Verifying Traffic

Overview

In this deployment mode, the Silver Peak appliance uses the Virtual Router Redundancy Protocol (VRRP) to peer with the existing router, when no spare router port is available. This requires changing the IP address of the router and adding the VRRP VIP (Virtual IP) address to the router. The VIP address takes the existing router address; this way, you don't need to modify the client's default gateway.

The Silver Peak appliance becomes the primary default gateway for all users in that network. In the unlikely event that the Silver Peak appliance fails, the router automatically becomes the default gateway. The remote location is configured In-Line.

Network Diagram

Before configuring VRRP, the original default gateway was /24.

Figure 5-1 Out-of-Path Deployment: Silver Peak Appliance peered with an L3 router using Virtual Router Redundancy Protocol (VRRP)

In this example, the Silver Peak appliance optimizes traffic to/from /24 and /

Summary

Appliance Placement
  - Appliance shares LAN segment with existing equipment
  - Appliance wan0 interface connects to Ethernet LAN switch
  - Do not connect lan0 interface

Failure Method
  - Fails-Open: The appliance behaves as an unconnected port in all failure cases (hardware, software, power)
  - WAN router assumes Virtual IP Address and forwards traffic normally

IP Addresses
  This deployment model requires three IP addresses:
  - Silver Peak Appliance data path IP address (to originate and terminate tunnel)
  - Silver Peak Management IP Address (for appliance configuration and management)
  - Virtual IP Address (VIP) shared by Silver Peak appliance and the WAN router
  The VIP must be the default gateway for the clients and servers on the LAN subnet.
  NOTE: Typically, this would be the current default gateway, to avoid client reconfigurations.
  The Silver Peak appliance must share the default gateway VIP with the WAN router using VRRP.
  The Silver Peak appliance must be configured with higher priority and preemption to ensure VRRP reverts to the appliance.

Fail-Safe Behavior

Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:
1 With the appliance in bypass state
2 With the appliance powered off
3 With the tunnels administratively down.

Summary of Initial Configuration Tasks

1 Gather all the IP addresses needed for setup
  Notes: Saves time and avoids mistakes.
  For detailed instructions, see: Collecting the Necessary Information

2 Install the appliance into the network
  Notes: Physical appliance: Connect the Site A appliance to the Site A router, and insert the Site B appliance between its WAN edge router and the Ethernet switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces.
  For detailed instructions, see: Silver Peak Appliance Manager Operator's Guide; Quick Start Guides

3 Configure the appliance
  Notes: In a browser, access and use the Initial Configuration Wizard to configure each appliance, one in Bridge mode, the other in Router mode. Reboot each appliance after finishing the configuration.
  For detailed instructions, see: Using the Initial Config Wizard

4 Verify appliance connectivity
  Notes: Tests data path connectivity. Do NOT proceed until you verify connectivity.
  For detailed instructions, see: Verifying Appliance Connectivity

5 Enable subnet sharing
  Notes: This prepares each appliance to share local subnets.
  For detailed instructions, see: Enabling Subnet Sharing

6 Create a tunnel on each appliance
  Notes: Specify the local and remote endpoints for the tunnel. Afterwards, verify that the tunnels are up and the subnet table has updated.
  For detailed instructions, see: Creating Tunnels

7 Configure Site A's router
  Notes: Access the router's command line interface, and configure the router for policy-based routing.
  For detailed instructions, see: Configuring VRRP on a Cisco Router

8 Configure VRRP on Site A's appliance
  Notes: Use two of the Configuration pages: Deployment and VRRP
  For detailed instructions, see: Configuring VRRP on Silver Peak A1

9 Test the connectivity from both ends
  Notes: Verify that the tunnel is up and that flows are being optimized.
  For detailed instructions, see: Verifying Traffic

Collecting the Necessary Information

The example makes the following assumptions:
  - You're not using DHCP.
  - Speed and duplex for all interfaces are left at the default, auto-negotiation.
Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance IP.

Table 5-1 Out-of-Path Deployment: Silver Peak Appliance peered with an L3 router using Virtual Router Redundancy Protocol (VRRP)

  Hostname                                   A1    B
  Mode                                       Out-of-Path (Router)    In-line (Bridge)
  Admin Password: Old                        admin    admin
  Admin Password: New / Confirm
  Time Zone
  NTP Server IP Address
  License (for virtual appliance only)
  mgmt0 IP Address / Mask (a)                / /24
  mgmt0 Next-hop IP Address
  Appliance data path IP Address / Mask      / /24
  Appliance data path Next-hop IP            / /24
  LAN Next-hop IP Address (optional) (b)     not applicable    ---
  VRRP Group ID
  VRRP Virtual IP Address (VIP)              not applicable
  VRRP Priority                              130    not applicable

a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

Using the Initial Config Wizard

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document. This section begins with configuring Appliance A1, followed by Appliance B.

To access the Initial Config Wizard

1 Access the appliance login page.
  If you're using a physical Silver Peak NX appliance:
    a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
    b Open a browser and enter the IP address, The login page appears.
  If you're using a virtual machine:
    a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
    b Open a browser and enter the mgmt0 IP address. The login page appears.

Appliance A1

2 For the username and for the password, enter admin. The initial configuration page appears.

Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.
4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Router/Out-of-Path for the deployment mode.
6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features later. Although it's not technically necessary to deselect either one, we have chosen to do so for tutorial purposes later in the chapter.

Configure the Next-hop IP to be the physical address that the next-hop router will use, not the VRRP virtual IP address. Otherwise, you'll create a routing loop when the Silver Peak is the VRRP Master.

7 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.

8 Click Next. If yours is a virtual machine, the following page appears. Select a MAC address for wan0. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client. For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.
10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Appliance B

11 Access Appliance B's login page. For the username and for the password, enter admin. The initial configuration page appears.
12 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

13 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).
14 Click Next. On this page, select Bridge/In-Line for the deployment mode.

15 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features in later steps.
16 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page and click Next.

17 Click Next. If yours is a virtual machine, the following page appears.
18 Click Show All. Select the MAC addresses for wan0 and mgmt1. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client.

19 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.
20 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Verifying Appliance Connectivity

Before proceeding, you must verify Appliance A1's connectivity from its data path address to the next-hop and to the remote devices. This verifies that the cables are appropriately connected and that you haven't misconfigured any of the IP addresses.

1 From Appliance A1's menu bar, select Maintenance > ping/traceroute/tcpdump.
2 Ping Appliance B's data path IP address.

By default, Silver Peak uses the mgmt0 IP address as the source address for a ping. Depending on your network configuration and addressing scheme, this may give misleading results. To sidestep this issue, use the -I option to specify the local device's data path address as the ping's source address.

[Screenshot callouts: local appliance IP datapath address (Appliance A1); remote appliance IP datapath address (Appliance B)]

If the ping fails, verify cabling, configuration, network topology, etc.

Tip: Prior to putting a bridge mode appliance in production, it is always a good practice to test connectivity with the appliance in bypass to make sure that the network will function in the event the Silver Peak device fails to wire.

Enabling Subnet Sharing

Subnet information is not shared between appliances until a tunnel comes up between them. In the next few steps, we'll enable subnet sharing on both appliances, but no subnet information will actually be shared until the tunnels are brought up in the next section.

Note: You could have selected Auto Subnet Sharing in the Initial Config Wizard, instead of doing this step. We do it here to highlight how the Subnet table changes after tunnels come up.

To enable subnets on A1

1 On Appliance A1, select Configuration > Subnets. The Subnets tab appears. Notice that no subnets are displayed.
  a Select Use shared subnet information.
  b Select Automatically include local subnets.
  c Leave the Metric for automatically added subnets at 50. Note that a lower metric has a higher priority.
2 Click Apply. The subnet table updates to include the local subnet. If it doesn't, try refreshing the page.
3 Save the changes.

To enable subnets on B

1 On Appliance B, select Configuration > Subnets. The Subnets tab appears. Set the configuration.
  a Select Use shared subnet information.
  b Select Automatically include local subnets.
  c Leave the Metric for automatically added subnets at 50 (the default).
2 Click Apply.
3 Save your changes.

Creating Tunnels

Create a tunnel between Appliances A1 and B. This involves accessing each appliance, in turn, and creating a tunnel to the other (remote) appliance. After the tunnels are up, we'll verify that the subnet table has updated.

To create a tunnel from A1 to B

1 From a browser, access Appliance A1.
2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.
3 Click Add Tunnel.
  a In the Name field, assign a locally significant name for the tunnel.
  b In the Admin field, accept the default value, Up.
  c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
  d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
  e In the Remote IP address field, enter the data path IP address of the remote Silver Peak appliance.
  f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
  g Leave the Min BW at its default, 32 [Kbps].
  h Click Apply.
  i Save the changes.

The tunnel status doesn't change to Up until a tunnel is configured at both ends. So, we'll now configure a tunnel from B to A1.

To create a tunnel from B to A1

1 From a browser, access Appliance B.
2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.
3 Click Add Tunnel.
  a In the Name field, assign a locally significant name for the tunnel.
  b In the Admin field, accept the default value, Up.
  c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
  d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
  e In the Remote IP address field, enter the data path IP address of the remote Silver Peak appliance.
  f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths.
  g Leave the Min BW at its default, 32 [Kbps].
  h Click Apply.
  i Save the changes.

Within a few seconds, the tunnel Status changes to Up - active. Click Refresh, if required. Now that the tunnels are up, the appliances can begin advertising subnet information to each other.

To verify that the Subnet table is current

On Appliance B, examine the subnet table by going to Configuration > Subnets. Now that Appliance B has learned the remote appliance's subnet(s), it automatically places packets with destinations in learned subnets into the correct tunnels.

Configuring VRRP on a Cisco Router

Next, you need to configure the router for VRRP. Additionally, since you're changing the IP address on the router interface, make sure you're accessing the router via the console port or a different interface that's not dependent upon the interface address you're changing.

Also, be aware that the default priority for VRRP on many routers is 100. Refer to your router's user documentation for the exact value. In this example, setting the Silver Peak's default priority value to 130 ensures that it's the Primary VRRP peer.

With VRRP, if the Silver Peak and the router are on the same subnet as the local hosts (PCs, servers, etc.), then the virtual IP address of the VRRP group should be the default gateway address for the subnet. The original address of the interface on the router ( in this example) is the default gateway address to which all of the devices on the subnet point. To avoid reconfiguring or rebooting all the devices on the subnet and the DHCP server to point to a new address, we'll readdress the current router interface to a new address ( ) and configure the virtual IP address of the VRRP group with the previous default gateway address. This way, all devices on the subnet that previously pointed to the default gateway address now point to the VRRP virtual IP as their default gateway.

The original default gateway was /24.

To configure the [Cisco] router

    configure terminal
    interface GigabitEthernet 1
    no ip address
    #ip address
    vrrp 1 ip
    vrrp 1 priority 101
    vrrp 1 preempt
    end
    write mem

Configuring VRRP on Silver Peak A1

It's helpful to review some concepts before configuring VRRP.

Managing the addresses

Now we'll configure the Silver Peak's data path next hop address to point to the new physical address of the router interface ( , in this example) and not the old one, which is now the VRRP group's virtual IP address. Failure to do so will cause a routing loop when the Silver Peak is the VRRP Master, since at that point, the Silver Peak will be processing traffic for the virtual IP address. If the next-hop IP for the Silver Peak still points to that virtual address, it will essentially be forwarding traffic to itself, creating the loop.

Using VRRP with a single Silver Peak and a router or L3 switch

If you use VRRP with a single Silver Peak and its VRRP peer is another device like a router or L3 switch, then you want to configure the Silver Peak to have a higher priority than the router/switch and also enable preemption. This ensures that the Silver Peak always becomes the Master and that the lower priority device (the switch or router) becomes the backup, so the Silver Peak can optimize traffic.

Many routers have a default priority of 100. Although the Silver Peak appliance's default value is 128 (and therefore higher by default), in this example we'll change it to 130 for the practice.

If the Silver Peak experienced a failure, the router/L3 switch (the backup device) would become the Master, and unoptimized traffic would be routed natively according to its routing tables. After the Silver Peak comes back online, if it has the higher priority and preemption is enabled, it again assumes primary responsibility and would resume optimizing traffic. If you fail to configure the Silver Peak with higher priority, or if preemption is disabled, traffic will not be optimized when the Silver Peak comes back up because the appliance will not become the Master.

To configure VRRP on Site A's appliance

1 On Appliance A1, select Configuration > Deployment.
2 Change the next-hop address and click Apply.
3 Go to Configuration > VRRP and click Add.

The Add VRRP area appears. Some fields display default values.
  a Assign a Group ID number. You'll use the same number for the primary and backup devices. Here, we're using 1.
  b Leave Interface set to wan0.
  c Leave Admin set to up.
  d Leave the Advertisement Timer set to 1.
  e In the Virtual Address field, enter the virtual IP that you'll be using for both the primary and backup appliances. In our case, it's
  f Priority and Preemption work together. If two devices come up at the same time, the device with the highest priority becomes the Master, and lower priority devices are backups. If Preemption is enabled and a device with a higher priority comes online in the VRRP group, it becomes the Master even if another device is already acting as Master. The lower priority device then reverts to being a backup.
  g We'll set our Priority to 130, and enable Preemption.
  h If you choose to use VRRP's text authentication, then the Authentication String must be specified in all members of the group. In this deployment, that would include Site A's appliance and the peered router. Here, we'll leave it blank.
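The priority and preemption behaviour and the next-hop routing-loop condition described in this section, modelled as an added Python example (not Silver Peak or Cisco code). The names Member, elect, failover_cycle and check_plan and the 192.0.2.x addresses are constructed for illustration; the priorities 130 and 101 are the values used in this chapter.

```python
"""Added illustration: VRRP Master selection with priority and preemption,
plus a plan check for the next-hop/VIP routing loop. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass
class Member:
    name: str
    address: str        # physical interface address, e.g. "192.0.2.3/24"
    priority: int
    preempt: bool
    auth: str = ""      # VRRP text authentication string, "" when unused
    up: bool = True


def elect(members, master=None):
    """Return the name of the Master once the group settles, or None.

    master is the name of the device currently acting as Master, if any.
    """
    alive = [m for m in members if m.up]
    if not alive:
        return None

    def rank(m):
        # Highest priority wins; the higher interface address breaks a tie.
        return (m.priority, ip_interface(m.address).ip)

    current = next((m for m in alive if m.name == master), None)
    if current is None:
        # No Master is advertising: the best-ranked live member takes over.
        return max(alive, key=rank).name
    # A live Master is displaced only by a strictly higher-priority member
    # that has preemption enabled.
    challengers = [m for m in alive if m.preempt and m.priority > current.priority]
    return max(challengers, key=rank).name if challengers else current.name


def failover_cycle(appliance, router):
    """Fail the appliance, bring it back, and record the Master after each event."""
    group, master, timeline = [appliance, router], None, []
    for event, state in (("both up", True),
                         ("appliance fails", False),
                         ("appliance returns", True)):
        appliance.up = state
        master = elect(group, master)
        timeline.append((event, master))
    return timeline


def check_plan(vip, next_hop, appliance, router):
    """Return findings for a planned deployment; an empty list means none."""
    findings = []
    subnet = ip_interface(appliance.address).network
    if ip_address(next_hop) == ip_address(vip):
        findings.append("next-hop equals the VIP: routing loop while the appliance is Master")
    if ip_address(next_hop) not in subnet:
        findings.append("next-hop is outside the appliance data path subnet")
    if appliance.priority <= router.priority:
        findings.append("appliance priority is not higher than the router's")
    if not appliance.preempt:
        findings.append("preemption is disabled on the appliance")
    # The text string travels in clear text in VRRP advertisements, so this
    # only checks that every member is configured consistently.
    if appliance.auth != router.auth:
        findings.append("authentication string differs between group members")
    return findings


if __name__ == "__main__":
    # Constructed addresses (documentation range); priorities 130 and 101 are
    # the values used in this chapter.
    a1 = Member("A1", "192.0.2.3/24", priority=130, preempt=True)
    rtr = Member("router", "192.0.2.2/24", priority=101, preempt=True)
    for event, master in failover_cycle(a1, rtr):
        print(f"{event:18} Master = {master}")
    for finding in check_plan("192.0.2.1", "192.0.2.1", a1, rtr):
        print("FINDING:", finding)
```

Rerunning failover_cycle with preempt=False on the appliance, or with a priority below the router's, shows the router keeping the Master role after the appliance returns.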

Verifying Traffic

Here, we want to verify that the tunnels are carrying traffic and that flows are being optimized.

To verify tunnel status

From the menu, select Configuration > Tunnels. The Status column indicates whether the tunnels are up.

To view tunnel statistics

From the menu, select Monitoring > Tunnels. This tab displays the statistics associated with each tunnel.

To view VRRP status

1 On Appliance A1, select Configuration > VRRP. If the appliance is up and participating in the VRRP group, then the VRRP State should be either Master or backup.
2 To test the backup:
  a On the appliance that is the Master (A1), go to Configuration > VRRP.
  b Click on the Group ID.

  The Modify VRRP dialog appears. Set it administratively down.
  c Click Apply. All traffic is then handled by the backup device, which becomes the Master.
3 To verify the router's status, access it and use the show vrrp command.

[Screenshot: With A1 up and acting as the Master (Cisco is backup)]
[Screenshot: With A1 down and the Cisco as Master]

Make sure to change the Silver Peak's Admin state back to up when you're done testing.

To view flow optimization

From the menu, select Monitoring > Current Flows.
  - The Status column indicates whether a flow is being optimized or not. Click the icon for more information on which Silver Peak technologies are being applied to the flow.
  - The Reduction columns show the bandwidth savings achieved by each flow.

To verify connectivity for pass-through traffic

As a best practice, always verify connectivity for all devices in the network. For example, if you've configured a route policy to cause certain traffic from certain devices to be handled as pass-through or pass-through unshaped, you should also verify connectivity for these devices.

To verify network connectivity

Test network connectivity by using your applications. For example, do a CIFS mount or an FTP transfer.


CHAPTER 6
Out-of-Path with PBR and VRRP Redundant Silver Peak Appliances Using Subnet Sharing

This chapter provides a step-by-step example for configuring high availability. In this example, Site A deploys two redundant appliances out-of-path (Router mode), used as Active and Standby. Site B deploys a single appliance in-line (Bridge mode). The peered appliances at Site A use the Virtual Router Redundancy Protocol (VRRP) to create and share a common IP address, called the Virtual IP address (VIP).

In This Chapter
  Overview
  Using the Initial Config Wizard for Site A
  Configuring VRRP on A1 and A2
  Configuring Flow Redirection
  Using the Initial Config Wizard with Site B
  Verifying Appliance Connectivity
  Enabling Subnet Sharing
  Creating Tunnels and Updating the Subnet Table
  Configuring A1 and A2 to Advertise Non-Local Subnets
  Configuring the Cisco Router for Policy-Based Routing (PBR)
  Verifying Traffic

Overview

In this example, Site A deploys two primary appliances out-of-path (Router mode), and Site B deploys a single appliance in-line (Bridge mode). The peered appliances at Site A use the Virtual Router Redundancy Protocol (VRRP) to create and share a common IP address, called the Virtual IP (VIP) address. Configuring for high availability assigns one appliance a higher priority than the other appliance, thereby making it the Master, and the other, the backup.

The appliance at Site B has separate tunnels going to each of the two appliances at Site A:
  - If one of the appliances at Site A is down, then Site B only sends traffic to the appliance (tunnel) that is up.
  - If both appliances at Site A are up, then Site B sends traffic to the tunnel (appliance) that has higher VRRP priority.

Network Diagram

Figure 6-1 Out-of-Path Deployment: Redundant Silver Peak Appliances using Policy-Based-Routing (PBR)

The Silver Peak appliances optimize traffic to/from /24 and /

The following table summarizes installation considerations:

Summary

Appliance Placement
  Both appliances are attached to the same available subnet via an Ethernet LAN switch:
  - Each appliance's wan0 interface connects to the Ethernet switch that is connected to the available WAN interface
  - Do not connect lan0 interface of either appliance

Failure Method
  - Fails Open: The failed appliance behaves as unconnected port in all failure cases (hardware, software, power).
  - The redundant Silver Peak appliance assumes the Silver Peak Appliance Virtual IP Address.
  - Remote appliances switch to the redundant appliance.

IP Addresses
  This deployment model requires five IP addresses:
  - Each appliance needs a Silver Peak Appliance IP data path address (to originate and terminate tunnels).
  - The two appliances share one Silver Peak Appliance Virtual IP Address for VRRP.
  - Each appliance needs a Silver Peak Management IP Address (for appliance configuration and management).

Configure PBR on WAN router
  - Direct traffic from LAN (subnet/interface) destined for WAN to Silver Peak Appliances Virtual IP Address
  - Do NOT enable this PBR on the interface to which the Silver Peak appliances connect

Fail-Safe Behavior

Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:
1 With the appliance in bypass state
2 With the appliance powered off
3 With the tunnels administratively down.

Collecting the Necessary Information

The example makes the following assumptions:
  - You're not using DHCP.
  - For all interfaces, speed and duplex are left at the default, which is auto-negotiation.
Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance IP.

Table 6-1 Out-of-Path Deployment: Silver Peak Appliance peered with an L3 router using Virtual Router Redundancy Protocol (VRRP)

  Hostname                                   A1    A2    B
  Mode                                       Router / Out-of-Path    Router / Out-of-Path    Bridge / In-line
  Admin Password: Old                        admin    admin    admin
  Admin Password: New / Confirm
  Time Zone
  NTP Server IP Address
  License (for virtual appliance only)
  mgmt1 IP Address / Mask                    / /
  mgmt0 IP Address / Mask (a)                / / /24
  mgmt0 Next-hop IP Address
  Appliance data path IP Address / Mask      / / /24
  Appliance data path Next-hop IP            / / /24
  LAN Next-hop IP Address (optional) (b)     not applicable    not applicable    ---
  VRRP Group ID
  VRRP Virtual IP Address (VIP)              not applicable
  VRRP Priority                              not applicable

a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

Summary of Configuration Tasks

1 Gather all the IP addresses needed for setup
  Notes: Saves time and avoids mistakes.
  For detailed instructions, see: Collecting the Necessary Information

2 Install the appliance into the network
  Notes: Physical appliance: Connect both appliances to the same available subnet via an Ethernet LAN switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces.
  For detailed instructions, see: Silver Peak Appliance Manager Operator's Guide; Quick Start Guides

3 Configure the peer appliances at Site A
  Notes: In a browser, access and use the Initial Configuration Wizard to configure each appliance. Reboot the appliances after finishing the configuration.
  For detailed instructions, see: Using the Initial Config Wizard for Site A

4 Configure VRRP for the Site A peers
  Notes: You'll configure one appliance to be the Master, and the other to be the Backup.
  For detailed instructions, see: Configuring VRRP on A1 and A2

5 Configure flow redirection for the Site A peers
  Notes: When you create a cluster, the peers keep track of which appliance owns each flow. If the path between client and server isn't the same in both directions, the flow is redirected to the appliance that first saw it and owns it.
  For detailed instructions, see: Configuring Flow Redirection

6 Configure Site B's appliance
  Notes: In a browser, access and use the Initial Configuration Wizard to configure the appliance. Reboot the appliance after finishing the configuration.
  For detailed instructions, see: Using the Initial Config Wizard with Site B

7 Verify appliance connectivity
  Notes: Tests data path connectivity. Do NOT proceed until you verify connectivity.
  For detailed instructions, see: Verifying Appliance Connectivity

8 Enable subnet sharing
  Notes: This prepares each appliance to share local subnets.
  For detailed instructions, see: Enabling Subnet Sharing

9 Create a tunnel on each appliance
  Notes: Specify the local and remote endpoints for the tunnel.
  For detailed instructions, see: Creating Tunnels and Updating the Subnet Table

10 Manually add Site A's non-local subnets
  Notes: Manually add subnets that aren't directly connected to an appliance interface so they can be advertised.
  For detailed instructions, see: Configuring A1 and A2 to Advertise Non-Local Subnets

11 Configure the router
  Notes: Access the router's command line interface, and configure the router for policy-based routing.
  For detailed instructions, see: Configuring the Cisco Router for Policy-Based Routing (PBR)

12 Test the connectivity from both ends
  Notes: Verify that the tunnel is up and that flows are being optimized.
  For detailed instructions, see: Verifying Traffic

Using the Initial Config Wizard for Site A

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document. This section begins with configuring Appliance A1, followed by Appliance A2.

To access the Initial Config Wizard

1 Access the appliance login page.
  If you're using a physical Silver Peak NX appliance:
    a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
    b Open a browser and enter the IP address, The login page appears.
  If you're using a virtual machine:
    a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
    b Open a browser and enter the mgmt0 IP address. The login page appears.

Appliance A1

2 For the username and for the password, enter admin. The initial configuration page appears.

Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Router/Out-of-Path for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features later. Although it's not technically necessary to deselect either one, we have chosen to do so for tutorial purposes later in the chapter.

   Configure the Next-hop IP to be the physical address that the next-hop router will use, not the VRRP virtual IP address. Otherwise, you'll create a routing loop when the Silver Peak is the VRRP Master.

7 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.

   Click Next. If yours is a virtual machine, the following page appears.

8 Click Show All. Select the MAC addresses for wan0 and mgmt1. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client.

   For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Appliance A2

11 For the username and for the password, enter admin. The initial configuration page appears.

12 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

13 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

14 Click Next. On this page, select Router/Out-of-Path for the deployment mode.

15 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features later.

   Configure the Next-hop IP to be the physical address that the next-hop router will use, not the VRRP virtual IP address. Otherwise, you'll create a routing loop when the Silver Peak is the VRRP Master.

16 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.

   Click Next. If yours is a virtual machine, the following page appears.

17 Click Show All. Select the MAC addresses for wan0 and mgmt1. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client.

   For example, in the VMware client, you would check on the Virtual Machine Properties page.

18 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

19 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Configuring VRRP on A1 and A2

You'll want to make one appliance the Master, and make the other Site A appliance (on the same subnet) the Backup. On the Configuration - VRRP page, you'll start to set this up by using Virtual Router Redundancy Protocol (VRRP) to assign the primary appliance a higher priority than you assign the secondary appliance. Since this is the primary appliance, set the priority to 130. This will be higher than the secondary (backup) appliance, which remains set to the default of 128.

[Figure: Using VRRP with two Silver Peaks acting as Master and Backup]

If either Silver Peak acting as Master fails, the Backup assumes the role of Master and begins optimizing traffic.

Because we want our network to behave deterministically, to minimize the amount of flow redirection that is needed, we will configure A1 with a priority of 130, and A2 with a priority of 128. With A1 having the higher priority, it becomes the Master when both appliances are up.

Check the Preemption checkbox. This ensures that A1 becomes Master whenever it is up because it has the higher priority. A2, if it was acting as Master, reverts to backup when A1 assumes the role of Master.

If preemption is not enabled, then whichever appliance is Master remains Master, even if a device in that VRRP group has a higher priority. We always want A1 (which has a higher priority) to be the Master, so we enable preemption.

To configure VRRP on Appliance A1

1 On Appliance A1, go to Configuration > VRRP and click Add. The Add VRRP area appears. Some fields display default values.
   a Assign a Group ID number. You'll use the same number for the primary and backup devices. Here, we're using 1.

   b Leave Interface set to wan0.
   c Leave Admin set to up.
   d Leave the Advertisement Timer set to 1.
   e In the Virtual Address field, enter the virtual IP that you'll be using for both the primary and backup appliances. In our case, it's
   f Priority and Preemption work together. If two devices come up at the same time, the device with the highest priority becomes the Master, and lower priority devices are backups. If Preemption is enabled and a device with a higher priority comes online in the VRRP group, it becomes the Master even if another device is already acting as Master. The lower priority device then reverts to being a Backup.
   g We'll set our Priority to 130, and enable Preemption.
   h If you choose to use VRRP's text authentication, then the Authentication String must be specified in all members of the group. In this deployment, that would include both of Site A's appliances. Here, we'll leave it blank.

2 Click Apply. The summary should appear. Initially, the appliance shows up as a backup, but if it's the first appliance in the group to come online, it assumes the role of Master. To refresh the page, reselect Configuration > VRRP from the menu.

3 To store your configuration, make sure to click Save Changes.

To configure VRRP on Appliance A2

This configuration is identical to A1's, except the Priority on A2 is set to 128 (a lower priority) so that whenever A1 is up, A2 becomes the backup.

After you click Apply, A2's VRRP list refreshes.
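The interaction of Priority and Preemption described above can be checked with a small model before touching the appliances. This is an added example, not code from the guide or from Silver Peak; the class and function names are hypothetical, and it assumes distinct priorities (real VRRP breaks priority ties by IP address, which is omitted here).

```python
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int
    preempt: bool = True
    up: bool = False


class VrrpGroup:
    """Toy model of one VRRP group (hypothetical helper, not appliance code)."""

    def __init__(self, members):
        self.members = {m.name: m for m in members}
        self.master = None  # name of the current Master, or None

    def _best_live(self):
        live = [m for m in self.members.values() if m.up]
        return max(live, key=lambda m: m.priority, default=None)

    def bring_up_all(self):
        # Devices coming up at the same time: highest priority becomes Master.
        for m in self.members.values():
            m.up = True
        self.master = self._best_live().name
        return self.master

    def bring_up(self, name):
        node = self.members[name]
        node.up = True
        if self.master is None:
            # First appliance online in the group assumes the Master role.
            self.master = name
        else:
            current = self.members[self.master]
            # A higher-priority device takes over only if Preemption is enabled.
            if node.preempt and node.priority > current.priority:
                self.master = name
        return self.master

    def take_down(self, name):
        self.members[name].up = False
        if self.master == name:
            best = self._best_live()
            self.master = best.name if best else None
        return self.master


def failover_history(preempt):
    """A2 boots first, A1 joins, A1 fails, A1 returns. Returns Master after each event."""
    group = VrrpGroup([Member("A1", 130, preempt), Member("A2", 128, preempt)])
    return [
        group.bring_up("A2"),
        group.bring_up("A1"),
        group.take_down("A1"),
        group.bring_up("A1"),
    ]


def simultaneous_start():
    group = VrrpGroup([Member("A1", 130), Member("A2", 128)])
    return group.bring_up_all()


if __name__ == "__main__":
    print("preemption on :", failover_history(True))
    print("preemption off:", failover_history(False))
    print("both up at once:", simultaneous_start())
```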

Configuring Flow Redirection

Why would you do flow redirection with VRRP?

To provide Network Acceleration, Silver Peaks require symmetric TCP flows. A network is asymmetric when a client request and its server response don't use the same path through the network.

Flow redirection removes asymmetry locally by merging the traffic of an asymmetric flow into a single appliance.

When peer appliances are configured as a cluster, they keep track of which appliance first saw a flow and consequently owns that flow. If a return flow arrives at a peer that doesn't own it, the flow is forwarded to the rightful owner via the mgmt1 interfaces.

Note: IMPORTANT. When configuring for flow redirection, the mgmt1 interfaces need to be in a separate subnet from the mgmt0 interfaces.

An appliance that handles both directions of traffic for a flow can then optimize the flow properly. Specifically, this sets the stage for TCP acceleration and CIFS acceleration.

This sequence of four diagrams illustrates how the need for flow redirection arises, and is resolved.

At Site A, the router uses PBR (Policy-Based Routing) to direct outbound traffic arriving at its interface to the VRRP Master, A

Appliance B advertises its reachability to Appliances A1 and A2. At A1, the flow is placed in the tunnel to Site B.

Appliances A1 and A2 are advertising their subnet's reachability to Appliance B. Because A1 and A2 are in the same subnet, they're equally likely to receive the return flow. Appliance B doesn't know that the two Silver Peaks at Site A are doing VRRP, or which is Master.

If Appliance B places the flow in the tunnel to A1, the flow will be symmetric.

If Appliance B places the flow in the tunnel to A2, this might result in an asymmetric flow. However, having been configured into a flow redirection cluster, the peers know that A1 owns the flow and forward it there.

A1 returns the flow to the server. Since both directions traversed A1, the flow is symmetric and able to be TCP optimized.
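The ownership rule in the four-diagram walkthrough can be sketched as follows. This is an added example, not code from the guide or from Silver Peak; the class, its methods, and the addresses (taken from documentation ranges) are constructed for illustration, and it assumes a flow is identified by its protocol and two endpoints regardless of direction.

```python
class RedirectCluster:
    """Toy model of a flow redirection cluster (hypothetical, not appliance code)."""

    def __init__(self, peers):
        self.peers = set(peers)
        self.owner = {}  # direction-independent flow key -> owning appliance
        self.redirected_from = {p: 0 for p in peers}

    @staticmethod
    def flow_key(src, sport, dst, dport, proto="tcp"):
        # Sort the endpoints so request and response map to the same key.
        a, b = sorted([(src, sport), (dst, dport)])
        return (proto, a, b)

    def receive(self, appliance, src, sport, dst, dport):
        """Return (appliance that processes the packet, whether it was redirected)."""
        if appliance not in self.peers:
            raise ValueError(f"{appliance} is not a live cluster peer")
        key = self.flow_key(src, sport, dst, dport)
        # The appliance that first saw the flow owns it.
        owner = self.owner.setdefault(key, appliance)
        if owner == appliance:
            return owner, False
        # Arrived at a peer that does not own the flow: forward to the owner.
        self.redirected_from[appliance] += 1
        return owner, True

    def peer_failed(self, name):
        # A dead peer cannot receive redirected traffic; its flows must be
        # re-established and will be owned by whichever peer sees them next.
        self.peers.discard(name)
        self.owner = {k: o for k, o in self.owner.items() if o != name}


# Constructed sample endpoints (documentation address ranges).
CLIENT = ("192.0.2.10", 40000)     # host at Site A
SERVER = ("198.51.100.20", 445)    # CIFS server behind Appliance B


def asymmetric_return():
    cluster = RedirectCluster(["A1", "A2"])
    outbound = cluster.receive("A1", *CLIENT, *SERVER)  # PBR sends it to Master A1
    inbound = cluster.receive("A2", *SERVER, *CLIENT)   # B picked the tunnel to A2
    return outbound, inbound, cluster.redirected_from["A2"]


def after_owner_failure():
    cluster = RedirectCluster(["A1", "A2"])
    cluster.receive("A1", *CLIENT, *SERVER)
    cluster.peer_failed("A1")
    # The re-established flow is first seen, and therefore owned, by A2.
    return cluster.receive("A2", *CLIENT, *SERVER)


if __name__ == "__main__":
    print(asymmetric_return())
    print(after_owner_failure())
```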

To configure flow redirection on Appliance A1

1 From A1's menu, select Configuration > Interfaces. The Configuration - Interfaces page appears.

2 Configure the IP address for mgmt1 on A1. The mgmt1 interface shipped with a default IP address, to make initial configuration easy. You don't need this any longer, so we'll reconfigure it to use as a cluster interface for flow redirection.
   a Change the default address to /30.
   b Change Admin to up.
   c Click Apply.
   d Save the changes.

3 Select Configuration > Flow Redirection. The Flow Redirection page appears.
   a Select Enable.
   b In the Interface field, select mgmt1.
   c Click Add Peer, and configure the IP address of mgmt1 on A2. In this example, it's
   d Click Apply.
   e Save the changes.

To configure flow redirection on Appliance A2

1 From A2's menu, select Configuration > Interfaces. The Configuration - Interfaces page appears.

2 Configure the IP address for mgmt1 on A2.
   a Change the default address to /30.
   b Change Admin to up.
   c Click Apply.
   d Save the changes.

3 Select Configuration > Flow Redirection. The Flow Redirection page appears.
   a Select Enable.
   b In the Interface field, select mgmt1.
   c Click Add Peer, and configure the IP address of mgmt1 on A1. In this example, it's
   d Click Apply.
   e Save the changes.

4 To verify that flow redirection is working, look to see that the State changes to OK, indicating that the interfaces and flow redirection are configured properly on both sides.

Using the Initial Config Wizard with Site B

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document.

To access the Initial Config Wizard

1 Access the appliance login page.

   If you're using a physical Silver Peak NX appliance:
   a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
   b Open a browser and enter the IP address, The login page appears.

   If you're using a virtual machine:
   a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
   b Open a browser and enter the mgmt0 IP address. The login page appears.

Appliance B

2 For the username and for the password, enter admin. The initial configuration page appears.

Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Bridge/In-Line for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features in later steps.

7 Click Next. The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.

8 Click Next. If yours is a virtual machine, the following page appears. Select a MAC address for wan0 and lan0. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client.

   For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Verifying Appliance Connectivity

Before proceeding, you must verify each appliance's connectivity from its data path address to the next-hop and to the remote devices. This verifies that the cables are appropriately connected and that you haven't misconfigured any of the IP addresses.

Tip: Prior to putting a bridge mode appliance in production, it is always a good practice to test connectivity with the appliance in bypass to make sure that the network will function in the event the Silver Peak device fails to wire.

To verify Appliance A1's connectivity

1 From Appliance A1's menu bar, select Maintenance > ping/traceroute/tcpdump.

2 Ping Appliance B's data path IP address. By default, Silver Peak uses the mgmt0 IP address as the source address for a ping. Depending on your network configuration and addressing scheme, this may give misleading results. To sidestep this issue, use the -I option to specify the local device's data path address as the ping's source address.

   [Figure callouts: local appliance IP datapath address (Appliance A1); remote appliance IP datapath address (Appliance B)]

   If the ping fails, verify cabling, configuration, network topology, etc.

3 To ensure that local routing is working correctly, ping an address on the subnet from which PBR (Policy-Based Routing) will be redirecting traffic. Here, that subnet is /24. To do that, use the same ping screen, specify either an address of a device or the router's address in that subnet, and ping with the -I option, as shown.

   [Figure callouts: local appliance IP datapath address (Appliance A1); a host on Site A's LAN]

   If the ping fails, verify cabling, configuration, network topology, etc.

To verify Appliance A2's connectivity

1 From Appliance A2's menu bar, select Maintenance > ping/traceroute/tcpdump.

2 Ping Appliance B's data path IP address. By default, Silver Peak uses the mgmt0 IP address as the source address for a ping. Depending on your network configuration and addressing scheme, this may give misleading results. To sidestep this issue, use the -I option to specify the local device's data path address as the ping's source address.

   [Figure callouts: local appliance IP datapath address (Appliance A1); remote appliance IP datapath address (Appliance B)]

   If the ping fails, verify cabling, configuration, network topology, etc.

3 Ping a device on the PBR subnet.

   [Figure callouts: local appliance IP datapath address (Appliance A1); a host on Site A's LAN]

   If the ping fails, verify cabling, configuration, network topology, etc.

Enabling Subnet Sharing

Subnet information is not shared between appliances until a tunnel comes up between them. In the next few steps, we'll enable subnet sharing on the appliances, but no subnet information will actually be shared until the tunnels are brought up in the next section.

Note: You could have selected Auto Subnet Sharing in the Initial Config Wizard, instead of doing this step. We do it here to highlight how the Subnet table changes after tunnels come up.

To enable subnet sharing on A1

1 On Appliance A1, select Configuration > Subnets. The Subnets tab appears. Notice that no subnets are displayed.
   a Select Use shared subnet information.
   b Select Automatically include local subnets.
   c Change the Metric for automatically added subnets to 40. Setting the metric to 40, which is lower than the default, causes A1's advertised subnets to be preferred over A2's (which are advertised with the default metric of 50).

2 Click Apply. The subnet table updates to include the local subnet. If it doesn't, try refreshing the page.

3 Save the changes.

To enable subnets on A2

1 On Appliance A2, select Configuration > Subnets. The Subnets tab appears. Set the configuration.
   a Select Use shared subnet information.
   b Select Automatically include local subnets.
   c Leave the Metric for automatically added subnets at 50 (the default). A lower metric has a higher priority. Setting the metric to 50, which is higher than A1's metric, causes A1's advertised subnets to be preferred over A2's (which are advertised with the default metric of 50).

2 Click Apply.

3 Save your changes.

To enable subnets on B

1 On Appliance B, select Configuration > Subnets. The Subnets tab appears. Set the configuration.
   a Select Use shared subnet information.
   b Select Automatically include local subnets.
   c Leave the Metric for automatically added subnets at 50 (the default).

2 Click Apply.

3 Save your changes.

Creating Tunnels and Updating the Subnet Table

From each appliance, you must create a tunnel to each remote appliance to which it will be sending traffic. We'll create tunnels from Appliances A1 and A2 to B. Then we'll create tunnels from B to A1 and to A2. After that, we'll add subnets that aren't directly connected to a datapath interface.

To create a tunnel from A1 to B

1 From a browser, access Appliance A1.

2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.

3 Click Add Tunnel.
   a In the Name field, assign a locally significant name for the tunnel.
   b In the Admin field, accept the default value, Up.
   c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
   d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
   e In the Remote IP address field, enter the data path IP address of Appliance B.
   f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths. If you wanted to configure this manually, then you would deselect Auto Max BW and, in the Max BW field, enter the maximum bandwidth for this tunnel. The value must be less than or equal to the upstream bandwidth of your WAN connection.
   g Leave the Min BW at its default, 32 [Kbps].
   h Click Apply.
   i Save the changes.

The tunnel status won't change to Up until a tunnel is configured at both ends. That is, until after we configure a tunnel from B to A1.

To create a tunnel from A2 to B

1 From a browser, access Appliance A2.

2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.

3 Click Add Tunnel.
   a In the Name field, assign a locally significant name for the tunnel.
   b In the Admin field, accept the default value, Up.
   c Leave Auto MTU selected. This allows the tunnel MTU to be discovered and negotiated automatically. When selected, this overrides the MTU setting.
   d In the Local IP field, the Appliance Manager prefills the IP address for the local appliance.
   e In the Remote IP address field, enter the data path IP address of Appliance B.
   f Leave Auto Max BW selected, so the appliance uses the lower of the two system bandwidths.
   g Leave the Min BW at its default, 32 [Kbps].
   h Click Apply.
   i Save the changes.

The tunnel status won't change to Up until a tunnel is configured at both ends. So, we'll now configure a tunnel from B to A1.

To create tunnels from B to A1 and to A2

1 From a browser, access Appliance B.

2 From the menu bar, select Configuration > Tunnels. The Tunnels page appears.

3 To add a tunnel to Appliance A1, click Add Tunnel.
   a In the Name field, assign a locally significant name for the tunnel.
   b Enter the Remote IP address (that is, the data path IP address of Appliance A1).
   c Click Apply.

4 To add a tunnel to Appliance A2, click Add Tunnel.
   a In the Name field, assign a locally significant name for the tunnel.
   b Enter the Remote IP address (that is, the data path IP address of Appliance A2).
   c Click Apply.
   d Save the changes.

Within a few seconds, the Status of both tunnels should change to Up - active. Click Refresh, if required.

Now that the tunnels are up, the appliances can begin advertising subnet information to each other.

Configuring A1 and A2 to Advertise Non-Local Subnets

On Appliance B, examine the subnet table by going to Configuration > Subnets.

Now that Appliance B has learned the remote appliances' subnets, it automatically places packets with destinations in the learned subnets into the correct tunnels.

Notice that the subnet where Site A's end devices reside, the subnet, does not appear in the table. This is because the Silver Peaks at Site A don't have an interface with an IP address in that subnet. As a result, the local Silver Peaks at Site A can't advertise this subnet to Appliance B.

We need to configure A1 and A2 to advertise this subnet to other Silver Peaks.

To configure A1 to advertise the non-attached subnet

We've already tested connectivity from A1 and A2 to devices on and know that the default next-hop router can reach the devices. If that were not the case, we might have to do some additional configuration, like adding a static route to the subnet via a different next hop router.

1 On Appliance A1, select Configuration > Subnets. The Subnets tab appears.

2 Click Add new subnet.
   a Input the subnet and mask: /24
   b To ensure that it's advertised with a lower priority than the default, set Metric to 40.
   c Select Is Local.
   d Select Advertize to peers.
   e Click Apply.
   f Save the changes.

To configure A2 to advertise the non-attached subnet

Here, all the steps are the same as for A1, except for the Metric value.

1 On Appliance A1, select Configuration > Subnets. The Subnets tab appears.

2 Click Add new subnet.
   a Input the subnet and mask: /24
   b Leave Metric at 50 (the default). This ensures that A1's advertisement for this subnet is preferred over A2's.
   c Select Is Local.
   d Select Advertise to peers.
   e Click Apply.
   f Save the changes.

To verify that Appliance B learned the subnets correctly

1 On Appliance B, select Configuration > Subnets.

In the Subnets table, you should see two entries for the subnet, one learned from each of the appliances at Site A.

Notice that subnets learned from peer ( A1) have a metric of 40, while others were learned with a metric of 50. When Appliance B has a choice of two routes to a subnet, it will prefer to send packets to the device having the lower metric. For subnet , Appliance B will always route packets to A1 because it has the lower metric.

If Appliance A1 goes down, the subnets it advertises disappear from the table, and Appliance B will use the route advertised by peer A2 ( ).
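The preference and failover behaviour of Appliance B's subnet table, as just described, can be modelled as below. This is an added example, not code from the guide or from Silver Peak; the class is hypothetical, the prefixes are constructed from documentation ranges because the guide's own addresses are not reproduced here, and matching the most specific prefix before comparing metrics is an assumption of this sketch.

```python
import ipaddress


class SubnetTable:
    """Toy model of learned subnets on Appliance B (hypothetical helper)."""

    def __init__(self):
        self.entries = []  # list of (network, metric, advertising peer)

    def learn(self, prefix, metric, peer):
        self.entries.append((ipaddress.ip_network(prefix), metric, peer))

    def withdraw_peer(self, peer):
        # When a peer goes down, the subnets it advertised disappear.
        self.entries = [e for e in self.entries if e[2] != peer]

    def tunnel_for(self, destination):
        """Return the peer whose tunnel carries traffic to destination, or None."""
        addr = ipaddress.ip_address(destination)
        matches = [e for e in self.entries if addr in e[0]]
        if not matches:
            return None  # destination is in no learned subnet
        # Assumption: most specific prefix first, then the lower metric wins.
        _, _, peer = min(matches, key=lambda e: (-e[0].prefixlen, e[1]))
        return peer


def build_site_b_table():
    table = SubnetTable()
    # Constructed values: 198.51.100.0/24 stands in for the subnet A1 and A2
    # are attached to, 192.0.2.0/24 for the manually added end-device subnet.
    table.learn("198.51.100.0/24", 40, "A1")
    table.learn("198.51.100.0/24", 50, "A2")
    table.learn("192.0.2.0/24", 40, "A1")
    table.learn("192.0.2.0/24", 50, "A2")
    return table


def choice_before_and_after_failure(destination="192.0.2.25"):
    table = build_site_b_table()
    before = table.tunnel_for(destination)
    table.withdraw_peer("A1")  # A1 goes down, its advertisements vanish
    after = table.tunnel_for(destination)
    return before, after


if __name__ == "__main__":
    print(choice_before_and_after_failure())
    print(build_site_b_table().tunnel_for("203.0.113.9"))
```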

Configuring the Cisco Router for Policy-Based Routing (PBR)

To gain access to the CLI, access the router via the console port or a Telnet session.

configure terminal
access-list 101 permit ip
route-map sp-vrrp permit 10
match ip address 101
set ip next-hop
exit
interface gigabitethernet 3
ip route-cache policy
ip policy route-map sp-vrrp
end
write mem

Verifying Traffic

Here, we want to verify that the tunnels are carrying traffic and that flows are being optimized.

To verify tunnel status

From Appliance B's menu, select Configuration > Tunnels. The Status column indicates whether the tunnels are up.

To view tunnel statistics

From the menu, select Monitoring > Tunnels. This tab displays the statistics associated with each tunnel.

You would expect the majority of the traffic to be in the tunnel to the VRRP Master, assuming it has been the Master for an extended period of time. If there has been a recent change in Masters, this might not be the case.

To view VRRP status

Select Configuration > VRRP. If the appliance is up and participating in the VRRP group, then the VRRP State should be either Master or backup.

[Screenshots: Appliance A1; Appliance A2]

To test the VRRP backup

1 On the appliance that is the Master (A1), go to Configuration > VRRP.

2 Click on the Group ID. The Modify VRRP dialog appears. Set it administratively down.

3 Click Apply.

All traffic is then handled by the backup (A2), which becomes the Master. Any flows that were going through the previous Master (A1) are redirected to that appliance by the current Master (A2). This can be seen in the Flow Redirection statistics (see below).

If the previous Master (A1) had actually gone down (instead of having VRRP administratively disabled), then those flows would have to be reestablished. As a result, they would flow through the current Master (A2) and redirection would not take place.

To view flow optimization

From the menu, select Monitoring > Current Flows.

The Status column indicates whether a flow is being optimized or not. Click the icon for more information on which Silver Peak technologies are being applied to the flow. The Reduction columns show the bandwidth savings achieved by each flow.

To verify flow redirection

If any flows are redirected, their statistics appear in the Flows redirected from or Flows redirected to columns. When the connection to the peer is functioning, the State column displays OK.

To verify connectivity for pass-through traffic

As a best practice, always verify connectivity for all devices in the network. For example, if you've configured a route policy to cause certain traffic from certain devices to be handled as pass-through or pass-through unshaped, you should also verify connectivity for these devices.

To verify network connectivity

Test network connectivity by using your applications. For example, do a CIFS mount or an FTP transfer.


CHAPTER 7
Out-of-Path with WCCP Redundant (Active/Active) Appliances Using Subnet Sharing

This chapter provides a step-by-step example for setting up HA (high availability) Silver Peak appliances by using Web Cache Communications Protocol (WCCP) service with a Cisco router. If one appliance goes down, the other then handles all the traffic.

In an Active/Active deployment, the peered appliances are also load balancing.

In this example, Site A deploys two active, redundant appliances (named A1 and A2) out-of-path (Router mode) and, remotely, Site B deploys a single appliance (named B), in-line (Bridge mode). The focus of this chapter is on the HA appliances; in practice, the remote appliance can be in either bridge or router mode.

In This Chapter

Overview: See page 190.
Configuring the Site A Router for WCCP: See page 195.
Using the Initial Config Wizard with A1: See page 197.
Configuring WCCP on A1: See page 204.
Using the Initial Config Wizard with A2: See page 209.
Configuring WCCP on A2: See page 215.
Configuring Flow Redirection: See page 216.
Using the Initial Config Wizard with B: See page 220.
Verifying Appliance Connectivity: See page 226.
Enabling Subnet Sharing: See page 229.
Creating Tunnels: See page 231.
Configuring A1 and A2 to Advertise Non-Local Subnets: See page 234.
Verifying Traffic: See page 236.
Best Practices: See page 238.

Overview

Web Cache Communications Protocol (WCCP) supports the redirection of any TCP or UDP connections to appliances participating in WCCP Service Groups. The appliance intercepts only those packets that have been redirected to it. The appliance accelerates traffic flows that match its Route Policy; all other traffic passes through the appliance unmodified.

The two active Silver Peak appliances participating in the WCCP service group must be deployed out-of-path (Router mode). In this example, those appliances are at Site A.

For the purposes of this specific example, Site B at the remote end deploys the appliance in-line (Bridge mode); there is no inherent restriction on what mode it needs to be.

WCCP at Site A

Each of the peered appliances at headquarters uses WCCP to redirect traffic from the router to the appliances. WCCP redirects all traffic that is in a WCCP Service Group shared by the appliance and router.

A service group consists of a set of WCCP-enabled routers and appliances that exchange WCCP messages. The routers send traffic to the appliances in the service group. The configuration of the service group determines how traffic is distributed to appliances in the service group.

To use WCCP, you must create a separate WCCP Service Group for each protocol (TCP and UDP) used in the SiteA-to-SiteB tunnel.

199 Overview Chapter 7 Out-of-Path with WCCP Redundant (Active/Active) Appliances Network Diagram Figure 7-1 Out-of-Path Deployment: Redundant Silver Peak Appliances peered with an L3 router using WCCP The Silver Peak appliances optimize traffic to/from /24 and /24. PN Rev L 191

200 Silver Peak NX Series Appliances Network Deployment Guide Overview Summary Appliance Placement Fail-Safe Behavior IP Addresses Both appliances are attached in network, reachable by WAN router Each appliance s wan0 interface connects to network Do not connect lan0 interface of either appliance WCCP recognizes the failed appliance: Failed appliance is removed from WCCP Service Group WCCP forwards all traffic to the redundant Silver Peak appliance Remote appliances switch to the redundant appliance This deployment model requires four IP addresses: Each appliance needs a Silver Peak Appliance IP data path address (to originate and terminate tunnels) Each appliance needs a Silver Peak Management IP Address (for appliance configuration and management) Configure WCCP on Site A s Silver Peak Appliances and the WAN router. Service Group IDs on the router and appliance must match. Configure two WCCP Service Groups on each Silver Peak appliance (one for TCP and one for UDP) Configure two WCCP Service Groups on the WAN router (one for TCP and one for UDP) Fail-Safe Behavior Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases: 1 With the appliance in bypass state 2 With the appliance powered off 3 With the tunnels administratively down. 192 PN Rev L

Summary of Configuration Tasks

Each task is listed with its notes and the section that gives detailed instructions.

1 Gather all the IP addresses needed for setup
  Notes: Saves time and avoids mistakes.
  See: Collecting the Necessary Information

2 Install the Appliance A into the network
  Notes: Physical appliance: Connect both appliances to the same available subnet via an Ethernet LAN switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces.
  See: Silver Peak Appliance Manager Operator's Guide; Quick Start Guides

3 Configure the Site A router for WCCP
  Notes: Access the Site A router's command line interface (CLI) to:
  - Configure an Access Control List (ACL) that redirects all traffic from the Site A subnet to the Site B subnet
  - Configure two WCCP Service Groups, one for UDP, one for TCP
  - Associate the ACL with the Service Group
  - Enable WCCP on the appropriate router interface
  See: Configuring the Site A Router for WCCP

4 Configure Appliance A1
  Notes: In a browser, access and use the Initial Configuration Wizard to configure the appliance. Reboot the appliance after finishing the configuration.
  See: Using the Initial Config Wizard with A1

5 Configure the WCCP Service Groups on Appliance A1
  Notes: Create one for UDP and one for TCP.
  See: Configuring WCCP on A1

6 Configure Appliance A2
  Notes: In a browser, access and use the Initial Configuration Wizard to configure the appliance. Reboot the appliance after finishing the configuration.
  See: Using the Initial Config Wizard with A2

7 Configure the WCCP Service Groups on Appliance A2
  Notes: Create one for UDP and one for TCP.
  See: Configuring WCCP on A2

8 Configure flow redirection for the Site A peers
  Notes: When you create a cluster, the peers keep track of which appliance owns each flow. If the path between client and server isn't the same in both directions, the flow is redirected to the appliance that first saw it and owns it.
  See: Configuring Flow Redirection

9 Configure Appliance B
  Notes: In a browser, access and use the Initial Configuration Wizard to configure the appliance. Reboot the appliance after finishing the configuration.
  See: Using the Initial Config Wizard with B

10 Verify appliance connectivity
  Notes: Tests data path connectivity. Do NOT proceed until you verify connectivity.
  See: Verifying Appliance Connectivity

11 Enable subnet sharing
  Notes: This prepares each appliance to share local subnets.
  See: Enabling Subnet Sharing

12 Create a tunnel on each appliance
  Notes: Specify the local and remote endpoints for the tunnel.
  See: Creating Tunnels

13 Manually add Site A's non-local subnets
  Notes: Manually add subnets that aren't directly connected to an appliance interface so they can be advertised.
  See: Configuring A1 and A2 to Advertise Non-Local Subnets

14 Test the connectivity from both ends
  Notes: Verify that the tunnel is up and that flows are being optimized.
  See: Verifying Traffic

Collecting the Necessary Information

The example makes the following assumptions:
  - You're not using DHCP.
  - Speed and duplex for all interfaces are left at the default, auto-negotiation.

Although it isn't a requirement, it's considered a best practice to use different subnets for mgmt0 and the Appliance IP.

Table 7-1 Out-of-Path Deployment: Redundant Silver Peak Appliances peered with an L3 router using WCCP

  Hostname: A1 | A2 | B
  Mode: Router / Out-of-Path | Router / Out-of-Path | Bridge / In-Line
  Admin Password: Old: admin | admin | admin
  Admin Password: New / Confirm:
  Time Zone:
  NTP Server IP Address:
  License (for virtual appliance only):
  mgmt1 IP Address / Mask: / /
  mgmt0 IP Address / Mask (a): / / /24
  mgmt0 Next-hop IP Address:
  Appliance data path IP Address / Mask: / / /24
  Appliance data path Next-hop IP: / / /24
  LAN Next-hop IP Address (optional) (b): not applicable | not applicable | ---
  WCCP Service Groups: 53 (TCP) and 54 (UDP) on A1 and on A2
  WCCP Weight (default) not applicable

a. In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it's likely that mgmt0 IP addresses are in different subnets.
b. LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

Configuring the Site A Router for WCCP

The router configuration that follows is in line with the deployment diagram, which shows the router and the redundant Silver Peak appliances sharing two Service Groups, one for TCP and another for UDP.

After that example, we briefly discuss the advantages of creating two Service Groups for each protocol.

To configure a Cisco router for WCCP

The example below was done with a Cisco router. You may need to modify the input for other routers.

1 To gain access to the CLI, access the router via the console port or a Telnet session.

2 Create an Access Control List (ACL) to redirect all traffic from Site A's /24 subnet to Site B's /24 subnet.

    CSR-1>enable
    CSR-1>#
    CSR-1(config)# configure terminal
    CSR-1(config)# access-list 101 permit ip

3 Since you'll be using two protocols, you'll need two service groups. Therefore, create two WCCP service groups (as placeholders) and associate the ACL with each. Here, we'll create 53 to use (later) with TCP and 54 to use (later) with UDP. Service Groups can be numbers between 51 and 255, inclusive.

    CSR-1(config)# ip wccp 53 redirect-list 101
    CSR-1(config)# ip wccp 54 redirect-list 101

  Note that we can reuse the same ACL because it matches traffic based on IP addresses. It's the WCCP service group that redirects traffic based on protocol.

  Note: On a Cisco Catalyst 6500, WCCP redirection can be done in hardware by adding the keyword, accelerated, at the end of the global command, ip wccp 53 redirect-list 101. The accelerated keyword allows the 6500 to do WCCP redirection (forwarding) in L2.

4 You must also associate the WCCP service group with Site A's LAN-side interface. In this chapter's example, you'd need to replace gigabitethernet <port_number> with

    CSR-1(config)# interface gigabitethernet <port_number>
    CSR-1(config-if)# ip wccp 53 redirect in
    CSR-1(config-if)# ip wccp 54 redirect in
    CSR-1(config-if)# end

  Note: You can choose not to use an ACL on the Cisco router, thereby allowing all traffic to be redirected to the appliance. The appliance will send back any traffic that doesn't match its policies.
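The rules this procedure depends on (service group IDs between 51 and 255, every group tied to a defined ACL and applied to an interface, and matching group IDs on the router and on both appliances) can be checked before cutover. The script below is an added example, not part of the Silver Peak guide or any vendor tool; it assumes the two-group layout of this chapter's main example, and the ACL addresses, interface name and appliance export format are constructed placeholders.

```python
import re

# Constructed sample input. The commands are the ones shown in the procedure
# above; the ACL addresses and the interface name are placeholders from
# documentation ranges, not values from the guide.
ROUTER_CONFIG = """\
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
ip wccp 53 redirect-list 101
ip wccp 54 redirect-list 101
!
interface GigabitEthernet0/1
 ip wccp 53 redirect in
 ip wccp 54 redirect in
!
"""

# Service groups as entered on each appliance's Configuration - WCCP page
# (hypothetical export format: group ID -> protocol).
APPLIANCES = {
    "A1": {53: "tcp", 54: "udp"},
    "A2": {53: "tcp", 54: "udp"},
}


def parse_router(config):
    """Return (defined ACLs, {group: redirect-list ACL or None}, {group: [(iface, dir)]})."""
    acls, groups, bindings = set(), {}, {}
    iface = None
    for raw in config.splitlines():
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            iface = None  # any top-level line ends the interface block
        m = re.match(r"access-list (\d+) (?:permit|deny)\b", line)
        if m:
            acls.add(int(m.group(1)))
            continue
        m = re.match(r"interface (\S+)", line)
        if m and not indented:
            iface = m.group(1)
            continue
        m = re.match(r"ip wccp (\d+) redirect (in|out)$", line)
        if m:
            if iface:
                bindings.setdefault(int(m.group(1)), []).append((iface, m.group(2)))
            continue
        m = re.match(r"ip wccp (\d+)(?:.*\bredirect-list (\d+))?", line)
        if m and not indented:
            groups[int(m.group(1))] = int(m.group(2)) if m.group(2) else None
    return acls, groups, bindings


def audit(config, appliances):
    """Return a list of findings; an empty list means router and appliances agree."""
    acls, groups, bindings = parse_router(config)
    findings = []
    for gid, acl in sorted(groups.items()):
        if not 51 <= gid <= 255:
            findings.append(f"router: service group {gid} is outside 51-255")
        if acl is not None and acl not in acls:
            findings.append(f"router: group {gid} uses undefined ACL {acl}")
        if gid not in bindings:
            findings.append(f"router: group {gid} is not applied to any interface")
        if not any(gid in spec for spec in appliances.values()):
            findings.append(f"router: group {gid} has no appliance member")
    for gid in sorted(set(bindings) - set(groups)):
        findings.append(f"router: interface redirects undefined group {gid}")
    for name, spec in sorted(appliances.items()):
        for gid in sorted(set(spec) - set(groups)):
            findings.append(f"{name}: group {gid} does not exist on the router")
        for proto in ("tcp", "udp"):
            count = list(spec.values()).count(proto)
            if count != 1:
                findings.append(f"{name}: expected one {proto} group, found {count}")
    # Either peer must be able to take all traffic, so their groups must be identical.
    if len({tuple(sorted(s.items())) for s in appliances.values()}) > 1:
        findings.append("appliances: redundant peers do not share the same groups")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTER_CONFIG, APPLIANCES) or ["no findings"]:
        print(finding)
```
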

An Alternative Practice

It's considered a best practice to use separate inbound and outbound ACLs to guarantee maximum flexibility in configuring redirection. Since a Service Group can only point to one redirect list, and we are using a pair of service groups (one for TCP and one for UDP), that would require the use of a total of four service groups if you are also doing inbound (WAN-to-LAN) redirection.

Here is a sample configuration for that scenario:

    ! Example with separate ACLs for WAN and LAN side redirects
    CSR-1(config)# configure terminal
    ! ACL for the LAN-to-WAN traffic
    CSR-1(config)# access-list 101 permit ip
    ! ACL for the WAN-to-LAN traffic
    CSR-1(config)# access-list 102 permit ip
    ! Service groups for LAN-to-WAN traffic
    CSR-1(config)# ip wccp 61 redirect-list 101
    CSR-1(config)# ip wccp 62 redirect-list 101
    ! Service groups for the WAN-to-LAN traffic
    CSR-1(config)# ip wccp 63 redirect-list 102
    CSR-1(config)# ip wccp 64 redirect-list 102
    ! on the LAN facing interface:
    CSR-1(config)# interface gigabitethernet <number>
    CSR-1(config)# ip wccp 61 redirect in
    CSR-1(config)# ip wccp 62 redirect in
    CSR-1(config)# exit
    ! on the WAN facing interface:
    CSR-1(config)# interface gigabitethernet <number>
    CSR-1(config)# ip wccp 63 redirect in
    CSR-1(config)# ip wccp 64 redirect in
    CSR-1(config)# end

Then, later, when you're configuring WCCP on the redundant Silver Peaks, it's useful to force the same flow to the same Silver Peak in both directions to avoid asymmetry. So, for each protocol (TCP, UDP), a given flow would have an outbound Service Group's Assignment Detail configured for lan-ingress, and an inbound Service Group's configured for wan-ingress. Again, this brings the total number of Service Groups to four.

Using the Initial Config Wizard with A1

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document.

To access the Initial Config Wizard

1 Access the appliance login page.

  If you're using a physical Silver Peak NX appliance:
  a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
  b Open a browser and enter the IP address, The login page appears.

  If you're using a virtual machine:
  a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
  b Open a browser and enter the mgmt0 IP address. The login page appears.

  Appliance A1

2 For the username and for the password, enter admin. The initial configuration page appears.

  Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Router/Out-of-Path for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features later.

  Although it's not technically necessary to deselect either one, we have chosen to do so for tutorial purposes later in the chapter.

  Configure the Next-hop IP to be the physical address that the next-hop router will use, not the VRRP virtual IP address. Otherwise, you'll create a routing loop when the Silver Peak is the VRRP Master.

7 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page. Click Next. If yours is a virtual machine, the following page appears.

8 Click Show All. Select the MAC addresses for wan0 and mgmt1. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client. For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Configuring WCCP on A1

Each Silver Peak appliance has a default weight of 100, which we'll leave unchanged.

To configure WCCP on the first appliance, you'll need to use the Appliance Manager's Configuration - WCCP page to do the following:
  - Create a WCCP Service Group for TCP
  - Create a WCCP Service Group for UDP
  - Verify that the state of each WCCP Service Group changes from INIT to ACTIVE.

Note: ACTIVE - Designated will be the state for one Silver Peak appliance; this is the device that owns the communication for WCCP with the routers.

To enable WCCP Service

1 From the menus, select Configuration > WCCP. The Configuration - WCCP page appears, with the Service Group tab displayed.

2 At the top of the page, select Enable WCCP.

To create a WCCP Service Group for the TCP protocol

1 Click Add. The page displays the Add WCCP area.

  To optimize the two most commonly used protocols, TCP and UDP, you'll create two WCCP service groups in the Silver Peak appliance. If you intend to optimize traffic other than TCP and UDP, create a new service group for that protocol, and select the protocol name from the Protocol drop-down menu when creating the service group.

2 On the Configuration - WCCP page, click Add. The page displays the Add WCCP area.

  This area is accessible only when you select custom in the Assignment Detail field. In this example, it's not relevant.

  a In the Service Group ID field, enter the WCCP Service Group number you entered on the router as a placeholder for the TCP protocol. On the router, we entered 53.
  b In the Admin field, accept the default of up.
  c In the Protocol field, leave tcp selected.
  d In the Forwarding Method field, select either. Either allows the appliance and the router to negotiate the best method for assignment. That is, GRE (Generic Routing Encapsulation) or L2.
  e In the Weight field, keep the max default value of 100.
  f In the Assignment Method field, leave the default of either. Either allows the appliance and the router to negotiate the best method for assignment. That is, hash or mask.
  g From the Interface field, select wan0.
  h For Compatibility Mode, select the option appropriate for your router. If a WCCP group is peering with a router running Nexus OS, then the appliance must adjust its WCCP protocol packets to be compatible. By default, the appliance is IOS-compatible.
  i In the Router IP Address field, enter the IP address of the WCCP router,
  j Leave Force L2 Return deselected.
  k In the Password field, optionally enter a password.
  l In the Assignment Detail field, select lan-ingress.
    If you're not configuring the tunnel traffic for auto-optimization, then accept the default of lan-ingress. This is the assumption made for this example, since all redirection will be from the LAN to the WAN.
    wan-ingress assignment detail is only required when redirection is needed from the WAN to the LAN, when using auto-optimization.
    custom is used to provide granular control of flow distribution. Contact Silver Peak Technical Support for assistance.

3 Click Apply. The data entry area disappears, and the table displays the new WCCP Service Group for TCP.

4 Click Save Changes.

To create a WCCP Service Group for the UDP protocol

1 On the Configuration - WCCP page, click Add. The page displays the Add WCCP area.

2 Complete the Add WCCP area.

  This area is accessible only when you select custom in the Assignment Detail field. In this example, it's not relevant.

  a In the Service Group ID field, enter the WCCP Service Group number you entered on the router as a placeholder for the UDP protocol. On the router, we entered 54.
  b In the Admin field, accept the default of up.
  c In the Protocol field, leave udp selected.
  d In the Forwarding Method field, select either. Either allows the appliance and the router to negotiate the best method for assignment. That is, GRE (Generic Routing Encapsulation) or L2.
  e In the Weight field, keep the max default value of 100.
  f In the Assignment Method field, leave the default of either. Either allows the appliance and the router to negotiate the best method for assignment. That is, hash or mask.
  g From the Interface field, select wan0.
  h For Compatibility Mode, select the option appropriate for your router. If a WCCP group is peering with a router running Nexus OS, then the appliance must adjust its WCCP protocol packets to be compatible. By default, the appliance is IOS-compatible.
  i In the Router IP Address field, enter the IP address of the WCCP router,
  j Leave Force L2 Return deselected.
  k In the Password field, optionally enter a password.
  l In the Assignment Detail field, select lan-ingress.
    If you're not configuring the tunnel traffic for auto-optimization, then accept the default of lan-ingress. This is the assumption made for this example, since all redirection will be from the LAN to the WAN.
    wan-ingress assignment detail is only required when redirection is needed from the WAN to the LAN, when using auto-optimization.
    custom is used to provide granular control of flow distribution. Contact Silver Peak Technical Support for assistance.

3 Click Apply. The data entry area disappears, and the table displays the new WCCP Service Group for TCP.

  State changes from INIT to ACTIVE, DESIGNATED. This means that the WCCP protocol is working properly with the router, and that this appliance is Primary and Active.

  State: Definition
  INIT: WCCP Service Group initialization
  ACTIVE: Active WCCP Service group
  BACKUP: Backup WCCP Service group
  - Designated: [Used as a modifier for ACTIVE or BACKUP]. Appliance with the lowest IP address in a WCCP group that notifies Routers how to redirect traffic.

4 Click Save Changes.

Using the Initial Config Wizard with A2

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document.

To access the Initial Config Wizard

1 Access the appliance login page.

  If you're using a physical Silver Peak NX appliance:
  a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
  b Open a browser and enter the IP address, The login page appears.

  If you're using a virtual machine:
  a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
  b Open a browser and enter the mgmt0 IP address. The login page appears.

  Appliance A2

2 For the username and for the password, enter admin. The initial configuration page appears.

  Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Router/Out-of-Path for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features later.

  Configure the Next-hop IP to be the physical address that the next-hop router will use, not the VRRP virtual IP address. Otherwise, you'll create a routing loop when the Silver Peak is the VRRP Master.

7 The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page. Click Next. If yours is a virtual machine, the following page appears.

8 Click Show All. Select the MAC addresses for wan0 and mgmt1. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client. For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.

Configuring WCCP on A2

This is identical to configuring it on A1.

Earlier, on the Configuration - WCCP page, we accepted the default weight of 100 for Site A's appliance, A1, at IP address To ensure that this appliance (IP address ) shares the traffic equally with A1, we'll also accept the default weight of 100.

Of course, you'll be using the same Router IP Address ( )

To configure WCCP on A2

You'll be completing the same steps as you did for configuring the A1 appliance. For a review, see Configuring WCCP on A1.

1 Go to Configuration - WCCP and complete the following steps:
  a Select Enable WCCP.
  b Create a WCCP Service Group for TCP. As you did with the A1 appliance and the router, create Service Group 53 for TCP. For Weight, accept the value of 100. This sets up load balancing and enables both appliances to be equally active.
  c Create a WCCP Service Group for UDP. For Weight, accept the value of 100. As you did with the A1 appliance and the router, create Service Group 54 for UDP.

2 Verify that the State of each WCCP Service Group changes from INIT to ACTIVE.

Configuring Flow Redirection

Why would you do flow redirection with WCCP?

To provide Network Acceleration, Silver Peaks require symmetric TCP flows. A network is asymmetric when a client request and its server response don't use the same path through the network.

Flow redirection removes asymmetry locally by merging the traffic of an asymmetric flow into a single appliance. When peer appliances are configured as a cluster, they keep track of which appliance first saw a flow and consequently owns that flow. If a return flow arrives at a peer that doesn't own it, the flow is forwarded to the rightful owner via the mgmt1 interfaces.

Note: IMPORTANT When configuring for flow redirection, the mgmt1 interfaces need to be in a separate subnet from the mgmt0 interfaces.

An appliance that handles both directions of traffic for a flow can then optimize the flow properly. Specifically, this sets the stage for TCP acceleration and CIFS acceleration.

This sequence of four diagrams illustrates how the need for flow redirection arises, and is resolved.

At Site A, the router load balances outbound flows to A1 and A2 based on the WCCP weights assigned.

Appliance B advertises its reachability to Appliances A1 and A2. At A1, the flow is placed in the tunnel to Site B.

Appliances A1 and A2 are advertising their subnet's reachability to Appliance B. Because A1 and A2 are in the same subnet, they're equally likely to receive the return flow. Appliance B doesn't know that the two Silver Peaks at Site A are doing WCCP or how the loads are being balanced. If Appliance B places the flow in the tunnel to A1, the flow will be symmetric. If Appliance B places the flow in the tunnel to A2, this might result in an asymmetric flow.

However, having been configured into a flow redirection cluster, the peers know that A1 owns the flow and forward it there. A1 returns the flow to the server. Since both directions traversed A1, the flow is symmetric and able to be TCP optimized.
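The ownership rule described above can be modelled in a few lines. This is an added illustration, not Silver Peak's implementation: the direction-independent flow key, the class and function names, the behaviour after a peer fails, and the sample packets (documentation-range addresses) are all assumptions made for the example.

```python
# Constructed sample traffic. Each entry is (appliance the packet arrived at,
# protocol, source IP, source port, destination IP, destination port).
# Addresses are documentation-range placeholders, not values from the guide.
PACKETS = [
    ("A1", "tcp", "192.0.2.10", 40000, "198.51.100.5", 445),  # router sends request to A1
    ("A2", "tcp", "198.51.100.5", 445, "192.0.2.10", 40000),  # B returns it via tunnel to A2
    ("A2", "tcp", "192.0.2.11", 40001, "198.51.100.5", 445),  # router sends request to A2
    ("A2", "tcp", "198.51.100.5", 445, "192.0.2.11", 40001),  # B returns it via tunnel to A2
]


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key: a request and its response map to one entry."""
    low, high = sorted([(src, sport), (dst, dport)])
    return (proto, low, high)


class Cluster:
    """Shared flow-ownership table for the peered appliances (assumed model)."""

    def __init__(self, peers, redirection=True):
        self.peers = set(peers)
        self.redirection = redirection
        self.owner = {}  # flow key -> appliance that first saw the flow

    def receive(self, arrived_at, proto, src, sport, dst, dport):
        """Return (appliance that processes the packet, forwarded to a peer?)."""
        if arrived_at not in self.peers:
            raise ValueError(f"{arrived_at} is not an active peer")
        key = flow_key(proto, src, sport, dst, dport)
        owner = self.owner.setdefault(key, arrived_at)
        if owner == arrived_at or not self.redirection:
            return arrived_at, False
        return owner, True  # handed to the owner over the cluster interface

    def fail(self, peer):
        """Drop a failed peer; its flows are re-owned by whoever sees them next."""
        self.peers.discard(peer)
        self.owner = {k: v for k, v in self.owner.items() if v != peer}


def replay(packets, redirection):
    """Return (flows handled by more than one appliance, packets forwarded to a peer)."""
    cluster = Cluster({"A1", "A2"}, redirection)
    handlers, forwarded = {}, 0
    for arrived_at, *pkt in packets:
        handled_by, moved = cluster.receive(arrived_at, *pkt)
        handlers.setdefault(flow_key(*pkt), set()).add(handled_by)
        forwarded += moved
    asymmetric = sorted(k for k, seen in handlers.items() if len(seen) > 1)
    return asymmetric, forwarded


if __name__ == "__main__":
    for mode in (False, True):
        asymmetric, forwarded = replay(PACKETS, mode)
        print(f"redirection={mode}: asymmetric={len(asymmetric)} forwarded={forwarded}")
```
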

To configure flow redirection on Appliance A1

1 From A1's menu, select Configuration > Interfaces. The Configuration - Interfaces page appears.

2 Configure the IP address for mgmt1 on A1.

  The mgmt1 interface shipped with a default IP address, to make initial configuration easy. You don't need this any longer, so we'll reconfigure it to use as a cluster interface for flow redirection.

  a Change the default address to /30.
  b Change Admin to up.
  c Click Apply.
  d Save the changes.

3 Select Configuration > Flow Redirection. The Flow Redirection page appears.
  a Select Enable.
  b In the Interface field, select mgmt1.
  c Click Add Peer, and enter the IP address of mgmt1 on A2. In this example, it's
  d Click Apply.
  e Save the changes.

To configure flow redirection on Appliance A2

1 From A2's menu, select Configuration > Interfaces. The Configuration - Interfaces page appears.

2 Configure the IP address for mgmt1 on A2.
  a Change the default address to /30.
  b Change Admin to up.
  c Click Apply.
  d Save the changes.

3 Select Configuration > Flow Redirection. The Flow Redirection page appears.
  a Select Enable.
  b In the Interface field, select mgmt1.
  c Click Add Peer, and configure the IP address of mgmt1 on A1. In this example, it's
  d Click Apply.
  e Save the changes.

4 To verify that flow redirection is working, look to see that the State changes to OK, indicating that the interfaces and flow redirection are configured properly on both sides.

Using the Initial Config Wizard with B

The Initial Config Wizard prompts you for the information that you collected at the beginning of this document.

To access the Initial Config Wizard

1 Access the appliance login page.

  If you're using a physical Silver Peak NX appliance:
  a Connect your workstation or laptop to the Ethernet port labeled mgmt1. Ensure that your workstation or laptop's network adapter is set for DHCP. Wait for DHCP to time out and for your workstation or laptop to assign itself an IP address in the x.x subnet.
  b Open a browser and enter the IP address, The login page appears.

  If you're using a virtual machine:
  a Install the virtual machine according to the appropriate Silver Peak Quick Start Guide for your hypervisor and deployment mode. For Bridge (In-Line) or Router (Out-of-Path) mode, follow the directions to add the required virtual interfaces (vnics). Record the IP and MAC addresses for reference.
  b Open a browser and enter the mgmt0 IP address. The login page appears.

  Appliance B

2 For the username and for the password, enter admin. The initial configuration page appears.

  Note: At any future time, you can always access the Initial Config Wizard by going to the Configuration menu and selecting Initial Config Wizard from the drop-down menu.

3 Read it, and click Next. The first of two pages for management settings appears. Complete the fields.

4 Click Next. The second page appears. Configure the time zone, NTP server, and license (if using a virtual appliance).

5 Click Next. On this page, select Bridge/In-Line for the deployment mode.

6 Click Next. On this page, configure the appliance data path IP, next-hop router address, and max WAN bandwidth. Leave Auto Tunnel and Auto Subnet Sharing deselected. We'll take care of these features in later steps.

7 Click Next. The Add Remote Silver Peak page appears. We'll manually add remote appliances and create tunnels later, so ignore this page.

8 Click Next. If yours is a virtual machine, the following page appears. Select a MAC address for wan0 and lan0. Make sure that the addresses match the MAC addresses associated with the vnics in the hypervisor client. For example, in the VMware client, you would check on the Virtual Machine Properties page.

9 Click Next. The summary page appears. Review the content for accuracy. If you need to make corrections, use the Back button. If all is correct, click Apply.

10 When the dialog box asks for confirmation to reboot, accept it. The appliance reboots. After rebooting, the home page displays the new hostname and mgmt0 IP address in the upper right corner.


More information

If you re not using Citrix XenCenter 6.0, your screens may vary. Required Virtual Interface Maps to... mgmt0. virtual network = mgmt0 wan0

If you re not using Citrix XenCenter 6.0, your screens may vary. Required Virtual Interface Maps to... mgmt0. virtual network = mgmt0 wan0 If you re not using Citrix XenCenter 6.0, your screens may vary. VXOA VIRTUAL APPLIANCES Citrix XenServer Hypervisor In-Line Deployment (Bridge Mode) 2012 Silver Peak Systems, Inc. Support Limitations

More information

Required Virtual Interface Maps to... mgmt0. bridge network interface = mgmt0 wan0. bridge network interface = wan0 mgmt1

Required Virtual Interface Maps to... mgmt0. bridge network interface = mgmt0 wan0. bridge network interface = wan0 mgmt1 VXOA VIRTUAL APPLIANCE KVM Hypervisor In-Line Deployment (Bridge Mode) 2012 Silver Peak Systems, Inc. Support Limitations In Bridge mode, the virtual appliance only uses mgmt0, wan0, and lan0. This Quick

More information

How Network Transparency Affects Application Acceleration Deployment

How Network Transparency Affects Application Acceleration Deployment How Network Transparency Affects Application Acceleration Deployment By John Bartlett and Peter Sevcik July 2007 Acceleration deployments should be simple. Vendors have worked hard to make the acceleration

More information

Blue Coat Security First Steps Transparent Proxy Deployments

Blue Coat Security First Steps Transparent Proxy Deployments Transparent Proxy Deployments SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,

More information

Deploying Silver Peak VXOA Physical And Virtual Appliances with Dell EqualLogic Isolated iscsi SANs including Dell 3-2-1

Deploying Silver Peak VXOA Physical And Virtual Appliances with Dell EqualLogic Isolated iscsi SANs including Dell 3-2-1 Deploying Silver Peak VXOA Physical And Virtual Appliances with Dell EqualLogic Isolated iscsi SANs including Dell 3-2-1 Tech Note June 2012 This tech note describes the deployment of Silver Peak physical

More information

Quick Start Guide. Citrix XenServer Hypervisor. Server Mode (Single-Interface Deployment) Before You Begin SUMMARY OF TASKS

Quick Start Guide. Citrix XenServer Hypervisor. Server Mode (Single-Interface Deployment) Before You Begin SUMMARY OF TASKS Quick Start Guide VX VIRTUAL APPLIANCES If you re not using Citrix XenCenter 6.0, your screens may vary. Citrix XenServer Hypervisor Server Mode (Single-Interface Deployment) 2013 Silver Peak Systems,

More information

Best Practices: Pass-Through w/bypass (Bridge Mode)

Best Practices: Pass-Through w/bypass (Bridge Mode) Best Practices: Pass-Through w/bypass (Bridge Mode) EdgeXOS Deployment Scenario: Bridge Pass-Through This document is designed to provide an example as to how the EdgeXOS appliance is configured based

More information

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1 Smart Tips Enabling WAN Load Balancing Overview Many small businesses today use broadband links such as DSL or Cable, favoring them over the traditional link such as T1/E1 or leased lines because of the

More information

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance 1 0 0 0 1 1 QUICK START GUIDE Web Security Appliance Web Security Appliance Cisco S170 303417 Cisco S170 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation

More information

iboss Enterprise Deployment Guide iboss Web Filters

iboss Enterprise Deployment Guide iboss Web Filters iboss Enterprise Deployment Guide iboss Web Filters Copyright Phantom Technologies, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.2 November 2015 Last modified: November 3, 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

UIP1868P User Interface Guide

UIP1868P User Interface Guide UIP1868P User Interface Guide (Firmware version 0.13.4 and later) V1.1 Monday, July 8, 2005 Table of Contents Opening the UIP1868P's Configuration Utility... 3 Connecting to Your Broadband Modem... 4 Setting

More information

Integration Guide. EMC Data Domain and Silver Peak VXOA 4.4.10 Integration Guide

Integration Guide. EMC Data Domain and Silver Peak VXOA 4.4.10 Integration Guide Integration Guide EMC Data Domain and Silver Peak VXOA 4.4.10 Integration Guide August 2013 Copyright 2013 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate

More information

Configuring IP Load Sharing in AOS Quick Configuration Guide

Configuring IP Load Sharing in AOS Quick Configuration Guide Configuring IP Load Sharing in AOS Quick Configuration Guide ADTRAN Operating System (AOS) includes IP Load Sharing for balancing outbound IP traffic across multiple interfaces. This feature can be used

More information

Set Up a VM-Series Firewall on the Citrix SDX Server

Set Up a VM-Series Firewall on the Citrix SDX Server Set Up a VM-Series Firewall on the Citrix SDX Server Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa

More information

User Manual. Page 2 of 38

User Manual. Page 2 of 38 DSL1215FUN(L) Page 2 of 38 Contents About the Device...4 Minimum System Requirements...5 Package Contents...5 Device Overview...6 Front Panel...6 Side Panel...6 Back Panel...7 Hardware Setup Diagram...8

More information

Broadband Phone Gateway BPG510 Technical Users Guide

Broadband Phone Gateway BPG510 Technical Users Guide Broadband Phone Gateway BPG510 Technical Users Guide (Firmware version 0.14.1 and later) Revision 1.0 2006, 8x8 Inc. Table of Contents About your Broadband Phone Gateway (BPG510)... 4 Opening the BPG510's

More information

Blue Coat Systems. PacketShaper Redundant Setup

Blue Coat Systems. PacketShaper Redundant Setup Blue Coat Systems PacketShaper Redundant Setup Copyright 1999-2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled,

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY CYBEROAM INSTALLATION GUIDE VERSION: 6..0..0..0 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty

More information

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario Version 7.0 July 2015 2015 Nasuni Corporation All Rights Reserved Document Information Testing Disaster Recovery Version 7.0 July

More information

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets

Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets Lab 5.5.3 Developing ACLs to Implement Firewall Rule Sets All contents are Copyright 1992 2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8 Device Interface

More information

Barracuda Link Balancer Administrator s Guide

Barracuda Link Balancer Administrator s Guide Barracuda Link Balancer Administrator s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

More information

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C esafe Gateway/Mail v. 3.x Load Balancing for esafe Gateway 3.x with Cisco Web NS and CSS Switches Design and implementation guide esafe Gateway provides fast and transparent real-time inspection of Internet

More information

Cisco S380 and Cisco S680 Web Security Appliance

Cisco S380 and Cisco S680 Web Security Appliance QUICK START GUIDE Cisco S380 and Cisco S680 Web Security Appliance 1 Welcome 2 Before You Begin 3 Document Network Settings 4 Plan the Installation 5 Install the Appliance in a Rack 6 Plug In the Appliance

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Multi-Homing Security Gateway

Multi-Homing Security Gateway Multi-Homing Security Gateway MH-5000 Quick Installation Guide 1 Before You Begin It s best to use a computer with an Ethernet adapter for configuring the MH-5000. The default IP address for the MH-5000

More information

Cisco AnyConnect Secure Mobility Solution Guide

Cisco AnyConnect Secure Mobility Solution Guide Cisco AnyConnect Secure Mobility Solution Guide This document contains the following information: Cisco AnyConnect Secure Mobility Overview, page 1 Understanding How AnyConnect Secure Mobility Works, page

More information

"Charting the Course...

Charting the Course... Description "Charting the Course... Course Summary Interconnecting Cisco Networking Devices: Accelerated (CCNAX), is a course consisting of ICND1 and ICND2 content in its entirety, but with the content

More information

2. Are explicit proxy connections also affected by the ARM config?

2. Are explicit proxy connections also affected by the ARM config? Achieving rapid success with WCCP and Web Security Gateway October 2011 Webinar Q/A 1. What if you are already using WCCP for Cisco waas on the same routers that you need to use WCCP for websense? Using

More information

Firewall Defaults and Some Basic Rules

Firewall Defaults and Some Basic Rules Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified

More information

Optimum Business SIP Trunk Set-up Guide

Optimum Business SIP Trunk Set-up Guide Optimum Business SIP Trunk Set-up Guide For use with IP PBX only. SIPSetup 07.13 FOR USE WITH IP PBX ONLY Important: If your PBX is configured to use a PRI connection, do not use this guide. If you need

More information

Starting a Management Session

Starting a Management Session Management Software AT-S63 Starting a Management Session AT-S63 Version 2.2.0 for the AT-9400 Layer 2+ Switches AT-S63 Version 3.0.0 for the AT-9400 Basic Layer 3 Switches 613-000817 Rev. A Copyright 2007

More information

GregSowell.com. Mikrotik Basics

GregSowell.com. Mikrotik Basics Mikrotik Basics Terms Used Layer X When I refer to something being at layer X I m referring to the OSI model. VLAN 802.1Q Layer 2 marking on traffic used to segment sets of traffic. VLAN tags are applied

More information

GlobalSCAPE DMZ Gateway, v1. User Guide

GlobalSCAPE DMZ Gateway, v1. User Guide GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical

More information

Cisco Collaboration with Microsoft Interoperability

Cisco Collaboration with Microsoft Interoperability Cisco Collaboration with Microsoft Interoperability Infrastructure Cheatsheet First Published: June 2016 Cisco Expressway X8.8 Cisco Unified Communications Manager 10.x or later Microsoft Lync Server 2010

More information

GX-V. Quick Start Guide. Microsoft Hyper-V Hypervisor. Before You Begin SUMMARY OF TASKS. Before You Begin WORKSHEET VIRTUAL GMS SERVER

GX-V. Quick Start Guide. Microsoft Hyper-V Hypervisor. Before You Begin SUMMARY OF TASKS. Before You Begin WORKSHEET VIRTUAL GMS SERVER Quick Start Guide GX-V VIRTUAL GMS SERVER Microsoft Hyper-V Hypervisor 2012 Silver Peak Systems, Inc. Before You Begin Windows 2008 server installed and Hyper-V is running Hyper-V management software is

More information

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev.

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version 1.0.0. 613-001339 Rev. Management Software AT-S106 Web Browser User s Guide For the AT-GS950/48 Gigabit Ethernet Smart Switch Version 1.0.0 613-001339 Rev. A Copyright 2010 Allied Telesis, Inc. All rights reserved. No part of

More information

1 You will need the following items to get started:

1 You will need the following items to get started: QUICKSTART GUIDE 1 Getting Started You will need the following items to get started: A desktop or laptop computer Two ethernet cables (one ethernet cable is shipped with the _ Blocker, and you must provide

More information

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation Basic ViPNet VPN Deployment Schemes Supplement to ViPNet Documentation 1991 2015 Infotecs Americas. All rights reserved. Version: 00121-04 90 01 ENU This document is included in the software distribution

More information

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability May 2015 Cloning the database Cloning the STS host Cloning the proxy host This guide describes how to extend a typical

More information

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.3

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.3 Blue Coat Systems Reference Guide WCCP Reference Guide For SGOS 5.3 Contact Information Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 http://www.bluecoat.com/support/contact.html bcs.info@bluecoat.com

More information

Internet Redundancy How To. Version 8.0.0

Internet Redundancy How To. Version 8.0.0 Internet Redundancy How To Version 8.0.0 Table of Contents 1. Introduction... 1 1.1. 1.2. 1.3. 1.4. About this Document... Examples used in this Guide... Documentation Sources... About the AXS GUARD...

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

Using Cisco UC320W with Windows Small Business Server

Using Cisco UC320W with Windows Small Business Server Using Cisco UC320W with Windows Small Business Server This application note explains how to deploy the Cisco UC320W in a Windows Small Business Server environment. Contents This document includes the following

More information

Trouble Shooting SiteManager to GateManager access

Trouble Shooting SiteManager to GateManager access Trouble Shooting SiteManager to GateManager access If you are unsure if a SiteManager will be able to access the GateManager through the corporate firewall, or you experience connection issues, this document

More information

Configuration Example

Configuration Example Configuration Example Use a Branch Office VPN for Failover From a Private Network Link Example configuration files created with WSM v11.10.1 Revised 7/22/2015 Use Case In this configuration example, an

More information

Overview of WebMux Load Balancer and Live Communications Server 2005

Overview of WebMux Load Balancer and Live Communications Server 2005 AVANU Load Balancing for Microsoft Office Live Communications Server 2005 WebMux Delivers Improved Reliability, Availability and Scalability Overview of WebMux Load Balancer and Live Communications Server

More information

axsguard Gatekeeper Internet Redundancy How To v1.2

axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH

More information

APPLICATION NOTES High-Availability Load Balancing with the Brocade ServerIron ADX and McAfee Firewall Enterprise (Sidewinder)

APPLICATION NOTES High-Availability Load Balancing with the Brocade ServerIron ADX and McAfee Firewall Enterprise (Sidewinder) High-Availability Load Balancing with the Brocade ServerIron ADX and McAfee Firewall Enterprise (Sidewinder) This solution leverages interoperable and best-of-breed networking and security products, tailored

More information

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003 Contents Introduction... 1 Network Load Balancing... 2 Example Environment... 5 Microsoft Network Load Balancing (Configuration)... 6 Validating your NLB configuration... 13 MailMarshal Specific Configuration...

More information

Networking Guide Redwood Manager 3.0 August 2013

Networking Guide Redwood Manager 3.0 August 2013 Networking Guide Redwood Manager 3.0 August 2013 Table of Contents 1 Introduction... 3 1.1 IP Addresses... 3 1.1.1 Static vs. DHCP... 3 1.2 Required Ports... 4 2 Adding the Redwood Engine to the Network...

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Introducing the BIG-IP and Check Point VPN-1/FireWall-1 LB, HALB, VPN, and ELA configurations Configuring the BIG-IP and Check Point FireWall-1

More information

Trouble Shooting SiteManager to GateManager access via a corporate Intranet

Trouble Shooting SiteManager to GateManager access via a corporate Intranet Trouble Shooting SiteManager to GateManager access via a corporate Intranet If you are unsure if a SiteManager will be able to access the GateManager through the corporate firewall, or you experience connection

More information

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3

WAN Optimization, Web Cache, Explicit Proxy, and WCCP. FortiOS Handbook v3 for FortiOS 4.0 MR3 WAN Optimization, Web Cache, Explicit Proxy, and WCCP FortiOS Handbook v3 for FortiOS 4.0 MR3 FortiOS Handbook WAN Optimization, Web Cache, Explicit Proxy, and WCCP v3 13 January 2012 01-433-96996-20120113

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Configuring Network Address Translation (NAT)

Configuring Network Address Translation (NAT) 8 Configuring Network Address Translation (NAT) Contents Overview...................................................... 8-3 Translating Between an Inside and an Outside Network........... 8-3 Local and

More information

ServerIron TrafficWorks Firewall Load Balancing Guide

ServerIron TrafficWorks Firewall Load Balancing Guide ServerIron TrafficWorks Firewall Load Balancing Guide ServerIron 4G Series ServerIronGT C Series ServerIronGT E Series ServerIron 350 & 350-PLUS ServerIron 350 & 350-PLUS ServerIron 450 & 450-PLUS Release

More information

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway Webinar December 2011 web security data security email security 2011 Websense, Inc. All rights reserved. Webinar

More information

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.5-6.2

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.5-6.2 Blue Coat Systems Reference Guide WCCP Reference Guide For SGOS 5.5-6.2 Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World: Blue Coat Systems

More information

LAB THREE STATIC ROUTING

LAB THREE STATIC ROUTING LAB THREE STATIC ROUTING In this lab you will work with four different network topologies. The topology for Parts 1-4 is shown in Figure 3.1. These parts address router configuration on Linux PCs and a

More information

SANGFOR WOC. (Version 9.0-9.1) User Manual

SANGFOR WOC. (Version 9.0-9.1) User Manual SANGFOR WOC (Version 9.0-9.1) User Manual December 2015 Table of Contents Table of Contents...1 Declaration...6 Preface...7 About This Manual...7 Document Conventions...8 Graphic Interface Conventions...8

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings . Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the Wireless-G Router Model WGR614v9, including LAN, WAN, and routing settings. It

More information

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC 1 Introduction Release date: 11/12/2003 This application note details the steps for creating an IKE IPSec VPN tunnel

More information

LotWan Appliance User Guide USER GUIDE

LotWan Appliance User Guide USER GUIDE LotWan Appliance User Guide USER GUIDE Copyright Information Copyright 2014, Beijing AppEx Networks Corporation The description, illustrations, pictures, methods and other information contain in this document

More information

VPNC Interoperability Profile

VPNC Interoperability Profile StoneGate Firewall/VPN 4.2 and StoneGate Management Center 4.2 VPNC Interoperability Profile For VPN Consortium Example Scenario 1 Introduction This document describes how to configure a StoneGate Firewall/VPN

More information

Barracuda Web Filter Administrator s Guide

Barracuda Web Filter Administrator s Guide Barracuda Web Filter Administrator s Guide Version 4.x Barracuda Networks Inc. 3175 S. WInchester Blvd Campbell, CA 95008 http://www.barracuda.com 1 Copyright Notice Copyright 2004-2010, Barracuda Networks

More information

WAN Failover Scenarios Using Digi Wireless WAN Routers

WAN Failover Scenarios Using Digi Wireless WAN Routers WAN Failover Scenarios Using Digi Wireless WAN Routers This document discusses several methods for using a Digi wireless WAN gateway to provide WAN failover for IP connections in conjunction with another

More information

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) 100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.

More information

Direct or Transparent Proxy?

Direct or Transparent Proxy? Direct or Transparent Proxy? Choose the right configuration for your gateway. Table of Contents Direct Proxy...3 Transparent Proxy...4 Other Considerations: Managing authentication made easier.....4 SSL

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Avaya P330 Load Balancing Manager User Guide

Avaya P330 Load Balancing Manager User Guide Avaya P330 Load Balancing Manager User Guide March 2002 Avaya P330 Load Balancing Manager User Guide Copyright 2002 Avaya Inc. ALL RIGHTS RESERVED The products, specifications, and other technical information

More information

GMS. 1 Create the virtual machine 2 Configure the virtual machine 3 Configure the virtual GMS server. Quick Start Guide. Microsoft Hyper-V Hypervisor

GMS. 1 Create the virtual machine 2 Configure the virtual machine 3 Configure the virtual GMS server. Quick Start Guide. Microsoft Hyper-V Hypervisor Quick Start Guide GMS If you re not using Hyper-V 2012, your screens may vary. Microsoft Hyper-V Hypervisor 2013 Silver Peak Systems, Inc. Before You Begin Comply with the GMS Host System Requirements

More information

Barracuda Web Filter Administrator s Guide

Barracuda Web Filter Administrator s Guide Barracuda Web Filter Administrator s Guide Version 3.3 Barracuda Networks Inc. 3175 S. WInchester Blvd Campbell, CA 95008 http://www.barracuda.com 1 Copyright Notice Copyright 2004-2008, Barracuda Networks

More information

QUICK START GUIDE. Cisco C170 Email Security Appliance
