EXINDA NETWORKS
Deployment Topologies
September 2005

Award Winning Application Traffic Management Solutions
www.exinda.com :: Exinda Networks :: info@exinda.com

© 2005 Exinda Networks Pty Ltd. All rights reserved. Exinda Networks, Exinda Optimizer are registered trademarks or trademarks of Exinda Networks Pty Ltd. All other trademarks, trade names, service marks and images mentioned and/or used belong to their respective owners.
Table of Contents

OPERATION MODES
    FULLY BRIDGED MODE
    MANAGEMENT PORT MODE
    DUAL BRIDGE WITH MANAGEMENT PORT MODE
    DUAL BRIDGE MODE
    BRIDGE MODE EXINDA COMPRESSOR ONLY
MAIN SITE INTERNET LINK TOPOLOGY
    REASON FOR THIS TOPOLOGY
    INSTALLATION
    CAPABILITIES
    LIMITATIONS
    SUGGESTIONS
MAIN SITE WAN LINK TOPOLOGY
    REASON FOR THIS TOPOLOGY
    INSTALLATION
    CAPABILITIES
    LIMITATIONS
    SUGGESTIONS
DISTRIBUTED BRANCH TOPOLOGY
    REASON FOR THIS TOPOLOGY
    INSTALLATION
    CAPABILITIES
    LIMITATIONS
TOPOLOGIES WITH FIREWALLS
    DMZ
    INSTALLATION
TOPOLOGIES WITH VPNS
    INSTALLATION
    CAPABILITIES
    LIMITATIONS
TOPOLOGIES WITH MULTIPLE LANS
    SUGGESTIONS
MONITOR ONLY ON-LAN
    REASON FOR THIS TOPOLOGY
    INSTALLATION
    CAPABILITIES
    LIMITATIONS
    SUGGESTIONS
HIGH AVAILABILITY TOPOLOGY 1
    INSTALLATION
    CAPABILITIES
    SUGGESTIONS
HIGH AVAILABILITY TOPOLOGY 2
    INSTALLATION
    CAPABILITIES
    SUGGESTIONS
HIGH AVAILABILITY TOPOLOGY 3
    INSTALLATION
    CAPABILITIES
    SUGGESTIONS
Operation Modes

Exinda version 4.60 supports multiple modes of network operation, allowing for flexible deployments. Operation modes are selected when configuring the IP address for the system. Ensure that you understand the target network environment before selecting an operation mode. The default Fully Bridged Mode below caters for most simple deployments.

Fully Bridged Mode

This is the default mode and is typically used when installing inline with an IP address shared across all ports. All interfaces are bridged and have the same IP address. Only a single WAN port is supported here.

[Figure: Fully Bridged Mode. Ports 0, 1, 2 and 3 are all bridged and share a single IP address (Bridge IP, netmask 255.255.255.0, /24). Port labels: 0 LAN, 1 LAN, 2 LAN, 3 WAN.]

Management Port Mode

Used for a single WAN with port 0 assigned as a management port. The IP address is only assigned to port 0. This mode is also used in an ON-LAN topology to monitor using a hub or a switch mirror port.

[Figure: Management Port Mode. Port 0 is reserved as a Management Port which is assigned a single IP address (Management IP, netmask 255.255.255.0, /24) while ports 2 and 3 are bridged. Port 3 has the option to operate in mirror mode. Port labels: 0 Mgmt, 2 LAN, 3 WAN/Mirror.]
Dual Bridge with Management Port Mode

Used when customers want to monitor and control two different WAN links and have a Network Extension Module (NEM) installed on the optimizer. The optimizer can only be accessed via the NEM port, which has an IP address.

[Figure: Dual Bridge Mode with Management Port (Bridge 0, Bridge 1, NEM at rear). Ports 0 and 1 are bridged separately to ports 2 and 3. Port 4 (Network Expansion Module) is reserved as a Management Port which is assigned a single IP address (Management IP, netmask 255.255.255.252, /30). Port labels: 0 LAN, 1 WAN, 2 LAN, 3 WAN, 4 Mgmt, 5.]

Dual Bridge Mode

Used when customers want to monitor and control two different WAN links without having a Management Network Interface Card (MNIC) installed on the optimizer. Each bridge will need its own IP address for management access.

[Figure: Dual Bridge Mode (Bridge 1, Bridge 2). Ports 0 and 1 are bridged separately to ports 2 and 3. Both bridges have separate, single IP addresses (Bridge 1 IP, netmask 255.255.255.0, /24; Bridge 2 IP, netmask 255.255.255.0, /24). Port labels: 0 LAN, 2 LAN, 3 WAN.]

Bridge Mode Exinda Compressor only

This mode is available only on Exinda Compressor. The Compressor must be installed in inline mode. It has a total of two ports: 1 x LAN and 1 x WAN.
Main Site Internet Link Topology

Main site with internet link and branch offices. Applications are hosted at the Main Site, and branch offices connect to them via the internet.

Reason for this topology

This topology is used when customers need to monitor and control internet and branch traffic to and from the Main Site. The optimizer can guarantee performance of critical applications such as voice, VPN and Extranet, monitor internet usage and control P2P applications.

[Figure: topology diagram. Labels: Main Site, switch, eth3 (WAN), Internet/VPN, Branch, Branch.]

Installation

The Optimizer should be plugged in-line between the switch and router or firewall. If you have a VPN, refer to Topologies with VPNs.

1. Connect Optimizer port 3 into your router/firewall using the crossover cable supplied.
2. Connect port 2 into the LAN switch.

Optimizer ports 2 & 3 will provide Ethernet bypass in the event of hardware failure.

Capabilities

In this topology Exinda Optimizer can:

- Monitor all traffic utilisation and all applications to the internet. You can distinguish between business relevant traffic and traffic used for personal purposes.
- Monitor usage of Internet and VPN branch traffic, e.g. how much of the link is being used by each branch network.
- Control all traffic traversing the link. Allocate some bandwidth to VPN branch offices and respective priorities for internet applications or sites.

Limitations

- With this topology, it is not possible to monitor and control branch traffic and their respective internet links, as each branch has direct access to the internet.
- WAN compression is not possible with a single Optimizer device.

Suggestions

- Disable direct access to the internet for branch offices. Route internet traffic via the Main Site if possible.
- Use Exinda Optimizer at the branch offices to monitor and control traffic and increase WAN capacity with Exinda's compression.
Main Site WAN Link Topology

Single site with internet link and separate WAN link to branch offices.

Reason for this topology

This topology is used when customers need to monitor and control Internet and WAN traffic in the main site and WAN traffic from branch offices. The optimizer can guarantee traffic for the WAN and treat applications and users from different branch offices with different priorities.

[Figure: topology diagram. Labels: Main Site, switch, eth3 (WAN), Internet/VPN, Branch, Branch.]

Installation

The Optimizer should be plugged in-line between the switch and router or firewall. Connect Optimizer port 3 into your router/firewall and port 2 into your LAN switch. Optimizer ports 2 & 3 will provide Ethernet bypass in the event of hardware failure.

Capabilities

In this topology Exinda Optimizer can:

- Monitor all traffic utilisation and all applications to the internet. You can distinguish between business relevant traffic and traffic used for personal purposes.
- Monitor usage of Internet and WAN traffic, e.g. how much of the link is being used by the internet and each branch office.
- Monitor and control individual applications and users from each branch office.
- Control all traffic traversing the link. Allocate bandwidth to WAN and internet applications.

Limitations

- WAN compression is not possible with a single Optimizer device.
- If a branch office decides to connect to the internet directly, the branch link cannot be monitored and controlled.

Suggestions
Distributed Branch Topology

A distributed topology of Exinda appliances offers the most flexible control. Such a topology is also required for customers using Exinda's compression technology.

Reason for this topology

This topology is used to monitor and control all nodes in a distributed branch office environment. As both WAN and Internet can be accessed directly from each office, an optimizer is used to monitor and manage the performance of each node.

[Figure: topology diagram. Labels: Main Site, Branch, switch, eth3 (WAN), Internet, Branch.]

Installation

An Optimizer is required at all branch offices connecting to the WAN. The Optimizer will need to be installed in inline mode at each office. Compression needs to be configured between each office pair.

To configure compression between the Main Site and branch offices:

1. Create two Virtual Circuits (VCs) with the destination of each branch subnet.
2. Any policies in each VC must have compression enabled. You can also choose not to compress particular traffic.
3. In each branch Optimizer create a VC with the main site subnet as the destination. Enable compression in the policies of that VC.
4. Start the optimizer for changes to take effect.
5. To compress traffic between branch offices, add a VC to each branch office optimizer with the target office subnet as the destination.

Capabilities

In this topology Exinda Optimizer can:

- Monitor and control all traffic to Internet and WAN.
- Compress traffic between all WAN sites.
- Monitor distribution of application traffic between all sites.
- Prioritise and manage application performance in a fully meshed environment.
- Control or block P2P and music/radio streaming applications.

Limitations

None - This is the most flexible topology.
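
The VC pairing described in the compression steps above can be checked on paper before the Optimizers are started. The following Python sketch is an added example, not Exinda code or CLI syntax: the site names, subnets and the dictionary layout of the VC plan are constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed sample data (not from the guide): site name -> LAN subnet.
SITES = {
    "main": "10.0.0.0/24",
    "branch-a": "10.1.0.0/24",
    "branch-b": "10.2.0.0/24",
}

# Constructed VC plan: one entry per VC on a site's Optimizer.
# "compress" is True when the policies in that VC have compression enabled.
VC_PLAN = [
    {"site": "main", "dest": "10.1.0.0/24", "compress": True},
    {"site": "main", "dest": "10.2.0.0/24", "compress": True},
    {"site": "branch-a", "dest": "10.0.0.0/24", "compress": True},
    {"site": "branch-b", "dest": "10.0.0.0/24", "compress": False},
]


def required_pairs(sites, hub, mesh):
    """Ordered (source, destination) site pairs that need a compressing VC.

    mesh=False: main site <-> each branch only (steps 1 to 3).
    mesh=True:  branch <-> branch as well (step 5).
    """
    return [
        (src, dst)
        for src, dst in permutations(sites, 2)
        if mesh or hub in (src, dst)
    ]


def check_vc_plan(sites, plan, hub="main", mesh=False):
    """Return (source, destination, problem) for every direction not covered."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    problems = []
    for src, dst in required_pairs(sites, hub, mesh):
        # VCs on the source Optimizer whose destination covers the peer subnet.
        covering = [
            vc for vc in plan
            if vc["site"] == src
            and nets[dst].subnet_of(ipaddress.ip_network(vc["dest"]))
        ]
        if not covering:
            problems.append((src, dst, "no VC"))
        elif not any(vc["compress"] for vc in covering):
            problems.append((src, dst, "compression disabled"))
    return problems


if __name__ == "__main__":
    for mesh in (False, True):
        print("mesh" if mesh else "hub-and-spoke")
        for src, dst, problem in check_vc_plan(SITES, VC_PLAN, mesh=mesh):
            print(f"  {src} -> {dst}: {problem}")
```

A direction reported here means compression is configured on only one Optimizer of the pair, or not at all, so that office pair does not meet the requirement that compression be configured between each office pair.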
Topologies with Firewalls

Firewall topologies can vary significantly. Typically customers will place the optimizer between the switch and the internal interface of the firewall. This ensures that the optimizer can see all hosts on the LAN.

[Figure: topology diagram. Labels: eth3 (WAN), Internet, Firewall.]

Placing the optimizer between the router and the external interface of the firewall will only monitor applications and IP addresses present on the external interface of the firewall.

DMZ

If a customer also wants to monitor and control traffic between the DMZ and Internet/WAN, the optimizer must be used in Dual Bridge Mode.

[Figure: Dual Bridge Mode topology diagram. Labels: eth3 (WAN), Internet, DMZ, Firewall.]

Installation

1. Set the Optimizer to Dual Bridge Mode.
2. Connect Optimizer port 3 into your router/firewall using the crossover cable supplied.
3. Connect port 2 into the LAN switch.
4. Connect optimizer port 0 into the DMZ switch using a straight cable.
5. Connect optimizer port 1 into the DMZ interface of the firewall using a crossover cable.
Topologies with VPNs

Scenario 1: Typically customers will place the Optimizer between the internal LAN switch and the VPN terminator. This allows for monitoring and optimization of traffic before it gets encrypted and transported down the VPN tunnel.

Installation

1. Set the Optimizer to Full Bridge or Management Port mode.
2. Connect Optimizer port 3 into the internal interface of the VPN terminator using the crossover cable supplied.
3. Connect port 2 into the LAN switch.
4. If in Management Port mode, connect Exinda port 0 into your switch to manage the Optimizer.

[Figure: Scenario 1 topology diagram. Labels: Internet, VPN, Firewall.]

Scenario 2: There are scenarios where the Optimizer can only plug in between the VPN terminator and the router. In this scenario only encrypted tunnel traffic will be monitored. Typically traffic of the GRE protocol will be present.

[Figure: Scenario 2 topology diagram. Labels: Internet, VPN, Firewall.]

Capabilities

In VPN scenario 2, Exinda Optimizer can:

- Monitor and control traffic to the WAN and Internet.
- Monitor and prioritise traffic between other VPN terminator sites. Only a single IP address per site.
Limitations

In VPN scenario 2, Exinda Optimizer can't:

- Monitor and prioritise traffic by application, internal hosts and servers.

Topologies with multiple LANs

In Full Bridge mode the Optimizer can support up to 3 separate LANs.

[Figure: topology diagram. Labels: Main Site, eth3 (WAN), Internet, LAN 2, LAN 3.]

Suggestions

1. Connect port 3 into the router/firewall.
2. Connect ports 0, 1 & 2 into the appropriate LANs.
3. Create Network Objects to represent each LAN.
Monitor Only ON-LAN

The Optimizer can work in ON-LAN mode with any hub or switch.

Reason for this topology

This topology is used when customers need to monitor only, without installing the optimizer in in-line mode. The Optimizer will monitor and report on all applications presented on the SPAN port. This is regularly used to perform network audits as it provides great flexibility in restricted and complex network environments.

Installation

Example 1. ON-LAN using port mirroring from the switch.

1. Configure the Optimizer to use management port eth0.
2. Plug Optimizer port eth0 into the switch. This will be the management port.
3. Set up port mirroring from the port that is connected to the router, port X, to be mirrored onto port Y (SPAN port).
4. Plug Optimizer port eth1 into switch port Y.
5. On the optimizer set WAN port eth1 to mirror mode.

[Figure: ON-LAN with port mirroring. Labels: Management Port (eth0), SPAN/Mirror port (eth3).]

1. Configure Exinda into Management Mirror Mode.
2. Set the IP address on eth0.
3. Set up port mirroring from the port that is connected to the router, port X, to be mirrored onto port Y (SPAN port).
4. Plug Optimizer interface eth3 into switch port Y.
Example 2. ON-LAN using a hub

1. Configure the Optimizer with an IP address.
2. Plug Optimizer port eth3 into the hub. This will be the monitoring and management port.
3. On the optimizer set WAN port eth3 to mirror mode.

[Figure: ON-LAN with a hub. Labels: Management & Monitoring port, Hub.]

Capabilities

Optimizer in ON-LAN mode can:

- Work with any SPAN ports, mirrored switched ports or a hub connecting to multiple hosts.
- Potentially monitor traffic from up to 3 different segments (ports 1, 2 & 3).

Limitations

- Interface Statistics will report inbound traffic only.

Suggestions

- Be cautious when using SPAN and port mirroring. If you don't set eth0 as a management port, the mirrored traffic can end up being presented back to the switch. This will create a switch loop and will interrupt the operation of the switch.
- For version 450-hf2 you must use the optimizer in mode
- Set up Network Objects to define the subnets you wish to monitor, as all the traffic is incoming to a single port.
High Availability Topology 1

The High Availability feature allows two Optimizers to be connected in a redundant router topology. For this topology two Exinda Optimizer appliances with the Network Expansion Module installed are required.

[Figure: redundant router topology. Port labels: R1p1, R2p1, S1p1, S2p1.]

With Exinda Optimizers installed the above topology will look as below:

[Figure: the same topology with Unit 1 and Unit 2 installed. Legend: Data Path, Management. Ports 4 & 5 available via extension module. Port labels: R1p1, R2p1, S1p1, S2p1.]

The two units are directly connected to each other. Both units will capture the same data. The unit that receives the data directly will forward the traffic to the other unit, which will monitor it the same way. However, the copied traffic will not be forwarded onto the LAN. Exinda's HA process is also responsible for synchronising configuration settings between the units.

Installation

1. Connect port 5 on each unit with a crossover cable.
2. Power up Unit 1. After 1 minute power up Unit 2. (The Optimizers will auto-negotiate Ethernet communications.)
3. Connect Unit 1 eth2 into switch 1 (S1p1).
4. Connect Unit 1 eth3 into router 1 (R1p1).
5. Connect Unit 2 eth2 into switch 2 (S2p1).
6. Connect Unit 2 eth3 into router 2 (R2p1).
7. Connect Unit 1 eth4 into switch 2 (Redundant Management Port).
8. Connect Unit 2 eth4 into switch 1 (Redundant Management Port).

Capabilities

- Monitoring of both links.
- Optimization for both links.
- Redundancy of Exinda appliances.

Suggestions

Use Exinda's Adaptive Response to accommodate link failures. If the primary 2MBit link fails, the Optimizer can change its optimization policies to accommodate the change in total link bandwidth.
High Availability Topology 2

Similar to the previous topology, but in this case the routers are configured for load balancing. Both links in this topology act as failover and load balancing.

[Figure: load-balanced redundant router topology. Port labels: R1p2, R2p2, R1p1, R2p1, S1p1, S1p2, S2p2, S2p1.]

With Exinda Optimizers installed the above topology will look as below:

[Figure: the same topology with Unit 1 and Unit 2 installed. Legend: Management. Ports 4 & 5 available via extension module. Port labels: R1p2, R2p2, R1p1, R2p1, S1p1, S1p2, S2p2, S2p1.]

In this topology both optimizers are connected to both routers. As in the High Availability topology, direct traffic reaching one optimizer is copied to the second optimizer but is not forwarded on.
Installation

1. Connect port 5 on each unit with a crossover cable.
2. Power up Unit 1. After 1 minute power up Unit 2. (The Optimizers will auto-negotiate Ethernet communications.)
3. Connect Unit 1 eth2 into switch 1 (S1p2).
4. Connect Unit 1 eth3 into router 1 (R2p2).
5. Connect Unit 1 eth0 into switch 1 (S1p1).
6. Connect Unit 1 eth1 into router 1 (R1p1).
7. Connect Unit 2 eth2 into switch 2 (S2p1).
8. Connect Unit 2 eth3 into router 2 (R2p1).
9. Connect Unit 2 eth0 into switch 2 (S2p2).
10. Connect Unit 2 eth1 into router 2 (R1p2).
11. Connect Unit 1 eth4 into switch 2 (Redundant Management Port).
12. Connect Unit 2 eth4 into switch 1 (Redundant Management Port).

Capabilities

- Monitoring of both links.
- Optimization for both links.
- Redundancy of Exinda appliances.

Suggestions

Use Exinda's Adaptive Response to accommodate link failures. If the primary 2MBit link fails, the Optimizer can change its optimization policies to accommodate the change in total link bandwidth.
High Availability Topology 3

When redundancy is not present but you would still like to configure the Exinda solutions in High Availability mode, use the configuration below.

[Figure: single router topology. Port labels: R1p1, S1p1.]

With Exinda Optimizers installed the above topology will look as below:

[Figure: the same topology with Unit 1 and Unit 2 installed. Legend: Management. Ports 4 & 5 available via extension module. Port labels: R1p1, S2p1, S2p2, S1p1, S1p2.]

In this topology both optimizers are connected via a WAN switch. As in the High Availability topology, direct traffic reaching one optimizer is copied to the second optimizer but is not forwarded on.

IMPORTANT NOTE: Your WAN switch and LAN switch must support Spantree, otherwise this configuration won't work. Set up Spantree to disable port S2p2 when S2p1 is enabled. If the link at S2p1 goes down (e.g. the Exinda loses power) then the switch will enable S2p2.

Primary Data Path: S2p1 to S1p1
Secondary Data Path: S2p2 to S1p2
Alternate HA3 configuration

[Figure: alternate HA3 topology with Unit 1 and Unit 2 installed. Legend: Management. Ports 4 & 5 available via extension module. Port labels: R1p1, S2p3, S2p1, S2p2, S1p1, S1p2, S1p3.]

In this topology both optimizers are connected via a WAN switch. As in the High Availability topology, direct traffic reaching one optimizer is copied to the second optimizer but is not forwarded on.

IMPORTANT NOTE: Your WAN switch and LAN switch must support Spantree, otherwise this configuration won't work. Set up Spantree to disable port S2p2 when S2p1 is enabled. If the link at S2p1 goes down (e.g. the Exinda loses power) then the switch will enable S2p2.

Primary Data Path: S2p1 to S1p1 (S2p2 and S2p3 disabled automatically via Spantree)
Secondary Data Path: S2p2 to S1p2 (S2p3 disabled automatically via Spantree)
Third Data Path: S2p3 to S1p3
Installation

1. Connect port 5 on each unit with a crossover cable.
2. Power up Unit 1. After 1 minute power up Unit 2. (The Optimizers will auto-negotiate Ethernet communications.)
3. Connect Unit 1 eth0 into switch 1 (S1p1).
4. Connect Unit 1 eth1 into switch 2 (S2p1).
5. Connect Unit 2 eth0 into switch 1 (S1p2).
6. Connect Unit 2 eth1 into switch 2 (S2p2).
7. Connect Unit 1 eth4 into switch 1 (Redundant Management Port).
8. Connect Unit 2 eth4 into switch 1 (Redundant Management Port).

Capabilities

- Monitoring data available on both Exinda units.
- Optimization available via Unit 1 or Unit 2.
- Redundancy of Exinda appliances.

Suggestions

Use Exinda's Adaptive Response to accommodate link failures. If the primary 2MBit link fails, the Optimizer can change its optimization policies to accommodate the change in total link bandwidth.