Steelhead Virtual In-Path Deployment with Alteon
Posted On Jul 29, 2008 at 4:38 PM by Dophi
The virtual in-path deployment is typically used when multiple Steelheads sit virtually in the path between clients and servers. It relies on a packet redirection mechanism to redirect packets to the Steelheads, and it can be deployed in several ways, such as Policy Based Routing (PBR) and the Web Cache Communication Protocol (WCCP). However, those deployments are usually considered Cisco proprietary and not flexible, so I prefer to use an L4 switch working together with the Steelhead appliances to build the virtual in-path architecture. This provides not only stability but also redundancy.
For this lab, I prepared an Alteon switch and two Steelheads. The topology is shown below. Only the WAN interface of a Steelhead is connected to the Alteon, and the Steelhead appliance is configured to send and receive data through that interface.
Steps for Client Site: There is no difference from the in-path deployment.
Steps for Server Site:
1. Enable L4/PBR/WCCP Support
- GUI: Configure > Optimization > General Service Setting, Enable L4/PBR/WCCP Support on Interface wan0_0
- CLI:
amnesiac > en
amnesiac # config t
amnesiac (config) # in-path oop enable
2. Restart Service:
- GUI: Configure > Maintenance > Services
- CLI:
amnesiac (config) # restart
Steps for Alteon:
1. Create real servers mapped to Steelheads and assign them into a group:
>> Layer 4# real 1
------------------------------------------------------------
[Real Server 1 Menu]
adv - Real Server Advanced Menu
layer7 - Layer 7 Command Menu
ids - IDS Command Menu
ipver - Set IP version
rip - Set IP addr of real server
name - Set real server name
weight - Set weight for real server
maxcon - Set maximum number of connections
tmout - Set minutes inactive connection remains open
backup - Set backup real server
inter - Set interval between health checks
retry - Set number of failed attempts to declare server DOWN
restr - Set number of successful attempts to declare server UP
overflo - Enable/Disable backup on overflow
addport - Add real port to server
remport - Remove real port from server
ena - Enable real server
dis - Disable real server
del - Delete real server
cur - Display current real server configuration
>> Real Server 1 # rip 192.168.10.223
Current real server IP address: 0.0.0.0
New pending real server IP address: 192.168.10.223
>> Real Server 1 # en
Current status: disabled
New status: enabled
>> Real Server 1 # ..
------------------------------------------------------------
[Layer 4 Menu]
real - Real Server Menu
group - Real Server Group Menu
virt - Virtual Server Menu
filt - Filtering Menu
port - Layer 4 Port Menu
gslb - Global SLB Menu
layer7 - Layer 7 Resource Definition Menu
wap - WAP Menu
sync - Config Synch Menu
adv - Layer 4 Advanced Menu
linklb - Inbound Linklb Menu
advhc - Layer 4 Advanced Health Check Menu
pip - Proxy IP Address Menu
peerpip - Peer Proxy IP Address Menu
wlm - Workload Manager Menu
on - Globally turn Layer 4 processing ON
off - Globally turn Layer 4 processing OFF
cur - Display current Layer 4 configuration
>> Layer 4# real 2
------------------------------------------------------------
[Real Server 2 Menu]
adv - Real Server Advanced Menu
layer7 - Layer 7 Command Menu
ids - IDS Command Menu
ipver - Set IP version
rip - Set IP addr of real server
name - Set real server name
weight - Set weight for real server
maxcon - Set maximum number of connections
tmout - Set minutes inactive connection remains open
backup - Set backup real server
inter - Set interval between health checks
retry - Set number of failed attempts to declare server DOWN
restr - Set number of successful attempts to declare server UP
overflo - Enable/Disable backup on overflow
addport - Add real port to server
remport - Remove real port from server
ena - Enable real server
dis - Disable real server
del - Delete real server
cur - Display current real server configuration
>> Real Server 2 # rip 192.168.10.224
Current real server IP address: 0.0.0.0
New pending real server IP address: 192.168.10.224
>> Real Server 2 # en
Current status: disabled
New status: enabled
>> Real Server 2 # apply
------------------------------------------------------------------
Apply complete; don't forget to 'save' updated configuration.
>> Real Server 2 # ..
------------------------------------------------------------
[Layer 4 Menu]
real - Real Server Menu
group - Real Server Group Menu
virt - Virtual Server Menu
filt - Filtering Menu
port - Layer 4 Port Menu
gslb - Global SLB Menu
layer7 - Layer 7 Resource Definition Menu
wap - WAP Menu
sync - Config Synch Menu
adv - Layer 4 Advanced Menu
linklb - Inbound Linklb Menu
advhc - Layer 4 Advanced Health Check Menu
pip - Proxy IP Address Menu
peerpip - Peer Proxy IP Address Menu
wlm - Workload Manager Menu
on - Globally turn Layer 4 processing ON
off - Globally turn Layer 4 processing OFF
cur - Display current Layer 4 configuration
>> Layer 4# group 1
------------------------------------------------------------
[Real Server Group 1 Menu]
ipver - Set IP version
metric - Set metric used to select next server in group
rmetric - Set metric used to select next rport in server
content - Set health check content
health - Set health check type
backup - Set backup real server or group
name - Set real server group name
realthr - Set real server failure threshold
idsrprt - Set Intrusion Detection Port
advhlth - Set an advance group health check formula
mhash - Set minmisses hash parameter
wlm - Set Workload Manager number
viphlth - Enable/disable VIP health checking in DSR mode
ids - Enable/disable Intrusion Detection
idsfld - Enable/disable Intrusion Detection Group Flood
oper - Enable/disable the access to this group for operator
ena - Enable real server in this group
dis - Disable real server in this group
add - Add real server
rem - Remove real server
del - Delete real server group
cur - Display current group configuration
>> Real Server Group 1# add 1
Real server 1 added to real server group 1.
>> Real Server Group 1# add 2
Real server 2 added to real server group 1.
>> Real Server Group 1# apply
2. Create a filter for client side access and assign it to port 1:
>> Layer 4# filt 1
------------------------------------------------------------
[Filter 1 Menu]
adv - Filter Advanced Menu
name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
ipver - Set Filter IP version
sip - Set source IP address
smask - Set source IP mask
dip - Set destination IP address
dmask - Set destination IP mask
proto - Set IP protocol
sport - Set source TCP/UDP port or range
dport - Set destination TCP/UDP port or range
action - Set action
group - Set real server group for redirection
rport - Set real server port for redirection
nat - Set which addresses are network address translated
vlan - Set vlan id
invert - Enable/disable filter inversion
ena - Enable filter
dis - Disable filter
del - Delete filter
cur - Display current filter configuration
>> Filter 1 # name redirect_clinet
Current filter name:
New filter name: redirect_clinet
>> Filter 1 # act redir
Current action: allow
Pending new action: redir
>> Filter 1 # group 1
Current real server group: 1
New pending real server group: 1
>> Filter 1 # dip 192.168.10.202
Current destination address: any
New pending destination address: 192.168.10.202
>> Filter 1 # dmask 255.255.255.255
Current destination mask: 0.0.0.0
New pending destination mask: 255.255.255.255
>> Filter 1 # en
Current status: disabled
New status: enabled
>> Filter 1 # adv
------------------------------------------------------------
[Filter 1 Advanced Menu]
8021p - 802.1p Advanced Menu
tcp - TCP Advanced Menu
ip - IP Advanced Menu
layer7 - Layer 7 Advanced Menu
proxyadv - Proxy Advanced Menu
redir - Redirection Advanced Menu
security - Security Menu
icmp - Set ICMP message type
cont - Set BW contract
revcont - Set BW contract for the reverse session
tmout - Set NAT or L7 lookup session timeout
idsgrp - Set IDS server group for intrusion detection SLB
idshash - Set hash parameter for intrusion detection SLB
thash - Set hash parameter for Filter
mcvlan - Set MCAST NAT egress VLAN Id
goto - Set GOTO filter ID
reverse - Enable/disable creating session for reverse side traffic
cache - Enable/disable caching sessions that match filter
log - Enable/disable logging
mirror - Enable/disable session mirroring
nbind - Enable/disable subnet binding for redirection
cur - Display current advanced filter configuration
>> Filter 1 Advanced# cache dis
Current session caching: enabled
New session caching: disabled
>> Filter 1 Advanced# /c/slb/port 1
------------------------------------------------------------
[SLB Port 1 Menu]
client - Enable/disable client processing
server - Enable/disable server processing
rts - Enable/disable RTS processing
hotstan - Enable/disable hot-standby processing
intersw - Enable/disable inter-switch processing
proxy - Enable/disable use of PIP for ingress traffic
filt - Enable/disable filtering
add - Add filter to port
rem - Remove filter from port
idslb - Enable/disable intrusion detection server load balancing
symantec - Enable/disable symantec processing
cur - Display current port configuration
>> SLB Port 1# filt en
Current port 1 filtering: disabled
New port 1 filtering: enabled
>> SLB Port 1# add 1
Filter 1 added to port 1.
>> SLB Port 1# apply
------------------------------------------------------------------
Apply complete; don't forget to 'save' updated configuration.
Note: The cache option of a filter has to be turned off. This option caches sessions that match the filter and corrupts Steelhead optimization.
3. Create a filter for server response and assign it to port 8:
>> Layer 4# filt 2
------------------------------------------------------------
[Filter 2 Menu]
adv - Filter Advanced Menu
name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
ipver - Set Filter IP version
sip - Set source IP address
smask - Set source IP mask
dip - Set destination IP address
dmask - Set destination IP mask
proto - Set IP protocol
sport - Set source TCP/UDP port or range
dport - Set destination TCP/UDP port or range
action - Set action
group - Set real server group for redirection
rport - Set real server port for redirection
nat - Set which addresses are network address translated
vlan - Set vlan id
invert - Enable/disable filter inversion
ena - Enable filter
dis - Disable filter
del - Delete filter
cur - Display current filter configuration
>> Filter 2 # name direct_server
Current filter name:
New filter name: direct_server
>> Filter 2 # sip 192.168.10.202
Current source address: any
New pending source address: 192.168.10.202
>> Filter 2 # smask 255.255.255.255
Current source mask: 0.0.0.0
New pending source mask: 255.255.255.255
>> Filter 2 # act redir
Current action: allow
Pending new action: redir
>> Filter 2 # group 1
Current real server group: 1
New pending real server group: 1
>> Filter 2 # adv
------------------------------------------------------------
[Filter 2 Advanced Menu]
8021p - 802.1p Advanced Menu
tcp - TCP Advanced Menu
ip - IP Advanced Menu
layer7 - Layer 7 Advanced Menu
proxyadv - Proxy Advanced Menu
redir - Redirection Advanced Menu
security - Security Menu
icmp - Set ICMP message type
cont - Set BW contract
revcont - Set BW contract for the reverse session
tmout - Set NAT or L7 lookup session timeout
idsgrp - Set IDS server group for intrusion detection SLB
idshash - Set hash parameter for intrusion detection SLB
thash - Set hash parameter for Filter
mcvlan - Set MCAST NAT egress VLAN Id
goto - Set GOTO filter ID
reverse - Enable/disable creating session for reverse side traffic
cache - Enable/disable caching sessions that match filter
log - Enable/disable logging
mirror - Enable/disable session mirroring
nbind - Enable/disable subnet binding for redirection
cur - Display current advanced filter configuration
>> Filter 2 Advanced# cache dis
Current session caching: enabled
New session caching: disabled
>> Filter 2 Advanced# ..
------------------------------------------------------------
[Filter 2 Menu]
adv - Filter Advanced Menu
name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
ipver - Set Filter IP version
sip - Set source IP address
smask - Set source IP mask
dip - Set destination IP address
dmask - Set destination IP mask
proto - Set IP protocol
sport - Set source TCP/UDP port or range
dport - Set destination TCP/UDP port or range
action - Set action
group - Set real server group for redirection
rport - Set real server port for redirection
nat - Set which addresses are network address translated
vlan - Set vlan id
invert - Enable/disable filter inversion
ena - Enable filter
dis - Disable filter
del - Delete filter
cur - Display current filter configuration
>> Filter 2 # en
Current status: disabled
New status: enabled
>> Filter 2 # /c/slb/port 8
------------------------------------------------------------
[SLB Port 8 Menu]
client - Enable/disable client processing
server - Enable/disable server processing
rts - Enable/disable RTS processing
hotstan - Enable/disable hot-standby processing
intersw - Enable/disable inter-switch processing
proxy - Enable/disable use of PIP for ingress traffic
filt - Enable/disable filtering
add - Add filter to port
rem - Remove filter from port
idslb - Enable/disable intrusion detection server load balancing
symantec - Enable/disable symantec processing
cur - Display current port configuration
>> SLB Port 8# filt en
Current port 8 filtering: disabled
New port 8 filtering: enabled
>> SLB Port 8# add 2
Filter 2 added to port 8.
>> SLB Port 8# apply
------------------------------------------------------------------
Apply complete; don't forget to 'save' updated configuration.
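The note above about turning off the filter cache option, and the port steps that enable filtering and add the filter, can be checked mechanically. This is an added example, not part of the original post: a small Python audit over a constructed configuration written as menu-path stanzas. The stanza layout and the /c/slb/filt paths are assumptions modelled on the page's "/c/slb/port 1" command, and the defaults it relies on (caching enabled, port filtering disabled) are the ones shown in the session output above.

```python
import re

# Constructed sample in an assumed menu-path stanza layout (modelled on the
# page's "/c/slb/port 1"); filter 2 and port 8 are deliberately incomplete.
SAMPLE = """\
/c/slb/filt 1
    ena
    action redir
    dip 192.168.10.202
    group 1
/c/slb/filt 1/adv
    cache dis
/c/slb/filt 2
    ena
    action redir
    sip 192.168.10.202
    group 1
/c/slb/port 1
    filt ena
    add 1
/c/slb/port 8
    add 2
"""

def parse(text):
    """Return {stanza path: [setting lines]} for each /c/... stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith("/c/"):
            current = stanzas.setdefault(line.strip(), [])
        elif line.strip() and current is not None:
            current.append(line.strip())
    return stanzas

def audit(text):
    """List (filter id, problem) pairs for redirect filters that would misbehave."""
    cfg, problems = parse(text), []
    active = set()  # filter ids added to ports that have filtering enabled
    for path, lines in cfg.items():
        if re.fullmatch(r"/c/slb/port \d+", path) and "filt ena" in lines:
            active |= {l.split()[1] for l in lines if l.startswith("add ")}
    for path, lines in cfg.items():
        m = re.fullmatch(r"/c/slb/filt (\d+)", path)
        if m and "action redir" in lines:
            if "cache dis" not in cfg.get(path + "/adv", []):
                problems.append((m.group(1), "session caching not disabled"))
            if m.group(1) not in active:
                problems.append((m.group(1), "not on a port with filtering enabled"))
    return problems
```

Calling audit(SAMPLE) flags filter 2 twice and leaves filter 1 clean, since filter 1 matches the page's finished configuration.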
Action to test: Initiate a CIFS session from a client and copy a 26MB file from the server. The first transfer should be a raw copy. After that, copy the same file again.
Test Result: The CIFS session is optimized with 98% reduction.