6 Replies Latest reply: Jan 27, 2017 2:46 AM by rgirdlestone .

Pass-through rule for Virtual In-path deployment

PROSEN G

Dear Folks,

 

Please help me to sort out the below issue. I have two data centers, DC1 and DC2. Both data centers are connected via an MPLS private cloud. Physical connectivity is pretty simple at both sides and is mentioned below. Due to a testing request from the application team, I have been asked to pass through the traffic between the source (10.122.32.8/24) and the destination server (10.223.64.10/24). Both Steelheads are deployed in virtual in-path mode (only the WAN interface is connected to the switch). So my questions are mentioned below.

 

(a) Is it required to configure the pass-through rule at both sides, or if I configure the rule at any side will it work, as there will not be any SYN packet?

(b) As both data center Steelheads are deployed in virtual in-path (only the WAN0_0 interface is connected), will it be a peering rule at the DC1 side, or an in-path pass-through rule at DC1?

  • Re: Pass-through rule for Virtual In-path deployment
    Alton Yu

    You configure the pass-through rule on the client side. No need to configure it on the server side.

     

    I'm not understanding your second question.

  • Re: Pass-through rule for Virtual In-path deployment
    rgirdlestone .

    Hi

    Just to be clear on this, the Virtual in-path deployment will process SYNs on the "Virtual LAN" interface, which now, as you said, faces the WAN interface.  It only knows LAN or WAN side traffic if you tell it which is which using "subnet side rules".  If you don't, it will process all SYNs.  Therefore Alton is entirely correct.  You need a passthrough rule where you see the SYN.  Do not use peering rules for this purpose.

     

    Incidentally, if you do not do subnet side rules and a SYN appears WAN side, for whatever reason, without a probe, the SH will still process it, as it doesn't know.  You will get spurious error codes like "no SH on path to server".

     

    Regards

     

    Rupert

    • Re: Pass-through rule for Virtual In-path deployment
      PROSEN G

      Hi mate,

       

      Thanks for your reply. I still have a doubt, kindly clarify.

      (1) In virtual in-path, only the WAN port is connected to the Steelhead, no LAN port. In that case all the source-side optimization requests will be terminated on the WAN interface of the Steelhead only. Then why is it required to configure an in-path pass-through rule?

       

      (2) On the other side, if I don't configure any rules at the source-side Riverbed and instead configure the other side of the DC (in my case it is DC2), can I configure a peer rule here?

       

      Regards

      Prosen

      • Re: Pass-through rule for Virtual In-path deployment
        rgirdlestone .

        In virtual in-path deployments, as soon as you apply the command on the General Service Settings, the LAN interface is downed.  However it still exists in a virtual form, facing the physical WAN interface.  Therefore the in-path rules are still valid.  Remember:  In-path rules are how you deal with SYNs on the LAN interface, peering rules are how you deal with PROBES on ANY interface (LAN or WAN).

         

        As such you need a pass-thru rule at the DC where you expect to see the SYN from the initiator of the connection for it to be processed.

         

        The order of in-path rules is important.  A SYN is processed by EXACTLY ONE in-path rule.  It is the FIRST one that takes effect, similar in many ways to an ACL in routing.

         

        Hope this clears it up, please let me know otherwise.

         

        Cheers

        Rupert
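
The rule handling described in the replies above, as an added example that is not from any poster in this thread and is not Riverbed code: a simplified Python model in which a plain SYN is handled by exactly one in-path rule (the first match) and a probe goes to the peering rules. The action labels, the /32 host entries, the catch-all auto-discover rule and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class InPathRule:
    action: str  # "pass-through" or "auto-discover" (labels assumed by this model)
    src: str     # source subnet in CIDR form
    dst: str     # destination subnet in CIDR form

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

def process_packet(kind, src_ip, dst_ip, in_path_rules, peering_action="accept"):
    """kind is 'syn' (plain SYN on the virtual LAN interface) or 'probe'.

    Returns (which table decided, action taken).
    """
    if kind == "probe":
        # Probes are never evaluated against in-path rules; the peering
        # rules themselves are not modelled, only their outcome.
        return ("peering", peering_action)
    for number, rule in enumerate(in_path_rules, start=1):
        if rule.matches(src_ip, dst_ip):
            return (f"in-path rule {number}", rule.action)  # first match wins
    return ("no in-path rule", None)

# Hosts from the original question, written as /32 entries (assumption).
SRC, DST = "10.122.32.8", "10.223.64.10"
PASS = InPathRule("pass-through", f"{SRC}/32", f"{DST}/32")
CATCH_ALL = InPathRule("auto-discover", "0.0.0.0/0", "0.0.0.0/0")

GOOD_ORDER = [PASS, CATCH_ALL]      # specific rule first
SHADOWED_ORDER = [CATCH_ALL, PASS]  # specific rule never reached

if __name__ == "__main__":
    for name, table in (("good", GOOD_ORDER), ("shadowed", SHADOWED_ORDER)):
        print(name, process_packet("syn", SRC, DST, table))
    print("probe", process_packet("probe", SRC, DST, GOOD_ORDER))
```
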