Riverbed Deployment Models Overview

The document outlines various deployment options for Riverbed technology, focusing on in-path and out-of-path configurations for both client and server sides. It details the architecture of remote office and data center deployments, including peering rules and advanced design considerations. The document aims to equip users with the knowledge to describe and configure Riverbed deployment models effectively.

Riverbed Deployment Options

Part A: In-path & Out-of-Path


Part B: Advanced Design
2

Module Objectives
▪ At the end of this module you will be able to:
• Describe the different Riverbed deployment models available on both the client side and also the server side
• Configure peering rules

© 2006-2010 Riverbed Technology. Duplication Prohibited.


Riverbed Deployment Options
Part A: In-Path (Client-Side)
4

Bridging Model
▪ The Steelhead is deployed as a network bridge in most situations
▪ Typically it bridges between a LAN switch and the WAN hardware (WAN router, firewall, or VPN box)
▪ Unaccelerated traffic passes through with very low delay (such as VoIP, video streaming, telnet, SSH)
▪ Fail-through models act ‘as a wire’ in case of error
▪ Ports and protocols can be configured
▪ In all cases, there is an additional Steelhead network connection to the LAN for management access



5

Remote Office Infrastructure: Typical, Before Riverbed…

[Diagram: two branch offices, each with mail servers, regional file servers, NAS and tape backup, connected over WAN/VPN to headquarters (mail, NAS, file servers, storage, tape backup)]



6

…and After Riverbed Deployment

[Diagram: each branch office now has a Steelhead and optional file servers, connected over WAN/VPN to headquarters with a Steelhead, CMC, mail, NAS, file servers, storage and tape backup]



7

Multi-Site Deployment: Hub & Spoke, Partial/Full Mesh, Etc.

[Diagram: several sites, each with a Steelhead (and optional file servers), over a WAN (VPN/MPLS/etc.) to headquarters with Steelheads, a CMC managed by CLI or GUI, mail, NAS, file servers, storage and tape backup]



8

Multi-Site Deployment with Interceptor

[Diagram: branch offices (one serverless), each with a Steelhead, over the WAN to a data center with an optional Interceptor in front of a Steelhead cluster, an optional CMC, and servers (tape backup, NAS, file servers, mail server, storage)]



9

Networking at a Site
▪ When determining how to place the Steelhead in a network, there are several different factors to consider:
• Size of office (in terms of remote bandwidth use)
• Number of sessions
• If the appliance is to support users, servers, or both
▪ Covered in more detail later in this lesson



10

Many Network Design Options

In-path
▪ In-path 1
▪ In-path 1:1
▪ In-path 2
▪ 4-port/6-port card(s)
▪ In-path clustering

Out-of-path (OOP)
▪ Out-of-Path 1 & 1:1
▪ Out-of-Path with Static Clustering

Advanced Deployment Options (Logical In-path)
▪ WCCP
▪ Load Balanced (Layer-4)
▪ Policy-based Routing (PBR)
▪ Logical In-path (VLAN bridge)

Advanced Considerations
▪ Server-Side Connection Forwarding
▪ Client-Side Connection Forwarding



11

Remote Office Deployment Detail (Simple)

[Diagram: In-Path Deployment at a branch office: WAN/VPN – router, firewall or VPN appliance – Steelhead – L2 switch – LAN]



12

In-path Clustering: Peering Rules Review

[Diagram: Serial In-Path Deployment: WAN or VPN – router, firewall or VPN – Steelhead appliances 2, 3, 4, … in series – L2 switch – LAN; managed via CLI or web-based management]



13

Active-Active Sync (RiOS 4.0 & Above)

▪ Active-Active Sync works by enabling both the Sync Client and Sync Server on each Steelhead
• Configure one as primary and another as secondary (Master/Backup)
• Backup will take on Store_id of master
▪ In this way the Steelheads can send and receive new Segment Pages
▪ Three parts to Active-Active
• Catch-up – Where Master sends data segstore information to the backup Steelhead
• Keep-up – Sharing of new data as one of them adds it to their stores
• Peer Exchange – Where the Sync Client gets the Sync Server’s peer table

[Diagram: two Steelheads at Data Center X kept in sync, giving the Branch Office the same warm performance from either]



14

Enabling Active/Active Data Store Sync



15

In-Path 1:1 Failover Active/Active (4.0+): Data Center or Remote Site

[Diagram: In-Path Deployment: WAN or VPN – router, firewall or VPN – two Steelhead appliances (1:1) – L2 switch – LAN; managed via CLI or web-based management]



16

Enabling Active/Passive Failover Support

[no] failover enable
[no] failover master
[no] failover port <port>



17

In-Path 2 A

[Diagram: two Steelhead appliances, each in-path on one of two WAN/VPN routing points, in front of a LAN with NAS, file servers, mail server and storage; CMC and CLI/web-based management]

▪ Offices with two WAN routing points, no asymmetric routing and redundant Steelheads
▪ Traffic optimized even in case of error, works with traffic load balancing
▪ Router IGP configuration required
▪ DANGEROUS, use alternatives!



18

In-Path 2 Employing 4-Port Card

[Diagram: a single Steelhead appliance with a 4-port card in-path on both WAN/VPN links, in front of a LAN with NAS, file servers, mail server and storage; CMC and CLI/web-based management]

▪ Models 30XX and above can use multiple cards



19

In-Path 2:2 Employing 4-Port Card with Redundancy

[Diagram: two Steelhead appliances, each with a 4-port card, in-path on both WAN/VPN links in front of a LAN with NAS, file servers, mail server and storage; CMC and CLI/web-based management]

▪ Better way to have redundancy



Riverbed Deployment Options
Part A: Server Side
21

Design Templates: Data Centers

▪ Designs for serving data centers
• Out-of-path 1
• Server-side in-path
• Out-of-path 1:1
• Out-of-path with static clustering
• In-path 2 with connection forwarding



22

Server-Side Out-of-Path (SSOOP)

[Diagram: a client-side Steelhead in-path (LAN I/F and WAN I/F) across the WAN from a server-side Steelhead attached through its Primary interface; the client-side Steelhead uses a fixed-target rule, and the server sees the server-side Steelhead’s address as the source (IP SRC=S-SH)]

▪ The server-side Steelhead is physically out-of-path and is connected to the network through its Primary interface
▪ A Steelhead can be configured to act simultaneously as a client-side and server-side out-of-path Steelhead, connected to the network through its WAN and Primary interfaces
▪ Transparent for clients, non-transparent for servers
▪ Client-side Steelhead requires fixed-target rule to learn about server-side out-of-path Steelhead
▪ Only Correct Addressing



23

Out-of-path Packet Flow

Participants: Client (C), SH1 (client-side Steelhead), SH2 (server-side out-of-path Steelhead, listening on port 7810), Server (S).

1. IP(C)→IP(S): SYN SEQ1 (intercepted by SH1)
2. IP(SH1)→IP(SH2): SYN
3. IP(SH2)→IP(SH1): SYN/ACK
4. IP(SH1)→IP(SH2): ACK
5. SH1→SH2: Setup Information
6. IP(SH2)→IP(S): SYN SEQ2
7. IP(S)→IP(SH2): SYN/ACK
8. IP(SH2)→IP(S): ACK
9. SH2→SH1: Connect Result (the connect result is cached until failure)
10. IP(S)→IP(C): SYN/ACK
11. IP(C)→IP(S): ACK



24

Enabling SSOOP
▪ Server-side Steelhead
• interface primary ip address 192.168.41.80 /24
• ip default-gateway "192.168.41.20"
• hostname "ServerSH"
• out-of-path enable
▪ Client-side Steelhead
• Same configuration as basic in-path, with the fixed-target rule now pointing to the primary interface address of the server-side Steelhead
» in-path rule fixed-target srcaddr 0.0.0.0/0 dstaddr 192.168.41.64/26 dstport 0 target-addr 192.168.41.80 target-port 7810



25

Scalable SSOOP Data Center Deployment

[Diagram: Out-of-Path Deployment at a data center: WAN/VPN feeding Steelhead appliances A, B, C and D attached to the LAN with NAS, file servers, mail server and storage; CMC and CLI/web-based management]



26

Data Center, Server-Side In-Path

[Diagram: a Steelhead appliance in-path between the WAN/VPN and the data center LAN (NAS, file servers, mail server, storage)]

▪ Applications where the speedup of a single server (or server subnet) is desired
▪ Simple to manage, fail-through on error, LAN traffic is passed-through



27

Connection Forwarding

[Diagram: two Steelhead appliances, one on each WAN/VPN routing point, in front of a data center LAN with NAS, file servers, mail server and storage; CMC and CLI/web-based management]

▪ Offices with two WAN routing points, server-side
▪ Redundant Steelheads
▪ Asymmetric routes
▪ If a neighbor is lost, all new traffic is passthrough



28

Connection Forwarding Illustration A

[Diagram: remote office Steelhead SH and data center Steelheads SH1 and SH2 on two WAN/VPN paths behind L2 switches; the client-to-server traffic (C => S) and the returning traffic (C <= S) take different paths, so SH1 and SH2 exchange connection state with each other (SH => SH1, SH <= SH1, S => SH1)]

▪ Addresses the need for optimizing traffic in the following environment
• Asymmetric paths
• Links are not at same physical site (or 4-port card would be preferable)
• Set default gateway to LAN side
• Set a static route to LAN
• Use simplified routing



29

Enabling Connection Forwarding

[no] in-path neighbor name <name> additional-ip <IP addr> ip <IP addr> port <port>

The <port> argument is the port used for Connection Forwarding.



30

Connection Forwarding Statistics & Alarms

▪ This feature helps verify the status of Connection Forwarding
▪ It includes:
• Alarms to alert the customer to problems such as a connection failure, a keep-alive timeout, or when connection latency has exceeded a set threshold
• Statistics and counters related to neighbor connections and latency



31

Asymmetric Routing: Configuration

▪ Detection and passthrough can be enabled or disabled (enabled by default)
▪ Can remove cached entries manually

in-path asymmetric routing detection enable
in-path asymmetric routing pass-through enable
show in-path asym-route-tab          Shows the asymmetric route table of currently cached entries
show in-path ar-circbuf              Shows the circular buffer of all asymmetric connections the Steelhead has seen
in-path asym-route-tab remove <entry (e.g., 1.1.1.1-2.2.2.2)>
in-path asym-route-tab flush



32

Review: Where Should Peering Rules Go? A

[Diagram: Site A (10.0.0.x/24) with SH1 – WAN – Site B (12.0.0.x/24) with SH2 – WAN – Site C (11.0.0.x/24) with SH3 and SH4 in series]

▪ Given a cascade in-path scenario with sites A, B, and C
▪ Traffic goes from A ↔ B ↔ C and A ↔ C; traffic will transit Steelhead B in route to A and C
▪ We want traffic between A and C to use Steelheads at site A and C
▪ Where should peering rules go?



33

Peering Rules Answer A

[Diagram: same topology: Site A (10.0.0.x/24) with SH1, Site B (12.0.0.x/24) with SH2, Site C (11.0.0.x/24) with SH3 and SH4]

▪ Peering rules might look something like this:
• On site B, SH2 peering rules:
» in-path peering rule pass src 0.0.0.0/0 dest 11.0.0.0/24 dest-port all peer 0.0.0.0 description "To pass traffic in route to 11.0.0.x network" rulenum 1
» in-path peering rule pass src 0.0.0.0/0 dest 10.0.0.0/24 dest-port all peer 0.0.0.0 description "To pass traffic in route to 10.0.0.x network" rulenum 2
• On site C, SH3 peering rules:
» in-path peering rule pass src 0.0.0.0/0 dest 0.0.0.0/0 dest-port all peer 11.0.0.4 description "Never accept a probe from SH4" rulenum 1
• On site C, SH4 peering rules:
» in-path peering rule pass src 0.0.0.0/0 dest 0.0.0.0/0 dest-port all peer 11.0.0.3 description "Never accept a probe from SH3" rulenum 1
▪ Another possible solution
• Enhanced auto-discovery can be used since it will automatically terminate at the last SH (closest to the server)
» Will this solve my problem?
• What happens to traffic bound from A to C or C to A if SH 1 or 3 is down?
» Best practice: do not put Steelheads where they can see transit traffic!
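Added example (not from the Riverbed course): a small Python model of first-match peering-rule evaluation and of which Steelhead answers the probe on the cascade above, including the "what if SH1 is down" case. The SH3/SH4 in-path addresses 11.0.0.3 and 11.0.0.4 are taken from the peer fields of the rules; the SH1 and SH2 addresses 10.0.0.1 and 12.0.0.2 are constructed, and auto-discovery is simplified to "the first downstream Steelhead whose rules do not say pass answers the probe".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeeringRule:
    """One 'in-path peering rule' as typed on a Steelhead CLI (subset of the grammar)."""
    rulenum: int
    action: str                 # "pass" = do not answer this probe; "accept"/"auto" = answer it
    src: str = "0.0.0.0/0"
    dest: str = "0.0.0.0/0"
    dest_port: str = "all"
    peer: str = "0.0.0.0"       # in-path IP of the probing Steelhead; 0.0.0.0 matches any peer
    description: str = ""


def rule_matches(rule: PeeringRule, src: str, dest: str, dport: int, peer: str) -> bool:
    """Every field of the rule must match the probed SYN for the rule to fire."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(dest) not in ipaddress.ip_network(rule.dest, strict=False):
        return False
    if rule.dest_port != "all" and int(rule.dest_port) != dport:
        return False
    if rule.peer != "0.0.0.0" and rule.peer != peer:
        return False
    return True


def evaluate_peering(rules: List[PeeringRule], src: str, dest: str, dport: int, peer: str) -> str:
    """First match in rulenum order wins; the implicit default rule is 'auto'."""
    for rule in sorted(rules, key=lambda r: r.rulenum):
        if rule_matches(rule, src, dest, dport, peer):
            return rule.action
    return "auto"


@dataclass
class Steelhead:
    name: str
    inpath_ip: str              # constructed/inferred addresses, see lead-in
    rules: List[PeeringRule] = field(default_factory=list)


def probe_terminates_at(path: List[Steelhead], src: str, dest: str, dport: int) -> Optional[str]:
    """Simplified auto-discovery: path[0] sees the plain SYN and adds the probe; each later
    Steelhead answers the probe unless its peering rules say 'pass'. Returns the answering
    Steelhead's name, or None if the SYN leaves the last Steelhead still unanswered."""
    originator = path[0]
    for sh in path[1:]:
        if evaluate_peering(sh.rules, src, dest, dport, originator.inpath_ip) != "pass":
            return sh.name
    return None


# Topology from the slide: Site A 10.0.0.x/24 (SH1), Site B 12.0.0.x/24 (SH2, transit),
# Site C 11.0.0.x/24 (SH3 WAN-side, SH4 LAN-side). SH1/SH2 in-path IPs are constructed.
SH1 = Steelhead("SH1", "10.0.0.1")
SH2 = Steelhead("SH2", "12.0.0.2", [
    PeeringRule(1, "pass", dest="11.0.0.0/24", description="To pass traffic in route to 11.0.0.x network"),
    PeeringRule(2, "pass", dest="10.0.0.0/24", description="To pass traffic in route to 10.0.0.x network"),
])
SH3 = Steelhead("SH3", "11.0.0.3", [PeeringRule(1, "pass", peer="11.0.0.4", description="Never accept a probe from SH4")])
SH4 = Steelhead("SH4", "11.0.0.4", [PeeringRule(1, "pass", peer="11.0.0.3", description="Never accept a probe from SH3")])

A_TO_C = [SH1, SH2, SH3, SH4]   # order in which a SYN from site A meets the Steelheads
C_TO_A = [SH4, SH3, SH2, SH1]

if __name__ == "__main__":
    print("A->C:", probe_terminates_at(A_TO_C, "10.0.0.10", "11.0.0.50", 445))            # SH3
    print("A->B:", probe_terminates_at([SH1, SH2], "10.0.0.10", "12.0.0.50", 445))        # SH2
    print("C->A:", probe_terminates_at(C_TO_A, "11.0.0.50", "10.0.0.50", 445))            # SH1
    # SH1 down (fail-to-wire): the transit Steelhead SH2 now originates the probe and
    # becomes the client-side peer for A<->C traffic, which the best practice above warns about
    print("A->C, SH1 down:", probe_terminates_at([SH2, SH3, SH4], "10.0.0.10", "11.0.0.50", 445))  # SH3
```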



34

Exercises: Out-of-Path & NetFlow

▪ Objective
• Configure Steelheads in an out-of-path deployment and then measure the performance
▪ Steps
• Configure your network for an out-of-path deployment
• Measure the performance for out-of-path
• Configure your network for NetFlow
• Use a NetFlow Collector and analyze the statistics



35

Lab Topology: Out-of-Path

[Diagram: Out-of-Path Network. Branch side: shxbranch in-path at 10.1.x.20/27 (default gateway .25) with primary interface 10.1.x.30/27 (default gateway .25), Net1 router interface 10.1.x.25/27, Client1 10.1.x.10/27 and Client2 10.1.x.11/27 (default gateway .25). WAN simulator. Data center side: shxdc attached via its primary interface 10.1.41.2x/24 on LAN 10.1.41.x/24 (default gateway 10.1.41.x), instructor switch, shared server 10.1.41.70 (optimized) and 10.1.41.71 (unoptimized)]



Riverbed Deployment Options
Part B: Advanced Design
37

Clustering with Interceptor Appliance

[Diagram: Logical In-Path Deployment: WAN/VPN – Interceptor – LAN, with the Interceptor redirecting to a Steelhead appliance cluster; CLI/web-based management]

▪ Typically for data centers
▪ Interceptor re-directs traffic to clustered Steelhead appliances
▪ Dynamic load balancing among clustered Steelheads
▪ Add more clustered Steelheads “on demand”
▪ Peer affinity



38

Design Templates: Custom Modes

▪ Custom modes
• Policy-based Routing (PBR)
• Web Cache Control Protocol (WCCP)
• Hybrid in-path and out-of-path
• Logical in-path (VLAN bridge)
• Design for remote backup



39

Logical In-Path Deployment Topologies

[Diagram, two panels: (1) Auto-discovery: PBR or WCCP redirect-in to the client-side Steelhead’s WAN I/F, across the WAN to a server-side Steelhead (LAN I/F and WAN I/F); (2) Client & Server Fixed-target Rule: the same redirect-in on the client side, with fixed-target rules on both the client-side and the server-side Steelhead]



40

Logical In-Path

[Diagram: Client Out-of-path, Auto-discovery: PBR or WCCP redirect-in to the WAN I/F of both the client-side and the server-side Steelhead across the WAN]

▪ Covered more thoroughly in the “Steelhead Appliance Advanced Deployment & Troubleshooting” Riverbed training course



41

Policy-Based Routing (PBR)

[Diagram: WAN/VPN – router, firewall or VPN – L3 switch – LAN, with the Steelhead appliance hanging off the L3 switch]

▪ It is sometimes desirable to be “out-of-path” on the client side. The Steelhead may be physically out-of-path, but logically in-path through PBR.
▪ Router configuration required in addition to Steelhead configuration
▪ Steelhead check mechanisms
• EEM (Embedded Event Manager)
• IP SLA
• TCL scripts, macro scripts, etc.
▪ Not as many IOS concerns as WCCP
▪ Does not cluster well; static nature of rules is undesired
▪ Requires recent IOS levels to properly handle a possible Steelhead failure



42

Web Cache Control Protocol (WCCP)

[Diagram: WAN/VPN – router, firewall or VPN – L3 switch – LAN, with the Steelhead appliance hanging off the L3 switch]

▪ Offices with one or more WAN routing point(s) who don’t want in-path simplicity
▪ Most cost-effective, simple to manage, handles complex WAN interfaces by getting out of the way (fiber, dual routers, no switch-router link, etc)
▪ Un-optimized (fail-through) on error automatically
▪ Many Cisco bugs, check router/IOS version with Cisco
▪ Cisco-centric
▪ Covered more thoroughly in the “Steelhead Appliance Advanced Deployment & Troubleshooting” Riverbed training course



43

WCCPv2 Control Messages

▪ WCCPv2 uses four control messages:
• HERE_I_AM
• I_SEE_YOU
• REDIRECT_ASSIGNMENT
• REMOVAL_QUERY
▪ Each WCCP protocol message is carried in a UDP packet with a destination port of 2048
• You can use UDP port 2048 to filter out WCCP messages in tcpdump traces
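Added example (not from the Riverbed course): a Python decoder for the WCCPv2 message header and components carried in those UDP/2048 datagrams, of the kind a capture-review script would run after filtering on the port. The message-type codes 10 to 13, the 0x0200 version word and the security-info/service-info component layouts are taken from the WCCPv2 protocol draft; the sample HERE_I_AM datagram is constructed here, and its service group 90 matches the router example later in this deck.

```python
import struct

WCCP2_UDP_PORT = 2048
WCCP2_VERSION = 0x0200
MESSAGE_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU", 12: "REDIRECT_ASSIGNMENT", 13: "REMOVAL_QUERY"}
# Component (item) types inside a message; only the first two are decoded here.
WCCP2_SECURITY_INFO = 0
WCCP2_SERVICE_INFO = 1
SECURITY_OPTIONS = {0: "none", 1: "md5"}


def parse_wccp2(payload: bytes) -> dict:
    """Decode the 8-byte WCCPv2 header (type:4, version:2, length-of-rest:2, big-endian)
    and walk the type/length components that follow it."""
    if len(payload) < 8:
        raise ValueError("too short for a WCCPv2 header")
    msg_type, version, length = struct.unpack("!IHH", payload[:8])
    if version != WCCP2_VERSION:
        raise ValueError(f"unexpected WCCP version 0x{version:04x}")
    if 8 + length > len(payload):
        raise ValueError("declared length exceeds payload")
    msg = {"type": MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"), "components": []}
    offset, end = 8, 8 + length
    while offset + 4 <= end:
        ctype, clen = struct.unpack("!HH", payload[offset:offset + 4])
        body = payload[offset + 4:offset + 4 + clen]
        if len(body) != clen or offset + 4 + clen > end:
            raise ValueError("truncated component")
        if ctype == WCCP2_SECURITY_INFO and clen >= 4:
            option = struct.unpack("!I", body[:4])[0]      # 0 = no security, 1 = MD5 password
            msg["security"] = SECURITY_OPTIONS.get(option, f"unknown({option})")
        elif ctype == WCCP2_SERVICE_INFO and clen >= 4:
            svc_type, svc_id, protocol = body[0], body[1], body[3]   # body[2] is the priority
            msg["service"] = {"dynamic": svc_type == 1, "id": svc_id, "protocol": protocol}
        msg["components"].append(ctype)
        offset += 4 + clen
    return msg


def build_here_i_am(service_id: int, md5_hash: bytes = b"") -> bytes:
    """Constructed sample HERE_I_AM with a security component and a dynamic service component."""
    if md5_hash:
        security = struct.pack("!HHI", WCCP2_SECURITY_INFO, 4 + 16, 1) + md5_hash
    else:
        security = struct.pack("!HHI", WCCP2_SECURITY_INFO, 4, 0)
    # service type 1 = dynamic, service id, priority 0, protocol 6 (TCP), flags 0, 8 unused ports
    service = struct.pack("!HHBBBBI8H", WCCP2_SERVICE_INFO, 24, 1, service_id, 0, 6, 0, *([0] * 8))
    body = security + service
    return struct.pack("!IHH", 10, WCCP2_VERSION, len(body)) + body


def triage(payload: bytes) -> str:
    """One-line summary for a UDP/2048 datagram, flagging service groups joined without
    the protocol's own MD5 security option."""
    msg = parse_wccp2(payload)
    line = f"{msg['type']} service-group {msg.get('service', {}).get('id', '?')}"
    if msg.get("security") == "none":
        line += " [unauthenticated service group]"
    return line


if __name__ == "__main__":
    print(triage(build_here_i_am(90)))
    print(triage(build_here_i_am(90, md5_hash=bytes(16))))
```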



44

WCCPv2 Steelhead Configuration: Step 1

1. Enable logical in-path support. This will also “shutdown” lan0_0.

Apply, then Save



45

WCCPv2 Steelhead Configuration: Steps 2 to 4

2. Define Service Group ID
3. Define Unicast Router ID (you can define up to 32 routers), then click on Add
4. Enable WCCPv2 Support (LAN is then disabled), then click on Apply



46

Router Considerations: WCCPv2 Router Configuration

R1(config)# ip wccp 90 redirect-list 100
1. This command enables WCCPv2 globally on the router
2. Define Service Group Number as 90
3. “Tie” redirect-list to extended access-list 100

R1(config)# access-list 100 permit tcp host 10.2.22.99 host 10.2.29.88
R1(config)# access-list 100 permit tcp host 10.2.29.88 host 10.2.22.99
4. Define extended access-list 100 to match on TCP traffic between client 10.2.22.99 and server 10.2.29.88

R1(config)# interface FastEthernet0/0
R1(config-if)# ip wccp 90 redirect in
5. This command specifies that inbound redirection for service group 90 is to be applied to interface FastEthernet0/0

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
47

Hybrid In-Path & Out-of-Path

[Diagram: WAN/VPN – router, firewall or VPN – Steelhead appliance – L2 switch – LAN, with a DMZ off the router]

▪ Offices with one WAN routing point and users, but that must be referenced from remote sites as out-of-path (to avoid mistaken auto-discovery or to jump over intermediary Steelheads for example)
▪ Handles odd network configurations; useful for pre-warming in data center
▪ Unoptimized (fail-through) on error (1:1 redundancy supported as well)
▪ Add fixed-target rules on remote side to primary IP and port 7810



48

In-Path VLAN Bridge

[Diagram: WAN/VPN – router, firewall or VPN on VLAN10 – L3 switch/router – VLAN20 LAN, with the Steelhead appliance bridging VLAN10 and VLAN20]

▪ Offices with one WAN routing point, who don’t want in-path physically. Place the office network on one VLAN, bridge it to the router which is on another VLAN (Steelhead is on both). Disable fast switching.
▪ Handles complex WAN interfaces by getting out of the way (fiber, dual routers, no switch-router link, etc)
▪ Unoptimized (fail-through) on error
▪ Not supported on all routers (especially not low end Cisco 2xxx 3yyy or with sup)



49

Network Integration Tips: Layer 2 WAN

▪ The problem with Layer 2 WAN networks is that they might broadcast the probe to multiple sites with Steelheads, but only the Steelhead in front of the server should answer
▪ sport kernel bcast-support
• Checks that the server is on the LAN side of a Steelhead before that Steelhead answers a probe request
▪ Note you will likely want to use fixed-target rules to identify the optimization subnets
▪ Do not enable simplified routing



50

Static Routing Steelhead (Controlled Environment Only!)

[Diagram: WAN/VPN – router, firewall or VPN – L2 switch – LAN, with the Steelhead appliance on the L2 switch acting as the LAN default gateway]

▪ Some network designs can best be solved by changing the default gateway from the Router to the Steelhead
▪ Handles extremely odd network configurations
▪ Static routing only; single point of failure; no HSRP support; no regular router management; must change client configuration



51

Optimization Configuration via CLI

▪ in-path enable
• In-path
• Logical in-path (VLAN bridge)
▪ in-path oop enable
• WCCP, PBR, L4, Interceptor, routing
▪ out-of-path enable
• Server-side out-of-path
▪ out-of-path enable and in-path enable or in-path oop enable
• Hybrid



52

How Are They Wired?

[Diagram: cabling for In-Path, Logical In-Path Client-OOP (WCCP, PBR, L4), and Server-side Out-of-path deployments]



53

And More!
▪ There are more possible deployments – there are a *lot* of different network designs out there
▪ To customize:
• What are the requirements?
• Use some templates from this module – but adapt to the requirements
• Call in Riverbed Professional Services as needed



54

Module Summary
▪ By now you should be able to:
• Describe the different Riverbed deployment models available on both the client side and also the server side
• Configure peering rules



55

Exercises: WCCP
▪ Objective
• Configure WCCP for your lab environment
▪ Steps
• WCCP setup (Logical in-path deployment)
• WCCP redirection of all traffic & LAN/WAN auto-discovery
• (Optional): WCCP redirect lists, WAN-side fixed-target rules, & LAN-only redirection
• (Optional): WCCP dynamic service groups, WAN-side fixed-target rules, & LAN-only redirection



56

Lab Topology

[Diagram: Logical In-Path Network. Branch side: shxbranch in-path at 10.1.x.20/27 (default gateway .25) with primary interface 10.1.x.30/27 (default gateway .25), Client-10 at 10.1.x.10/27 (default gateway .25), router interface f0.x at 10.1.x.25/27. WAN simulator configured in bridge mode. Data center side: shxdc in-path at 10.1.x.80/27 (default gateway .85) with primary interface 10.1.x.90/27 (default gateway .85), Server-70 at 10.1.x.70/27 (default gateway .85), router interface f0.1x at 10.1.x.85/27; instructor switch between the two sides]



Module Appendix: NAT
Correct Addressing
58

In-path First Connection Packet Flow (Source NAT in Client Side)

[Diagram, marked OK: Client (Ca) – Client-Side Steelhead (WA1, in-path address WA1a) – private side – NAT (Ca → Cb, WA1a → WA1b) – public side – Server-Side Steelhead (WA2, listening on port 7800) – L2 switch – Server (S); the probe result is cached for 10 seconds and the connect result is cached until failure]

CSH sends “Setup Information: Original Client, Server IP” to SSH, so SSH re-assembles the original client and server IP and sends it to the server.



59

In-path First Connection Packet Flow (Source NAT in Both Sides)

[Diagram, marked OK: Client (Ca) – Client-Side Steelhead (WA1, private) – NAT (Ca → Cb, WA1a → WA1b) – public network – Server-Side Steelhead (WA2, public) – NAT router or firewall (Sb → Sa) – Server (Sa, private)]

Auto-discovery (each packet shown as sent, then as it appears after the NAT):
1. IP(Ca)→IP(Sb) SYN from the client; the CSH forwards IP(Ca)→IP(Sb) SYN + probe (WA1a address), which the client-side NAT turns into IP(Cb)→IP(Sb) SYN + probe (WA1a address)
2. The SSH answers IP(Sb)→IP(Cb) SYN/ACK + probe response (WA2 address), which arrives at the CSH as IP(Sb)→IP(Ca) SYN/ACK + probe response (WA2 address); the probe result is cached for 10 seconds
Inner connection (SSH listening on port 7800):
3. IP(WA1a)→IP(WA2) SYN port 7800, NATed to IP(WA1b)→IP(WA2) SYN port 7800
4. IP(WA2)→IP(WA1b) SYN/ACK port 7800, NATed back to IP(WA2)→IP(WA1a) SYN/ACK port 7800
5. IP(WA1a)→IP(WA2) ACK port 7800, NATed to IP(WA1b)→IP(WA2) ACK port 7800
6. Setup Info from CSH to SSH
Server-side connection:
7. IP(Ca)→IP(Sb) SYN from the SSH, translated by the router or firewall to IP(Ca)→IP(Sa) SYN
8. IP(Sa)→IP(Ca) SYN/ACK from the server, translated to IP(Sb)→IP(Ca) SYN/ACK
9. IP(Ca)→IP(Sb) ACK, translated to IP(Ca)→IP(Sa) ACK

CSH sends “Setup Information: Original Client, Server IP” to SSH, so SSH re-assembles the original client and server IP and sends it to the server.



60

In-path First Connection Packet Flow (Source NAT in Both Sides)

[Diagram, marked No: Client (Ca) – Client-Side Steelhead (WA1, private) – NAT (Ca → Cb, WA1a → WA1b) – public network – NAT (Sb → Sa, WA2b → WA2a) – Server-Side Steelhead (WA2, private) – Server (Sa)]

Auto-Discovery:
1. IP(Ca)→IP(Sb) SYN from the client; the CSH forwards IP(Ca)→IP(Sb) SYN + probe (WA1a address), seen as IP(Cb)→IP(Sb) SYN + probe (WA1a address) after the client-side NAT and as IP(Cb)→IP(Sa) SYN + probe (WA1a address) after the server-side NAT
2. The SSH answers IP(Sa)→IP(Cb) SYN/ACK + probe response (WA2a address), seen as IP(Sb)→IP(Cb) and finally IP(Sb)→IP(Ca) SYN/ACK + probe response (WA2a address); the probe result is cached for 10 seconds
3. IP(WA1a)→IP(WA2a) SYN port 7800 from the CSH, NATed to IP(WA1b)→IP(WA2a) SYN port 7800 (SSH listening on port 7800)

The SSH IP (WA2a) is not public but private, so connections between CSH and SSH will be half-opened and fail.



61

In-path First Connection Packet Flow (Source NAT in Both Sides)

[Diagram, marked No: same topology as the previous slide, with the CSH using a fixed-target rule to the SSH’s public address WA2b]

Fixed-Target:
1. IP(Ca)→IP(Sb) SYN from the client
2. IP(WA1a)→IP(WA2b) SYN port 7800 from the CSH, NATed to IP(WA1b)→IP(WA2b) SYN port 7800 and then to IP(WA1b)→IP(WA2a) SYN port 7800 (SSH listening on port 7800)
3. IP(WA2a)→IP(WA1b) SYN/ACK port 7800 from the SSH, NATed to IP(WA2b)→IP(WA1b) and then IP(WA2b)→IP(WA1a) SYN/ACK port 7800; the probe result is cached for 10 seconds
4. IP(WA1a)→IP(WA2b) ACK port 7800, NATed to IP(WA1b)→IP(WA2b) and then IP(WA1b)→IP(WA2a) ACK port 7800
5. Setup Info: CSH sends “Setup Information: Original Client, Server IP” to SSH, so SSH re-assembles the original client and server IP and sends IP(Ca)→IP(Sb) SYN to the server

The destination IP carried in the Setup Info is not the private address but the public one (Sb), so the server-side connection is half-opened.

