Interceptor® Appliance Deployment Guide
June 2014

© 2014 Riverbed Technology, Inc. All rights reserved. Riverbed®, SteelApp™, SteelCentral™, SteelFusion™, SteelHead™, SteelScript™, SteelStore™, Steelhead®, Cloud Steelhead®, Virtual Steelhead®, Granite™, Interceptor®, Stingray™, Whitewater®, WWOS™, RiOS®, Think Fast®, AirPcap®, BlockStream™, FlyScript™, SkipWare®, TrafficScript®, TurboCap®, WinPcap®, Mazu®, OPNET®, and Cascade® are all trademarks or registered trademarks of Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective owners. Akamai® and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Juniper Networks and Junos are registered trademarks of Juniper Networks, Incorporated in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries.
UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Inc. in the United States and in other countries. This product includes Windows Azure Linux Agent developed by the Microsoft Corporation (http://www.microsoft.com/). Copyright 2012 Microsoft Corporation. This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. The Virtual Steelhead Mobile Controller includes VMware Tools. Portions Copyright © 1998-2013 VMware, Inc. All Rights Reserved. This product includes the NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK, which can be found at http://communities.netapp.com/docs/DOC-1152 and is included in a NOTICES file within the downloaded files. For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com. This documentation is furnished “AS IS” and is subject to change without notice and should not be construed as a commitment by Riverbed. This documentation may not be copied, modified or distributed without the express authorization of Riverbed and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as “commercial computer software documentation” and any use by the government shall be governed solely by these terms.
All other use is prohibited. Riverbed assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.

Riverbed Technology
680 Folsom Street
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801
Web: http://www.riverbed.com
Part Number: 712-00042-04

Contents

Preface  1
  About This Guide  1
    Audience  2
    Document Conventions  2
  Additional Resources  3
    Release Notes  3
    Riverbed Documentation and Support Knowledge Base  3
    Online Documentation  3
  Contacting Riverbed  3
    Internet  3
    Technical Support  4
    Professional Services  4
    Documentation  4
  What Is New  4

Chapter 1 - Overview of the Interceptor Appliance  5
  Overview of the Interceptor Appliance  5
  Comparing WCCP, PBR, and Layer-4 Redirection Without Steelhead Appliances  7

Chapter 2 - Interceptor Appliance Deployment Design  9
  Physical In-Path Interceptor Appliance Deployment  9
    Overview of Physical In-Path Interceptor Appliance  10
    Cabling and Duplex  12
    IP Address and Gateway Selection  12
    Default Gateway and Routing Configuration  13
    EtherChannel and LACP  15
    802.1Q VLAN Trunks  16
    Physical In-Path Interceptor Appliance Failure Modes  18
    Interceptor Appliance Link State Propagation  19
  Virtual In-Path Interceptor Appliance Deployment  19
    Overview of Virtual In-Path Interceptor Appliance  20
    Unsupported Virtual In-Path Interceptor Appliance Deployment  21
    In-Path Interceptor Appliance Failure Modes  22
  Overview of Redirection and Optimization  22
  Deployment Verification  25
  GRE, MPLS, and VRF  25
  QoS in an Interceptor Appliance Deployment  26

Chapter 3 - Interceptor Appliance Clusters  27
  Steelhead Appliance Placement and Configuration  27
    LAN-Side Versus WAN-Side Steelhead Appliance Placement  28
    Layer-2 Versus Layer-3 Connectivity  29
    Multiple Steelhead Appliance Link Support  29
    Multiple Steelhead Appliance Support  30
  Firewall and Monitoring Interaction  32
  Relative Placement of a Firewall, Steelhead Appliance, and Interceptor Appliance  32
    Disruptive Firewall Placements  33
    Firewall Placement Best Practices  34
  Interceptor Appliance Relationships  35
    Deploying Failover Interceptor Appliances  35
    Deploying Interceptor Appliances in Clusters  37
    Unsupported Deployments  38
  Cluster Member Failures  39
  Standard Cluster Types  41
    Deploying Series Interceptor Appliances  43
    Deploying Parallel Interceptor Appliances with Fail-to-Block  45
    Deploying Quad Interceptor Appliances  47
    Deploying a Virtual In-Path Interceptor Appliance Cluster  50
  Choosing a Cluster Type  52
  Connection Forwarding Settings for Allow-Failure  53

Chapter 4 - Traffic Redirection  55
  Overview of Traffic Redirection  55
    Hardware-Assisted Pass-Through  57
    In-Path Rules  57
    Load-Balance Rules  58
  Intra-Cluster Latency  62

Chapter 5 - VLAN Segregation  65
  Overview of VLAN Segregation  65
  Use Cases  66
  VLAN Segregation Interceptor Appliance Cluster Virtualization  67
  Feature Compatibility and Limitations  69
  Deploying VLAN Segregation  70
    Single Interceptor Appliance in VLAN Segregation  72
    Interceptor Appliance Cluster in VLAN Segregation Mode  75

Chapter 6 - Authentication and Security  83
  Overview of Security  83
  Vulnerability Management  85
  Overview of Authentication  86
  Authentication Features  86
  Configuring a RADIUS Server  87
    Configuring a RADIUS Server with FreeRADIUS  87
    Configuring RADIUS Authentication in the Interceptor Appliance  88
    Configuring RADIUS CHAP Authentication  89
  Configuring a TACACS+ Server  90
    Configuring TACACS+ with Cisco Secure Access Control Servers  91
    Configuring TACACS+ Authentication in the Interceptor Appliance  91
  Securing Interceptor Appliances  91
    Overview of Securing Interceptor Appliances  92
    Best Practices for Securing Access to Interceptor Appliances  92
    Best Practices for Enabling Interceptor Appliance Security Features  97
    Best Practices for Security Monitoring  99
    Configuring SSL Certificates for Web User Interface  100
  Configuring SNMP v3 Authentication and Privacy  100

Chapter 7 - Best Practices for Interceptor Appliance Deployments  105
  General Best Practices  105
  Best Practices for VLAN Segregation  107
  Installation and Verification Best Practices  107
    Installing an Interceptor Appliance  108
    Verifying the Configuration  109

Index  111

Preface

Welcome to the Interceptor Appliance
Deployment Guide. Read this preface for an overview of the information provided in this guide, the documentation conventions used throughout, additional resources, and contact information. This preface includes the following sections:

  “About This Guide” on page 1
  “Additional Resources” on page 3
  “Contacting Riverbed” on page 3
  “What Is New” on page 4

About This Guide

The Interceptor Appliance Deployment Guide describes the Interceptor appliance, including how to design and deploy an Interceptor and Steelhead appliance cluster.

Riverbed product names have changed. At the time of publication, the user interfaces of the products described in this guide have not changed, and the original names are used in the text. For the product naming key, see http://www.riverbed.com/products/?pid=Home_Hero:+New+Product+Names#Product_List.

This guide includes information relevant to the following products:

  RiOS system (RiOS system)
  Riverbed Steelhead appliance (Steelhead appliance)
  Riverbed Steelhead CX appliance (Steelhead CX)
  Riverbed Steelhead EX appliance (Steelhead EX)
  Riverbed Virtual Steelhead (VSH)
  Riverbed Cloud Steelhead (CSH)
  Central Management Console (CMC)
  Central Management Console Virtual Edition (CMC-VE)
  Riverbed Steelhead Mobile software (Steelhead Mobile)
  Riverbed Steelhead Mobile Controller (Mobile Controller)
  Riverbed Steelhead Mobile Client (Mobile Client)
  Riverbed Interceptor appliance (Interceptor appliance)
  Riverbed Virtual Services Platform (VSP)
  Riverbed Services Platform (RSP)

Audience

This guide is written for storage and network administrators familiar with administering and managing WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS. You must also be familiar with:

  the Interceptor appliance. For details, see the Interceptor Appliance User’s Guide and the Interceptor Appliance Installation Guide.
  the Management Console. For details, see the Steelhead Appliance Management Console User’s Guide.
  connecting to the RiOS CLI. For details, see the Riverbed Command-Line Interface Reference Manual.
  the installation and configuration process for the Steelhead appliance. For details, see the Steelhead Appliance Installation and Configuration Guide.

Important: The Interceptor appliance CLI commands used in the configuration examples use Interceptor v3.0 and later. For information about Interceptor appliance versions prior to v3.0, see the appropriate version of the Interceptor Appliance User’s Guide and the Riverbed Command-Line Interface Reference Manual.

Document Conventions

This guide uses the following standard set of typographical conventions.

Convention   Meaning
italics      Within text, new terms, emphasized words, and REST API URIs appear in italic typeface.
boldface     Within text, CLI commands, CLI parameters, and REST API properties appear in bold typeface.
Courier      Code examples appear in Courier font:
               amnesiac > enable
               amnesiac # configure terminal
< >          Values that you specify appear in angle brackets: interface <ipaddress>
[ ]          Optional keywords or variables appear in brackets: ntp peer <addr> [version <number>]
{ }          Required keywords or variables appear in braces: {delete <filename>}
|            The pipe symbol represents a choice to select one keyword or variable to the left or right of the symbol. The keyword or variable can be either optional or required: {delete <filename> | upload <filename>}

Additional Resources

This section describes resources that supplement the information in this guide. It includes the following:

  “Release Notes” on page 3
  “Riverbed Documentation and Support Knowledge Base” on page 3
  “Online Documentation” on page 3

Release Notes

The online software release notes supplement the information in this manual.
The release notes are available in the Software section of the Riverbed Support site at https://support.riverbed.com. The following table describes the release notes.

Release Notes                                    Purpose
<product>_<version_number>_<build_number>.pdf    Describes the product release and identifies fixed problems, known problems, and workarounds. This file also provides documentation information not covered in the manuals or that has been modified since publication. Examine this file before you begin the installation and configuration process. It includes important information about this release of the Steelhead appliance.

Riverbed Documentation and Support Knowledge Base

For a complete list and the most current version of Riverbed documentation, go to the Riverbed Support site at https://support.riverbed.com.

The Riverbed Knowledge Base is a database of known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. To access the Riverbed Knowledge Base, log in to the Riverbed Support site at https://support.riverbed.com.

Online Documentation

The Riverbed documentation set is periodically updated with new information. To access the most current version of Riverbed documentation and other technical information, consult the Riverbed Support site at https://support.riverbed.com.

Contacting Riverbed

This section describes how to contact departments within Riverbed.

Internet

You can learn about Riverbed products at http://www.riverbed.com.

Technical Support

If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States. You can also go to https://support.riverbed.com.

Professional Services

Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, email [email protected] or go to http://www.riverbed.com/us/products/professional_services/.

Documentation

The Riverbed Technical Publications team continually strives to improve the quality and usability of Riverbed documentation. Riverbed appreciates any suggestions you might have about its online documentation or printed materials. Send documentation comments to [email protected].

What Is New

Since the last release of the Interceptor Appliance Deployment Guide (July 2013), the following changes have been made:

  Updated - “Overview of Redirection and Optimization” on page 22
  Updated - “Deploying Quad Interceptor Appliances” on page 47
  New - “Authentication and Security” on page 83