
Riverbed Certified Solutions Associate

WAN Optimization (RCSA-W 101-01) notes


November 28, 2011

RiOS: Riverbed Optimization System

SMC: Steelhead Mobile Controller

CMC: Central Management Console

RSP: Riverbed Services Platform

PBR: Policy-based routing

WCCP: Web Cache Communication Protocol

GRE: Generic routing encapsulation

DNAT: Destination Network Address Translation

SDR: Scalable Data Referencing

The Riverbed QoS system is based on a patented version of Hierarchical Fair Service Curves
(HFSC). HFSC allows bandwidth allocation for multiple applications of varying sensitivity,
eliminating the issues of jitter and starvation caused by other QoS techniques. This allows
Riverbed to deliver low latency to traffic without wasting bandwidth and deliver high
bandwidth to delay-insensitive traffic without disrupting delay-sensitive traffic.

CIFS and HTTP Prepopulation


CIFS and HTTP prepopulation is for warming the Steelhead appliance with data not yet
requested by end users, and can only be configured on the Primary interface of the client-side
Steelhead appliance.
The traffic leaves the Primary interface and it must traverse a client-side in-path connection
(for example, LAN0_0/WAN0_0 for an inline deployment, or WAN0_0 for a logical in-path
deployment) before reaching the server-side Steelhead appliance. Prepopulation does not
work if the Primary interface bypasses client-side optimization first.

The traffic for RiOS data store synchronization is transferred through either the Steelhead
appliance primary or auxiliary network interfaces, not the in-path interfaces.

You can always restart the configuration wizard and change your answers by entering
configuration jump-start at the system prompt.

General System Status

Healthy: Indicates that all systems are functioning properly.

Degraded: Indicates that a system alarm has been triggered.

Critical: Indicates conditions that affect the functionality.

Design Fundamentals
The causes for slow throughput in WANs are well known: high delay (round-trip time or
latency), limited bandwidth, and chatty application protocols.

RiOS is the software that powers the Steelhead appliance and Steelhead Mobile. With RiOS,
you can solve a range of problems affecting WANs and application performance, including:

insufficient WAN bandwidth.

inefficient transport protocols in high-latency environments.

inefficient application protocols in high-latency environments.

RiOS uses the following optimization techniques:

Data Streamlining

Transport Streamlining

Application Streamlining

Management Streamlining

All Steelhead appliance models have the following specifications that are used to determine
the amount of traffic that a single Steelhead appliance can optimize:

Number of concurrent TCP connections: Each Steelhead appliance model can optimize a certain
number of concurrent TCP connections. When planning corporate enterprise deployments,
Riverbed recommends that you use ratios of 5-15 connections per user if full optimization is
desired, depending on the applications being used.

WAN bandwidth rating: Each Steelhead appliance model has a limit on the rate at which it
pushes optimized data towards the WAN. This limit does not apply to pass-through traffic.

Datastore size: Each Steelhead appliance model has a fixed amount of disk space available for
RiOS SDR. For the best optimization possible, the Steelhead appliance datastore must be large
enough to hold all of the commonly accessed data at a site.

Deployment modes available for the Steelhead appliances include:

Physical In-Path: The Steelhead appliance is physically in the direct path between clients
and servers. A Steelhead appliance LAN interface connects to a LAN-side device (typically a
switch), and a corresponding Steelhead appliance WAN interface connects to a WAN connecting
device (typically a router).

Virtual In-Path: A redirection mechanism (like WCCP, PBR, or Layer-4 switching) is used to
place the Steelhead appliance virtually in the path between clients and servers. Traffic
moves in and out of the same WAN interface, and the LAN interface is not used.

Out-of-Path: The Steelhead appliance acts as a proxy. This type of deployment might be
suitable for locations where physical in-path or virtual in-path configurations are not
possible. Only the Primary interface is required to connect to the network, and the appliance
uses its primary IP address when communicating with the server. The Steelhead appliance can
be connected anywhere in the LAN. Fixed-target in-path rules are configured for the
client-side Steelhead appliance. The fixed-target in-path rules point to the primary IP
address of the out-of-path Steelhead appliance. The remote Steelhead appliance must be
deployed either in a physical or virtual in-path mode.

RiOS v6.0 and later offer the following options for configuring WAN visibility modes:

Correct Addressing: WAN-side connections use Steelhead appliance IP addresses and Steelhead
appliance server ports.

Port Transparency: WAN-side connections use Steelhead appliance IP addresses but use TCP
server ports that mirror the LAN-side connection.

Full Transparency: WAN-side connections mirror all IP addresses and TCP ports used on the
LAN-side connection.

Full Transparency with Forward Reset: The same as Full Transparency, plus an additional
packet during auto-discovery to aid with integration of stateful network devices on the WAN.

Steelhead Appliance
In-path rules: In-path rules determine the action a Steelhead appliance takes when a
connection is initiated, usually by a client.

Auto: Use the auto-discovery process to determine if a remote Steelhead appliance is able to
optimize the connection that this SYN packet is attempting to create.

Pass-through: Allow the SYN packet to pass through the Steelhead appliance. No optimization
is performed on the TCP connection initiated by this SYN packet.

Fixed-Target: Skip the auto-discovery process and use a specified remote Steelhead appliance
as an optimization peer. Fixed-target rules require the input of at least one remote target
Steelhead appliance; an optional backup Steelhead appliance might also be specified.

Deny: Drop the SYN packet and send a message back to its source.

Discard: Drop the SYN packet silently.

Peering rules: Peering rules determine how a Steelhead appliance reacts when it sees a probe
query.

Pass: The receiving Steelhead appliance does not respond to the probing Steelhead appliance,
and allows the SYN+ probe packet to continue through the network.

Accept: The receiving Steelhead appliance responds to the probing Steelhead appliance and
becomes the remote-side Steelhead appliance (that is, the peer Steelhead appliance) for the
optimized connection.

Auto: If the receiving Steelhead appliance is not using enhanced auto-discovery, this has the
same effect as the Accept peering rule action. If enhanced auto-discovery is enabled, the
Steelhead appliance only becomes the optimization peer if it is the last Steelhead appliance
in the path to the server.

Riverbed Services Platform


RSP uses VMware Server v2.0 as the virtualization platform. Both 32- and 64-bit versions of
the RSP installation image are available.
RSP offers branch-office-in-a-box services with the following benefits:

A VMware-based virtualization platform that provides the benefits of the most commonly
deployed and advanced virtualization tool set

Support for running up to five different additional services simultaneously on a single
Steelhead appliance, depending on the service and Steelhead appliance model

Support for more services and types of services, including in-band packages located in-line
with optimization such as the Universal Threat Management (UTM) security services, proxy
solutions such as video or network monitoring services, and improved support for out-of-band
packages such as Windows Active Directory, DNS and DHCP management software, and print
services

A comprehensive, integrated user interface that provides granular control of RSP, including
setup, reporting, and the definition of the data flow between services

2 GB additional memory on the Steelhead appliance is required for RSP.

You can perform high availability (HA) data synchronization only between Steelhead
appliances of the same model. RSP HA is only supported on Steelhead appliance models x50
and xx50.

Destination Network Address Translation (DNAT) rules are used for in-path proxy-based
solutions. You can add DNAT rules only for virtual in-path optimization VNIs.

Interceptor Appliance
The Interceptor is an in-path clustering solution used to provide virtual in-path clustering and
load balancing for Steelhead appliances that are physically deployed out of path.

Prior to Interceptor v3.0, the IC9350 supported up to 12 Gbps of total system throughput.
Interceptor v3.0 introduces a software-packet-processing enhancement feature called Xbridge.
Xbridge, when using 10 Gbps interfaces, provides up to 40 Gbps of total throughput: 20 Gbps
inbound and 20 Gbps outbound (enable Xbridge with the CLI command xbridge enable).
Pass-through traffic that is hardware-assisted (using the 10 Gbps interface network cards)
does not count towards this total. The IC9350 supports clusters up to 25 Steelheads, and can
redirect 1,000,000 simultaneous TCP connections.

The Interceptor does not perform optimization itself.

Central Management Console


The CMC facilitates administration tasks for groups of Steelhead appliances:

Configuration: Automatically configure new Steelhead appliances or send configuration
settings to appliances in remote offices. The CMC uses policies and groups to facilitate
centralized configuration and reporting.

Monitoring: Provides both high-level status and detailed statistics of the performance of
Steelhead appliances and enables you to configure event notification for managed Steelhead
appliances.

Management: Enables you to start, stop, restart, and reboot remote Steelhead appliances.

The CMC uses appliance policies and appliance groups to facilitate centralized configuration
and reporting of remote Steelhead appliances. Although an individual Steelhead appliance may
be a member of only one group at any time, groups are hierarchical; an appliance may inherit
settings from a parent group.

The following policy types are available:

Optimization Policy: Use optimization policies to manage optimization features such as the
datastore, in-path rules, and SSL settings, in addition to many others.

System Settings Policy: Use system settings policies to organize and manage system setting
features such as alarms, announcements, email notifications, log settings, and others.

Networking Policy: Use networking policies to manage networking features such as asymmetric
routing, DNS settings, host settings, QoS settings, and others.

Security Policy: Use security policies to manage appliances in which security is a key
component.

Branch Services Policy: Use branch services policies to control DNS caching, RSP slots, and
RSP data flow in branch Steelhead appliances.

Steelhead Mobile Controller


A Steelhead Mobile deployment consists of the following components:

Steelhead Mobile Controller: Each Mobile Controller supports up to 4000 concurrent users. The
Mobile Controller can be either a Steelhead Mobile Controller appliance or Virtual Steelhead
Mobile Controller.

Mobile Client

Steelhead Appliance

When you start the Mobile Client, it accesses the specified Mobile Controller to obtain a
license and a policy.

The endpoint client maintains a connection with the Mobile Controller to allow new policies
and updates to be downloaded from the Mobile Controller. This also enables the Mobile
Controller to monitor your endpoint clients and to upload logs from them.

License Consumption

A branch Mobile Client v2.0 connecting to a v2.0 or later Steelhead Mobile Controller does
not consume a license.
Branch clients have the mobile service enabled, but the client has detected a local Steelhead
appliance using Location Awareness. The branch clients will use the local Steelhead for
optimization instead of using a Steelhead Mobile license.

Mobile Controller Administration Tasks

The Mobile Controller facilitates the following administration tasks for your Mobile Clients:

Configuration: The Mobile Controller enables you to install, configure, and update Mobile
Clients in groups. The Mobile Controller uses endpoint policies, acceleration policies,
packages, and deployment groups to facilitate centralized configuration and reporting.

Monitoring: The Mobile Controller provides both high-level status and detailed statistics on
Mobile Client performance, and enables you to configure alerts for managed Mobile Clients.

Management: The Mobile Controller enables you to schedule software upgrades and configuration
changes to groups of Mobile Clients, or to collect logs from Mobile Clients.

Policies

Policies are sets of common configuration options that can be shared among different
Steelhead appliances and Steelhead Mobile Clients independently or through group
membership. A policy can be specific to a single Steelhead appliance or Steelhead Mobile
Client, or it can represent settings for all of the Mobile Clients and Steelhead appliances in
your enterprise environment.

The following policy types are available:

Acceleration Policies: Configuration templates you can use to configure groups of Mobile
Clients that have the same performance requirements. Acceleration policy settings include
In-path rules, MAPI settings, CIFS settings, HTTP optimization, SSL optimization, and
Location Awareness.

Endpoint Policies: Determine computer-specific software settings for endpoint clients (that
is, Windows or Mac PCs) in your network, such as the datastore size and the Mobile Controller
that the client connects to.
