Interceptor® Appliance Deployment Guide
June 2014
© 2014 Riverbed Technology, Inc. All rights reserved.
Riverbed®, SteelApp™, SteelCentral™, SteelFusion™, SteelHead™, SteelScript™, SteelStore™, Steelhead®, Cloud Steelhead®,
Virtual Steelhead®, Granite™, Interceptor®, Stingray™, Whitewater®, WWOS™, RiOS®, Think Fast®, AirPcap®, BlockStream™,
FlyScript™, SkipWare®, TrafficScript®, TurboCap®, WinPcap®, Mazu®, OPNET®, and Cascade® are all trademarks or
registered trademarks of Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any
Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to
their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed
or their respective owners.
Akamai® and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of
Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a
registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and
SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and
AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Juniper
Networks and Junos are registered trademarks of Juniper Networks, Incorporated in the United States and other countries. Linux
is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet
Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and
JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a
registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware,
ESX, ESXi are trademarks or registered trademarks of VMware, Inc. in the United States and in other countries.
This product includes Windows Azure Linux Agent developed by the Microsoft Corporation (http://www.microsoft.com/).
Copyright 2012 Microsoft Corporation.
This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech
AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
The Virtual Steelhead Mobile Controller includes VMware Tools. Portions Copyright © 1998-2013 VMware, Inc. All Rights
Reserved.
NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such
SDK which can be found at http://communities.netapp.com/docs/DOC-1152, and are included in a NOTICES file included
within the downloaded files.
For a list of open source software (including libraries) used in the development of this software along with associated copyright
and license agreements, see the Riverbed Support site at https://support.riverbed.com.
This documentation is furnished “AS IS” and is subject to change without notice and should not be construed as a commitment
by Riverbed. This documentation may not be copied, modified or distributed without the express authorization of Riverbed and
may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification,
disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to
civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation
qualifies as “commercial computer software documentation” and any use by the government shall be governed solely by these
terms. All other use is prohibited. Riverbed assumes no responsibility or liability for any errors or inaccuracies that may appear
in this documentation.
Riverbed Technology
680 Folsom Street
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801
Web: http://www.riverbed.com
Part Number: 712-00042-04
Contents
Preface
About This Guide
Audience
Document Conventions
Additional Resources
Release Notes
Riverbed Documentation and Support Knowledge Base
Online Documentation
Contacting Riverbed
Internet
Technical Support
Professional Services
Documentation
What Is New

Chapter 1 - Overview of the Interceptor Appliance
Overview of the Interceptor Appliance
Comparing WCCP, PBR, and Layer-4 Redirection Without Steelhead Appliances

Chapter 2 - Interceptor Appliance Deployment Design
Physical In-Path Interceptor Appliance Deployment
Overview of Physical In-Path Interceptor Appliance
Cabling and Duplex
IP Address and Gateway Selection
Default Gateway and Routing Configuration
EtherChannel and LACP
802.1Q VLAN Trunks
Physical In-Path Interceptor Appliance Failure Modes
Interceptor Appliance Link State Propagation
Virtual In-Path Interceptor Appliance Deployment
Overview of Virtual In-Path Interceptor Appliance
Unsupported Virtual In-Path Interceptor Appliance Deployment
In-Path Interceptor Appliance Failure Modes
Overview of Redirection and Optimization
Deployment Verification
GRE, MPLS, and VRF
QoS in an Interceptor Appliance Deployment

Chapter 3 - Interceptor Appliance Clusters
Steelhead Appliance Placement and Configuration
LAN-Side Versus WAN-Side Steelhead Appliance Placement
Layer-2 Versus Layer-3 Connectivity
Multiple Steelhead Appliance Link Support
Multiple Steelhead Appliance Support
Firewall and Monitoring Interaction
Relative Placement of a Firewall, Steelhead Appliance, and Interceptor Appliance
Disruptive Firewall Placements
Firewall Placement Best Practices
Interceptor Appliance Relationships
Deploying Failover Interceptor Appliances
Deploying Interceptor Appliances in Clusters
Unsupported Deployments
Cluster Member Failures
Standard Cluster Types
Deploying Series Interceptor Appliances
Deploying Parallel Interceptor Appliances with Fail-to-Block
Deploying Quad Interceptor Appliances
Deploying a Virtual In-Path Interceptor Appliance Cluster
Choosing a Cluster Type
Connection Forwarding Settings for Allow-Failure

Chapter 4 - Traffic Redirection
Overview of Traffic Redirection
Hardware-Assisted Pass-Through
In-Path Rules
Load-Balance Rules
Intra-Cluster Latency

Chapter 5 - VLAN Segregation
Overview of VLAN Segregation
Use Cases
VLAN Segregation Interceptor Appliance Cluster Virtualization
Feature Compatibility and Limitations
Deploying VLAN Segregation
Single Interceptor Appliance in VLAN Segregation
Interceptor Appliance Cluster in VLAN Segregation Mode

Chapter 6 - Authentication and Security
Overview of Security
Vulnerability Management
Overview of Authentication
Authentication Features
Configuring a RADIUS Server
Configuring a RADIUS Server with FreeRADIUS
Configuring RADIUS Authentication in the Interceptor Appliance
Configuring RADIUS CHAP Authentication
Configuring a TACACS+ Server
Configuring TACACS+ with Cisco Secure Access Control Servers
Configuring TACACS+ Authentication in the Interceptor Appliance
Securing Interceptor Appliances
Overview of Securing Interceptor Appliances
Best Practices for Securing Access to Interceptor Appliances
Best Practices for Enabling Interceptor Appliance Security Features
Best Practices for Security Monitoring
Configuring SSL Certificates for Web User Interface
Configuring SNMP v3 Authentication and Privacy

Chapter 7 - Best Practices for Interceptor Appliance Deployments
General Best Practices
Best Practices for VLAN Segregation
Installation and Verification Best Practices
Installing an Interceptor Appliance
Verifying the Configuration

Index

Preface
Welcome to the Interceptor Appliance Deployment Guide. Read this preface for an overview of the information
provided in this guide, the documentation conventions used throughout, additional resources, and contact
information. This preface includes the following sections:
“About This Guide” on page 1
“Additional Resources” on page 3
“Contacting Riverbed” on page 3
“What Is New” on page 4
About This Guide
The Interceptor Appliance Deployment Guide describes the Interceptor appliance, including how to design and
deploy an Interceptor and Steelhead appliance cluster.
Riverbed product names have changed. At the time of publication, the user interfaces of the products
described in this guide have not changed, and the original names are used in the text. For the product
naming key, see http://www.riverbed.com/products/?pid=Home_Hero:+New+Product+Names#Product_List.
This guide includes information relevant to the following products:
RiOS system (RiOS system)
Riverbed Steelhead appliance (Steelhead appliance)
Riverbed Steelhead CX appliance (Steelhead CX)
Riverbed Steelhead EX appliance (Steelhead EX)
Riverbed Virtual Steelhead (VSH)
Riverbed Cloud Steelhead (CSH)
Central Management Console (CMC)
Central Management Console Virtual Edition (CMC-VE)
Riverbed Steelhead Mobile software (Steelhead Mobile)
Riverbed Steelhead Mobile Controller (Mobile Controller)
Riverbed Steelhead Mobile Client (Mobile Client)
Riverbed Interceptor appliance (Interceptor appliance)
Riverbed Virtual Services Platform (VSP)
Riverbed Services Platform (RSP)
Audience
This guide is written for storage and network administrators familiar with administering and managing
WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS.
You must also be familiar with:
the Interceptor appliance. For details, see the Interceptor Appliance User’s Guide and the Interceptor
Appliance Installation Guide.
the Management Console. For details, see the Steelhead Appliance Management Console User’s Guide.
connecting to the RiOS CLI. For details, see the Riverbed Command-Line Interface Reference Manual.
the installation and configuration process for the Steelhead appliance. For details, see the Steelhead
Appliance Installation and Configuration Guide.
Important: The Interceptor appliance CLI commands used in the configuration examples use Interceptor v3.0 and later.
For information about Interceptor appliance versions prior to v3.0, see the appropriate version of the Interceptor
Appliance User’s Guide and the Riverbed Command-Line Interface Reference Manual.
Document Conventions
This guide uses the following standard set of typographical conventions.
Convention    Meaning
italics       Within text, new terms, emphasized words, and REST API URIs appear in italic typeface.
boldface      Within text, CLI commands, CLI parameters, and REST API properties appear in bold typeface.
Courier       Code examples appear in Courier font:
              amnesiac > enable
              amnesiac # configure terminal
< >           Values that you specify appear in angle brackets: interface <ipaddress>
[ ]           Optional keywords or variables appear in brackets: ntp peer <addr> [version <number>]
{ }           Required keywords or variables appear in braces: {delete <filename>}
|             The pipe symbol represents a choice to select one keyword or variable to the left or right of
              the symbol. The keyword or variable can be either optional or required:
              {delete <filename> | upload <filename>}
Additional Resources
This section describes resources that supplement the information in this guide. It includes the following:
“Release Notes” on page 3
“Riverbed Documentation and Support Knowledge Base” on page 3
“Online Documentation” on page 3
Release Notes
The online software release notes supplement the information in this manual. The release notes are
available in the Software section of the Riverbed Support site at https://support.riverbed.com. The
following table describes the release notes.
Release Notes                 Purpose
<product>_<version_number>    Describes the product release and identifies fixed problems, known problems,
<build_number>.pdf            and workarounds. This file also provides documentation information not
                              covered in the manuals or that has been modified since publication.
Examine this file before you begin the installation and configuration process. It includes important
information about this release of the Steelhead appliance.
Riverbed Documentation and Support Knowledge Base
For a complete list and the most current version of Riverbed documentation, go to the Riverbed Support
site at https://support.riverbed.com.
The Riverbed Knowledge Base is a database of known issues, how-to documents, system requirements, and
common error messages. You can browse titles or search for keywords and strings. To access the Riverbed
Knowledge Base, log in to the Riverbed Support site at https://support.riverbed.com.
Online Documentation
The Riverbed documentation set is periodically updated with new information. To access the most current
version of Riverbed documentation and other technical information, consult the Riverbed Support site at
https://support.riverbed.com.
Contacting Riverbed
This section describes how to contact departments within Riverbed.
Internet
You can learn about Riverbed products at http://www.riverbed.com.
Technical Support
If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your
channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling
1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States.
You can also go to https://support.riverbed.com.
Professional Services
Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign,
project management, custom designs, consolidation project design, and custom coded solutions. To contact
Riverbed Professional Services, email [email protected] or go to
http://www.riverbed.com/us/products/professional_services/.
Documentation
The Riverbed Technical Publications team continually strives to improve the quality and usability of
Riverbed documentation. Riverbed appreciates any suggestions you might have about its online
documentation or printed materials. Send documentation comments to [email protected].
What Is New
Since the last release of the Interceptor Appliance Deployment Guide (July 2013), the following changes have
been made:
Updated - “Overview of Redirection and Optimization” on page 22
Updated - “Deploying Quad Interceptor Appliances” on page 47
New - “Authentication and Security” on page 83