Interceptor Appliance User s Guide. Version April 2012

Transcription

1 Interceptor Appliance User s Guide Version April 2012

2 2012 Riverbed Technology. All rights reserved. Riverbed, Cloud Steelhead, Granite, Interceptor, RiOS, Steelhead, Think Fast, Virtual Steelhead, Whitewater, Mazu, Cascade, Cascade Pilot, Shark, AirPcap, SkipWare, TurboCap, WinPcap, Wireshark, and Stingray are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners. Akamai and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iseries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries. This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at and are included in a NOTICES file included within the downloaded files. For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https//support.riverbed.com. You must log in to Riverbed Support to view this information. This documentation is furnished AS IS and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as commercial computer software documentation and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation. Riverbed Technology 199 Fremont Street San Francisco, CA Phone: Fax: Web: Part Number

3 Contents Preface...1 About This Guide...1 Audience...1 Document Conventions...1 Product Dependencies and Compatibility...2 Hardware and Software Dependencies...3 Steelhead Appliance Compatibility...3 Ethernet Network Compatibility...3 SNMP-Based Management Compatibility...4 Antivirus Compatibility...4 Additional Resources...5 Release Notes...5 Riverbed Documentation and Support Knowledge Base...5 Contacting Riverbed...5 Internet...5 Technical Support...6 Professional Services...6 Documentation...6 Chapter 1 - Overview of the Interceptor Management Console...7 Connecting to the Interceptor Management Console...7 Home Page...9 Interceptor Appliance Command-Line Interface...11 Navigating in the Interceptor Management Console...11 Basic Procedures...13 Saving Your Configuration...13 Printing Pages and Reports...13 Restarting the Interceptor Service...13 Logging Out...13 Next Steps...14 Getting Help...14 Interceptor Appliance User s Guide iii

4 Contents Displaying Online Help...15 Chapter 2 - Configuring the Interceptor Appliance...17 Configuring Network Settings...17 Configuring Host Settings...18 Configuring the Base Interfaces...22 Configuring In-path...25 Configuring WCCP...28 Setting Port Labels...34 Configuring Interceptor-to-Interceptor Communication...37 Configuring Interceptor-to-Steelhead Communication...43 Configuring the Xbridge Feature...49 Configuring Optimization and Load Balancing...49 Overview: Configuring Traffic Redirection...50 Configuring General Service Settings...52 Configuring In-Path Rules...53 Setting Load-Balancing Rules...55 Setting Connection Tracing Rules...62 Configuring Hardware Assist Rules...63 Configuring System Settings...66 Creating Announcements...67 Setting Alarm Parameters...68 Setting SNMP Parameters and Trap Receivers...70 Creating SNMP v3 Users...72 Configuring Authentication and Access Control...74 Setting Up Notifications...78 Configuring Logging...79 Configuring Security Settings...84 Configuring General Security Settings...84 Managing User Permissions...85 Configuring RADIUS Server Authentication...86 Configuring TACACS+ Server Authentication...88 Configuring Web Settings...90 Maintaining Your System...91 Stopping, Starting, and Restarting the Service...91 Displaying Scheduled Jobs and Job Status...92 Managing Licenses...94 Upgrading Your Software...95 Rebooting and Shutting Down the Interceptor Appliance...96 Changing the Administrative Password...96 Managing Configuration Files...97 Chapter 3 - Displaying and Customizing Reports Displaying Networking Reports Displaying the Interceptors Report Displaying the Steelheads Report iv Interceptor Appliance User s Guide

5 Contents Displaying the Interface Counters Report Displaying Diagnostics Reports Displaying Alarm Status Reports Displaying Connection Tracing Reports Displaying CPU Utilization Reports Displaying Memory Paging Reports Viewing Logs Downloading Logs Viewing the System Dumps List Viewing the Process Dumps List Viewing the TCP Dumps List Exporting Report Data Appendix A - Interceptor MIB Accessing MIB Files SNMP Traps Index Interceptor Appliance User s Guide v

6 Contents vi Interceptor Appliance User s Guide

7 Preface Welcome to the Interceptor Appliance User s Guide. Read this preface for an overview of the information provided in this guide and the documentation conventions used throughout, hardware and software dependencies, additional reading, and contact information. This preface includes the following sections: About This Guide on page 1 Product Dependencies and Compatibility on page 2 Additional Resources on page 5 Contacting Riverbed on page 5 About This Guide The Interceptor Appliance User s Guide describes how to configure and monitor the Interceptor appliance using the Management Console. Audience This guide is written for storage and network administrators familiar with administering and managing WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS. You must also be familiar with administering and managing a network of deployed Steelhead appliances as described in the Steelhead Appliance Installation and Configuration Guide. Document Conventions This guide uses the following standard set of typographical conventions. Convention italics boldface Courier Meaning Within text, new terms and emphasized words appear in italic typeface. Within text, CLI commands and GUI controls appear in bold typeface. Code examples appear in Courier font: amnesiac > enable amnesiac # configure terminal Interceptor Appliance User s Guide 1

8 Preface Product Dependencies and Compatibility Convention Meaning < > Values that you specify appear in angle brackets: interface <ipaddress> [ ] Optional keywords or variables appear in brackets: ntp peer <addr> [version <number>] { } Required keywords or variables appear in braces: {delete <filename> upload <filename>} The pipe symbol represents a choice between the keyword or variable to the left or right of the symbol (the keyword or variable can be either optional or required): {delete <filename> upload <filename>} Product Dependencies and Compatibility This section provides information about product dependencies and compatibility. It includes the following information: Hardware and Software Dependencies on page 3 Steelhead Appliance Compatibility on page 3 Ethernet Network Compatibility on page 3 SNMP-Based Management Compatibility on page 4 Antivirus Compatibility on page 4 2 Interceptor Appliance User s Guide

9 Product Dependencies and Compatibility Preface Hardware and Software Dependencies The following tables summarize the hardware and software requirements for the Interceptor appliance. Riverbed Component Interceptor appliance Interceptor Management Console Hardware and Software Requirements 19-inch (483 mm) two- or four-post rack. Any computer that supports a Web browser with a color image display. The Management Console has been tested with Mozilla Firefox v3.6 and Microsoft Internet Explorer v7 and v8. JavaScript and cookies must be enabled in your Web browser. Riverbed CLI Hardware Requirements One of the following: An ASCII terminal or emulator that can connect to the serial console (9600 baud, 8 bits, no parity, 1 stop bit, and no flow control) A computer with a Secure Shell (ssh) client that is connected by an IP network to the appliance primary interface Software and Operating System Requirements Secure Shell (ssh). Free ssh clients include PuTTY for Windows computers, OpenSSH for many UNIX and UNIX-like operating systems, and Cygwin. Steelhead Appliance Compatibility The Interceptor appliance is compatible with Steelhead appliance version 2.1.x and later. Ethernet Network Compatibility The Interceptor appliance supports the following Ethernet networking standards: Ethernet Logical Link Control (LLC) (IEEE ) Fast Ethernet 100 Base-TX (IEEE ) Gigabit Ethernet over Copper 1000 Base-T and Fiber 1000 Base-SX (LC connector) and Fiber 1000 Base LX (IEEE ) 10 Gigabit Ethernet over Fiber 10GBase-LR Single Mode and 10GBase-SR Multimode (IEEE ) The Interceptor appliance ports support the following connection types and speeds: Primary - 10/100/1000 Base-T, auto-negotiating Auxiliary - 10/100/1000 Base-T, auto-negotiating LAN - 10/100/1000 Base-TX or 1000 Base-SX or 1000 Base-LX or 10GBase-LR or 10GBase-SR, depending on configuration WAN - 10/100/1000 Base-TX or 1000 Base-SX or 1000 Base-LX or 10GBase-LR or 10GBase-SR, depending on configuration The Interceptor appliance supports VLAN Tagging (IEEE 802.1Q ). It does not support the ISL protocol. Interceptor Appliance User s Guide 3

10 Preface Product Dependencies and Compatibility All copper interfaces are auto-sensing for speed and duplex (IEEE ). The Interceptor appliance auto-negotiates speed and duplex mode for all data rates and supports full duplex mode and flow control (IEEE ). The Interceptor appliance with a Gigabit Ethernet card supports jumbo frames on in-path and primary ports. SNMP-Based Management Compatibility The Interceptor appliance supports a proprietary Riverbed MIB accessible through SNMP. SNMPv1 (RFCs 1155, 1157, 1212, and 1215), SNMPv2c (RFCs 1901, 2578, 2579, 2580, 3416, 3417, and 3418), and SNMPv3 are supported, although some MIB items might only be accessible through SNMPv3 and SNMPv2. SNMP support allows the Steelhead appliance to be integrated into network management systems such as Hewlett Packard OpenView Network Node Manager, BMC Patrol, and other SNMP-based network management tools. Antivirus Compatibility Because it does not process TCP sessions, the Interceptor appliance has no compatibility issues with antivirus software. The Steelhead appliance has been tested with the following antivirus software with no impact on performance: Network Associates (McAfee) VirusScan v7.0.0 Enterprise on the server Network Associates (McAfee) VirusScan v7.1.0 Enterprise on the server Network Associates (McAfee) VirusScan v7.1.0 Enterprise on the client Symantec (Norton) AntiVirus Corporate Edition v8.1 on the server The Steelhead appliance has been tested with the following antivirus software with moderate impact on performance: F-Secure Anti-Virus v5.43 on the client F-Secure Anti-Virus v5.5 on the server Network Associates (McAfee) NetShield v4.5 on the server Network Associates VirusScan v4.5 for multiple platforms on the client Symantec (Norton) AntiVirus Corporate Edition v8.1 on the client 4 Interceptor Appliance User s Guide

11 Additional Resources Preface Additional Resources This section describes resources that supplement the information in this guide. It includes the following information: Release Notes on page 5 Riverbed Documentation and Support Knowledge Base on page 5 Release Notes The following online file supplements the information in this guide. It is available on the Riverbed Support site at Online File <product>_<version_number> <build_number>.pdf Purpose Describes the product release and identifies fixed problems, known problems, and work-arounds. This file also provides documentation information not covered in the guides or that has been modified since publication. Examine this file before you begin installation and configuration. It contains important information about this release of the Steelhead appliance. Riverbed Documentation and Support Knowledge Base For a complete list and the most current version of Riverbed documentation, log in to the Riverbed Support site at The Riverbed Knowledge Base is a database of known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. To access the Riverbed Knowledge Base, log in to the Riverbed Support site at Contacting Riverbed This section describes how to contact departments within Riverbed. Internet You can learn about Riverbed products at Interceptor Appliance User s Guide 5

12 Preface Contacting Riverbed Technical Support If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling RVBD-TAC ( ) in the United States and Canada or outside the United States. You can also go to Professional Services Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, proserve@riverbed.com or go to Documentation The Riverbed Technical Publications team continually strives to improve the quality and usability of Riverbed documentation. Riverbed appreciates any suggestions you might have about its online documentation or printed materials. Send documentation comments to techpubs@riverbed.com. 6 Interceptor Appliance User s Guide

13 CHAPTER 1 Overview of the Interceptor Management Console This chapter provides an overview of the Interceptor Management Console. It includes the following sections: Connecting to the Interceptor Management Console on page 7 Interceptor Appliance Command-Line Interface on page 11 Navigating in the Interceptor Management Console on page 11 Basic Procedures on page 13 In the menu bar, click Logout to end your session. on page 13 Getting Help on page 14 Connecting to the Interceptor Management Console You can connect to the Interceptor Management Console through any supported Web browser. To connect to the Interceptor Management Console, you must know the URL for the Interceptor appliance primary interface and administrator password that you assigned during the initial setup of the Interceptor appliance. Note: Cookies and JavaScript must be enabled in your Web browser. To log in 1. Enter the URL for the Interceptor Management Console in the location box of your Web browser. The format of the URL is <protocol>://<ip-address>, specified as follows: For <protocol>, specify http or https. HTTPS uses the SSL protocol to ensure a secure environment. If you use HTTPS to connect, you are prompted to inspect and verify the SSL key. For <ip-address>, specify the IP address for the primary interface of the Interceptor appliance. Interceptor Appliance User s Guide 7

14 Overview of the Interceptor Management Console Connecting to the Interceptor Management Console The Interceptor Management Console appears, displaying a login dialog box. Figure 1-1. Login Page 2. Specify the user login: admin, monitor, or a login from a RADIUS or TACACS+ database. The default login is admin. Users with administrator (admin) privileges can configure and administer the Interceptor appliance. Users with monitor (monitor) privileges can display Interceptor appliance reports and system logs. 3. Specify the password you assigned when you performed the initial setup. The Interceptor appliance is shipped with the default password: password. 4. Click Login to display the Home page. The Home page summarizes the current status of your system and provides links to alarms, system logs, and Riverbed Technical Support information. 8 Interceptor Appliance User s Guide

15 Connecting to the Interceptor Management Console Overview of the Interceptor Management Console Home Page When you first log in, the Interceptor Management Console displays the Home page. Figure 1-2. Welcome Page The Home page provides the following status on the Interceptor system. Field System Up Time Service Up Time Temperature CMC Displays the total time the system has been active. Displays the state of the Interceptor service: System Up Time - The total time the Interceptor appliance has been running. Not Running - To restart the Interceptor service, see Stopping, Starting, and Restarting the Service on page 91. The temperature of the appliance in Centigrade. Displays the CMC hostname and IP address (if you have one in your network). Interceptor Appliance User s Guide 9

16 Overview of the Interceptor Management Console Connecting to the Interceptor Management Console Field Interceptors Steelheads Displays information about this Interceptor appliance and any other local Interceptor appliances in your network: Name - The name of an Interceptor appliance appears in this field. Contact - The state of the control connection between the Interceptor appliance and either its failover Interceptor, a connection forwarding Interceptor, or a Steelhead appliance in the cluster is one of the following values: Active - The Interceptor appliance is currently forwarding connections. Connected - The Interceptor appliance is able to forward connections. Handshake Resyncing. A connection has been established and the Interceptor appliance is receiving the state information from the Steelhead appliances. Connecting - The Interceptor appliance is in the process of establishing a connection with the cluster appliance. Incompatible. Disconnected - The Interceptor appliance is not connected to a cluster appliance (another Interceptor in the same cluster or a local Steelhead) for which a connection has been configured. Displays information about the local cluster Steelhead appliances for which this Interceptor appliance monitors capacity and balances load: Name. Displays the name of a Steelhead appliance. Version. Displays the number of the software version running on the Steelhead appliance. Connections. Displays the ratio of the other Steelhead appliance s optimized connections to its admission control limit after capacity reduction (an Interceptor strategy for relieving or avoiding pressure) is applied to the Steelhead appliance. The ratio displayed represents the capacity remaining after pressure penalties are factored in. Pressure. Displays the pressure value of the other Steelhead appliance. Pressure parameters that are measured include available memory, CPU utilization, disk load, and number of connections. All pressures are treated equally, and the Interceptor sends a consolidated message to indicate one of the following states: normal, high, or severe. Contact. Displays the state of the control connection between the Steelhead appliance and this Interceptor appliance. 10 Interceptor Appliance User s Guide

17 Interceptor Appliance Command-Line Interface Overview of the Interceptor Management Console Interceptor Appliance Command-Line Interface The Interceptor appliance has a subset of CLI commands available for configuring the system. For details, see the Riverbed Command-Line Interface Reference Manual. Note: The Interceptor CLI cannot be used to configure supported Steelhead appliances. It can only be used to configure the Interceptor appliance. Navigating in the Interceptor Management Console Navigate to the tools and reports available to you in the Interceptor appliance by using cascading menus. To display cascading menus 1. Click the item in the menu bar to display the submenus. For example, click Reports to display the submenus Networking, Diagnostic, and Export submenus. The menu item that is currently active is differentiated by a different tone of color. 2. To go to a page, slide your mouse down to the submenu item you want to display and click the menu name. For example, under Configure > Optimization > General Service Settings, choose In-Path Rules to display the General Service Settings page. The following figure illustrates cascading menus in the Interceptor appliance. Figure 1-3. Cascading Menus. Interceptor Appliance User s Guide 11

18 Overview of the Interceptor Management Console Navigating in the Interceptor Management Console The following table summarizes the cascading menus. Menu Home Configure Submenus Displays the Home page. Networking - Configure host settings (hostname, DNS servers, hosts, proxies, and the date and time) and network interfaces (primary interface and routing). Define Interceptor appliances and Steelhead appliances and failover settings. For details, see Configuring Network Settings on page 17. Optimization - Configure in-path rules, load balancing rules, connection tracing rules, and hardware assist rules. For details, see Configuring Optimization and Load Balancing on page 49. System Settings - Configure alarm settings, announcements, settings, log settings, monitored ports, SNMP settings, and Web settings from this menu. For details, see Configuring System Settings on page 66. Security - Configure general security parameters, RADIUS, TACACS+, and the secure vault from this menu. For details, see Configuring Security Settings on page 84. Maintenance - Start and stop system services, schedule jobs, upgrade software, backup configurations, and reboot or shut down the appliance from this menu. For details, see Maintaining Your System on page 91. My Account - Modify administrator user password. For details, see Changing the Administrative Password on page 96. Configurations - Manage configuration files for the system from this menu. For details, see Managing Configuration Files on page 97. Reports Networking - Create and display reports for connection tracing, local Interceptor appliances, local Steelhead appliances and interface statistics from this menu. For details, see Displaying Networking Reports on page 101. Diagnostics - Display and download Steelhead diagnostic reports such as user and system logs, alarms status, system snapshots, system dumps, TCP dumps, and user permissions from this menu. For details, see Displaying Diagnostics Reports on page 109. Export - Export reports from this menu. For details, see Exporting Report Data on page 127. Support Displays online help, contact information for Riverbed Support, appliance details such as the model, revision type, serial number, and software version, and appliance MIB files from this menu. For details, see Getting Help on page Interceptor Appliance User s Guide

19 Basic Procedures Overview of the Interceptor Management Console Basic Procedures This section describes the following basic procedures: Saving Your Configuration on page 13 Printing Pages and Reports on page 13 Restarting the Interceptor Service on page 13 Logging Out on page 13 Saving Your Configuration The Save icon on the menu bar saves the configurations. For details, see Managing Configuration Files on page 97 files. Printing Pages and Reports You can print Interceptor appliance pages and reports using the print option on your Web browser. To print pages and reports Choose File > Print in your Web browser to open the Print dialog box. Restarting the Interceptor Service Some configuration settings apply to the Interceptor service. The Interceptor service is a daemon that executes in the background, performing operations when required. If the new settings require you to restart the Interceptor service, the Restart icon and text in the menu bar display in bold orange as a reminder. For details, see Stopping, Starting, and Restarting the Service on page 91. Tip: Typically, you restart the Interceptor service whenever your configuration changes affect network IP addresses or interface configurations, or when you add a failover Interceptor. Otherwise, you do not need to restart the service. Logging Out In the menu bar, click Logout to end your session. Interceptor Appliance User s Guide 13

20 Overview of the Interceptor Management Console Next Steps Next Steps After you are familiar with the Interceptor Management Console user interface, you can use the subsequent sections in this guide to assist you in completing the following initial deployment steps. Step Reference 1. Configure in-path rules. Order your list so that you pass-through or deny traffic you do not want to optimize first; then list redirect rules for traffic you do want to optimize. Configuring In-Path Rules on page Configure Interceptor-to-Steelhead communication. Configuring Interceptor-to-Steelhead Communication on page Configure Interceptor-to-Interceptor communication (if your deployment includes failover or support for clusters when parallel routes are taken). Configuring Interceptor-to-Interceptor Communication on page Configure load-balancing rules. Setting Load-Balancing Rules on page Review and, if you choose, modify the Interceptor appliance default host and networking settings. Configuring Network Settings on page Configure Steelhead-to-Interceptor communication. Configuring Steelhead-to-Interceptor Communication on page Verify connections among your network devices by viewing Interceptor Management Console reports. Displaying and Customizing Reports on page 101 Tip: From the Interceptor CLI, you can run the following command to check for configuration errors in your deployment: debug validate deployment Getting Help The Support tab provides you with the following options: Online Help - Displays online help and links to documentation on the Riverbed support site. Technical Support - Displays links and contact information for Riverbed Support. Appliance Details - Displays appliance information such as the model number, hardware revision type, serial number, and the software version number currently installed on the appliance. MIB Files - Displays Riverbed and appliance MIB files in text format. 14 Interceptor Appliance User s Guide

21 Getting Help Overview of the Interceptor Management Console Displaying Online Help The Interceptor appliance provides page level help for the appliance. You can also display an online help book for the Interceptor appliance. To display online help in the Interceptor appliance Click the question mark (?) icon next to the page heading. The help for the page appears in a new browser window. To display the online help book 1. Click Support in the menu bar to display the Support page. 2. Click the Book icon for Browser-based online help to display the online help book for the appliance. 3. Go to the item you want to view using the left-pane table of contents. For the most up-to-date documentation for the Interceptor appliance, see the Riverbed Support Web site at Interceptor Appliance User s Guide 15

22 Overview of the Interceptor Management Console Getting Help 16 Interceptor Appliance User s Guide

23 CHAPTER 2 Configuring the Interceptor Appliance This chapter describes how to modify Interceptor appliance settings, manage configurations, upgrade software, and stop and start the Interceptor appliance. It includes the following sections: Configuring Network Settings on page 17 Configuring Optimization and Load Balancing on page 49 Configuring System Settings on page 66 Configuring Security Settings on page 84 Maintaining Your System on page 91 Changing the Administrative Password on page 96 Managing Configuration Files on page 97 Note: This chapter assumes you have installed and performed the initial configuration of the Interceptor appliance. For details, see the Interceptor Appliance Installation and Configuration Guide. Configuring Network Settings The following section describes how to configure network settings in the Interceptor Management Console. It includes the following sections: Configuring Host Settings on page 18 Configuring the Base Interfaces on page 22 Configuring In-path on page 25 Configuring WCCP on page 28 Setting Port Labels on page 34 Configuring Interceptor-to-Interceptor Communication on page 37 Configuring Interceptor-to-Steelhead Communication on page 43 Configuring the Xbridge Feature on page 49 Interceptor Appliance User s Guide 17

24 Configuring the Interceptor Appliance Configuring Network Settings Configuring Host Settings You can view and modify general host settings in the Host Settings page. When you initially run the installation wizard, you set required network host settings for the Interceptor appliance. You can configure or modify the following settings: Name - Modify the hostname only if your deployment requires it. DNS Settings - Riverbed recommends that you use DNS resolution. Hosts - If you do not use DNS resolution, or if the host does not have a DNS entry, you can add additional hosts to the system. Proxies - Configure proxy addresses for Web or FTP proxy access to the Interceptor appliance. Date and Time - Riverbed recommends that you configure NTP time synchronization. To modify general host settings Choose Configure > Networking > Host Settings to display the Host Settings page. Figure 2-1. Host Settings Page To change the hostname 1. Choose Configure > Networking > Host Settings to display the Host Settings page. 2. Under Name, modify the hostname in the Hostname field, if necessary. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. 18 Interceptor Appliance User s Guide

25 Configuring Network Settings Configuring the Interceptor Appliance To specify DNS settings 1. Choose Configure > Networking > Host Settings to display the Host Settings page. Figure 2-2. Host Settings Page 2. Under DNS Settings, complete the configuration as described in the following table. Control Primary DNS Server IP Address Secondary DNS Server IP Address Tertiary DNS Server IP Address DNS Domain List Specify the IP address for the primary name server. Optionally, specify the IP address for the secondary name server. Optionally, specify the IP address for the tertiary name server. Specify an ordered list of domain names. If you specify domains, the system automatically finds the appropriate domain for each of the hosts that you specify in the system. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. Interceptor Appliance User s Guide 19

26 Configuring the Interceptor Appliance Configuring Network Settings To add a new host 1. Choose Configure > Networking > Host Settings to display the Host Settings page. Figure 2-3. Host Settings 2. Under Hosts, complete the configuration as described in the following table. Control Add a New Host IP Address Hostname Add Remove Selected Displays the controls for adding a new host. Specify the IP address for the host. Specify a hostname. Adds the host. Select the check box next to the name, and then select Remove Selected. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. To add a proxy 1. Choose Configure > Networking > Host Settings to display the Host Settings page. 2. Under Proxies, complete the configuration as described in the following table. Control Web/FTP Proxy IP Address Port Specify the IP address for the Web/FTP proxy. Specify the port for the Web/FTP proxy. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. 20 Interceptor Appliance User s Guide

27 Configuring Network Settings Configuring the Interceptor Appliance To configure the date and time 1. Choose Configure > Networking > Host Settings to display the Host Settings page. Figure 2-4. Date and Time Settings 2. Under Date and Time, complete the configuration as described in the following table. Control Use NTP Time Synchronization Add a New NTP Server - Click to display the controls to add a server. Hostname or IP Address - Specify the hostname or IP address for the NTP server. Version - Select the NTP server version from the drop-down list: 3 or 4 Enabled - Enables the connection to the NTP server. Add - Adds the NTP server to the table list. Remove Selected - Select the check box next to the name and click Remove Selected. Set Time Manually Date - Specify the date in the following format: YYYY/MM/DD 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. Time - Specify the time in the following format: HH:MM:SS Time Zone - Select the time zone from the drop-down list. The default is US/Pacific. If you change the time zone, log messages retain the old time zone until you reboot the system. Interceptor Appliance User s Guide 21

28 Configuring the Interceptor Appliance Configuring Network Settings Important: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file (or Save As any filename you choose). For detailed information about saving configurations, see Managing Configuration Files on page 97. Configuring the Base Interfaces You can view and modify settings for the Primary and Auxiliary interfaces in the Base Interfaces page. On the appliance, the primary interface is the port you connect to the LAN switch. The primary interface is the appliance management interface. You connect to the primary interface to use the Web UI or the CLI. To configure network interface settings 1. Choose Configure > Networking > Base Interfaces to display the Base Interfaces page. Figure 2-5. Base Interfaces Page 2. Under Primary Interface, complete the configuration as described in the following table. Control Enable Primary Interface Obtain IP Address Automatically Enables the primary interface. Specify this option to automatically obtain the IP address from a DHCP server. A DHCP server must be available so that the system can request the IP address from it. Important: The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces cannot share the same network subnet. 22 Interceptor Appliance User s Guide

29 Configuring Network Settings Configuring the Interceptor Appliance Control Specify IP Address Manually Speed Duplex MTU (Bytes) Specify this option if you do not use a DHCP server to set the IP address. Specify the following settings: IP Address - Specify an IP address. Subnet Mask - Specify a subnet mask. Primary Gateway IP - Specify the primary gateway IP address. The primary gateway must be in the same network as the primary interface. You must set the primary gateway for in-path configurations. Select a speed from the drop-down list. The default value is Auto. Select Auto, Full, or Half from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. If they do not match, you might have a large number of errors on the interface when it is in bypass mode, because the switch and the router are not set with the same duplex settings. Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is Scroll down to the Auxiliary Interface panel. Figure 2-6. Auxiliary Interface panel 4. Under Auxiliary Interface, complete the configuration as described in the following table. Control Enable Aux Interface Obtain IP Address Automatically Enables an auxiliary interface. Specify this option to set the appliance to automatically obtain the IP address. Important: The primary and auxiliary interfaces cannot share the same network subnet. The auxiliary and in-path interfaces cannot share the same subnet. You cannot use the auxiliary port for out-of-path Interceptor appliances. Interceptor Appliance User s Guide 23

30 . Configuring the Interceptor Appliance Configuring Network Settings Control Specify IP Address Manually Speed Duplex MTU (Bytes) Specify the following settings: IP Address - Specify an IP address. Subnet Mask - Specify a subnet mask. Specify this option if you do not use a DHCP server to set the IP address. Select the speed from the drop-down list. The default value is Auto. Select Auto, Full or Half from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is Click Apply to apply the settings to the current configuration. 6. Click Save to save your changes permanently. 7. Under Main Routing Table, you can configure a static routing for out-of-path deployments or if your device management network requires static routes. Figure 2-7. Main Routing Table panel You can add or remove routes from the list as described in the following table. Control Add a New Route Destination IP Address Subnet Mask Gateway IP Address Displays the controls for adding a new route. Specify the destination IP address for the out-of-path appliance or network management device. Specify the subnet mask. Specify the IP address for the gateway. 24 Interceptor Appliance User s Guide

31 Configuring Network Settings Configuring the Interceptor Appliance Control Add Remove Selected Adds the route to the table list. Select the check box next to the name and click Remove Selected. 8. Click Save to save your changes permanently. Configuring In-path You can view and modify settings for the appliance in-path interfaces in the In-Path <slot> page. You configure in-path interfaces for deployments where the Interceptor appliance is in the direct path (the same subnet) as the client and the server in your network. Note: You must select an enabled in-path interface for Interceptor-to-Interceptor communication. This requirement applies whether the appliance is deployed as a failover Interceptor or a cluster Interceptor, or if the appliance is deployed as a single Interceptor appliance that does not communicate with other Interceptor appliances. For more information, see Configuring Interceptor-to-Interceptor Communication on page 37. To display and modify the configuration for in-path interfaces 1. Choose Configure > Networking > Inpath <slot> to display the In-Path <slot> page. Figure 2-8. Inpath 0_0 Page Interceptor Appliance User s Guide 25

32 Configuring the Interceptor Appliance Configuring Network Settings 2. Under inpath0_0 Interface, complete the configuration as described in the following table. Control Obtain IP Address Automatically Specify IP Address Manually LAN Speed and Duplex WAN Speed and Duplex MTU (Bytes) Specify this option to automatically obtain the IP address from a DHCP server. (A DHCP server must be available so that the Interceptor appliance can request the IP address from it.) Important: The primary and in-path interfaces can share the same subnet. The primary and auxiliary interfaces cannot share the same network subnet. Specify the following settings if you do not use a DHCP server to set the IP address: IP Address - Specify an IP address. This IP address is the in-path main interface. Subnet Mask - Specify the subnet mask. In-Path Gateway IP - Specify the IP address for the in-path gateway. If you have a router (or a Layer-3 switch) on the LAN side of your network, specify this device as the in-path gateway. Important: If there is a routed network on the LAN-side of the in-path appliance, the router that is the default gateway for the appliance must not have the ACL configured to drop packets from the remote hosts as its source. The in-path appliance uses IP masquerading to appear as the remote server. Specify the following settings for the LAN and WAN ports: Speed - Select Auto, 1000, 100, or 10 from the drop-down list. The default value is Auto. Duplex - Select Auto, Full, or Half from the drop-down list. The default value is Auto. If your network routers or switches do not automatically negotiate the speed and duplex, be sure to set them on the device manually. The speed and duplex must match (LAN and WAN) in an in-path configuration. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. Note: Speed and duplex mismatches can easily occur in a network. For example, if one end of the link is set at half or full-duplex and the other end of the link is configured to auto negotiate (auto), the link defaults to half-duplex, regardless of the duplex setting on the non-auto-negotiated end. This duplex mismatch passes traffic, but it causes interface errors and results in degraded optimization. The following guidelines can help you avoid speed and duplex mismatches when configuring the Interceptor appliance: Routers are often configured with fixed speed and duplex settings. Check your router configuration and set it to match the Interceptor appliance WAN and LAN settings. Make sure your switch has the correct setting. After you finish configuring the Interceptor appliance, check for speed and duplex error messages (crc or frame errors) in the System Log page of the Management Console. If there is a serious problem with the Interceptor appliance and it goes into bypass mode (that is, it automatically continues to pass traffic through your network), a speed and duplex mismatch might occur when you reboot the Interceptor appliance. To avoid a speed and duplex mismatch, configure your LAN external pair to match the WAN external pair. Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. Applies to optimized traffic only. The default value is Interceptor Appliance User s Guide

33 Configuring Network Settings Configuring the Interceptor Appliance Control VLAN Tag ID Failure Condition Specify a numeric VLAN Tag ID. When you specify the VLAN Tag ID for the MIP interface, all packets originating from the Interceptor appliance are tagged with that identification number. Specify the VLAN tag that the appliance uses to communicate with other Interceptor appliances in your network. The VLAN Tag ID might be the same value or a different value than the VLAN tag used on the client. A zero (0) value specifies non-tagged (or native VLAN) and is the correct setting if there are no VLANs present. For example, if the in-path interface is in VLAN 200, you would specify tag 200. Note: When the Interceptor appliance communicates with a client or a server it uses the same VLAN tag as the client or the server. If the Interceptor appliance cannot determine which VLAN the client or server is in, it uses its own VLAN until it is able to determine that information. You must also define in-path rules to apply to your VLANs. Specify the failure condition: Block - Enables fail-to-block mode. A failed Interceptor appliance passes through network traffic. Bypass - Enables fail-to-wire mode. A failed Interceptor appliance blocks any network traffic on its path, as opposed to passing them through. The default value is Bypass. The Interceptor appliance supports the same concepts of fail-to-block and fail-towire as the Steelhead appliance. In physical in-path deployments, the Interceptor appliance LAN and WAN ports that traffic flows through are internally connected by circuitry that can take special action in the event of a disk failure, a software crash, a runaway software process, or even loss of power to the Interceptor appliance. If a serious failure occurs on the Interceptor appliance, the appliance either passes traffic through (for fail-to-wire mode) or prevents traffic from passing (for fail-to-block mode). Tip: In a parallel configuration, fail-to-block should be enabled to force all traffic through a cluster Interceptor appliance, thereby enabling optimization to continue. Tip: In a serial or quad configuration, fail-to-wire should be enabled to pass all traffic through to the cluster or failover Interceptor appliance, thereby enabling optimization to continue. Tip: After you apply your settings, you can verify whether changes have had the desired effect by reviewing related reports. When you have verified appropriate changes, you can write the active configuration that is stored in memory to the active configuration file (or you can save it as any filename you choose). For detailed information about saving configurations, see Managing Configuration Files on page Under Routing Table for <interface name>, you can configure a static routing table for in-path interfaces. You can add routes to or remove routes from the list, as described in the following table. Control Add a New Route Destination IP Address Subnet Mask Displays the controls to add a route. Specify the destination IP address. Specify the subnet mask. Interceptor Appliance User s Guide 27

34 Configuring the Interceptor Appliance Configuring Network Settings Control Gateway IP Address Add Remove Selected Specify the IP address for the gateway. The gateway must be in the same network as the in-path interface. Adds the route to the table list. Select the check box next to the name and click Remove Selected. 4. Click Save to save your settings permanently. Configuring WCCP You can enable WCCP service groups in the WCCP page. WCCP enables you to redirect traffic that is not in the direct physical path between the client and the server. To enable WCCP, the Interceptor appliance must join a service group at the router. A service group is a group of routers and Interceptor appliances which define the traffic to redirect, and the routers and Interceptor appliances the traffic goes through. You might use one or more service groups to redirect traffic to the Steelheads for optimization. WCCP configuration allows all the Interceptor appliance in-path interfaces to be individually configured as a WCCP Client. Each configured in-path interface participates in WCCP service groups as an individual WCCP client, providing redundancy and flexibility to balance the redirected traffic load among in-path interfaces. Enabling WCCP is optional. Tip: You can also use the CLI to configure WCCP service groups. For detailed configuration information (including configuring the WCCP router), see the Riverbed Deployment Guide. To enable a WCCP service group Important: Before configuring your WCCP service group, you must enable L4/PBR/WCCP support on the General Service Settings page. For details, see Configuring General Service Settings on page Interceptor Appliance User s Guide

35 Configuring Network Settings Configuring the Interceptor Appliance 1. Choose Configure > Networking > WCCP to display the WCCP page. Figure 2-9. WCCP Page 2. Under WCCP Service Groups, complete the configuration as described in the following table. Control Enable WCCP v2 Support Multicast TTL Enables WCCP v2 support on all groups added to the Service Group list. Specify the TTL boundary for the WCCP protocol packets. The default value is Click Apply to save your settings to the running configuration. Interceptor Appliance User s Guide 29

36 Configuring the Interceptor Appliance Configuring Network Settings To add, modify, or remove a service group 1. Under WCCP groups, complete the configuration as described in the following table. Control Add a New Service Group Interface Service Group ID Protocol Password/Password Confirm Priority Displays the controls for adding a new service group. Select a Interceptor appliance interface to participate in a WCCP service group. You must include an interface with the service group ID. More than one Interceptor appliance in-path interface can participate in the same service group. For WCCP configuration examples, see the Riverbed Deployment Guide. If multiple Interceptor appliances are used in the topology, they must be configured as part of the cluster. Enables WCCP v2 support on all groups added to the Service Group list. Specify a number from 0 to 255 to identify the service group on the router. A value of 0 specifies the standard HTTP service group. Riverbed recommends that you use WCCP service groups 61 and 62. Note: The service group ID is local to the site where WCCP is used. Note: The service group number is not sent across the WAN. Select one of the following traffic protocols: TCP UDP ICMP The default traffic protocol is TCP. Optionally, assign a password to the Interceptor appliance interface. This password must be the same password that is on the router. WCCP requires that all routers in a service group have the same password. Passwords are limited to 8 characters. Specify the WCCP priority for traffic redirection. If a connection matches multiple service groups on a router, the router chooses the service group with the highest priority. The range is The default value is 200. The priority value must be consistent across all Interceptor appliances within a particular service group. 30 Interceptor Appliance User s Guide

37 Configuring Network Settings Configuring the Interceptor Appliance Control Weight Specify the percentage of connections that are redirected to a particular Interceptor appliance interface, which is useful for traffic load balancing and failover support. The number of TCP, UDP, or ICMP connections a Interceptor appliance supports determines its weight. The more connections a Interceptor appliance model supports, the heavier the weight of that model. You can modify the weight for each in-path interface to manually tune the proportion of traffic a Interceptor appliance interface receives. A higher weight redirects more traffic to that Interceptor interface. The ratio of traffic redirected to a Interceptor interface is equal to its weight divided by the sum of the weights of all the Interceptor interfaces in the same service group. For example, if there are two Interceptor appliances in a service group and one has a weight of 100 and the other has a weight of 200, the one with the weight 100 receives 1/3 of the traffic and the other receives 2/3 of the traffic. However, since it is generally undesirable for a Interceptor with two WCCP inpath interfaces to receive twice the proportion of traffic, for Interceptor appliances with multiple in-paths connected, each of the in-path weights is divided by the number of that Interceptor's interfaces participating in the service group. For example, if there are two Interceptor appliances in a service group and one has a single interface with weight 100 and the other has two interfaces each with weight 200, the total weight will still equal 300 ( / /2). The one with the weight 100 receives 1/3 of the traffic and each of the other's inpath interfaces receives 1/3 of the traffic. The range is The default value corresponds to the number of TCP connections your Interceptor appliance supports. Failover Support To enable single in-path failover support with WCCP groups, define the service group weight to be 0 on the backup Interceptor appliance. If one Interceptor appliance has a weight 0, but another one has a nonzero weight, the Interceptor appliance with weight 0 does not receive any redirected traffic. If all the Interceptor appliances have a weight 0, the traffic is redirected equally among them. The best way to achieve multiple in-path failover support with WCCP groups is to use the same weight on all interfaces from a given Interceptor appliance for a given service group. For example, suppose you have Interceptor A and Interceptor B with two in-path interfaces each. When you configure Interceptor A with weight 100 from both inpath0_0 and inpath0_1 and Interceptor B with weight 200 from both inpath0_0 and inpath0_1, RiOS distributes traffic to Interceptor A and Interceptor B in the ratio of 1:2 as long as at least one interface is up on both Interceptor appliances. In a service group, if an interface with a nonzero weight fails, its weight transfers over to the weight 0 interface of the same service group. For detailed information about using the weight parameter to balance traffic loads and provide failover support in WCCP, see the Riverbed Deployment Guide. Interceptor Appliance User s Guide 31

38 Configuring the Interceptor Appliance Configuring Network Settings Control Encapsulation Scheme Assignment Scheme Source Mask Specifies the method for transmitting packets between a router or a switch and a Interceptor interface. Select one of the following encapsulation schemes from the drop-down list: Either - Use Layer 2 first; if Layer 2 is not supported, GRE is used. This is the default value. GRE - Generic Routing Encapsulation. The GRE encapsulation method appends a GRE header to a packet before it is forwarded. This can cause fragmentation and imposes a capacity reduction on the router and switch, especially during the GRE packet de-encapsulation process. This capacity reduction can be too great for production deployments. L2 - Layer-2 redirection. The L2 method is generally preferred from a performance standpoint because it requires fewer resources from the router or switch than the GRE does. The L2 method modifies only the destination Ethernet address. However, not all combinations of Cisco hardware and IOS revisions support the L2 method. Also, the L2 method requires the absence of L3 hops between the router or switch and the Interceptor appliance. Determines which Interceptor interface in a WCCP service group the router or switch selects to redirect traffic to for each connection. The assignment scheme also determines whether the Interceptor interface or the router processes the first traffic packet. The optimal assignment scheme achieves both load balancing and failover support. Select one of the following schemes from the drop-down list: Either - Uses Hash assignment unless the router does not support it. When the router does not support Hash, it uses Mask. This is the default setting. Hash - Redirects traffic based on a hashing scheme and the Weight of the Interceptor interface, providing load balancing and failover support. This scheme uses the CPU to process the first packet of each connection, resulting in slightly lower performance. However, this method generally achieves better load distribution. Riverbed recommends Hash assignment for most Interceptor appliances if the router supports it. The Cisco switches that do not support Hash assignment are the 3750, 4000, and 4500-series, among others. Your hashing scheme can be a combination of the source IP address, destination IP address, source port, or destination port. Mask - Redirects traffic operations to the Interceptor appliances, significantly reducing the load on the redirecting router. Mask assignment processes the first packet in the router hardware, using less CPU cycles and resulting in better performance. Mask assignment supports load-balancing across multiple active Interceptor appliances. This scheme bases load-balancing decisions (for example, which Interceptor appliance in a service group optimizes a given new connection) on bits pulled out, or masked, from the IP address and the TCP port packet header fields. It also supports load-balancing across multiple active Interceptor appliance interfaces in the same service group. The default mask scheme uses an IP address mask of 0x1741, which is applicable in most situations. However, you can change the IP mask by clicking the service group ID and changing the service group settings and flags. For details and best practices for using assignment schemes, see the Riverbed Deployment Guide. IP Mask - Specify the service group source IP mask. The default value is 0x1741. Port Mask - Specify the service group source port mask. 32 Interceptor Appliance User s Guide

39 Configuring Network Settings Configuring the Interceptor Appliance Control Destination Mask Source Hash Destination Hash Ports Mode Ports Router IP Address(es) Add Remove Selected Groups IP Mask - Specify the service group destination IP mask. Port Mask - Specify the service group destination port mask. IP Hash - Specify that the router hash the source IP address to determine traffic to redirect. Port Hash - Specify that the router hash the source port to determine traffic to redirect. IP Hash - Specify that the router hash the destination IP address to determine traffic to redirect. Port Hash - Specify that the router hash the destination port to determine traffic to redirect. Select one of the following modes from the drop-down list: Ports Disabled - Select to disable the ports. Use Source Ports - The router determines traffic to redirect based on source ports. Use Destination Ports - The router determines traffic to redirect based on destination ports. Specify a comma-separated list of up to seven ports that the router will redirect. Use this option only after selecting either the Use Source Ports or the Use Destination Ports mode. Specify a multicast group IP address or a unicast router IP address. You can specify up to 32 routers. Adds the service group. Select the check box next to the name and click Remove Selected Groups. 2. Click Save to save your settings permanently. Interceptor Appliance User s Guide 33

40 Configuring the Interceptor Appliance Configuring Network Settings Setting Port Labels You can create port labels to represent a list of ports in the Port Labels page. You can use a port label to specify a set of ports and then apply a single in-path rule or load-balancing rule to the port label, rather than configuring rules for each port. Using port labels reduces the number of configuration rules in the system. This section covers the following topics: Default Port Labels on page 34 Creating Port Labels on page 35 Modifying Ports in a Port Label on page 36 Default Port Labels The system provides the following types of port labels by default: Interactive - Ports that commonly carry interactive traffic (such as Telnet, TCP ECHO, remote logging, and shell). The Steelhead appliance and other appliances in the system automatically forward traffic carried on these ports. Use the Interactive port label in in-path rules and load-balancing rules to automatically pass through traffic on interactive ports. Port numbers include 7, 23, 37, 107, 179, , 1494, , , 2427, 2598, 2727, 3389, 5060, 5631, , and RBT-Proto - Ports used by the Steelhead appliance and other appliances in the system: 7744 (data store synchronization), (in-path), 7810 (out-of-path), 7820 (failover), 7850 (connection forwarding), 7860 (Interceptor appliance), and 7870 (Steelhead Mobile Controller). Secure - Ports that commonly carry secure traffic (SSH, HTTPS, and SMTPS). The Steelhead appliance and other appliances in the system automatically forward traffic carried on these ports. Use the Secure port label in in-path rules and load-balancing rules to automatically pass through traffic on secure ports. Port numbers include 22, 49, 261, 443, 448, 465, 563, 585, 614, 636, 684, 695, , , 1701, 1723, 2252, , 2482, 2484, 2492, 2679, 2762, 2998, , 3183, 3191, 3220, 3269, 3410, 3424, 3471, 3496, 3509, 3529, 3539, , 3713, 3747, 3864, 3885, , 3995, 4031, 5007, 5061, 7674, 9802, 11751, and All - When you are managing port labels, you can select all port types by selecting the check box in the table header. Specifies ports Note: To apply an in-path rule or a load-balancing rule to all ports, specify All. For details, see Configuring In-Path Rules on page 53 and Setting Load-Balancing Rules on page 55. Specify a port number or port label. To configure a rule to apply to all ports, specify All. Tip: If you order rules so that traffic that is passed through, discarded, or denied is filtered first, All represents all remaining ports. 34 Interceptor Appliance User s Guide

41 Configuring Network Settings Configuring the Interceptor Appliance Creating Port Labels You can create a port label to represent a list of ports in the Port Labels page. To create a port label 1. Choose Configure > Networking > Port Labels to display the Port Labels page. Figure Port Labels Page 2. Complete the configuration as described in the following table. Control Add a New Port Label Name Ports Remove Selected Add Displays the controls to add a new port label. Specify the label name. The following rules apply: Port labels are not case sensitive and can be any string consisting of letters, the underscore ( _ ), or the hyphen ( - ). Spaces are not allowed in port labels. The fields in the various rule pages of the Management Console that take a physical port number also take a port label. To avoid confusion, do not use a number for a port label. Port labels that are used in in-path and other rules, such as QoS and peering rules, cannot be deleted. Port label changes (that is, adding and removing ports inside a label) are applied immediately by the rules that use the changed port labels. Specify a comma-separated list of ports. Select the check box next to the name and click Remove Selected. Adds the port label. 3. Click Save to save your changes to the running configuration. Interceptor Appliance User s Guide 35

42 Configuring the Interceptor Appliance Configuring Network Settings Modifying Ports in a Port Label You can modify ports associated with a port label by clicking on the label value in the list of port labels. To modify ports in a port label 1. Choose Configure > Networking > Port Labels to display the Port Labels page. 2. In the list of port labels, click the name of the port label you want to edit. The list entry expands to display an editable list. 3. Under Ports, add or delete ports in the Ports text box. Figure Port Labels Page 4. Click Apply to apply the modifications or click Cancel to cancel your changes. Note: Port label changes are applied immediately by the rules that use the port labels that you have modified. 5. Click Save to save your changes to the running configuration. 36 Interceptor Appliance User s Guide

43 Configuring Network Settings Configuring the Interceptor Appliance Configuring Interceptor-to-Interceptor Communication This section includes the following topics: Interceptor-to-Interceptor Communication Overview on page 37 Parallel Deployments on page 38 Serial Deployments on page 38 Quad Deployments on page 39 Before You Begin Configuring Interceptor-to-Interceptor Communication on page 39 Setting Up Interceptor-to-Interceptor Communication on page 40 Interceptor-to-Interceptor Communication Overview You use the Interceptors page to configure the Interceptor appliance s connection forwarding settings and Interceptor-to-Interceptor communication list. Connection forwarding settings specify how the appliance is to communicate with the other Interceptor appliance or appliances in the communication list. If you deploy more than one Interceptor appliance per site, you must configure each Interceptor appliance to interact with every other Interceptor in one of two ways: as a failover Interceptor or as a cluster Interceptor. Failover Interceptors are pairs of serially connected Interceptor appliances. You deploy two Interceptor appliances physically in-path on all of the same physical links, and each appliance is configured to act as a backup for the other appliance for the same network links. If one appliance goes down or needs maintenance, the other appliance handles redirections for the connections over those links. Cluster Interceptors are two or more connected Interceptor appliances that are not necessarily serially connected. You configure peer Interceptor appliances to cover different network paths, typically parallel paths. This design enables Interceptor appliances to forward connections in an asymmetrically routed network. An Interceptor appliance communicates with other Interceptor appliances over TCP connections on the enabled in-path logical interface (or all interfaces, if multiple-interface support is configured) that you designate for Interceptor-to-Interceptor communication. This applies to failover Interceptors and to cluster Interceptors. Note: Even if an appliance is deployed as a single Interceptor appliance that does not communicate with other Interceptor appliances, you must select an enabled in-path interface for Interceptor-to-Interceptor communication. If you do not enable the Communicate with Interceptors Using This Interface option and then choose the Interface dropdown list item that specifies an enabled inpath interface, the Interceptor service fails to start. To enable connection forwarding, you must configure the Interceptor-to-Interceptor communication list on both failover Interceptors, or on all cluster Interceptors, so that the respective lists point to the IP address of the Interceptor-to-Interceptor communication interfaces of the other appliance or appliances in the set. Interceptor Appliance User s Guide 37

44 Configuring the Interceptor Appliance Configuring Network Settings Parallel Deployments In networks where servers are physically dispersed, connection requests and responses might take asymmetric paths. To correct this condition, you can deploy Interceptor appliances along each parallel path, as shown in the following figure. Figure Parallel Deployment in Asymmetric Networks When you configure these Interceptor appliances as a cluster, an appliance checks for related packets before forwarding the connection. The first appliance to send the request becomes the one that consolidates all packets for the connection and the only one to forward the connection, thereby eliminating the asymmetric route. The configuration steps are described in Setting Up Interceptor-to-Interceptor Communication on page 40. Serial Deployments To deploy failover, you configure a pair of Interceptor appliances in a serial configuration. Connect the LAN in-path interface of the WAN-side Interceptor appliance using a crossover cable to the WAN in-path interface of the LAN-side Interceptor appliance, as shown in the following figure. Figure Serial Deployment to Provide Failover Support To configure failover, you configure each Interceptor appliance as a failover Interceptor for the other. The configuration steps are described in Setting Up Interceptor-to-Interceptor Communication on page Interceptor Appliance User s Guide

45 Configuring Network Settings Configuring the Interceptor Appliance Quad Deployments A quad deployment offers the highest availability. Each inline Interceptor appliance serves as a failover Interceptor for the other. Both inline Interceptor appliances serve to forward connections for the parallel Interceptor appliances. Connect the LAN in-path interface of the WAN-side Interceptor appliance using a crossover cable to the WAN in-path interface of the LAN-side Interceptor appliance, as shown in the following figure. Figure Quad Deployment to Provide Failover Support Failover eliminates routing convergence if an appliance fails; optimization continues even in the event of router or switch failure. Before You Begin Configuring Interceptor-to-Interceptor Communication Before you configure Interceptor-to-Interceptor communication, check that configuration requirements are met, and note the configuration recommendations. Requirements for Configuring Interceptor-to-Interceptor Communication Before you configure Interceptor-to-Interceptor communication, you must enable the in-path interface or interfaces that will be designated for Interceptor-to-Interceptor communication on this appliance: If you are not enabling multiple-interface support on the Interceptor appliance, you must enable an in-path interface before you can select it as the single Interceptor-to-Interceptor communication interface. If you are enabling multiple-interface support on the Interceptor appliance, you must enable at least one in-path interface. To enable an in-path interface, choose Configure > Networking > Input <slot> to display the In-path <slot> page. For detailed information, see Configuring In-path on page 25. Recommendations for Configuring Interceptor-to-Interceptor Communication Riverbed recommends the following practices for configuring Interceptor-to-Interceptor communication: To ensure that LAN-side next hops reach other Interceptor in-path interfaces on different subnets, Riverbed recommends that you configure at least one of the following settings on the Interceptor appliance: Default gateway IP address Static routes for reaching Interceptor in-path interfaces on different subnets Interceptor Appliance User s Guide 39

46 Configuring the Interceptor Appliance Configuring Network Settings To configure these settings, choose Configure > Networking > Inpath <slot> to display the In-path <slot> page. The setting for the default gateway IP address is under inpath <slot> Interface. The settings for adding static routes are under Routing Table for inpath <slot>. For more information, see Configuring In-path on page 25. When you add to the Interceptor-to-Interceptor communication list an Interceptor appliance that is enabled for multiple-interface support, Riverbed recommends that you specify the IP addresses of all of the enabled in-path interfaces on that appliance. Setting Up Interceptor-to-Interceptor Communication You set up Interceptor-to-Interceptor communication in the Interceptors page. To configure Interceptor-to-Interceptor communication 1. Choose Configure > Networking > Interceptors to display the Interceptors page. Figure Interceptors Page 40 Interceptor Appliance User s Guide

47 Configuring Network Settings Configuring the Interceptor Appliance 2. Under Connection Forwarding Settings, complete the configuration as described in the following table. Control Optimize Connections When Connection Forwarding Interceptor Not Connected Use Multiple Interfaces to Communicate with Interceptors Communicate with Interceptors Using This Interface Interface If this appliance is configured to communicate with another Interceptor appliance in parallel, select this option if you want to enable allow failure mode on this appliance. The allow failure feature causes the appliance to continue to optimize new connections if connection to the cluster Interceptor appliance is lost. By default, the allow failure option is disabled, which means that the appliance stops attempting to optimize new connections if connection to the cluster Interceptor appliance is lost. Note: To enable the allow failure feature, you must select the allow failure option on all Interceptor appliances on the parallel links, and you must select the allow failure option on all Steelhead appliances that point to these Interceptor appliances. If this appliance is to communicate with other Interceptor appliances on multiple interfaces, select this option to enable multiple interface support on this appliance. This option prevents loss of reachability between this Interceptor appliance and the other failover Interceptor or the other cluster Interceptors that communicate with this appliance. Note: When you add this Interceptor appliance to the Interceptor-to-Interceptor communication list on other appliances in the set, Riverbed recommends that you specify the IP addresses of all enabled in-path interfaces on this appliance. If this appliance is not to communicate with other Interceptor appliances on multiple interfaces, you must select one enabled in-path interface for Interceptor-to-Interceptor communication. This requirement applies whether the appliance is deployed as a failover Interceptor or a cluster Interceptor, or if the appliance is deployed is a single Interceptor appliance that does not communicate with other Interceptor appliances. Select this option to enable the Interfaces drop-down list. Note: By default, the inpath0_0 logical interface is selected for Interceptor-to-Interceptor communication, even if that logical interface is not enabled. Select from this drop-down list the enabled in-path interface this appliance is to use for Interceptor-to-Interceptor communication. The inpath0_0 interface is selected by default, even if that logical interface is not enabled. For information about enabling an in-path interface on an Interceptor appliance, see Configuring In-path on page 25. Note: When you add this Interceptor appliance to the Interceptor communication list on the other Interceptor appliance or appliance with which it communicates, you enter the IP address of this interface in the Main Address field. 3. Click Apply to apply the change. 4. Click Save to save your changes to the running configuration. 5. Under Interceptors, add all local Interceptor appliances to the Interceptor communication list using the controls as described in the following table. Control Add a New Interceptor Name Displays the controls for adding a local Interceptor appliance to the Interceptor communication list on the current configuration.if you are configuring a failover Interceptor, add the other failover Interceptor. If you are configuring a cluster Interceptor, add all of the other Interceptor appliances in that cluster. Specify a name for the local Interceptor appliance that you are adding. Interceptor Appliance User s Guide 41

48 Configuring the Interceptor Appliance Configuring Network Settings Control Main Address Port Additional Addresses Use For Failover Add Remove Selected Interceptors Specify the IP address of the local Interceptor appliance s in-path interface that is configured to be used for Interceptor-to-Interceptor communication. Use the following format: Specify a port number for communication with the other failover Interceptor or the other cluster Interceptors. The default value is If you are adding an Interceptor appliance on which multiple interface connection forwarding is enabled, specify additional network addresses for that Interceptor appliance. Note: Riverbed recommends that you specify the IP addresses of all enabled in-path interfaces on that appliance. If you are adding an Interceptor appliance that is in series with the appliance you are configuring, select this option if the Interceptor appliance you are adding is to be the failover appliance for the appliance you are configuring. For details, see Serial Deployments on page 38 and Quad Deployments on page 39. Adds the settings to the running configuration. To remove an Interceptor appliance from the list, select the check box next to the name and click Remove Selected Interceptors. If you remove an Interceptor appliance from this list, make sure that you also remove this appliance from the other Interceptor appliances in the set. 6. Click Save to save your changes to the running configuration. 42 Interceptor Appliance User s Guide

49 Configuring Network Settings Configuring the Interceptor Appliance Configuring Interceptor-to-Steelhead Communication You can manage a list of cluster Steelhead appliances (for which the Interceptor appliance monitors capacity and balances load) and configure Interceptor-to-Steelhead communication in the Steelheads page. The Interceptor appliance continually monitors both TCP traffic and the available capacity of the cluster Steelhead appliances. When a load-balancing rule matches, the Interceptor appliance redirects traffic to a target Steelhead appliance with available capacity. In cases where a target Steelhead appliance is unavailable or in cases where only the default rule matches, the Interceptor appliance redirects traffic to a cluster Steelhead appliance that has not been reserved by a load-balancing rule. To configure the Steelhead appliances for use with the Interceptor appliance, you must add them on this page and run a set of CLI commands from the Steelhead appliance to enable Steelhead-to-Interceptor communication. For details, see Configuring Steelhead-to-Interceptor Communication on page 47. This section includes the following topics: Configuring Connected Steelheads on page 43 Modifying an Existing Steelhead Configuration on page 45 Resuming or Pausing Communication with Cluster Steelheads on page 47 Configuring Steelhead-to-Interceptor Communication on page 47 Configuring Connected Steelheads You configure the cluster Steelheads connected to the Interceptor and Interceptor-to-Steelhead communication in the Steelheads page. To configure Interceptor-to-Steelhead communication 1. Choose Configure > Networking > Steelheads to display the Steelheads page. Figure Steelheads Page Interceptor Appliance User s Guide 43

50 Configuring the Interceptor Appliance Configuring Network Settings 2. Optionally, under Steelhead Connections Settings, configure Multiple Interface Support as described in the following table. Control Use Multiple Interfaces to Communicate with Cluster Steelheads Communicate with Cluster Steelheads Using This Interface Interface Select this option to enable multiple interface support (MIS). MIS prevents the loss of connectivity between an Interceptor appliance and cluster Steelhead appliances and enables Steelhead appliances to connect using multiple WAN interfaces. If you enable multiple interface support, the following constraints apply: v5.0x Steelhead appliances must be running RiOS v5.0.7 or higher. v5.5.x Steelhead appliances must be running RiOS v5.5.2 or higher. Load-balancing rules apply only to the main IP address. Select this option to enable selection of the interface to use for Interceptor-to-Steelhead communication. Use this drop-down list to select a configured in-path interface to use for Interceptor-to- Steelhead communication. For more information, see Configuring In-path on page 25. Observe the following considerations when selecting an interface: You must specify the same in-path interface for all Interceptor-to-Steelhead communication. You must use the same Interceptor in-path interface for communication with all Steelhead appliances. When you configure Steelhead-to-Interceptor communication in Configuring Steelhead-to-Interceptor Communication on page 47, make sure that you configure the Steelhead appliance to communicate with this Interceptor appliance on this interface. 3. Click Apply to apply the change. 4. Click Save to save your changes to the running configuration. 44 Interceptor Appliance User s Guide

51 Configuring Network Settings Configuring the Interceptor Appliance 5. To add or remove a cluster Steelhead appliance use the controls as described in the following table. Control Add a New Steelhead Remove Selected Steelheads Use the following controls to add a new Steelhead: Name - Specify a name by which the cluster Steelhead appliance can be identified. Main Address - Specify the IP address for the Steelhead appliance inpath0_0 interface. Use the following format: Port - Specify a port number for communication with the cluster Steelhead appliance. The default value is Additional Addresses - Optionally, specify additional IP addresses for the new cluster Steelhead appliance. In a deployment scenario with dual-attached Steelhead appliances, these addresses provide a secondary route for connections to reach the target Steelhead appliance. Note: These addresses are ignored if the Use Multiple Interfaces to Communicate with Cluster Steelheads option is not selected. Note: Use the main IP address of the Steelhead appliance when configuring load-balancing rules. Add - Applies the settings to the running configuration. To remove a Steelhead, select the check box next to the name and click Remove Selected Steelhead. Note: When you remove a Steelhead, new connections are not made until you add the Steelhead again and restart the service. If you remove the Steelhead configuration from Interceptor appliance A of an A-B pair, make sure to remove the Steelhead appliance configuration from Interceptor appliance B. 6. Click Save to save your changes to the running configuration. Modifying an Existing Steelhead Configuration You can modify an existing cluster Steelhead appliance definition in the Steelheads page. Interceptor Appliance User s Guide 45

52 Configuring the Interceptor Appliance Configuring Network Settings To modify an existing a Steelhead configuration 1. Choose Configure > Networking > General Steelheads to display the Steelheads page. Figure Steelheads Page 2. In the list under Steelhead, select the name of the appliance to be modified. The listing expands to show buttons for pausing and resuming. 3. To modify the configuration, use the controls as described in the following table. Control Name Main Address Port Additional Addresses Specify a name by which the cluster Steelhead appliance can be identified. Specify the IP address for the Steelhead appliance inpath0_0 interface. Use the following format: Specify a port number for communication with the cluster Steelhead appliance. The default value is Optionally, modify the list additional IP addresses for the selected cluster Steelhead appliance. These addresses are ignored if the Enable Multiple Interface Support check box is not selected. Note: Use the main IP address of the Steelhead appliance when configuring loadbalancing rules. 4. Click Apply to apply the change. 5. Click Save to save your changes to the running configuration. 46 Interceptor Appliance User s Guide

53 Configuring Network Settings Configuring the Interceptor Appliance Resuming or Pausing Communication with Cluster Steelheads You can pause and resume communication with cluster Steelheads in the Steelheads page. To pause or resume communication with a Steelhead 1. Choose Configure > Networking > Steelheads to display the Steelheads page. Figure Steelheads page 2. Under Steelheads, select the name of the cluster Steelhead to be paused or resumed. The listing expands to show buttons for pausing and resuming communication with the Steelhead. 3. Click Pause Sending New Connections or Resume Sending New Connections as appropriate. Configuring Steelhead-to-Interceptor Communication This section describes the procedure for configuring Steelhead-to-Interceptor communication. Each Steelhead appliance must be configured to receive connections only through specified Interceptor appliances. The Steelhead appliance communicates with the Interceptor appliance through Steelhead WAN ports. Important: The Steelhead appliances must not be optimizing traffic before this configuration is enabled. Note: You must be able to provide the IP addresses of the Interceptor appliances that direct connections to the Steelheads. You can obtain the IP address of an appliance by running the show interfaces command in the Riverbed Command-Line Interface. Interceptor Appliance User s Guide 47

54 Configuring the Interceptor Appliance Configuring Network Settings To configure Steelhead-to-Interceptor communication 1. Connect as the administrator user to the CLI for the Steelhead appliance. For details, see the Riverbed Command-Line Interface Reference Manual. 2. Enter configuration mode: enable configure terminal 3. To enable the in-path0_0 interface, enter the following command: in-path enable 4. Enable additional in-path interfaces as necessary, for example: in-path interface inpath0_1 enable 5. To enable the virtual in-path support required for Interceptor deployments, enter the following command: in-path oop enable 6. To enable Steelhead-to-Interceptor communication, enter the following command: in-path neighbor enable 7. Optionally, to enable multiple interface support, enter the following command: in-path neighbor multi-interface enable When using more than one in-path interface connection on the Steelhead, you must enable multiple interface support with this command. This feature is only supported on RiOS 5.0.6c and greater. 8. For each Interceptor, at least one in-path IP address must be specified by entering the following command: in-path neighbor name <Interceptor_name> main-ip <main_ip> where Interceptor_name is the hostname or IP address for the Interceptor in-path interface, and main-ip is the IP address of the Interceptor appliance s inpath0_0 interface. Note: Specify the same in-path interface you set for all Interceptor-to-Steelhead communication in Configuring Connected Steelheads on page 43. For example, if you set Interceptor-to-Steelhead communication on Interceptor inpath0_0, you would specify the IP address for a particular Interceptor inpath0_0 in the above command. 9. Supply additional addresses for the remaining in-path interfaces: in-path neighbor name <Interceptor_name> additional-ip <other_inpath_ip> where Interceptor_name is the hostname or IP address for the Interceptor in-path interface, and additional-ip is the IP address of another of the Interceptor appliance s inpathx_x. interface 10. Repeat for each target Interceptor appliance (if more than one). 11. Repeat for each Steelhead appliance in the network configuration. 48 Interceptor Appliance User s Guide

55 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance Configuring the Xbridge Feature Xbridge is a software-packet-processing enhancement supported on Interceptor appliances that use 10-Gbps interfaces. When it is enabled, Xbridge provides significant line-throughput improvement for optimized and pass-through traffic for 10-Gbps interfaces on an Interceptor appliance. For detailed information about configuring Layer-4 switch, PBR, and WCCP deployments, see the Riverbed Deployment Guide. You can enable or disable the Xbridge feature in the Xbridge page. Note: You must reboot the Interceptor appliance for this configuration change to take effect. To configure the Xbridge feature 1. Choose Configure > Networking > Xbridge to display the Xbridge page. Figure Xbridge Page 2. Under Xbridge Settings, enable Xbridge by selecting the check box. 3. Click Apply to apply the change. 4. Click Save to save your changes to the running configuration. 5. Reboot the Interceptor appliance. Configuring Optimization and Load Balancing This section describes the following configuration settings related to optimization and load balancing: Overview: Configuring Traffic Redirection on page 50 Configuring General Service Settings on page 52 Configuring In-Path Rules on page 53 Setting Load-Balancing Rules on page 55 Setting Connection Tracing Rules on page 62 Configuring Hardware Assist Rules on page 63 Interceptor Appliance User s Guide 49

56 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing Overview: Configuring Traffic Redirection This section describes how the Interceptor appliance redirects traffic to local Steelhead appliances based on in-path rules, load-balancing rules, and other parameters such hardware-assist pass-through rules and fair peering: In-path rules - Control whether locally initiated connections are redirected. In-path rules define the action (redirect, pass, deny, or discard) that the Interceptor appliance takes when a TCP SYN packet arrives through the LAN interface. In-path rules are an ordered list of matching parameters and an action field. The matching parameters can be any of the following: IP source or destination subnets IP source or destination host Destination TCP port VLAN ID For detailed information, see Configuring In-Path Rules on page 53. Load-balancing rules - Control which traffic is redirected and how it is distributed to the Steelhead appliance clusters. Load-balancing rules define the action (pass-through or redirect) that the Interceptor appliance takes on a TCP SYN packet for a connection. Load-balancing redirection rules must also specify at least one Steelhead appliance. For detailed information, see Configuring Load- Balancing Rules on page 58. Peer affinity, fair peering v1, or fair peering v2 - Control how the Interceptor appliance selects the target Steelhead appliance to which traffic is redirected. For detailed information, see Enabling Fair Peering and Pressure Monitoring on page 56. Hardware assist pass-through rules - Control what traffic is passed through in the hardware on supported network bypass cards. Interceptor software release or later supports hardware-assist pass-through traffic forwarding when used with certain bypass cards, specifically the Two-Port LR Single Mode Fiber 10 GigE PCI-E and Two-Port SR Multimode Fiber 10 GigE PCI-E bypass cards. This allows the administrator to statically configure all UDP traffic and selected TCP traffic (identified by subnet pairs or VLANs) to be passed through the Interceptor at close to line-rate speeds. For detailed information, see Configuring Hardware Assist Rules on page 63. Note: For detailed information about applying these rules, see the Riverbed Deployment Guide. The types of redirection control rules control what traffic is redirected and potentially optimized by a Steelhead appliance. Figure 2-20 shows how the control rules are used when a packet arrives on the LAN or WAN interfaces of the Interceptor appliance. The Interceptor appliance first checks whether the packets arriving on a LAN or WAN port match a hardware-assist rule. If they match, the Interceptor appliance bridges the packet in the hardware corresponding to the port. If not, the Interceptor appliance checks whether the packet belongs to a flow being redirected. This could be because the flow is going through auto-discovery, or because the flow previously went through the auto-discovery process and started optimization. 50 Interceptor Appliance User s Guide

57 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance If the packet does not correspond to a redirected flow, the in-path and load-balance rules are used to determine the next action. TCP SYN packets from a LAN interface are processed with the in-path rules and either dropped or passed-through, then forwarded for further processing with the load-balance rules. Figure Overview of Redirection Packet Process Interceptor Appliance User s Guide 51

58 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing Configuring General Service Settings You can set virtual in-path settings in the General Interceptor Settings page. To configure general service settings 1. Choose Configure > Optimization > General Service Settings to display the General Service Settings page. Figure General Service Settings Page 2. Under In-Path Settings, enable configured in-paths by selecting the check box next to the in-path interface name. 3. Under Virtual In-Path Settings, select Enable PBR/WCCP. This option enables virtual in-path support on all the interfaces for networks that use PBR or WCCP. External traffic redirection is supported on only the first in-path interface. The following redirection methods are available: Policy-based routing (PBR) - PBR allows you to define policies to route packets instead of relying on routing protocols. You enable PBR to redirect traffic that you want optimized by an Interceptor appliance that is not in the direct physical path between the client and server. Web Cache Communication Protocol (WCCP) - If your network design requires you to use WCCP, a packet redirection mechanism, it directs packets to RiOS appliances that are not in the direct physical path to ensure that they are optimized. For detailed information about configuring Layer-4 switch, PBR, and WCCP deployments, see the Riverbed Deployment Guide. 4. For a failover deployment that uses PBR rather than WCCP to redirect traffic to a backup Steelhead appliance, select Enable CDP for PBR. You can also override the default CDP values: CDP Hold Time - Specifies the CDP message hold time in seconds. The default value is 180 seconds. CDP Interval - Specifies the CDP message polling interval in seconds. The default value is 10 seconds. 52 Interceptor Appliance User s Guide

59 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance 5. Click Apply to apply the change. 6. Click Save to save your changes to the running configuration. Configuring In-Path Rules You configure in-path rules in the In-Path Rules page. The Interceptor appliance evaluates rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule. For example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. When the Interceptor appliance intercepts a SYN request to a server, the in-path rules you configure determine the subnets and ports for traffic to be optimized. You can specify in-path rules to pass-through, discard, or deny traffic; or to redirect and optimize it. In the case of a data center, the Interceptor appliance intercepts SYN requests when a data center server establishes a connection with a client that resides outside the data center. To configure in-path rules 1. Choose Configure > Optimization > In-Path Rules to display the In-Path Rules page. Figure In-Path Rules Page Interceptor Appliance User s Guide 53

60 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing 2. Complete the configuration as described in the following table. Control Add a New In- Path Rule Type Position Source Subnet Destination Subnet Port VLAN Tag ID Add Displays the controls for adding a new rule. Select one of the following rule types: Redirect - Redirect rules select traffic that might be redirected. Typically, you configure a redirect rule for source and destination addresses and ports you want to optimize with the Riverbed system. A separate set of load-balancing rules determine the Steelhead appliance to which the connection is to be redirected. Pass Through - Pass-through rules identify traffic that is passed through the network unoptimized. For example, you might choose to pass-through traffic on interactive or secure ports. Discard - Packets for connections that match the rule are dropped silently. Essentially, the Interceptor appliance filters out traffic that matches the discard rules. For example, you might choose to drop connections from an unauthorized source or to an unauthorized target subnet. Deny - packets for connections match the deny rule, the Interceptor appliance actively tries to reset the connection. For example, you might choose to deny connections from an unauthorized source or to an unauthorized target subnet. Select Start, End, or a rule number: In general, filter traffic that is to be unoptimized, discarded, or denied before processing rules for traffic that is to be optimized. For example, order rules as follows: 1. Pass-through. 2. Discard. 3. Deny. 4. Redirect. The default rule, Redirect All (all remaining traffic), is listed automatically and ordered last. Specify the IP address for the source subnet. Use the following format: XXX.XXX.XXX.XXX/XX To configure a rule to apply to all source subnets, specify all. Specify the IP address for the destination subnet. Use the following format: XXX.XXX.XXX.XXX/XX To configure a rule to apply to all destination subnets, specify all. Specify a port number or port label. For detailed information about managing port labels, see Setting Port Labels on page 34. To configure a rule to apply to all ports, specify All. Tip: If you order rules so that traffic that is passed through, discarded, or denied are filtered first, All represents all remaining ports. Optionally, select the VLAN identification number to set the VLAN tag ID. Specify all to specify that the rule applies to all VLANs. Specify untagged to specify that the rule applies to non-tagged connections. Pass-through traffic maintains any pre-existing VLAN tagging between the LAN and WAN interfaces. To complete the implementation of VLAN tagging, you must set the VLAN tag IDs for the inpath interfaces that the Interceptor appliance uses to communicate with other Interceptor appliances. Optionally, specify a description to remind you of the purpose or function of the rule. Adds the newly defined rule to the list and applies the settings to the running configuration. 54 Interceptor Appliance User s Guide

61 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance Control Remove Selected Rules Move Selected Rules To remove a rule, select the check box next to the name and click Remove Selected Rules. This action applies the settings to the running configuration. Note: The default rule cannot be removed and is always listed last. Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position. Note: The default rule cannot be reordered and is always listed last. 3. Click Save to save your changes to the running configuration. Setting Load-Balancing Rules You set load-balancing rules in the Load Balancing Rules page. Load-balancing rules define the characteristics by which traffic is selected for load balancing and the availability of LAN-side Steelhead appliance for such traffic. This section includes the following topics: Overview of Load-Balancing Rules on page 55 Enabling Fair Peering and Pressure Monitoring on page 56 Enabling Pressure Monitoring on page 57 Configuring Load-Balancing Rules on page 58 Overview of Load-Balancing Rules Your load-balancing rules list must account for the following conditions: Traffic over all subnets and ports that have been selected for redirection. All Steelhead appliances you have configured as targets of redirect rules or reserved for the automatic load-balancing rule: If a cluster Steelhead appliance is specified as a target for a rule, it is reserved for traffic that matches that rule and is not available to the pool used for automatic load balancing. If a cluster Steelhead appliance is not specified as a target for a rule, it is available for automatic load balancing. Second-preference cases where you would rather pass-through traffic than tax the auto-load balancing pool. Interceptor Appliance User s Guide 55

62 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing The following table describes how the Interceptor appliance processes load-balancing rules. Event Redirect rule matches and target Steelhead appliances are available. Redirect rule matches but none of the target Steelhead appliances for the rule are available. Pass-through rule matches. Redirect rule matches but none of the target appliances are available; and does not match a passthrough rule. No rules match. No rules specified. Interceptor Process Redirects traffic to a Steelhead appliance in the target list. The Interceptor appliance chooses a Steelhead appliance from the list based on a connection distribution algorithm that considers: Peer Affinity - The Interceptor appliance has chosen the target Steelhead appliance before. In cases where the target list includes more than one Steelhead appliance with peer affinity, the Interceptor appliance chooses the Steelhead appliance with the most affinity that is, the appliance to which the Interceptor appliance has forwarded the most connections. Round-Robin - Instead of checking the Steelhead appliances in order of most to least affinity, the Steelhead appliances are checked for availability in round-robin order starting with the one after the Steelhead appliance that received the last connection from that rule. Consults the next rule in list. Pass-through traffic, traversing RiOS routes but unoptimized. The Interceptor appliance chooses a Steelhead appliance from the pool of Steelhead appliances that you have added as part of the cluster but have not assigned as targets in other load-balancing rules. The Interceptor appliance chooses a Steelhead appliance based on the connection distribution algorithm described above. Enabling Fair Peering and Pressure Monitoring You can enable the fair peering feature for each load-balancing rule, including the default rule. When the fair peering feature is enabled for a load-balancing rule, the target Steelhead appliance cannot exceed a dynamically determined maximum number of remote Steelhead appliances. When that maximum is reached, peer connections are reassigned. For example, when the maximum limit for one local Steelhead appliance, the load shifts to another local Steelhead appliance. If a new remote Steelhead appliance comes online, a new maximum value is dynamically computed. As a result, the fair peering feature ensures that all remote Steelhead appliances are always covered. This feature is an alternative to the default load-balancing algorithm which, when a new remote Steelhead appliance is assigned to a local cluster, determines the appropriate local Steelhead appliance to which the new connection should be directed. Prior to using fair peering, be aware of the following limitations: If a load-balancing rule is configured with fair peering enabled, the target Steelhead appliance cannot be targeted in any other load-balancing rule. Load balancing can only occur among Steelhead appliances that are targeted by load-balancing rules with the same fair peering configuration. For detailed information about configuring fair peering, see Configuring Load-Balancing Rules on page Interceptor Appliance User s Guide

63 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance Enabling Pressure Monitoring The pressure monitoring provides more detail about the health of the local Steelhead appliances so that the Interceptor can better manage and balance traffic. Pressure parameters that are measured include available memory, CPU utilization, and disk load. All three pressures are treated equally and the Interceptor sends a consolidated message to indicate one of the following states: normal, high, or severe. The value is determined as follows: Normal - A value of normal is assigned if all three pressures measure normal. High - A value of high is assigned if one or more pressures measures high but none measure severe. Severe - A value of severe is assigned if one or more pressures measures severe. Pressure values are displayed in the Steelheads report. For more information, see Displaying the Steelheads Report on page 105. When the pressure monitoring feature is enabled, pressures are reported but do not necessarily affect the load-balancing functionality of the Interceptor appliance. However, when this feature is enabled together with the fair peering v2 option, the Interceptor appliance implements the pressure measurements into load balancing based on the credits available in each Steelhead appliance. Note: Each Steelhead appliance is assigned credits based on it model number. The credit is equivalent to the Steelhead appliance size used in fair peering. The credits determine the percentage of total load a Steelhead appliance can handle in the cluster. When both fair peering v2 and pressure monitoring are enabled, the pressure data from a Steelhead appliance determines the credits assigned to it, and as a result, the percentage of connections assigned to that Steelhead appliance. For example, if two Steelhead appliances (LSH1 and LSH2) have credits 250 and 750, respectively, then the Interceptor appliance send 25% of the load to LSH1 and 75% to LSH2. Specifically, when pressure data changes, a Steelhead appliance credits are affected as follows: Normal changing to High - Steelhead appliance credits are reduced by 10%. Normal changing to Severe - Steelhead appliance credits are reduced by 20-30%. Severe changing to Normal - Steelhead appliance credits are restored accordingly. Note: Pressure reading are not polled. Rather, Steelhead appliances report only changes to pressure states. Interceptor Appliance User s Guide 57

64 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing Configuring Load-Balancing Rules You configure load-balancing settings and rules in the Load Balancing Rules page. To configure a load-balancing rule 1. Choose Configure > Optimization > Load Balancing Rules to display the Load Balancing Rules page. Figure Load Balancing Rules Page 58 Interceptor Appliance User s Guide

65 . Configuring Optimization and Load Balancing Configuring the Interceptor Appliance 2. Optionally, under Load Balance Settings, configure fair peering as described in the following table. Control Enable Fair Peering v2 (overrides per-rule fair peering when enabled) Enable Pressure Monitoring (takes effect when Fair Peering v2 is enabled) Enable Capacity Adjustment Enable Permanent Capacity Adjustment Select this option to enable the fair peering v2 feature across all loadbalancing rules. The fair peering v2 feature ensures that no local Steelhead appliance exceeds a dynamically determined maximum number of remote peers. By default, the Interceptor appliance selects the target Steelhead appliance on the basis of peer affinity (based on which candidate Steelhead appliance has been used to optimize connections to or from the remote site in the past). Important: If you enable fair peering v2, this global setting overrides any traditional fair peering enabled on a per-rule basis. Note: Fair peering v2 is supported with Interceptor version 3.0 and later and local Steelhead appliances running RiOS or later. Select this option to enable the pressure monitoring feature. When enabled, this feature provides more detailed information about the health of the local Steelhead appliances, to enable the Interceptor to better manage and balance traffic. For details, see Enabling Pressure Monitoring on page 57. Note: Riverbed recommends that you enable pressure monitoring only in conjunction with fair peering v2. If pressure monitoring is enabled, select this option to enable the capacity adjustment feature. When enabled, this feature reduces the number of new connections sent to local Steelhead appliances for which the Interceptor determines a High pressure value. For a local Steelhead appliance with a High pressure value, this feature artificially and temporarily reduces the capacity of the Steelhead appliance for Interceptor loadbalancing calculations. As a result of using a downward-adjusted capacity for a particular Steelhead appliance, the Interceptor appliance moves existing paired peers from that Steelhead appliance to less-used Steelhead appliances. The Interceptor appliance uses the artificially reduced capacity value for that Interceptor appliance in load-balancing calculations until the Steelhead appliance returns to a Normal pressure value. If capacity adjustment is enabled, select this option to cause capacity reduction once triggered for a local Steelhead appliance that reaches a High pressure value to be permanent. Note: To disable permanent capacity adjustment of a Steelhead appliance, you must issue a service restart on the Interceptor appliance. Interceptor Appliance User s Guide 59

66 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing 3. Under Load Balancing Rules, configure load-balancing rules as described in the following table. Control Add A New Load Balancing Rule Type Position Local Target IPs From Remote Steelheads Remote Steelhead IPs Source Subnet Destination Subnet Displays the controls for adding a new rule. Specify one of the following rule types: Redirect - Configure rules of this type for traffic you want to optimize. Pass-Through - Configure rules of this type as a second-preference rule for cases where you want to optimize when connections are available on specified targets, but, in the event targets have reached admission control capacity, you would rather pass through traffic than tax the auto-balance pool. For example, you might use passthrough rules to handle HTTP traffic on port 80. Select the position from the drop-down list: Select Start to insert the rule at the start of the list. Select End inserts the rule at end of the list. Typically, you arrange load-balancing rules in the following order: 1. Redirect rules. 2. Pass-through rules. The default rule, Auto, balances all remaining traffic among cluster Steelhead appliances not specified as targets for any other rule, is listed automatically and ordered last. The rule type of a matching rule determines which action the Interceptor appliance takes on the connection. Specify a comma-separated list of Steelhead appliance IP addresses to which traffic can be redirected. If a rule matches, connections are redirected to the first Steelhead appliance in the list that has capacity for new connections. If no rule matches, peer affinity applies. If there is no existing peer affinity, the connection is redirected to the Steelhead appliance with the least number of current connections. Note: The target Steelhead appliances are called cluster Steelheads. The list you specify here must match the main IP addresses specified in the Steelheads list, described in Configuring Interceptor-to-Steelhead Communication on page 43. Select one of the following options from the drop-down list: Any - Rule applies only when matching any SYN or SYN+ (behavior of loadbalancing rule before peering was added). Probe-only - Match any packet with a probe SYN+. Non-probe - Match only SYN entering from the LAN side. IP Address - Match the given IP address when a SYN+ comes from that Steelhead appliance. If you specify IP Address for the From Remote Steelheads setting, use this field to specify a comma-separated list of Steelhead appliance IP addresses. Specify the IP address for the source network. Use the following format: XXX.XXX.XXX.XXX/XX To configure a rule to apply to all source subnets, specify all. Specify the IP address for the destination network. Use the following format: XXX.XXX.XXX.XXX/XX To configure a rule to apply to all destination subnets, specify all. 60 Interceptor Appliance User s Guide

67 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance Control Port VLAN Tag ID Enable Traditional Fair Peering for this Rule Add Move Selected Rule Remove Selected Rules Specify a port number or port label. For detailed information about managing port labels, see Setting Port Labels on page 34. To configure a rule to apply to all ports, specify All. Tip: If you order rules so that traffic that is passed through, discarded, or denied are filtered first, All represents all remaining ports. Optionally, select the VLAN identification number to set the VLAN tag ID. Specify all to have the rule apply to all VLANs. Select untagged to have the rule apply to non-tagged connections. Note: Pass-through traffic maintains any pre-existing VLAN tagging between the LAN and WAN interfaces. Note: To complete the implementation of VLAN tagging, you must set the VLAN tag IDs for the in-path interfaces that the Interceptor appliance uses to communicate with other Interceptor appliances. For detailed information about configuring the in-path interface for the Interceptor appliance, see Configuring In-Path Rules on page 53. Optionally, specify a description to remind you the purpose or function of the rule. Select this option to enable the traditional (v1) fair peering feature for the custom loadbalancing rule. For details, see Enabling Fair Peering and Pressure Monitoring on page 56. Important: If you enable traditional fair peering for this rule, this per-rule setting would be overridden if fair peering v2 is enabled for load balancing. Adds the new rule to the configuration. The new rule displays in the list at the top of the page. Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position. Note: The default rule cannot be reordered and is always listed last. Select the check box next to the name and click Remove Selected Rules. Note: The default rule cannot be removed and is always listed last. 4. Click Save to save your changes to the running configuration. Interceptor Appliance User s Guide 61

68 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing Setting Connection Tracing Rules You configure connection tracing rules in the Connection Tracing Rules page. Connection traces enable you to determine to which Steelhead appliances the Interceptor appliance has redirected specific connections. Connection traces also enable you to debug failing or unoptimized connections. Note: If you manually restart the Interceptor appliance, the connection traces are lost. Prior to restarting, perform a system dump. For details, see Viewing the System Dumps List on page 121. Note: For detailed information about viewing a connection trace report, see Displaying Connection Tracing Reports on page 113. To configure connection tracing rules 1. Choose Configure > Optimization > Connection Tracing Rules to display the Connection Tracing Rules page. Figure Connection Tracing Rules Page 62 Interceptor Appliance User s Guide

69 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance 2. Under Connection Tracing Rules, complete the configuration as described in the following table. Control Add A New Connection Tracing Rule Source Subnet Source Port Destination Subnet Destination Port VLAN Tag ID Add Remove Selected Rules Displays the controls for adding a new rule. Specify an IP address and mask for the traffic source. Use the following format: XXX.XXX.XXX.XXX/XX Note: You can specify all or /0 as the wildcard for all traffic. Specify the source port. Specify an IP address and mask for the traffic destination. Use the following format: XXX.XXX.XXX.XXX/XX Note: You can specify all or /0 as the wildcard for all traffic. Specify the destination port. Specify the VLAN ID, if applicable. Adds the new connection tracing rule to the list. The Interceptor appliance refreshes the Connection Tracing Rules table and applies your modifications to the running configuration, which is stored in memory. To remove a rule, select the check box next to the name and click Remove Selected Rules. Important: When you remove a rule, you also remove all traces from the list that resulted from the rule. 3. Click Save to save your changes to the running configuration. Configuring Hardware Assist Rules You configure hardware assist rules in the Hardware Assist Rules page. On Interceptor appliances equipped with one or more Two-Port SR Multimode Fiber 10 Gigabit-Ethernet PCI-E or Two-Port LR Single Mode Fiber 10 Gigabit-Ethernet PCI-E cards, you can configure the Interceptor appliance to automatically bypass all User Datagram Protocol (UDP) connections. You can also configure rules for bypassing specific Transmission Control Protocol (TCP) connections. By automatically bypassing these connections, you can decrease the work load on the local Steelhead appliances. Note: For a hardware assist rule to be applied to a specific Two-Port LR Single Mode Fiber 10 GigE PCI-E or Two-Port SR Multimode Fiber 10 GigE PCI-E bypass card, the corresponding in-path interface must be enabled and have an IP address. Interceptor Appliance User s Guide 63

70 Configuring the Interceptor Appliance Configuring Optimization and Load Balancing To configure hardware assist rules 1. Choose Configure > Optimization > Hardware Assist Rules to display the Hardware Assist Rules page. Figure Hardware Assist Rules Page 2. Under 10G NIC Hardware Assist Rules Settings, enable pass-through traffic as follows: To automatically pass through all UDP traffic, select the Enable Hardware Passthrough of All UDP Traffic check box. To pass through TCP traffic based on the configured rules, select the Hardware Passthrough TCP Traffic... check box. TCP pass through is controlled by rules. The next step describes how to step up hardware assist rules. Note: All hardware assist rules are ignored unless this check box is selected. No TCP traffic will be passed through. 3. Click Apply to apply the settings to the current configuration. 64 Interceptor Appliance User s Guide

71 Configuring Optimization and Load Balancing Configuring the Interceptor Appliance 4. Under Add New Rule, complete the configuration as described in the following table. Control Type Position Subnet A Subnet B VLAN Tag ID Add Move Selected Rule Remove Selected Rules Select one of the following rule types: Accept - Accept rules identify traffic that is optimized Pass-Through - Pass-through rules identify traffic that is passed through the network unoptimized. Select Start, End, or a rule number: In general, filter traffic that is to be unoptimized, discarded, or denied before processing rules for traffic that is to be optimized. Specify an IP address and mask for the subnet that can be both source and destination together with Subnet B. Use the following format: XXX.XXX.XXX.XXX/XX Note: You can specify all or /0 as the wildcard for all traffic. Specify an IP address and mask for the subnet that can be both source and destination together with Subnet A. Use the following format: XXX.XXX.XXX.XXX/XX Note: You can specify all or /0 as the wildcard for all traffic. Optionally, select the VLAN identification number to set the VLAN tag ID. Select all to specify the rule applies to all VLANs. Select untagged to specify the rule applies to non-tagged connections. Note: Pass-through traffic maintains any pre-existing VLAN tagging between the LAN and WAN interfaces. Note: To complete the implementation of VLAN tagging, you must set the VLAN tag IDs for the in-path interfaces that the Interceptor appliance uses to communicate with other Interceptor appliances. For detailed information about configuring the in-path interface for the Interceptor appliance, see Configuring In-Path Rules on page 53. Optionally, include a description of the rule. Adds the new hardware assist tracing rule to the list. The Interceptor appliance refreshes the Hardware Assist Rules table and applies your modifications to the running configuration, which is stored in memory. Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position. Note: The default rule cannot be reordered and is always listed last. Select the check box next to the name and click Remove Selected Rules. Note: The default rule cannot be removed and is always listed last. Interceptor Appliance User s Guide 65

72 Configuring the Interceptor Appliance Configuring System Settings 5. To modify an existing rule: Click on the value in the Rule column to expand a panel that contains the settings for that rule. Modify as necessary and click Apply. Figure Hardware Assist Rules Page 6. Click Save to save your changes to the running configuration. 7. Click Reset to restore the previous values. Configuring System Settings This section describes how to configure settings to manage the system. It includes the following sections: Creating Announcements on page 67 Setting Alarm Parameters on page 68 Setting SNMP Parameters and Trap Receivers on page 70 Creating SNMP v3 Users on page 72 Configuring Authentication and Access Control on page 74 Setting Up Notifications on page 78 Configuring Logging on page Interceptor Appliance User s Guide

73 Configuring System Settings Configuring the Interceptor Appliance Creating Announcements You can create announcements to appear upon login in the Announcements page. You can create or modify a login message or a message of the day in the Announcements page. The login message appears in the Interceptor Login page. The message of the day appears on the Home page and when you first log in to the CLI. To set an announcement 1. Choose Configure > System Settings > Announcements to display the Announcements page. Figure Announcements Page 2. Use the controls to complete the configuration as described in the following table. Control Login Message MOTD Type a message in the text box to appear on the Login page. Type a message in the text box to appear on the Home page. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. Interceptor Appliance User s Guide 67

74 Configuring the Interceptor Appliance Configuring System Settings Setting Alarm Parameters You enable alarms and alerts on the Alarms page. Some alarms have rising and reset thresholds. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. When an alarm reaches the rising threshold, it is activated; it is reset when it reaches the lowest or reset threshold. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. You can also enable alerts that send messages if the specified condition occurs. To set alarm parameters 1. Choose Configure > System Settings > Alarms to display the Alarms page. Figure Alarms Page 68 Interceptor Appliance User s Guide

75 Configuring System Settings Configuring the Interceptor Appliance 2. Under Enable Alarms, use the controls to complete the configuration as described in the following table. Control CPU Utilization Temperature Network Interface Duplex Errors Network Interface Link Errors Fan Error Memory Error Extended Memory Paging Activity System Disk Full Specify this option to trigger an alarm if the average and peak threshold for the CPU utilization is exceeded. When an alarm reaches the rising threshold, it is activated; when it reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. Set the following: Rising Threshold - Specify a whole number to specify a percent of CPU utilization. Reset Threshold - Specify a whole number to specify a percent of CPU utilization. This alarm is enabled by default, with a rising threshold of 90% and a reset threshold of 70%. Triggers an alarm when the CPU temperature exceeds the rising threshold. When the CPU returns to the reset threshold, the rising alarm is cleared. The default value for the rising threshold temperature is 70º C; the default reset threshold temperature is 67º C. Rising Threshold - Specify the rising threshold (º C). When an alarm reaches the rising threshold, it is activated. The default value is 70º C. Reset Threshold - Specify the reset threshold (º C). When an alarm reaches the lowest or reset threshold, it is reset. After an alarm is triggered, it is not triggered again until it has fallen below the reset threshold. The default value is 67º C. Triggers a duplex interface alarm if the system has encountered a large number of packet errors in your network. If you receive this alarm, check the speed and duplex settings on the Interceptor appliances on each side of your network. Make sure the speed and duplex settings on your Interceptor appliances match the settings on your switch and router. Triggers an alarm if network interface link errors are detected. If you receive this alarm, check the status of the interface to begin diagnosing the problem. Triggers an alarm if a cooling fan malfunction is detected. Specify this option to trigger an alarm if ECC memory errors are detected. This includes high rates of corrected errors and any uncorrected errors. Specify this option to trigger an alarm if extended memory paging activity is detected. If 100 pages are swapped every couple of hours, the appliance is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Support at /support.riverbed.com. This alarm is enabled by default. Specify this option to trigger an alarm if the system disk becomes full. Note: This alarm setting appears only on appliance versions of the CMC. Interceptor Appliance User s Guide 69

76 Configuring the Interceptor Appliance Configuring System Settings 3. Under Enable Alerts, use the controls to complete the configuration as described in the following table. Control Category Load Balance Alerts Cluster Alerts Oversubscription Alert Unpaired Steelhead Alert Remote Steelhead Alert Disconnected Steelhead Alert Disconnected Interceptor Alert Steelhead Admission Control Alert Steelhead Capacity Alert Steelhead Permanent Capacity Adjustment Alert Indicates when the total capacity of the remote Steelhead is much greater than the total capacity of the local Steelhead. Indicates when a local Steelhead has no remote peer. Indicates a remote Steelhead is newly discovered. Indicates when a local Steelhead has become disconnected from the current Interceptor. Indicates when another Interceptor in the same cluster has become disconnected from the current Interceptor. Indicates when a local Steelhead enters the admission control state. Indicates when a local Steelhead approaches its capacity. Indicates when the pressure metrics of local Steelhead is penalized. For details, see Enabling Pressure Monitoring on page Click Apply to apply the settings to the current configuration. 5. Click Save to save your settings permanently. Setting SNMP Parameters and Trap Receivers You can set the SNMP server settings and set up SNMP traps in the SNMP Basic page. SNMP traps are messages sent by an SNMP agent that indicate the occurrence of events. The text of the Interceptor MIB is available through the Interceptor Management Console Help tab and described in Appendix A, Interceptor MIB. Note: By default, SNMP is not enabled. 70 Interceptor Appliance User s Guide

77 . Configuring System Settings Configuring the Interceptor Appliance To set general SNMP parameters 1. Choose Configure > System Settings > SNMP Basic to display the SNMP Basic page. Figure SNMP Basic Page 2. Under SNMP Server Settings, complete the configuration as described in the following table. Control Enable SNMP Traps System Contact System Location Read-Only Community String Select to enable traps. Specify the user name for the SNMP contact. Specify the physical location of the SNMP system. Specify a password-like string to identify the read-only community. For example: public. This community string overrides any VACM settings. 3. Click Apply to apply your changes to the running configuration. 4. Click Save to save your settings permanently. Interceptor Appliance User s Guide 71

78 Configuring the Interceptor Appliance Configuring System Settings To add or remove a trap receiver 1. Under trap Receivers, complete the configuration as described in the following table. Control Add a New Trap Receiver Receiver IP Address Destination Port Receiver Type Community Enable Receiver Add Remove Selected Displays the controls to add a new trap receiver. Specify the destination IP address for the SNMP trap. Specify the destination port. Select v1, v2c, or v3 (User-based Security Model) for SNMP version. For v1 or v2 trap receivers, specify the SNMP community name; for example, public or private v3 trap receivers need a remote user with an authentication protocol, and a password and security level. Enables the trap receiver. Adds the new trap receiver to the list. Removes the selected trap receivers from the list. 2. Click Save to save your settings permanently. To test an SNMP trap 1. Choose Configure > System Settings > SNMP Basic to display the SNMP Basic page. 2. Under SNMP Trap Test, click Run. Creating SNMP v3 Users You configure SNMP v3 users in the SNMP v3 page. SNMP v3 provides additional authentication and access control for message security. For example, you can verify the identity of the SNMP entity (manager or agent) sending the message. Using SNMP v3 is more secure than SNMP v1 or v2; however, it requires more configuration steps to provide the additional security features. Basic Steps 1. Create the SNMP-server users. Users can be authenticated using either a password or a key. 2. Configure SNMP-server views to define which part of the SNMP MIB tree will be visible. 3. Configure SNMP-server groups, which map users to views, allowing you to control who can view what SNMP information. 4. Configure the SNMP-server access policies that contain a set of rules defining access rights. Based on these rules, the entity decides how to process a given request. 72 Interceptor Appliance User s Guide

79 . Configuring System Settings Configuring the Interceptor Appliance To create users for SNMP v3 1. Choose Configure > System Settings > SNMP v3 to display the SNMP v3 page. Figure SNMP v3 Page 2. Under Users, complete the configuration as described in the following table. Control Add a New User User Name Authentication Protocol Authentication Password/Password Confirm Key Add Remove Selected Displays the controls to add a new user. Specify the user name. Select an authentication method from the drop-down list: MD5 - Specifies the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value. SHA - Specifies the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5. Optionally, select either Supply a Password or Supply a Key to use while authenticating users. Specify a password. The password must have a minimum of eight characters. Retype the password in the Password Confirm text box. (Appears only when you select Supply A Key.) Specify a unique authentication key. The key is a MD5 or SHA-1 digest created using md5sum or sha1sum. Adds the user. Select the check box next to the name and click Remove Selected. 3. Click Add to apply your changes to the running configuration. 4. Click Save to save your settings permanently. Interceptor Appliance User s Guide 73

80 Configuring the Interceptor Appliance Configuring System Settings Configuring Authentication and Access Control You configure SNMP authentication and access control on the SNMP ACLs page. The features on this page apply to SNMP v1, v2c, and v3 unless noted otherwise: Security Names - Identify an individual user (v1 or v2c only). Secure Groups - Identify a security-name, security model by a group, and referred to by a groupname. Secure Views - Create a custom view using the View Access Control Model (VACM) that controls who can access which MIB objects under agent management by including or excluding specific object identifiers (OIDs). For example, some users have access to critical read-write control data, while some users have access only to read-only data. For a list of OIDs, see SNMP Traps on page 130. Security Models - A security model identifies the SNMP version associated with a user for the group in which the user resides. Secure Access Policies - Defines who gets access to which type of information. An access-policy is a comprised of <group-name, security-model, security-level, read-view-name>: read-view-name is a preconfigured view that applies to read requests by this security-name. write-view-name is a preconfigured view that applies to write requests by this security-name. notify-view-name is a preconfigured view that applies to write requests to this security-name. An access-policy is the configurable set of rules, based on which, the entity decides how to process a given request. To set secure user names 1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page. Figure SNMP ACLs Page 74 Interceptor Appliance User s Guide

81 . Configuring System Settings Configuring the Interceptor Appliance 2. Under Security Names, complete the configuration as described in the following table. Control Add a New Security Name Security Name Community String Source IP Address and Mask Bits Add Remove Selected Displays the controls to add a security name. (v1 and v2c only) Specify a name to identify a requestor allowed to issue gets and sets. The security name may make changes to the View Based Access Control Model (VACM) security name configuration. Note: Traps for v1 and v2c are independent of the security name. Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the Interceptor appliance. Note: If you specify a read-only community string (located on the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string. Specify the host IP address and mask bits to which you permit access using the security name and community string. Adds the security name. Select the check box next to the name and click Remove Selected. 3. Click Save to save your settings permanently. To set secure groups 1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page. Figure SNMP ACLs Page - Groups Interceptor Appliance User s Guide 75

82 .. Configuring the Interceptor Appliance Configuring System Settings 2. Under Groups, complete the configuration as described in the following table. Control Add a New Group Group Name Security Models and Name Pairs Add Remove Selected Displays the controls to add a new group Specify a group name. Select a security model from the first drop-down list: v1 - Select this list item to specify SNMPv1 as the security model, and then select a security name from the second drop-down list. v2c - Select this item to specify SNMPv2 as the security model, and then select a security name from the second drop-down list usm - Select this item to specify SNMPv3 (User-based Security Model), and then select a user from the second drop-down list. To add another Security Model and Name pair, click Add a New Group again. Adds the new groups to the list. Removes the selected groups from the list. 3. Click Save to save your settings permanently. To set secure views 1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page. Figure SNMP ACLs Page - Views 2. Under Views, complete the configuration as described in the following table. Control Add a New View View Name Displays the controls to add a new view. Specify a descriptive view name to facilitate administration. 76 Interceptor Appliance User s Guide

83 . Configuring System Settings Configuring the Interceptor Appliance Control Includes Excludes Add Remove Selected Specify the object identifiers (OIDs) to include in the view, separated by commas: for example, By default, the view excludes all OIDs. You can specify.iso or any subtree or subtree branch. You can specify an OID number or use its string form: for example,.iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs. Adds the view. Select the check box next to the name and click Remove Selected. 3. Click Save to save your settings permanently. To add an access policy 1. Choose Configure > System Settings > SNMP ACLs to display the SNMP ACLs page. Figure SNMP ACLs Page 2. Under Access Policies, complete the configuration as described in the following table. Control Add a New Access Policy Group Name Security Level Read View Add Remove Selected Displays the controls to add a new access policy. Select a group name from the drop-down list. Determines whether a single atomic message exchange is authenticated. Select one of the following from the drop-down list: No Auth - Does not authenticate packets and does not use privacy. This is the default setting. Auth - Authenticates packets but does not use privacy. Note: A security level applies to a group, not to an individual user. Select a view from the drop-down list. Adds the policy to the policy list. Select the check box next to the name and click Remove Selected. Interceptor Appliance User s Guide 77

84 Configuring the Interceptor Appliance Configuring System Settings 3. Click Save to save your settings permanently. Setting Up Notifications You set notification parameters for events and failures in the page. By default no addresses are specified for event and failure notification. To set event and failure notification 1. Choose Configure > System Settings > to display the page. Figure Page 78 Interceptor Appliance User s Guide

85 Configuring System Settings Configuring the Interceptor Appliance 2. Complete the configuration as described in the following table. Control SMTP Server SMTP Port Report Events via Report Failures via Report Failures to Technical Support Specify a valid SMTP server. External DNS and external access for SMTP traffic is required for this feature to function. Specify the port on the SMTP server. Select this option to report events using . Specify a space-separated list of addresses to which to send notification messages. To complete SNMP settings, see Setting SNMP Parameters and Trap Receivers on page 70. Select this option to report serious failures, such as system crashes, using . Specify a space-separated list of addresses to which to send notification messages. Select this option to report serious failures, such as system crashes, to Riverbed Technical Support. Riverbed recommends that you activate this feature so that problems are promptly corrected. 3. Click Apply to apply your settings to the running configuration. 4. Click Save to save your changes to the running configuration. Configuring Logging You set logging options in the Logging page. This section describes how to modify local logging and how to set remote logging for the Interceptor appliance. It includes the following sections: Setting Up System Logging on page 79 Configuring Remote Log Servers on page 81 Filtering Logs by Application or Process on page 82 Setting Up System Logging You configure logging for the system at the top of the Logging page. Interceptor Appliance User s Guide 79

86 Configuring the Interceptor Appliance Configuring System Settings To set up logging 1. Choose Configure > System Settings > Logging to display the Logging page. Figure Logging Page 2. To rotate the logs immediately, under Log Actions at the bottom of the page, click Rotate Logs. After the logs are rotated, the following message appears: logs have been successfully rotated You can also schedule a log rotation based on time or the amount of disk space the log uses, described next. 3. Under Logging Configuration, complete the configuration as described in the following table. Control Minimum Severity Maximum Number of Log Files Select the minimum severity level for the system log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list: Emergency - Emergency, the system is unusable. Alert - Action must be taken immediately. Critical - Conditions that affect the functionality of the Steelhead appliance. Error - Conditions that probably affect the functionality of the Steelhead appliance. Warning - Conditions that could affect the functionality of the Steelhead appliance, such as authentication failures. Notice - Normal but significant conditions, such as a configuration change. Info - Informational messages that provide general information about system operations. Note: This control applies to the system log only. It does not apply to the user log. Specify the maximum number of logs to store. The default value is Interceptor Appliance User s Guide

87 Configuring System Settings Configuring the Interceptor Appliance Control Lines Per Log Page Specify the number of lines per log page. The default value is 100. Rotate Based On Select one of the following rotation options: Time - Select Day, Week, or Month from the drop-down list. Disk Space - Specify how much disk space, in megabytes, the log uses before it rotates. The default value is 16 MB. Note: The log file size is checked at 10 minute intervals. If there is an unusually large amount of logging activity, it is possible for a log file to grow larger than the set disk space limit in that period of time. 4. Click Apply to apply your changes to the running configuration. 5. Click Save to save your settings permanently. Configuring Remote Log Servers You configure remote log servers on the Logging page. To add or remove a log server 1. Choose Configure > System Settings > Logging to display the Logging page. Figure Logging Page 2. Under Remote Log Servers, complete the configuration as described in the following table. Control Add a New Log Server Server IP Displays the controls for configuring new log servers. Specify the server IP address. Interceptor Appliance User s Guide 81

88 Configuring the Interceptor Appliance Configuring System Settings Control Minimum Severity Add Remove Selected Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list: Emergency - Emergency, the system is unusable. Alert - Action must be taken immediately. Critical - Conditions that affect the functionality of the Interceptor appliance. Error - Conditions that probably affect the functionality of the Interceptor appliance. Warning - Conditions that could affect the functionality of the Interceptor appliance, such as authentication failures. Notice - Normal but significant conditions, such as a configuration change. Info - Informational messages that provide general information about system operations. Adds the server to the list. Click the check box next to the name and click Remove Selected. 3. Click Save to save your settings permanently. Filtering Logs by Application or Process You can filter a log by one or more applications or one or more processes. This is particularly useful when capturing data at a lower severity level where a Interceptor appliance might not be able to sustain the flow of logging data the service is committing to disk. To filter a log 1. Choose Configure > System Settings > Logging to display the Logging page. Figure Filtering a Log 82 Interceptor Appliance User s Guide

89 Configuring System Settings Configuring the Interceptor Appliance 2. Under Per-Process Logging, complete the configuration as described in the following table. Control Add a New Process Logging Filter Process Minimum Severity Add Remove Selected Displays the controls for adding a process-level logging filter. Select a process to include in the log from the drop-down list: cmcfc - CMC client auto-registration utility. rgpd - CMC client daemon. rgp - CMC process, which handles CMC appliance communication. cli - Riverbed Command-Line Interface. mgmtd - Device control and management, which directs the entire device management system. It handles message passing between various management daemons, managing system configuration and general application of system configuration on the hardware underneath through the hald. hald - Hardware Abstraction Daemon, which handles access to the hardware. pm - Process Manager, which handles launching of internal system daemons and keeps them up and running. sched - Process Scheduler, which handles one-time scheduled events. statsd - Statistics Collector, which handles queries and storage of system statistics. wdt - Watchdog Timer, the motherboard watchdog daemon. webasd - Web Application Process, which handles the Web user interface. Select the minimum severity level for the log messages. The log contains all messages with this severity level or higher. Select one of the following levels from the drop-down list: Emergency - Emergency, the system is unusable. Alert - Action must be taken immediately. Critical - Conditions that affect the functionality of the Interceptor appliance. Error - Conditions that probably affect the functionality of the Interceptor appliance. Warning - Conditions that could affect the functionality of the Interceptor appliance, such authentication failures. Notice - Normal but significant conditions, such as a configuration change. Info - Informational messages that provide general information about system operations. Adds the filter to the list. The process now logs at the selected severity and higher level. Select the check box next to the name and click Remove Selected to remove the filter. 3. Click Save to save your settings permanently. Interceptor Appliance User s Guide 83

90 Configuring the Interceptor Appliance Configuring Security Settings Configuring Security Settings This section describes how to configure security settings for the system. It includes the following sections: Configuring General Security Settings on page 84 Managing User Permissions on page 85 Configuring RADIUS Server Authentication on page 86 Configuring TACACS+ Server Authentication on page 88 Configuring Web Settings on page 90 Configuring General Security Settings You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Configure > Security > General Security Settings page. Important: Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so forth, until all the methods have been attempted. Tip: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server: service = rbt-exec { local-user-name = "monitor" } where you replace monitor with admin for write access. For detailed information about setting up RADIUS and TACACS+ servers, see the Riverbed Deployment Guide. To set general security settings 1. Choose Configure > Security > General Security Settings to display the General Security Settings page. Figure General Security Settings Page 84 Interceptor Appliance User s Guide

91 Configuring Security Settings Configuring the Interceptor Appliance 2. Under Authentication Methods, complete the configuration as described in the following table. Control Authentication Methods For RADIUS/ TACACS+, fallback only when servers are unavailable. Apply Specifies an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so forth, until all the methods have been attempted. When checked, indicates fallback to a RADIUS or TACACS+ server only when all of the other servers have not responded. This is the default setting. When this feature is disabled, the Interceptor appliance does not fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and does not get a response, it returns a server failure. Applies your settings to the running configuration. 3. Click Save to save your settings permanently. Managing User Permissions You can check or modify the admin and monitor user accounts in the User Permissions page. The administrator user has full privileges in the Interceptor appliance. For example, as an administrator you can set and modify configuration settings, restart the Interceptor service, reboot the appliance, and create and display performance and system reports. A monitor user can display Interceptor reports and system logs; a monitor user cannot make configuration changes to the Interceptor appliance. Note: The default administrator password is password. You can change the administrator or monitor passwords, and define role-based users in the Configure > Security > User Permissions page. The system has two accounts based on what actions the user can take: Admin - The administrator user has full privileges. For example, as an administrator you can set and modify configuration settings, add and delete users, restart and reboot Interceptor services, and create and view performance and system reports. Monitor - A monitor user can view reports. A monitor user cannot make configuration changes or change their own password. Interceptor Appliance User s Guide 85

92 Configuring the Interceptor Appliance Configuring Security Settings To set the administrator or monitor password 1. Choose Configure > Security > User Permissions to display the User Permissions page. Figure User Permissions Page 2. Under Capability Based Accounts, complete the configuration as described in the following table. Control admin/monitor Enable Account Use Password Password Password Confirm Click one of the user names to manage either the administrator or monitor account password. Select or clear this option to enable or disable the administrator or monitor account. Select or clear this option to enable or disable password protection for the administrator or monitor account. If password protection is enabled, you can specify or change the password in the text box. The password must contain a minimum of six characters. Confirm the new administrator or monitor password. 3. Click Apply. 4. Click Save to save your settings permanently. Configuring RADIUS Server Authentication You set up RADIUS server authentication in the Configure > Security > RADIUS page. RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional. For detailed information about setting up RADIUS and TACACS+ servers, see the Riverbed Deployment Guide. Enabling this feature is optional. 86 Interceptor Appliance User s Guide

93 Configuring Security Settings Configuring the Interceptor Appliance To set RADIUS server authentication 1. Choose Configure > Security > RADIUS to display the RADIUS page. Figure RADIUS Page 2. Under Default RADIUS Settings, complete the configuration as described in the following table. Control Set a Global Default Key Global Key Confirm Global Key Enables a global server key for the RADIUS server. Specify the global server key. Confirm the global server key. Timeout (seconds) Specify the time-out period in seconds (1-60). The default value is 3. Retries Specify the number of times you want to allow the user to retry authentication. The default value is Click Apply to apply the settings to the current configuration. Interceptor Appliance User s Guide 87

94 Configuring the Interceptor Appliance Configuring Security Settings 4. To add a new RADIUS server, complete the configuration as described in the following table. l Control Add a Radius Server Server IP Address Displays the controls for defining a new RADIUS server. Specify the server IP address. Authentication Port Specify the port for the server. The default value is Override the Global Default Key Overrides the global server key for the server. Server Key - Specify the override server key. Confirm Server Key - Confirm the override server key. Timeout (seconds) Specify the time-out period in seconds (1-60). The default value is 3. Retries Enabled Add Remove Selected Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default value is 1. Enables the new server. Adds the RADIUS server to the list. Select the check box next to the name and click Remove Selected. Note: If you add a new server to your network and you do not specify these settings at that time, the global settings are applied automatically. 5. Click Apply to apply the settings to the current configuration. 6. Click Save to save your settings permanently. Configuring TACACS+ Server Authentication You set up TACACS+ server authentication in the Configure > Security > TACACS+ page. Enabling this feature is optional. TACACS+ is an authentication protocol that allows a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system. For detailed information about configuring RADIUS and TACACS+ servers to accept login requests from the Steelhead appliance, see the Riverbed Deployment Guide. 88 Interceptor Appliance User s Guide

95 Configuring Security Settings Configuring the Interceptor Appliance To set a TACACS+ server 1. Choose Configure > Security > TACACS+ to display the TACACS+ page. Figure TACACS+ Page 2. Under Default TACACS+ Settings, complete the configuration as described in the following table. Control Set a Global Default Key Global Key Confirm Global Key Specify this option to enable a global server key for the server. Specify the global server key. Confirms the global server key. Timeout (seconds) Specify the time-out period in seconds (1-60). The default value is 3. Retries Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default is Click Apply to apply the settings to the current configuration. Interceptor Appliance User s Guide 89

96 Configuring the Interceptor Appliance Configuring Security Settings 4. To add a TACACS+ server, complete the configuration as described in the following table. Control Add a TACACS+ Server Server IP Address Displays the controls for defining a new TACACS+ server, as described in this table. Specify the server IP address. Authentication Port Specify the port for the server. The default value is 49. Authentication Type Override the Global Default Key Server Key Confirm Server Key Select either PAP or ASCII as the authentication type. Specify this option to override the global server key for the server. Specify the override server key. Confirm the override server key. Timeout (seconds) Specify the time-out period in seconds (1-60). The default is 3. Retries Enabled Add Remove Selected Specify the number of times you want to allow the user to retry authentication. Valid values are 0-5. The default is 1. Enables the new server. Adds the TACACS+ server to the list. Select the check box next to the name and click Remove Selected. 5. If you add a new server to your network and you do not specify these fields at that time, the global settings are applied automatically. 6. Click Save to save your settings permanently. Configuring Web Settings You can modify Web user interface settings in the Configure > Security > Web Settings page. To modify Web settings 1. Choose Configure > Security > Web Settings to display the Web Settings page. Figure Web Settings Page 90 Interceptor Appliance User s Guide

97 Maintaining Your System Configuring the Interceptor Appliance 2. Under Web Settings, complete the configuration as described in the following table. Control Default Web Login ID Web Inactivity Timeout (minutes) Allow Session Timeouts on Auto- Refreshing Pages Specify the user name that appears on the authentication page. The default value is admin. Specify the number of idle minutes before the session times out. The default value is 15. A value of 0 disables this feature. By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear this box to disable the session time-out, remain logged-in indefinitely, and automatically refresh the report pages. Important: Disabling this feature poses a security risk. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. Maintaining Your System This section describes how to view job status, upgrade your software, and how to shut down and reboot the system. It includes the following sections: Stopping, Starting, and Restarting the Service on page 91 Displaying Scheduled Jobs and Job Status on page 92 Managing Licenses on page 94 Upgrading Your Software on page 95 Rebooting and Shutting Down the Interceptor Appliance on page 96 Stopping, Starting, and Restarting the Service You can start, stop, and restart the Interceptor service in the Configure > Maintenance > Services page. You can also use this page to reset the service alarm after it has been triggered. The Interceptor service is a daemon that executes in the background, performing operations when required. Many of the Interceptor service commands are initiated at startup. After you make changes to your configuration, it is important to restart the Interceptor service. Important: Restarting the Interceptor service disrupts existing network connections that are proxied through the Interceptor appliance. Stopping the Interceptor service is not persistent across restarts or reboots of the Interceptor appliance. When you stop the Interceptor service, all configured in-path IP addresses and ports are disabled, and this causes optimization of Steelhead appliance traffic to stop. However, the Interceptor service automatically restarts and optimization of Steelhead appliance traffic resumes when you restart or reboot the Interceptor appliance. Interceptor Appliance User s Guide 91

98 Configuring the Interceptor Appliance Maintaining Your System To start, stop, or restart services 1. Choose Configure > Maintenance > Services to display the Services page. Figure Services Page 2. Under Service, click Stop, Start, or Restart. Stopping the Interceptor service is not persistent across restarts or reboots of the Interceptor appliance. When you restart or reboot the Interceptor appliance, the Interceptor service automatically restarts and optimization of Steelhead appliance traffic resumes. 3. Click Save to save your settings permanently. To reset the service alarm 1. Choose Configure > Maintenance > Services to display the Services page. The option to reset the service alarm appears only after the service triggers the Reset Service Alarm. 2. Under Reset Service Alarm, click Reset Service Alarm. 3. Click Save to save your settings permanently. Displaying Scheduled Jobs and Job Status You can view completed, pending, inactive jobs, as well as jobs that were not completed because of an error in the Scheduled Jobs page. Jobs are CLI commands that execute at a time you specify. The only jobs you can schedule using the Interceptor appliance are software upgrades and configuration pushes; for all other jobs, you must use the CLI. For detailed information about scheduling jobs using the CLI, see the Riverbed Command-Line Interface Reference Manual. 92 Interceptor Appliance User s Guide

99 Maintaining Your System Configuring the Interceptor Appliance To display job status 1. Choose Configure > Maintenance > Scheduled Jobs to display the Scheduled Jobs page. Figure Scheduled Jobs Page 2. To cancel a job or to remove a completed job from the list, select the check box next to the entry and click Remove Selected Jobs. 3. Select the Job ID number to display details about the job. 4. Optionally, under Details for Job <#>, complete the configuration as described in the following table. Control Name Comment Interval (seconds) Executes On Enable/Disable Job Apply Changes Cancel This Job Execute Now Remove Selected Jobs Specify a name for the job. Specify a comment. Specify how often the job runs. The default value is 0, which runs the job once. Specify the date on which the job runs. Enables the job. Applies the changes to the current configuration. Cancels the job. Runs the job. Select the check box next to the name and click Remove Selected Jobs. 5. Click Save to save your settings permanently. Interceptor Appliance User s Guide 93

100 Configuring the Interceptor Appliance Maintaining Your System Managing Licenses You can install and manage licenses on the Interceptor appliance in the Licenses page. To install a license 1. Choose Configure > Maintenance > Licenses to display the Licenses page. Figure Licenses Page 2. Under Licenses, complete the configuration as described in the following table. Control Add a New License Licenses Text Box Add Displays the controls to add a new license. Copy and paste the license key provided by Riverbed Support or Sales into the text box. Tip: Separate multiple license keys with a space, Tab, or Enter. Adds the license. 3. Click Save to save your settings permanently. Removing a License Riverbed recommends that you keep old licenses in case you want to downgrade to an earlier software version. To remove a license 1. Choose Configure > Maintenance > Licenses to display the Licenses page. 2. Select the license you want to delete. 3. Click Remove Selected. 4. Click Save to save your settings permanently. 94 Interceptor Appliance User s Guide

101 Maintaining Your System Configuring the Interceptor Appliance Upgrading Your Software You can upgrade or revert to a backup version of the software in the Software Upgrade page. To upgrade or revert software versions 1. Choose Configure > Maintenance > Software Upgrade to display the Software Upgrade page. Figure Software Upgrade Page 2. To revert to a backed up version, click Switch to Backup Version under Software Upgrade. 3. Under Install Upgrade, complete the configuration as described in the following table. Control From URL From Local File Schedule Upgrade for Later Install Cancel Select this option and type the URL. If you specify a URL in the URL text box, the image is uploaded, installed, and the system is rebooted at the time you specify. Select this option and type the path or click Browse to go to the local file directory. If you specify a file to upload in the Local File text box, the image is uploaded immediately, however the image is installed and the system is rebooted at the time you specify. Schedules the upgrade process. Specify the date and time to run the upgrade: Date - Use the following format: YYYY/MM/DD. Time - Use the following format: HH:MM:SS. Installs the software upgrade on your system. Cancels your changes. Interceptor Appliance User s Guide 95

102 Configuring the Interceptor Appliance Changing the Administrative Password 4. Reboot the Interceptor appliance. Rebooting and Shutting Down the Interceptor Appliance You can reboot or shut down the system in the Reboot/Shutdown page. To restart the system, you must manually turn on the appliance. Rebooting the Interceptor appliance does not affect the optimization of the Steelhead appliances. To reboot or shut down the system 1. Choose Configure > Maintenance > Reboot/Shutdown to display the Reboot/Shutdown page. Figure Reboot/Shutdown Page 2. Click Reboot. After you click Reboot, you are logged out of the system and it is rebooted. 3. Click Shutdown to shut down the system. After you click Shutdown, the system is turned off. Changing the Administrative Password You can change the admin password in the My Account page. You must be logged in as the admin user to change the administrator password. To change the admin password 1. Choose Configure > My Account to display the My Account page. Figure My Account Page 96 Interceptor Appliance User s Guide

103 Managing Configuration Files Configuring the Interceptor Appliance 2. Under Password, complete the configuration as described in the following table. Control Change Password New Password Confirm New Password Select this option to change the password. Specify a new password. Confirm the new password. 3. Click Apply to apply the settings to the current configuration. 4. Click Save to save your settings permanently. Managing Configuration Files You can save, activate, and import configurations in the Configurations page. Each Interceptor appliance has an active, running configuration and a written, saved configuration. When you apply your settings in the Interceptor appliance, the values are applied to the active running configuration, but the values are not written to disk and saved permanently. When you save your configuration settings, the values are written to disk and saved permanently. They take effect after you restart the RiOS services to which the configuration was pushed. Each time you save your configuration settings, they are written to the current running configuration, and a backup is created. For example, if the running configuration is myconfig and you save it, myconfig is backed up to myconfig.bak and myconfig is overwritten with the current configuration settings. The Configuration Manager is a utility that enables you to save configurations as backups or to activate configuration backups. Interceptor Appliance User s Guide 97

104 Configuring the Interceptor Appliance Managing Configuration Files To manage configurations 1. Choose Configure > Configurations to display the Configurations page. Figure Configurations Page 2. Under Current Configuration: <name>, use the following controls to view, save, or revert configurations. Control View Running Configuration Save Revert Click to display the running configuration settings in a new browser window. Click to save settings that have been applied to the running configuration. Reverts your settings to the running configuration. 3. Under Save Current Configuration, specify a new filename to save settings that have been applied to the running configuration as a new file, and then click Save. 98 Interceptor Appliance User s Guide

105 Managing Configuration Files Configuring the Interceptor Appliance 4. To import a configuration from another appliance, click Import a New Configuration and complete the configuration as described in the following table. Control IP/Hostname Remote Admin Password Remote Config Name New Config Name Import Shared Data Only Add Remove Selected Specify the IP address or hostname of the Interceptor appliance from which you want to import the configuration. Specify the administrator password for the remote Interceptor appliance. Specify the name of the configuration you want to import from the remote Interceptor appliance. Specify a new, local configuration name. This value is enabled by default. Copies only the following common settings: in-path and out-of-path interface, protocols, CLI and Web, statistics, NTP, SNMP, and alarm settings. The system does not automatically copy the following settings: failover, SNMP (contact and location), log, and network settings. Adds the configuration. The imported configuration appears in the Configuration list but does not become the active configuration until you click Activate. Select the check box next to the name and click Remove Selected. Tip: Click the configuration name to display the configuration settings in a new browser window. 5. To change the currently active configuration, select another configuration from the drop-down list under Change Active Configuration, and click Activate. Important: You must restart the Interceptor appliance for a new configuration to take effect. For details, see Stopping, Starting, and Restarting the Service on page 91. Interceptor Appliance User s Guide 99

106 Configuring the Interceptor Appliance Managing Configuration Files 100 Interceptor Appliance User s Guide

107 CHAPTER 3 Displaying and Customizing Reports This chapter describes how to display and customize Interceptor health, network, and diagnostic reports. It includes the following sections: Displaying Networking Reports on page 101 Displaying Diagnostics Reports on page 109 Exporting Report Data on page 127 Displaying Networking Reports This section describes how to display reports that summarize the current status of the Interceptor appliance. It includes the following procedures: Displaying the Interceptors Report on page 102 Displaying the Steelheads Report on page 105 Displaying the Interface Counters Report on page 107 Interceptor Appliance User s Guide 101

108 Displaying and Customizing Reports Displaying Networking Reports Displaying the Interceptors Report The Interceptors report provides the connection status of all local Interceptor appliances in the same network.the report lists Interceptor appliances deployed in parallel to cover asymmetric routing, as well the Interceptor appliance that functions as a failover Interceptor to the current Interceptor appliance. For detailed information about configuring Interceptor appliances, see Configuring Interceptor-to-Interceptor Communication on page 37. What This Report Tells You The Interceptors report answers the following questions: What software version is running on the cluster Interceptor appliance? What is the network address (IP and port) of the cluster Interceptor appliance? Through which interface are the cluster Interceptor appliances connecting? What is the current connection status? Are all Interceptor appliances running the same software version? To display the Interceptors report Choose Reports > Networking > Interceptors to display the Interceptors page. Figure 3-1. Interceptors Page 102 Interceptor Appliance User s Guide

109 Displaying Networking Reports Displaying and Customizing Reports The report provides the following basic information about each of the local Interceptor appliances. Field Name Interfaces Contact s Displays the names of the Interceptor appliances. Displays the IP address of the Interceptor appliance and the name of the interface through which the appliance communicates with other Interceptor appliances. Displays an icon that indicates the current state of the connection between the Interceptor appliance and other local Interceptor appliances, and also the date and time of the last reconnection with the other local Interceptor appliances. The following list describes the Interceptor-to-Interceptor connection states: Active - The Interceptor appliance is currently forwarding connections. Connected - The Interceptor appliance is able to forward connections. Connecting - The Interceptor appliance is in the process of establishing a connection with the cluster Interceptor appliance. Resyncing - A connection has been established and the Interceptor appliance is receiving the state information from the cluster Interceptor appliance. Disconnected - The Interceptor appliance is not connected to a cluster appliance for which a connection has been configured. To display the details of a specific Interceptor appliance, click the appliance name in the Name column. Figure 3-2. Interceptors Page with Appliance Name Selected The report provides the following details about the selected Interceptor appliance. Field Host Version Communication Type s Displays the hostname of the selected cluster Interceptor appliance. Displays the current software version running on the selected cluster Interceptor appliance. Displays the type of communication (for example, Connection Forwarded) between this Interceptor appliance and the selected cluster Interceptor appliance. Interceptor Appliance User s Guide 103

110 Displaying and Customizing Reports Displaying Networking Reports Field Contacted At Failover Interceptor Interceptor Interfaces s Displays an icon that indicates the current state of the connection between this Interceptor appliance and the selected cluster Interceptor appliance, and it also displays the date and time of the last reconnection with the selected Interceptor appliance. The icon represents one of the following connection states: Active - The selected cluster Interceptor appliance is currently redirecting connections. Connected - The selected cluster Interceptor appliance is able to redirect connections. Connecting - The selected cluster Interceptor appliance is in the process of establishing a connection with the cluster appliance. Resyncing - The selected cluster Interceptor appliance is resynchronizing. Disconnected - The Interceptor appliance is not connected to a cluster Steelhead appliance for which a connection has been configured. Displays the hostname and IP address of the Interceptor appliance that functions as a failover Interceptor to the current appliance, if a failover appliance is configured. Displays the following information about the interfaces through which the appliance communicates: IP - IP address on this Interceptor appliance port - Port number on this Interceptor appliance Contact - Date and time of the last reconnection with this Interceptor appliance 104 Interceptor Appliance User s Guide

111 Displaying Networking Reports Displaying and Customizing Reports Displaying the Steelheads Report The Steelheads report provides the connection status of the pool of Steelhead appliances for which the Interceptor appliance monitors and balances load. For detailed information about configuring Steelhead appliances, see Configuring Interceptor-to- Steelhead Communication on page 43. What This Report Tells You The Steelheads report answers the following questions: What software version is running on the cluster Steelhead appliance? What is the network address (IP and port) of the cluster Steelhead appliance? Through which interface are the cluster Steelhead appliances connecting? What is the current connection status? What is the maximum number of current optimized connections to the cluster Steelhead appliance? When did the cluster Steelhead appliances last connect? To display the Steelheads report 1. Choose Reports > Networking > Steelheads to open the Steelheads page. Figure 3-3. Steelheads Page The report provides the following basic information about cluster Steelheads connections. Field Name Version Interfaces Connections Displays the names of the local Steelhead appliances. Displays the software version for the cluster Steelhead appliance. Displays the IP address and port for the Steelhead appliance, as well as the interface through which the Steelhead appliances communicate. Displays the ratio of the Steelhead appliance s optimized connections to the admission control limit. Interceptor Appliance User s Guide 105

112 Displaying and Customizing Reports Displaying Networking Reports Field Pressure Contact Displays an icon indicating the current burden on the resources (CPU utilization, available memory, and number of connections) of the specified Steelhead appliance. The icons represent the following pressure levels: Normal Pressure, High Pressure, Severe Pressure, Capacity Adjustment, or Paused. For detailed information about pressure, see Enabling Pressure Monitoring on page 57. Displays an icon followed by the date and time of the last reconnection with the Interceptor appliance. The icib indicates the current connection state of the cluster Steelhead appliance: Connected, Handshake, Connecting, Resyncing, or Incompatible. 2. You can open a detailed report for each appliance in the list to view the following information. Field Host Version Control State Contacted at Optimized Connections Admission Control Pressure Total Capacity Reduction Admission Control After Capacity Adjustment Steelhead Interfaces s Displays the network ID of the selected appliance. Displays the current software version. Displays the current control state: Connected, Handshake, Connecting, Resyncing, or Incompatible. Displays a time-stamp for the last reconnection with the cluster Steelhead appliance. Number of optimized connections directed to the Steelhead appliance from the Interceptor appliance. The connection limit specified for the Steelhead appliance. Displays the pressure value of the specified Steelhead appliance. For detailed information about pressure, see Enabling Pressure Monitoring on page 57. Displays the capacity reduction values currently imposed on the specified Steelhead appliance based on the pressures value. For the Pressure Monitoring feature to affect load balancing, it must enabled in conjunction with the Fair Peering v2 feature, For details, see Enabling Pressure Monitoring on page 57. The remaining capacity after pressure penalties are factored in. Displays information about the interface for the selected appliance: IP - IP address of the Interceptor appliance port - Port number of the Interceptor appliance, which is the interface through which the appliances communicate Contact - The date and time of the most recent contact 106 Interceptor Appliance User s Guide

113 Displaying Networking Reports Displaying and Customizing Reports Displaying the Interface Counters Report The Interface Counters report summarizes the statistics for the primary, in-path LAN and WAN, and auxiliary interfaces. It also displays the IP address, speed, duplex, MAC address, and current status for each interface. Tip: For auto-negotiated speed and duplex settings, the Interfaces Statistics report displays the speed at which they were negotiated. Note: If you have multiple dual port or Four-Port Copper Gigabit-Ethernet Bypass cards installed, the Interface Statistics report displays the interface statistics for each LAN and WAN port. What This Report Tells You The Interface Statistics report answers the following questions: How many packets am I transmitting? How many errors are there in each transmission? What is the current status of my interface? Interceptor Appliance User s Guide 107

114 Displaying and Customizing Reports Displaying Networking Reports To display the Interface Counters report Choose Reports > Networking > Interface Counters to display the Interface Statistics page. Figure 3-4. Interface Statistics Page The Interface Counters report displays the following statistics. Counter Interface primary - Specifies the IP address for the primary interface. aux - Specifies the IP address for the auxiliary interface. LANx_x - Specifies the IP address for the specified LAN interface. WANx_x - Specifies the IP address for the specified WAN interface. IP Ethernet Link Receive Packets Transmit Packets Specifies the IP address for the interface. Specifies the MAC address, speed, and duplex setting for the interface. Use this information to troubleshoot speed and duplex problems. Make sure the speed for the Steelhead appliance matches the WAN or LAN interfaces. Riverbed recommends setting the speed to 100 and duplex to full. Specifies true or false to indicate whether the link is up or down. Specifies the total number of packets, packets discarded, errors encountered, packets overrun, frames sent, and multicast packets sent. Specifies the total number packets, packets discarded, errors encountered, packets overrun, carriers used, and collisions encountered. 108 Interceptor Appliance User s Guide

115 Displaying Diagnostics Reports Displaying and Customizing Reports Displaying Diagnostics Reports This section describes how to display Interceptor appliance system files to help diagnose problems. It includes the following sections: Displaying Alarm Status Reports on page 110 Displaying Connection Tracing Reports on page 113 Displaying CPU Utilization Reports on page 114 Displaying Memory Paging Reports on page 115 Viewing Logs on page 116 Downloading Logs on page 120 Viewing the System Dumps List on page 121 Viewing the Process Dumps List on page 122 Viewing the TCP Dumps List on page 123 Interceptor Appliance User s Guide 109

116 Displaying and Customizing Reports Displaying Diagnostics Reports Displaying Alarm Status Reports The Alarm Status report provides an individual alarm status (OK, TRIGGERED, or DISABLED) for each of the Interceptor appliance alarm events. What This Report Tells You The Alarm Status report answers the following question: What is the current status of the Interceptor appliance? To display the Alarm Status report Choose Reports > Diagnostics > Alarm Status to display the Alarm Status page. Figure 3-5. Alarm Status Page The Interceptor appliance alarm events are listed in the following table. Alarm Admission Control - Connection Limit Admission Control - Memory Indicates Whether the Interceptor connection limit has been reached. Additional connections are passed through unoptimized. The alarm clears when the Interceptor appliance moves out of this condition. Indicates when the memory is running out on a local attached Steelhead appliance that is in admission control. 110 Interceptor Appliance User s Guide

117 Displaying Diagnostics Reports Displaying and Customizing Reports Alarm CPU Utilization Duplex Fan Error Hardware Error Link Propagation Link State Load Balance Service Load Balancing Alert Local Interceptors Alert Local Steelheads Alert Indicates Whether the Interceptor CPU threshold has been reached. If the system has reached the CPU threshold, check your settings. For details, see Setting Alarm Parameters on page 68. If your alarm thresholds are correct, reboot the Interceptor appliance. For details, see Rebooting and Shutting Down the Interceptor Appliance on page 96. Whether the Interceptor appliance has encountered a large number of packet errors in your network. Make sure that the speed and duplex settings on your system match the settings on your switch and router. This alarm is enabled by default. Whether the system has detected a problem with the fans. Fans in 3U systems can be replaced. Contact Riverbed Support at support.riverbed.com and file a trouble ticket to order a replacement fan. Procedures for replacing fans are described in the Upgrade and Maintenance Guide. Indicates the system has detected a problem with the Steelhead appliance hardware. The following issues trigger the hardware error alarm: the Steelhead appliance does not have enough disk, memory, CPU cores, or NIC cards to support the current configuration the Steelhead appliance is using a memory Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not qualified by Riverbed an RSP upgrade requires additional memory or a memory replacement other hardware issues The alarm clears when you add the necessary hardware, remove the non-qualified hardware, or resolve other hardware issues. Whether the Interceptor appliance has detected a change in link state and propagated the change to the dynamic routing table. The Interceptor appliance monitors the link state of devices in its path, including routers, switches, interfaces, and in-path interfaces. Whether the system has detected a link that is down. Whether the load-balancing service is properly configured. Indicates when the total capacity of the remote Steelheads is much greater than the total capacity of the local Steelheads (oversubscription). Indicates when a local Interceptor is: disconnected from the current Interceptor appliance nearing or has reached capacity Indicates when a local Steelhead is: disconnected from the Interceptor appliance under admission control nearing or has reached capacity in permanent capacity reduction not paired with a cluster Steelhead Interceptor Appliance User s Guide 111

118 Displaying and Customizing Reports Displaying Diagnostics Reports Alarm Memory Error Memory Paging Network Bypass Power Supply Process Dump Staging Directory Inaccessible RAID Secure Vault System Disk Full Temperature Indicates Whether the system has detected a problem with an appliance memory module. Memory modules in both 1U and 3U appliances can be replaced. Contact Riverbed Support at and file a trouble ticket to order a replacement. Procedures for replacing memory modules are described in the Upgrade and Maintenance Guide. Whether the Interceptor memory paging threshold has been reached. If 100 pages are swapped approximately every two hours, the Interceptor appliance is functioning properly. If thousands of pages are swapped every few minutes, reboot the Interceptor appliance. For details, see Rebooting and Shutting Down the Interceptor Appliance on page 96. If rebooting does not solve the problem, contact Riverbed Technical Support at support.riverbed.com. Whether the system is in bypass mode. If the Interceptor appliance is in bypass mode, restart the Interceptor service. If restarting the service does not resolve the problem, contact Riverbed Technical Support at Whether the system has detected a problem with the power supply. Power supply units in both 1U and 3U appliances can be replaced. Contact Riverbed Support at and file a trouble ticket to order a replacement. Procedures for replacing power supply units are described in the Upgrade and Maintenance Guide. Indicates that the current Interceptor appliance is unable to access the local staging directory for process dumps. Whether the system has encountered RAID errors (for example, missing drives, pulled drives, drive failures, and drive rebuilds). For drive rebuilds, if a drive is removed and then reinserted, the alarm continues to be triggered until the rebuild is complete. Note: Rebuilding a disk drive can take 4-6 hours. Indicates that the secure vault is locked or an error has occurred while initializing the secure vault. When the vault is locked, SSL traffic is not optimized and you cannot encrypt the data store. Whether the system partitions are almost full: for example, /var, which is used to hold logs, statistics, system dumps, tcp dumps, and so forth. Whether the CPU temperature has exceeded the critical threshold. The default value for the rising threshold temperature is 70º C; the default reset threshold temperature is 67º C. 112 Interceptor Appliance User s Guide

119 Displaying Diagnostics Reports Displaying and Customizing Reports Displaying Connection Tracing Reports The Connection Tracing report provides the current status of configured connection traces, showing the Steelhead appliances to which the Interceptor appliance has redirected specific connections. Connection traces also enable users to debug failing or unoptimized connections. For detailed information about configuring connection tracing, see Setting Connection Tracing Rules on page 62. What This Report Tells You The Connection Tracing report answers the following questions: Which redirected connections went to which Steelhead appliances? Which connection tracing rule determined the connection? Was the connection optimized, passed through, redirected, ignored, or dropped? To display the Connection Tracing report Choose Reports > Diagnostics > Connection Tracing to display the Connection Tracing page. Figure 3-6. Connection Tracing Page The report provides the following information about traced connections. Field Time Created Rule Source Destination VLAN State s Timestamp of when the traced connection was made. Displays the connection tracing rule that applies to the entry. Displays the IP address and port number of the source Steelhead appliance. Displays the IP address and port number of the destination Steelhead appliance. Displays the VLAN ID, if applicable. Displays the connection state (optimized, passthrough, redirect, remote, local, ignored, dropped or unknown). Interceptor Appliance User s Guide 113

120 Displaying and Customizing Reports Displaying Diagnostics Reports Displaying CPU Utilization Reports The CPU Utilization report summarizes the percentage of the CPU used on the Interceptor appliance within the time period specified. The report provides an interactive line graph, with the y-axis plotting CPU utilization percentage and the x-axis (or tick mark) plotting time according to the interval you select. What This Report Tells You The CPU Utilization report answers the following questions: How much CPU is being used? Did CPU utilization peak or otherwise behave unexpectedly? To display the CPU Utilization report 1. Choose Reports > Diagnostics > CPU Utilization to display the CPU Utilization page. Figure 3-7. CPU Utilization Page 2. Use the controls to customize the report as described in the following table. Control Period Refresh Go s Select a time period for the graph from the drop-down list. The default time period is Last Week. You can select one of the following time frames: Last Minute, Last 5 Minutes, Last Hour, Last Day, Last Week, Last Month, or (Custom). By default, the Custom time period specifies the last week. To configure the Custom time period for the graph, enter the Start Time and End Time and then click Go. Specify the time using the format YYYY/MM/DD HH:MM:SS. Select a data refresh interval for the graph from the drop-down list. By default, the graph is not refreshed. You can select one of the following refresh intervals: Off, 10 Seconds, 30 Seconds, or 60 Seconds. Click this button to apply your changes to the graph. 114 Interceptor Appliance User s Guide

121 Displaying Diagnostics Reports Displaying and Customizing Reports Displaying Memory Paging Reports The Memory Paging report provides the total number of memory pages, per second, utilized in the time period specified. What This Report Tells You The Memory Paging report answers the following questions: How much memory is being used? Did memory paging peak or otherwise behave unexpectedly? To display the Memory Paging report Choose Reports > Diagnostics > Memory Paging to display the Memory Paging page. Figure 3-8. Memory Paging Page The Memory Paging report includes the following table of statistics that describe memory paging activity for the time period you specify. Field Total Pages Swapped Out Average Pages Swapped Out Peak Pages Swapped Out Peak Pages Swapped Out Occurred At Displays the total number of pages swapped. If 100 pages are swapped approximately every two hours the Interceptor appliance is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Technical Support. Displays the average number of pages swapped. If 100 pages are swapped every couple of hours the Interceptor appliance is functioning properly. If thousands of pages are swapped every few minutes, contact Riverbed Technical Support. Displays the peak number of pages swapped. Displays the time and date that the peak number of pages were swapped. Interceptor Appliance User s Guide 115

122 Displaying and Customizing Reports Displaying Diagnostics Reports Viewing Logs Interceptor appliance log reports provide a high-level view of network activity. You can view both user and system logs. Viewing User Logs on page 116 Viewing System Logs on page 118 Viewing User Logs You can view user logs in the Reports > Diagnostics > User Logs page. The user log filters messages from the system log to display messages that are of immediate use to the system administrator. View user logs to monitor system activity and to troubleshoot problems. For example, you can monitor who logged in, who logged out, and who entered particular CLI commands, alarms and errors. The most recent log events are listed first. To view and customize user logs 1. Choose Reports > Diagnostics > User Logs to display the User Logs page. Figure 3-9. User Logs Page 116 Interceptor Appliance User s Guide

123 Displaying Diagnostics Reports Displaying and Customizing Reports 2. Use the controls to customize the log as described in the following table. Control Show Lines per Page Jump to Filter Go Select one of the archived logs or Current Log from the drop-down list. Specify the number of lines you want to display in the page. Select one of the following options from the drop-down list: Page - Specify the number of pages you want to display. Time - Specify the time for the log you want to display. Select one of the following filtering options from the drop-down list: Regular expression - Specify a regular expression on which to filter the log. Error or higher - Displays Error level logs or higher. Warning or higher - Displays Warning level logs or higher. Notice or higher - Displays Notice level logs or higher. Info or higher - Displays Info level logs or higher. Displays the report. 3. To print the report, choose File > Print in your Web browser to open the Print dialog box. Tip: You can continuously display new lines as the log grows and appends new data. To view a continuous log 1. Choose Reports > Diagnostics > User Logs to display the User Logs page. 2. Customize the log as described in To view and customize user logs on page Click the Launch continuous log icon in the upper-right corner of the page. Note: If the continuous log does not appear after clicking the icon, a pair of Steelhead appliances might be optimizing HTTP traffic between your Web browser and the primary or auxiliary interface of the Steelhead on which you are viewing the log, and the pair of Steelhead appliances are buffering the HTTP response. To display the continuous log, you can switch to HTTPS because the Steelhead appliances will not optimize HTTPS traffic. Alternatively, you can configure the other Steelhead appliances to pass-through traffic on the primary or auxiliary interfaces for port 80. Interceptor Appliance User s Guide 117

124 Displaying and Customizing Reports Displaying Diagnostics Reports Viewing System Logs You can view system logs in the Reports > Diagnostics > System Logs page. View System logs to monitor system activity and to troubleshoot problems. The most recent log events are listed first. To view and customize system logs 1. Choose Reports > Diagnostics > System Logs to display the System Logs page. Figure System Logs Page 118 Interceptor Appliance User s Guide

125 Displaying Diagnostics Reports Displaying and Customizing Reports 2. Use the controls to customize the log as described in the following table. Control Show Lines per Page Jump to Filter Go Select one of the archived logs or Current Log from the drop-down list. Specify the number of lines you want to display in the page. Select one of the following options from the drop-down list: Page - Specify the number of pages you want to display. Time - Specify the time for the log you want to display. Select one of the following filtering options from the drop-down list: Regular expression - Specify a regular expression on which to filter the log. Error or higher - Displays Error level logs or higher. Warning or higher - Displays Warning level logs or higher. Notice or higher - Displays Notice level logs or higher. Info or higher - Displays Info level logs or higher. Displays the report. 3. To print the report, choose File > Print in your Web browser to open the Print dialog box. Tip: You can continuously display new lines as the log grows and appends new data. To view a continuous log 1. Choose Reports > Diagnostics > System Logs to display the System Logs page. 2. Customize the log as described in To view and customize user logs on page Click the Launch continuous log icon in the upper-right corner of the page. Note: If the continuous log does not appear after clicking the icon, a pair of Steelhead appliances might be optimizing HTTP traffic between your Web browser and the primary or auxiliary interface of the Steelhead on which you are viewing the log, and the pair of Steelhead appliances are buffering the HTTP response. To display the continuous log, you can switch to HTTPS because the Steelhead appliances will not optimize HTTPS traffic. Alternatively, you can configure the other Steelhead appliances to pass-through traffic on the primary or auxiliary interfaces for port 80. Interceptor Appliance User s Guide 119

126 Displaying and Customizing Reports Displaying Diagnostics Reports Downloading Logs This section describes how to download user and system log files. You can download both user and system logs. Downloading User Logs on page 120 Downloading System Logs on page 120 Downloading User Logs You can download user logs in the User Logs Download page. Download user logs to monitor system activity and to troubleshoot problems. To download user logs Choose Reports > Diagnostics > User Logs Download to display the User Logs Download page. Figure User Logs Download Page Downloading System Logs You can download system logs in the System Logs Download page. Download system logs to monitor system activity and to troubleshoot problems. 120 Interceptor Appliance User s Guide

127 Displaying Diagnostics Reports Displaying and Customizing Reports To download system logs 1. Choose Reports > Diagnostics > System Logs Download to display the System Logs Download page. Figure System Logs Download Page 2. Click the name of the log to display the dialog box to display or save the log to disk. 3. Click Rotate Logs to archive the current log to a numbered archived log file and then clear the log so that it is empty again. Viewing the System Dumps List You can display and download system dumps in the System Dump page. A system dump contains a copy of the kernel data on the system. System dump files can help you diagnose problems in the system. Interceptor Appliance User s Guide 121

128 Displaying and Customizing Reports Displaying Diagnostics Reports To view system dump files 1. Choose Reports > Diagnostics > System Dumps to display the System Dumps page. Figure System Dumps Page 2. Select Download Link to view a previously saved system dump. 3. Click the filename to open a file or save the file to disk. 4. Select Include Statistics. 5. Click Generate System Dump to generate a new system dump. Tip: To remove an entry, select the box next to the name and click Remove Selected. Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box. Viewing the Process Dumps List You can display and download process dumps in the Process Dumps page. A process dump is a saved copy of memory including the contents of all memory, bytes, hardware registers, and status indicators. It is periodically taken to restore the system in the event of failure. Process dump files can help you diagnose problems in the system. 122 Interceptor Appliance User s Guide

129 Displaying Diagnostics Reports Displaying and Customizing Reports To view process dump files 1. Choose Reports > Diagnostics > Process Dumps to display the Process Dumps page. Figure Process Dumps Page 2. Click the filename to open a file or save the file to disk. Tip: To remove an entry, select the box next to the name and click Remove Selected. Tip: To print the report, choose File > Print in your Web browser to open the Print dialog box. Viewing the TCP Dumps List You can capture, download, and upload TCP dumps in the Reports > Diagnostics > TCP Dumps page. TCP trace dump files contain summary information for every Internet packet received or transmitted on the interface. TCP trace dump files can help diagnose problems in the system. RiOS provides an easy way to capture and retrieve multiple TCP trace dumps from the Management Console. You can generate trace dumps from multiple interfaces at the same time, limit the size of the trace dump, and schedule a specific date and time to generate a trace dump. Scheduling and limiting a trace dump by time or size allows unattended captures. The top of the TCP Dumps page displays a list of existing TCP trace dumps and the bottom of the page displays controls to create a new trace dump. It also includes the trace dumps that are currently running. The Running Capture Name list includes TCP trace dumps running at a particular time. It includes TCP trace dumps started manually and also any dumps which were scheduled previously and are now running. Interceptor Appliance User s Guide 123

130 Displaying and Customizing Reports Displaying Diagnostics Reports To capture TCP trace dumps 1. Choose Reports > Diagnostics > TCP Dumps to display the TCP Dumps page. Figure TCP Dumps Page 124 Interceptor Appliance User s Guide