Silver Peak WAN Optimization Appliances

Date post: 19-Jan-2023
Upload: khangminh22
Silver Peak WAN Optimization Appliances Appliance Manager Operator’s Guide VXOA 6.2 December 2014 PN 200030-001 Rev N

Silver Peak WAN Optimization Appliances

Appliance Manager Operator’s Guide

VXOA 6.2

December 2014

PN 200030-001 Rev N

Silver Peak Appliance Manager Operator’s Guide

Document PN 200030-001 Rev N

Date: December 2014

Copyright © 2014 Silver Peak Systems, Inc. All rights reserved. Information in this document is subject to change at any time. Use of this documentation is restricted as specified in the End User License Agreement. No part of this documentation can be reproduced, except as noted in the End User License Agreement, in whole or in part, without the written consent of Silver Peak Systems, Inc.

Trademark Notification

Silver Peak Systems™, the Silver Peak logo, Network Memory™, and Silver Peak NX-Series™ are trademarks of Silver Peak Systems, Inc. All trademark rights reserved. All other brand or product names are trademarks or registered trademarks of their respective companies or organizations.

Warranties and Disclaimers

THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SILVER PEAK SYSTEMS, INC. ASSUMES NO RESPONSIBILITY FOR ERRORS OR OMISSIONS IN THIS DOCUMENTATION OR OTHER DOCUMENTS WHICH ARE REFERENCED BY OR LINKED TO THIS DOCUMENTATION. REFERENCES TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL SILVER PEAK SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OF THIS DOCUMENTATION. THIS DOCUMENTATION MAY INCLUDE TECHNICAL OR OTHER INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE DOCUMENTATION. SILVER PEAK SYSTEMS, INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENTATION AT ANY TIME.

Silver Peak Systems, Inc.
2860 De La Cruz Boulevard, Suite 100
Santa Clara, CA 95050

1.877.210.7325 (toll-free in USA)
+1.408.935.1850

www.silver-peak.com/support

Contents

Preface

Who Should Read This Manual?
Manual Organization
Technical Support
Appliance Management Options

Chapter 1 Getting Started

Getting Started with Deployment
    Deployment Basics
    How to Adjust the Basic Deployments
Configuring Next-Hops
    Management Next-Hops
    WAN Next-Hops
    LAN Next-Hops
Modifying Interface Configuration
Taking a Quick Look at the System Page
Adding SSL Certificates and Keys for Deduplication

Chapter 2 Creating Tunnels

Overview
    How Policies Affect Tunnel Traffic
    Tunnel Characteristics
    Parallel Tunnels
Letting the Auto-Tunnel Feature Do the Work for You
Manually Creating a Traffic-Carrying Tunnel
Tunnel Compatibility Mode
Jumbo Frames and MTU Interworking
    What you need to know

Chapter 3 Building Policy Maps

What Happens to an Outbound Packet
    How the Policies are Related
    Default SET Actions
Understanding MATCH Criteria
    Configuring MATCH Criteria in a Map or Policy
    Using ACLs to Summarize Match Criteria
How Policies and ACLs Filter Traffic
Managing Applications and Application Groups
    Built-in Applications
    Defining User-Defined Applications
    Creating and Using Application Groups

Chapter 4 Route Policy

Choose an Optimization Strategy for the Traffic Path
How to Use Subnet Sharing in Common Deployments
    Data Replication and Backup Deployment
    Hub and Branch Offices Deployment
    VRRP (Master/Backup) with Subnet Sharing
    VRRP (Master/Master) with Subnet Sharing
How TCP-based Auto-Optimization Works
    Handshaking for TCP Auto-Optimization in In-Line Deployments
    Handshaking for TCP Auto-Optimization in Out-of-Path Deployments
How IP-based Auto-Optimization Works
Determining the Need for Traffic Redirection
    When using subnet sharing
    When defaulting to TCP-based or IP-based auto-optimization
    When specifying a tunnel
Where the Route Policy Can Direct Flows
    Flow directed to a tunnel
    Flow designated as auto-optimized
    Flow designated as shaped pass-through traffic
    Flow designated as unshaped pass-through traffic
    Flow dropped
    Continue option used in Tunnel Down Action
Route Policy Page Organization

Chapter 5 Bandwidth Management & QoS Policy

Overview
What Path a Flow Follows for Shaping
    Flow sent to a tunnel
    Flow sent as pass-through shaped traffic
    Flow sent as unshaped pass-through traffic
Best Practices for Bandwidth Management
    Summary of Bandwidth Assessment and Management Tasks
Defining Traffic Classes and Limits with the Shaper
    Traffic Class Configuration
    Configuring Max WAN Bandwidth
    Configuring Max Bandwidth for Pass-through Shaped Traffic
    Role of Tunnel Configuration Values and Features
QoS Policy Page Organization and Management
Handling and Marking Packets
    Applying DSCP Markings to Optimized Traffic
    Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic
    Definitions of DSCP Markings

Chapter 6 Optimization Policy

Introduction
    Network Memory
    IP Header Compression and Payload Compression
    TCP Acceleration
    Protocol Acceleration
When the Appliance Can Apply the Optimization Policy
Optimization Policy Page Organization

Chapter 7 Using Flow Redirection to Address TCP Asymmetry

Introduction
    Asymmetrical Networks and Flows
    Removing Asymmetry with Flow Redirection
    Redirection for WAN-initiated Traffic
    Avoiding Asymmetry in LAN-initiated Traffic
Configuring Flow Redirection
    Example #1: Simple Cluster with Two Physically Connected Peers
Flow Reporting

Chapter 8 Configuring and Managing VLANs

Why configure VLAN interfaces on a Silver Peak appliance?
    The Issues
    The Solutions
Behavior without VLAN Configuration
    How an outbound packet is processed on the untagged native VLAN
    Delivering Inbound Packets to the LAN: No VLAN Interfaces
Behavior with VLAN Interfaces Configured
    Multiple Logical Interfaces
    How an outbound packet is processed for a tagged tunnel
    Delivering Inbound Packets to the LAN: VLAN Interfaces Configured
    Cisco VLAN Example with Multiple Interfaces

Chapter 9 Monitoring Traffic

Overview
About Viewing Statistics
    Understanding Traffic Direction
    Viewing Counters Since Last Reboot
    Clearing Counters Non-Destructively
    Exporting Statistical Data
Application View
Network View
Viewing Charts
    Bandwidth
    Reduction
    Packets per Second
    Flow Counts
    Latency
    Loss
    Out-of-Order Packets
Viewing Application Statistics
    Table View
    Pie View
Viewing Realtime Charts
Viewing Current Flows
    How Current Flows Are Organized
    Customizing Which Columns Display
    Current Flow Details
    Resetting Flows to Improve Performance
Viewing QoS Statistics
Viewing Tunnel Statistics
    LAN/WAN Statistics
    Flows / Latency / Packet Correction Statistics
Viewing Flow Redirection Statistics
Viewing NetFlow Statistics
Viewing Interface Statistics
Viewing Bridge Mode Statistics
    Sampling of Results
Viewing Next-hop Reachability

Chapter 10 Administration Tasks

Setting the Date and Time
    Data Collection
Adding Domain Name Servers
Configuring SNMP
    Loading SNMP MIBs
    Configuring SNMP Settings
Configuring Flow Exports for Netflow
Pre-Positioning Data for Enhanced Acceleration Benefits
Managing User Accounts
Configuring Banners
Configuring Authentication, RADIUS, and TACACS+
    Authentication and Authorization
    Appliance-based User Database
    RADIUS
    TACACS+
    What Silver Peak recommends
Configuring Settings for Web Protocols and Web Users
Configuring Log Settings
    Minimum Severity Levels
    Configuring Remote Logging
Understanding the Events Log
Viewing a Log of All Alarms
Viewing the Audit Log
Managing Debug Files
    Types of Debug Files
    Saving Files to a Remote Server
    Deleting Log Files
Support Services

Chapter 11 System Maintenance

Viewing System Information
Upgrading the Appliance Manager Software
    Overview
    Installing a New Software Image into a Partition
    Installing the Software Image
    Switching to the Other Boot Partition
Backing Up and Restoring the Appliance Configuration File
    Viewing the Appliance Configuration File
    Saving the Appliance Configuration File
    Restoring the Appliance Configuration File
Testing Network Connectivity
    Using ping
    Using traceroute
    Using tcpdump
Erasing Network Memory
Restarting the Appliance

Chapter 12 Monitoring Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Understanding Alarms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240Categories of Alarms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240Types of Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Viewing Current Alarms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Appendix A Specifications, Compliance, and Regulatory Statements. . . . . . . . . . . . . . . . . 251

Model Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252Model-specific Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252Fiber Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257NX-Series Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Warning Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

  Class 1 Laser Products
  Maintenance Port Precautions
  General Safety

Compliance Statements
  FCC Compliance Statement
  ICES-003 statement
  Requirements for Rack-Mount Equipment
  Requirements for Knurled Thumb Screws

What Ports the NX and the GMS Use

Appliance Views
  NX-700 [PN 200849]
  NX-1700 AC [PN 200404 and PN 200576]
  NX-1700 DC [PN 200464]
  NX-2600 [PN 200178] / NX-2610 [PN 200193]
  NX-2700 [PN 200401]
  NX-2700 [PN 200697]
  NX-3600 [PN 200349]
  NX-3700 [PN 200400]
  NX-3700 [PN 200698]
  NX-5600 [PN 200231]
  NX-5700 [PN 200399]
  NX-5700 [PN 200699]
  NX-6700 [PN 200828]
  NX-7600 [PN 200225]
  NX-7700 [PN 200398]
  NX-7700 [PN 200702]
  NX-8600 [PN 200181]
  NX-8700 [PN 200397]
  NX-8700 [PN 200767]
  NX-9610 [PN 200362]
  NX-9700 [PN 200396]
  NX-9700 [PN 200768]
  NX-10700 [PN 200519]
  NX-10700 [PN 200769]
  NX-11700 [PN 200711]

Appendix B Power Cords & Cable Pinouts

Power Cords by Country

Fiber Connectors

Cable Pinouts

Configuring DB-9 Console Access to the Appliance

Appendix C Glossary

Index

Preface

The Silver Peak appliances enable branch office infrastructure centralization by delivering applications across a WAN with LAN-like performance.

Who Should Read This Manual?

Anyone who wishes to install the NX, VX, or VRX Series appliances should read this manual. Users should have some background in Windows terminology, Web browser operation, and a knowledge of where to find the TCP/IP and subnet mask information for their system.

Manual Organization

This section outlines the chapters and summarizes their content.

Chapter 1, “Getting Started,” describes the fundamentals and considerations of setting up a basic first deployment. Additionally, it describes how to work with the routing table, modify network interface parameters, configure gigabit etherchannel bonding, and add SSL certificates and keys for optimizing encrypted traffic.

Chapter 2, “Creating Tunnels,” describes characteristics of tunnels and how their endpoints determine the source and destination IP addresses that go into the tunnel packets. It discusses auto-tunnels and manually created tunnels, as well as jumbo frames and MTU interworking.

Chapter 3, “Building Policy Maps,” describes how the Silver Peak appliance optimizes traffic by allowing you to define flows with MATCH criteria and direct flows with policy maps. It also describes techniques for streamlining your network management by using Access Control Lists (ACLs), user-defined applications, and application groups.

Chapter 4, “Route Policy,” focuses on the SET actions that are specific to the Route policy. It discusses subnet sharing, auto-optimization, and how to determine if you need to configure traffic redirection.

Chapter 5, “Bandwidth Management & QoS Policy,” describes the QoS Policy’s SET actions and how the Shaper defines and manages the traffic classes assigned in the QoS Policy. It also explains how to configure traffic classes in the Shaper for optimized and pass-through traffic, along with providing best practices guidelines for effectively managing bandwidth.

Chapter 6, “Optimization Policy,” describes how the appliance optimizes tunnelized traffic — improving the performance of applications across the WAN.

Chapter 7, “Using Flow Redirection to Address TCP Asymmetry,” describes how flow redirection enables Silver Peak appliances to optimize asymmetrically routed flows by redirecting packets between appliances.

Chapter 8, “Configuring and Managing VLANs,” describes how to configure and manage VLANs.

Chapter 9, “Monitoring Traffic,” describes how to view realtime and historical statistics for applications, current flows, QoS, tunnels, data reduction, bandwidth optimization, flow counts, latency, flow redirection, NetFlow, interfaces, and bridge mode.

Chapter 10, “Administration Tasks,” describes administrative tasks such as configuring log settings, viewing event and alarm logs, managing debug files, pre-positioning file server data into Network Memory, configuring SNMP, managing user accounts, configuring settings for web protocols and web users, and contacting Silver Peak Support.

Chapter 11, “System Maintenance,” describes tasks related to maintaining the hardware, software, and database. This includes tasks such as managing the software images and the configuration files, testing network connectivity, managing the hard disks, erasing Network Memory, and restarting the appliance.

Chapter 12, “Monitoring Alarms,” describes alarm categories and definitions. It also describes how to view and handle alarm notifications.

Appendix A, “Specifications, Compliance, and Regulatory Statements,” lists model specifications, warning statements, compliance statements, and TCP/IP port usage, and provides annotated diagrams of each hardware model’s interfaces, LEDs, and disk layout.

Appendix B, “Power Cords & Cable Pinouts,” lists and illustrates power cords by country.

Appendix C, “Glossary,” provides definitions of terms related to WAN acceleration technology and equipment.

Technical Support

For product and technical support, contact Silver Peak Systems at any of the following:

• 1.877.210.7325 (toll-free in USA)

• +1.408.935.1850

• www.silver-peak.com

[email protected]

We’re dedicated to continually improving the usability of our products and documentation. If you have suggestions or feedback for our documentation, please send an e-mail to [email protected].

For usability suggestions, questions, or issues, please send an e-mail to [email protected].

Appliance Management Options

Silver Peak provides a variety of ways for you to access and configure the appliances, as well as review statistics and events across a Silver Peak network:

Appliance Manager WebUI: The Silver Peak Appliance can be managed through the web-based Appliance Manager.

Command Line Interface (CLI): You can manage the Silver Peak Appliance through the CLI. You can access the full-featured CLI either locally, through the RS-232 serial (console) port, or remotely, through a Secure Shell (SSH) connection.

Global Management System (GMS): This is a comprehensive platform for deployment, management, and monitoring of a Silver Peak-enabled WAN. In addition to centralizing the administration of the Silver Peak appliances, GMS provides detailed visibility into all aspects of application delivery across a distributed enterprise, including application behavior, WAN performance, Quality of Service (QoS) policies, and bandwidth utilization.

SNMP: The appliances work with standard and proprietary SNMPv2c traps.

CHAPTER 1

Getting Started

This chapter describes the fundamentals of setting up a basic first deployment.

In This Chapter

• Getting Started with Deployment

• Configuring Next-Hops

• Modifying Interface Configuration

• Taking a Quick Look at the System Page

• Adding SSL Certificates and Keys for Deduplication

Getting Started with Deployment

When you first install the appliance and log in via the browser, the Initial Configuration Wizard appears. The wizard guides you through configuring management settings, deployment and network settings, and creating a tunnel to a remote appliance. With simpler deployments, this is enough to start optimizing traffic.

• You can always access the wizard again later by going to the Configuration menu and selecting Initial Config Wizard.

• For more complex deployments, access the Configuration > Deployment page, seen below.

[Screenshot: Configuration > Deployment page. Callouts: “Context-sensitive access”; “Next-hops for management, LAN, and WAN interfaces”; “Modify parameters, if needed”.]

Provide next-hop address(es) for LAN-side networks that are not directly connected to an in-line (bridge mode) appliance. Redundant (backup) LAN Next-hop(s) can be created by the second (lan1) next-hop.

Appliance IP VLAN Tag is required if the appliance is installed on a VLAN trunk and an untagged VLAN is unavailable.

Deployment Basics

This section discusses the basic in-line and out-of-path deployments.

It also describes common scenarios, considerations when selecting a deployment, redirection concerns, and some adaptations.

For detailed deployment examples, refer to the Silver Peak Network Deployment Guide.

In-Path (Bridge Mode)

Single WAN-side Router

In this deployment, the appliance is in-line between a single WAN router and a single WAN-side switch.

Dual WAN-side Routers

• This is the most common 4-port bridge configuration.

• 2 WAN egress routers / 1 or 2 subnets / 1 appliance

• 2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)

Considerations for In-Path Deployments

• Do you have a physical appliance or a virtual appliance?

• A virtual appliance has no fail-to-wire, so you would need a redundant network path to maintain connectivity if the appliance fails.

• If your LAN destination is behind a router or L3 switch, you need to add a LAN-side route (a LAN next-hop).

• If the appliance is on a VLAN trunk, then you need to configure VLANs on the Silver Peak so that the appliance can tag traffic with the appropriate VLAN tag.

Out-of-Path (Router/Server Mode)

Single WAN-side Router

• This deployment redirects traffic from a single router (or L3 switch) to a single subnet on the Silver Peak appliance.

• When using two Silver Peaks at the same site, this is also the most common deployment for high availability (redundancy) and load balancing.

Dual WAN-side Routers

This deployment redirects traffic from two routers to two interfaces on a single Silver Peak appliance.

This is also known as Dual-Homed Router Mode.

• 2 WAN egress routers / 2 subnets / 1 appliance

• 2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)

Considerations for Out-of-Path Deployments

• Does your router support VRRP, WCCP, or PBR?

• Are you planning to use host routes on the server/end station?

• In the rare case when you need to send inbound WAN traffic to a router other than the WAN next-hop router, use LAN-side routes.

Examining the Need for Traffic Redirection

Whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.

There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side redirection, or outbound redirection):

• PBR (Policy-Based Routing) — configured on the router. No other special configuration required on the appliance. This is also known as FBR (Filter-Based Forwarding).

If you want to deploy two Silver Peaks at the site, for redundancy or load balancing, then you also need to use VRRP (Virtual Router Redundancy Protocol).

• WCCP (Web Cache Communication Protocol) — configured on both the router and the Silver Peak appliance. You can also use WCCP for redundancy and load balancing.

• Host routing — the server/end station has a default or subnet-based static route that points to the Silver Peak appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).

To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance and a router, or the appliance and another redundant Silver Peak.

How you plan to optimize traffic also affects whether you need inbound redirection from the WAN router (known as WAN-side redirection):

• If you use subnet sharing (which relies on advertising local subnets between Silver Peak appliances) or route policies (which specify destination IP addresses), then you only need LAN-side redirection.

• If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), then you must also set up inbound and outbound redirection on the WAN router.

• For TCP flows to be optimized, both directions must travel through the same client and server appliances. If the TCP flows are asymmetric, you need to configure flow redirection among local appliances.

A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:

• If you enable Auto Tunnel, then the initial TCP-based or IP-based handshaking creates the tunnel. That means that the appropriate LAN-side and WAN-side redirection must be in place.

• You can let the Initial Configuration Wizard create the tunnel to the remote appliance.

• You can create a tunnel manually on the Configuration - Tunnels page.

For more detailed information about when and where to set up traffic redirection, see “Determining the Need for Traffic Redirection” in Chapter 4, “Route Policy.”

High availability (as configured with VRRP and WCCP) is covered separately, and in depth, in the Silver Peak NX Series Appliances Network Deployment Guide.

For detailed configuration information, see the Silver Peak Network Deployment Guide.

How to Adjust the Basic Deployments

When you choose a deployment, only the appropriate options are accessible.

Note: Changing the deployment mode requires a reboot.

Configuring Gigabit Etherchannel Bonding

When using a four-port Silver Peak appliance, you can bond pairs of Ethernet ports into a single port with one IP address. This feature provides the capability to carry 2 Gbps in and out of an NX Series appliance when both ports are in service.

When you configure bonding, the following is true:

• lan0 plus lan1 bond to form blan0, which uses the lan0 IP address.

• wan0 plus wan1 bond to form bwan0, which uses the wan0 IP address.

• The appliances use flow-based load balancing across the links.

• This configuration provides failover in case one link goes down.

• You can view the statistics on the Monitoring - Interfaces page. If you’re using bonding, you’ll see statistics for blan0 and bwan0, as well as for the interfaces that comprise them (lan0, lan1, wan0, and wan1).

• If a WCCP or VRRP deployment already exists, then you must reconfigure the deployment on the bonding interface. In other words, if you previously configured on wan0, then after bonding you must reconfigure on bwan0.

• Rollback to non-bonding mode returns the intact, non-bonded configuration.

• Enabling/disabling bonding requires an appliance reboot.

Option: Description

Bonding:

• When using an NX appliance with four 1Gbps Ethernet ports, you can bond like pairs into a single 2Gbps port with one IP address. For example, wan0 plus wan1 bond to form bwan0. This increases throughput on a very high-end appliance and/or provides interface-level redundancy.

• For bonding on a virtual appliance, you would need to configure the host instead of the appliance. For example, on a VMware ESXi host, you would configure NIC teaming to get the equivalent of etherchannel bonding.

• Whether you use a physical or a virtual appliance, etherchannel must also be configured on the directly connected switch/router.

For more information, see “Configuring Gigabit Etherchannel Bonding” on page 5.

Use mgmt0 for datapath traffic (server mode): On virtual appliances, you can optimize traffic and manage the appliance using a single interface — mgmt0.

10G ports: Choose this when you want to enable 10Gbps ports on a physical appliance that also has 1Gbps non-management ports.

Propagate Link Down: Forces the WAN interface to go down when the corresponding LAN interface goes down, or vice versa.

4-port single bridge: This is a corner case. Here, four ports form a single bridge with a single WAN next-hop. This is in contrast to having dual WAN routers with two separate bridges.

To configure etherchannel bonding

To enable bonding, you need to configure both the appliance and the router for bonding.

1. Access the Configuration - Deployment page. The three available bonding modes are:

   a. Out-of-path (Router/Server mode) with a single WAN-side router

   b. Out-of-path (Router/Server mode) with dual WAN-side routers

   c. In-path (Bridge mode) with dual WAN-side routers

2. Complete the various fields and click Apply.

3. When prompted, reboot the appliance.

4. Now, configure the Cisco router. Following is an example of the commands, where angle brackets indicate variables:

    config t
    interface range <g1/0/6-7>
    channel-group <1> mode on

    show etherchannel
    show interface port-channel <1>

Configuring Next-Hops

Use the Configuration > Routes page to configure next-hops for management, LAN, and WAN interfaces.

Management Next-Hops

Management routes specify the default gateways and local IP subnets for the management interfaces.

In a Dual-Homed Router Mode configuration, you may need to add a static management route for flow redirection between appliances paired for redundancy at the same site.

The management routes table shows the configured static routes and any dynamically created routes. If you use DHCP, then the appliance automatically creates appropriate dynamic routes. A user cannot delete or add dynamic routes.

WAN Next-Hops

WAN next-hops provide next-hop addresses for optimized traffic.

In an in-line deployment (bridge mode), the wan0 interface displays as bvi0, for bridge virtual interface.

When two WAN next-hops are configured Active/Active in 4-port bridge mode:

• lan0 ingress traffic is routed to the wan0 next-hop.

• lan1 ingress traffic is routed to the wan1 next-hop.

When two WAN next-hops are configured Active/Active in Dual-Homed Router Mode:

• wan0 ingress traffic is routed to the wan0 next-hop.

• lan0 ingress traffic is routed to the lan0 next-hop.

LAN Next-Hops

LAN routes provide next-hop addresses for traffic going to LAN-side networks that are not directly connected to an in-line (bridge mode) appliance.

You can create redundant (backup) LAN routes by specifying another next-hop with a larger metric value.

For example, to specify 1.1.1.2 as a backup next-hop for 1.1.1.1, the table would contain:

• default 1.1.1.1 10

• default 1.1.1.2 20

Selecting Inter-VLAN Routing enables the appliance to route packets over another VLAN when the originally specified VLAN is unavailable.

Modifying Interface Configuration

Use this page if you want to change interface parameters such as:

• whether an interface is admin up or down

• mgmt1 IP address

• whether or not an IP address is static, or dynamically assigned with DHCP

• speed and duplex

• MTU (Maximum Transmission Unit) size

• MAC address

WARNING: DHCP (Dynamic Host Configuration Protocol) can dynamically assign a new IP address to the appliance. This may result in traffic loss because previously configured tunnel endpoints would now be incorrect. If you elect to use DHCP, allocate the appliance’s IP address manually in the DHCP server. This prevents the possibility of lost traffic due to the DHCP server dynamically changing the IP address.

Overall, Silver Peak recommends statically assigning IP addresses.

Taking a Quick Look at the System Page

Odds are, you won’t need to make any changes to this page.

Before deciding whether or not to use the Auto Tunnel feature, refer to “Letting the Auto-Tunnel Feature Do the Work for You” on page 16.

[Screenshot: System page. Callout: “For virtual appliances only”.]

Adding SSL Certificates and Keys for Deduplication

By supporting the use of SSL certificates and keys, Silver Peak provides deduplication for Secure Socket Layer (SSL) encrypted WAN traffic:

Silver Peak decrypts SSL data using the configured certificates and keys, optimizes the data, and transmits data over an IPSec tunnel. The peer Silver Peak appliance uses configured SSL certificates to re-encrypt data before transmitting.

Peers that exchange and optimize SSL traffic must use the same certificate and key.

Use this page to directly load the certificate and key into this appliance.

• You can add either a PFX certificate (generally, for Microsoft servers) or a PEM certificate.

• The default is PEM when PFX Certificate File is deselected.

• If the key file has an encrypted key, enter the passphrase needed to decrypt it.

Silver Peak supports X509 Privacy Enhanced Mail (PEM), Personal Information Exchange (PFX), and RSA key 1024-bit and 2048-bit certificate formats.

Silver Peak appliances support:

• Protocol versions: SSLv3, SSLv3.3, TLS1.0, TLS1.1, TLS1.2

• Cipher algorithms: AES128, AES256, RC4, 3DES

• Digests: MD5, SHA1

Before installing the certificates, you must do the following:

1. Configure the tunnels bilaterally for IPSec mode. To do so, access the Configuration > Tunnels page, select the tunnel, and for Mode, select ipsec.

2. Verify that TCP acceleration and SSL acceleration are enabled. To do so, access the Configuration > Optimization Policy page, and review the Set Actions.
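A pre-upload check for the certificate requirements above, as an added example that is not part of the Silver Peak guide: it uses the openssl command-line tool to confirm that a PEM key belongs to its certificate, whether the key needs a passphrase, and that the RSA size is one the guide lists (1024 or 2048 bits). The function names and file paths are assumptions of this example; the SHA-256 fingerprint it prints can be compared between peers, which must hold the same certificate and key.

```shell
#!/bin/sh
# Added example: checks to run on a PEM certificate and key before loading them.
# Function names and file paths are hypothetical, not Silver Peak tooling.

# SHA-256 of the public key embedded in an X.509 certificate (PEM).
cert_pubkey_hash() {
    _pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$_pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (PEM).
# $2 is the passphrase; leave it empty for an unencrypted key.
key_pubkey_hash() {
    _pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$_pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when the key file is passphrase-protected
# (PKCS#8 header or legacy PEM encryption header).
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Size in bits of the certificate's public key.
rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# SHA-256 fingerprint of the certificate; identical on peers that hold the same one.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_pair CERT KEY [PASSPHRASE]
# Returns 0 only if the key belongs to the certificate and the key size is
# one the guide lists as supported (1024 or 2048 bits).
check_pair() {
    if key_is_encrypted "$2" && [ -z "$3" ]; then
        echo "key is encrypted: a passphrase is required" >&2; return 2
    fi
    _c=$(cert_pubkey_hash "$1") || { echo "cannot parse certificate" >&2; return 3; }
    _k=$(key_pubkey_hash "$2" "$3") || { echo "cannot read key (wrong passphrase?)" >&2; return 3; }
    [ "$_c" = "$_k" ] || { echo "key does not match certificate" >&2; return 4; }
    case "$(rsa_bits "$1")" in
        1024|2048) ;;
        *) echo "unsupported key size" >&2; return 5 ;;
    esac
    echo "OK $(cert_fingerprint "$1")"
}

# Generate a throwaway self-signed pair in directory $1 (constructed test data).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.pem" >/dev/null 2>&1
}

# Stand-alone use: sh check_pair.sh CERT KEY [PASSPHRASE]
if [ "$#" -ge 2 ]; then
    check_pair "$1" "$2" "${3:-}"
fi
```

The guide lists 1024-bit keys as supported, so the check accepts them; prefer 2048-bit keys, since 1024-bit RSA falls below current minimum key-size guidance.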

CHAPTER 2

Creating Tunnels

The appliance only optimizes traffic that the Route Policy directs to a tunnel. This chapter characterizes tunnels and their management.

The discussion of creating tunnels for high availability with VRRP and WCCP is beyond the scope of this document. For those specifics, see the Silver Peak Appliances Network Deployment Guide.

In This Chapter

• Overview

• Letting the Auto-Tunnel Feature Do the Work for You

• Manually Creating a Traffic-Carrying Tunnel

• Tunnel Compatibility Mode

• Jumbo Frames and MTU Interworking

Overview

To optimize traffic, Silver Peak appliances send traffic to one another via tunnels. A tunnel connects a pair of appliances.

At each appliance, a tunnel is terminated/originated at a data-plane L3 (Layer 3) interface. An L3 interface is an interface that has an IP address assigned to it.

A data-plane interface is an interface that carries user data, as opposed to management data. So mgmt0 is not a data-plane interface. On a dual-home router-mode (DHRM) appliance, for example, wan0 and lan0 are data-plane L3 interfaces. On a bridge-mode appliance, lan0 and wan0 are not L3 interfaces, but bvi0 is. VLANs are also data-plane L3 interfaces.

IP addresses of a tunnel's endpoints determine the source and destination IP addresses that go into the tunnel packets. These IP addresses, in turn, determine how tunnel packets are routed from one appliance to the other.

By default, the route map’s default (last) entry has the SET action [auto optimized]:

• When subnet sharing is enabled (that is, Use shared subnet information is selected), then the first packet sent triggers a lookup in the subnet table and assigns the tunnel and IP address. Because appliances communicate to learn about each other's subnets, a tunnel must exist before subnet sharing can proceed.

• When subnet sharing is disabled (that is, Use shared subnet information is not selected) or subnet sharing is enabled but no subnet is found in the subnet table, then the initial TCP-based or IP-based handshaking triggers tunnel creation (which you can then save) and determines the path. However, this requires the appropriate outbound and inbound redirection to already be in place.

For more information about when to set up redirection, see Chapter 4, “Route Policy.”

You can create a tunnel in any one of three ways:

• If you enable Auto Tunnel (on the Configuration - System page) on both appliances, then the initial TCP-based or IP-based handshaking creates the tunnel. This requires the appropriate outbound and inbound redirection to be in place.

• If the auto-tunnel feature is disabled, then you must do one of the following:

  • You can let the Initial Configuration Wizard manually create the tunnel to the remote appliance.

  • You can create a tunnel manually on the Configuration - Tunnels page.

How Policies Affect Tunnel Traffic

The Route Policy’s MATCH criteria and SET actions determine if a flow is directed to a tunnel. If so:

The appliance encapsulates the flow’s packets, according to the tunnel configuration. The default is UDP. The other options are GRE or IPsec.

The tunnel may be shaped to a specified maximum bandwidth to avoid overrunning downstream bottlenecks.

• Maximum bandwidth is configured on the Configuration - Tunnels page

• The QoS Policy assigns a traffic class. Traffic classes are defined in the Shaper.

• The QoS Policy honors or changes the DSCP markings to request appropriate per-packet treatment by the network.

The Optimization Policy applies optimization, compression, and acceleration techniques to enhance application performance.


Tunnel Characteristics

Each Silver Peak tunnel:

Is bidirectional (or consists of a pair of unidirectional tunnels). The tunnel does not become operational until connectivity is established in both directions.

Is specified by a source IP address and destination IP address, owned by the two terminating Silver Peak appliances.

Can have the terminating appliances automatically negotiate for maximum bandwidth. Or, you can set it manually.

By default, uses the User Datagram Protocol (UDP) to interconnect Silver Peak appliances.

Runs a keepalive protocol so that a tunnel failure can be detected rapidly and appropriate recovery actions initiated.

Parallel Tunnels

Silver Peak appliances that have multiple data-plane L3 interfaces can support parallel tunnels. As a result, tunnels with different source endpoints can reside on the same appliance.

Parallel tunnels are useful for providing redundancy and for load balancing. The deployments that can be used for this are:

• Standard 4-port bridge

• Dual-homed router mode (DHRM)

• Appliances with VLANs

To take advantage of parallel tunnels you must:

1 Configure “standard” 4-port bridge or DHRM (or VLANs).

2 Manually create parallel tunnels from the Appliance Manager.

3 Manually create route policies that use the parallel tunnels.

For information about deploying in standard 4-port bridge and DHRM modes, see the Silver Peak Appliances Network Deployment Guide.


Letting the Auto-Tunnel Feature Do the Work for You

If you want the auto-tunnel feature to automatically build tunnels for you, it must be enabled for each appliance involved.

This feature is useful when setting up a basic Proof of Concept.

It is not recommended if you:

• Have multiple IP addresses per appliance

• Would be creating an excess of unnecessary tunnels, based on having a large volume of appliances

• Need to configure parallel tunnels

• Want a non-standard or more complex tunnel configuration — for example, configuring for IPsec or for FEC (Forward Error Correction).

To verify the state of the auto-tunnel feature

1 From the Configuration menu, select System. The Configuration - System page appears.

2 Make sure that Auto Tunnel is selected on this appliance, and on its peer.

When bilateral traffic begins to flow, the Appliance Manager constructs the tunnel and begins optimizing traffic.

Note This feature requires that any necessary outbound and inbound redirection is already configured. For more information, see Chapter 4, “Route Policy.”


Manually Creating a Traffic-Carrying Tunnel

If this is the first tunnel on a physical appliance, Silver Peak recommends that you put the local and remote appliances in System Bypass until you’ve created the tunnel(s) and tuned the policies — Route, QoS, and Optimization — for the local and remote appliances. Then, when you’re done, take the appliances out of System Bypass.

This serves a number of purposes:

• It keeps things “quiet” until you’re done, specifically because tunnels default to Admin Up.

• It tests Fail To Wire.

This step is recommended, but not required.

You won’t be able to put a virtual appliance into System Bypass mode.

To put the appliance in System Bypass when creating the first tunnel

1 From the Configuration menu, select System. The Configuration - System page appears.

2 Before creating the first tunnel, select System Bypass and click Apply.

3 Repeat for the appliance at the remote end.


To create a traffic-carrying tunnel

Access the Configuration > Tunnels page, click Add Tunnel, and make your selections.

Use this page to view, add, and delete tunnels.

To create a tunnel, click Add Tunnel and edit within the new row.

You cannot edit a Local IP or Remote IP on an existing tunnel.

Definitions (alphabetically)

Field Definition/Content

Admin State Allows you to admin Up (or admin Down) a tunnel.

Auto Discover MTU Enabled Allows the tunnel MTU to be discovered automatically. When selected, this overrides the MTU setting.

Auto Max BW Enabled Allows the appliances to negotiate the maximum tunnel bandwidth based upon the lower of the two system bandwidths of the two appliances.

For more information about this feature, see “Tunnel Auto BW” on page 93.

FEC (Forward Error Correction) Reconstructs lost packets (as reported by the remote appliance). The options are disable, enable, and auto.

• When set to enable, FEC reconstructs lost tunnel packets at the destination appliance. FEC achieves this by injecting redundant (called parity) packets in the tunnel traffic. The specified FEC ratio determines the number of parity packets relative to data packets (for example, at 1:5 ratio, a parity packet is added for every 5 data packets).

• When set to auto, it adjusts dynamically based on network conditions, with the upper limit being capped by the FEC Ratio value you choose.

FEC Ratio Ratio of parity packets relative to data packets (for example, at 1:5 ratio, a parity packet is added for every 5 data packets). The selectable values include disable, auto, 1:2, 1:5, 1:10, and 1:20. A FEC Ratio of 1:2 is very aggressive and should only be utilized with great care in networks with extremely high loss (10% or greater).

Local IP A local address on the appliance

Max BW Kbps Maximum bandwidth for this tunnel, in kilobits per second. This must be equal to or less than the upstream bandwidth of your WAN connection.


Min BW Kbps Minimum bandwidth for this tunnel, in kilobits per second.

For more information about prudently setting bandwidths, see Chapter 5, “Bandwidth Management & QoS Policy.”

Mode Indicates whether the tunnel protocol is udp, gre, or ipsec. The default is udp.

If you select ipsec, the page prompts you for any other required information.

MTU (700..9000) Bytes. The Maximum Transmission Unit (MTU) is the maximum tunnel packet size, including its payload and Layer-3 header. By default, MTU is automatically discovered because Auto Discover MTU is enabled. When setting this value manually, set it to the largest value that won't result in tunnel packets being fragmented by networking equipment in the WAN.

Name A unique string identifying this tunnel

Remote IP IP address for the remote appliance

Status Indications are as follows:

• Down = The tunnel is down. This can be because the tunnel administrative setting is down, or the tunnel can't communicate with the appliance at the other end. Possible causes are:

• Lack of end-to-end connectivity / routability (test with iperf)

• Intermediate firewall is dropping the packets (open the firewall)

• Intermediate QoS policy (be packets are being starved. Change control packet DSCP marking)

• Mismatched tunnel mode (udp / gre / ipsec)

• IPsec is misconfigured: (1) enabled on one side (see show int tunnel configured), or (2) mismatched pre-shared key

• Down - In progress = The tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.

• Down - Misconfigured = The two appliances are configured with the same System ID. (see show system)

• Up - Active = The tunnel is up and active. Traffic destined for this tunnel will be forwarded to the remote appliance.

• Up - Active - Idle = The tunnel is up and active but hasn't had recent activity in the past five minutes, and has slowed the rate of issuing keep-alive packets.

• Up - Reduced Functionality = The tunnel is up and active, but the two endpoint appliances are running mismatched software releases that give no performance benefit.

• UNKNOWN = The tunnel status is unknown. This can be because the appliance is unable to retrieve the current tunnel status. Try again later.

The modifier, – idle, can be added to any tunnel state (for example, up – active - idle). Idle means that there has been no traffic in either direction on the tunnel for five minutes, and that as a result, the periodic sending of keepalives has been reduced to once a minute.

Uptime How long since the tunnel came up


Advanced Tunnel Options

Type Field Definition/Content

General IPSec Pre-shared Key A shared, secret string of Unicode characters that is used for authentication of an IPSec connection between two parties. If you select Default, the appliance makes the key; if you select Custom (recommended), the user specifies the key.

IPSec Anti-replay window IP security (IPsec) authentication provides anti-replay protection against an attacker duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. The decryptor keeps track of which packets it has seen on the basis of these numbers. The default window size is 64 packets. Increase this value for networks with a lot of jitter (out-of-order packets).

UDP destination port Tunnel traffic will be transmitted in a UDP protocol packet using this destination port address. Only valid when the tunnel mode is set to UDP.

UDP flows Number of flows over which to spread tunnel traffic.

Packet Coalescing Enabled Whether or not to coalesce smaller packets into larger packets. Default = ON. Packet coalescing is particularly beneficial for web applications, VoIP, and interactive applications, like Citrix.

Coalescing Wait (ms) Determines how long the appliance should hold packets while attempting to coalesce smaller packets into larger packets. Default = 0.

Reorder Wait (0..500 ms) Maximum time the appliance holds an out-of-order packet when attempting to reorder. The 100ms default value should be adequate for most situations. FEC may introduce out-of-order packets if the reorder wait time is not set high enough.

Tunnel Health Retry Count Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down. Keep-alive packets are sent once per second. Default = 30.

DSCP DSCP value for the tunnel control packets
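
The IPSec Anti-replay window entry above can be modelled as a sliding bitmap over sequence numbers. This is an added example, not Silver Peak's implementation: the class, the function and the arrival sequence are constructed for illustration, and the bitmap scheme follows the general approach described in RFC 4303. It shows why a packet delayed by jitter is rejected with a 64-packet window but accepted with a larger one, while a true duplicate is rejected in both cases.

```python
"""Model of an IPsec-style anti-replay window (sliding bitmap)."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):  # 64 is the default quoted in the table
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (highest - i) was already accepted

    def check_and_update(self, seq: int) -> str:
        """Classify one packet as 'accept', 'replay' or 'too-old'.

        A real receiver verifies the packet's integrity check before updating
        the window, so forged sequence numbers cannot move it.
        """
        if seq < 1:
            raise ValueError("sequence numbers start at 1")
        if seq > self.highest:
            # New highest number: slide the window forward and mark it as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            # Older than the left edge of the window: cannot be checked, so drop.
            return "too-old"
        if self.bitmap & (1 << offset):
            return "replay"
        self.bitmap |= 1 << offset
        return "accept"


def tally(arrivals, size):
    """Run an arrival sequence through a fresh window and count the verdicts."""
    window = AntiReplayWindow(size)
    counts = {"accept": 0, "replay": 0, "too-old": 0}
    for seq in arrivals:
        counts[window.check_and_update(seq)] += 1
    return counts


# Constructed arrival order: packets 4 and 5 swap places, packet 4 is then
# duplicated (a replay), and packet 10 is delayed until after packet 110.
ARRIVALS = [1, 2, 3, 5, 4, 4] + [n for n in range(6, 111) if n != 10] + [10]

if __name__ == "__main__":
    for size in (64, 128):
        print(f"window={size}: {tally(ARRIVALS, size)}")
```
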


Tunnel Compatibility Mode

Tunnel Compatibility Mode enables two nodes with mismatched software versions to keep the tunnel up and offer some basic services.

Because some optimizations are disabled as a result, the tunnel Status flags this as reduced functionality.

Check the Release Notes to verify software version compatibility.

Preserved Functionalities

• Tunnel encapsulation (including IPsec, if applicable)

• QoS shaping and marking

• Forward Error Correction [FEC]

• Packet Order Correction [POC]

• packet coalescing

• statistics gathering

• network path behavior

Disabled Optimizations

• Network Memory

• Payload Compression

• TCP Acceleration

• CIFS Acceleration

• SSL Acceleration

• SRDF Acceleration


Jumbo Frames and MTU Interworking

Silver Peak provides support for MTUs (Maximum Transmission Units) up to 9000 bytes. Because of pps (packets per second) limits on the LAN-side, using 9000-byte MTUs can lead to significant performance improvements in LAN-side throughput for applications such as storage replication.

More importantly, the appliances support interworking. You can configure 9000-byte MTUs on storage arrays even if the replication protocol is running over a WAN with standard (1500-byte) MTUs. This is important because not all service providers allow for jumbo frames on the WAN.

Efficient MTU interworking scenarios include the following:

| Local Interface MTU (bytes) [Configuration > Interfaces] | Tunnel MTU (bytes) [Configuration > Tunnels] | Remote Interface MTU (bytes) [Configuration > Interfaces] |
| --- | --- | --- |
| 1500 | 1500 | 1500 |
| 9000 | 9000 | 9000 |
| 9000 | 1500 | 9000 |
| 1500 | 9000 | 1500 |
| 9000 | 1500 | 1500 |

What you need to know

CAUTION Across all network devices, you must configure all interfaces on the same subnet to have the same MTU.

1 For the Interface MTU, you must configure each pair of lan and wan interfaces on the appliance to have the same MTU value. For example, you’d configure both lan0 and wan0 to have a value of 9000 MTU. These are accessible via Configuration > Interfaces.


2 To configure the tunnel MTU, access the Configuration - Tunnels page.

3 If either end host has an MTU of 9000 and the tunnel MTU is 1500, then you need to disable the Adjust MSS to Tunnel MTU feature on both appliances. This prevents appliances from lowering higher MSS values negotiated by end stations to match the lower MTU of the tunnel.

4 To disable this feature, go to the Optimization Policy, and in the TCP Accel Details column, click the icon to open the Advanced TCP Options.

For more information, see “TCP Acceleration” on page 106, and check with Silver Peak Support, if necessary.


Chapter 3

Building Policy Maps

This chapter describes how MATCH criteria and SET actions, respectively, filter packets and process flows.

It also describes how to create Access Control Lists (ACLs), user-defined applications, and application groups as reusable components in MATCH criteria.

In This Chapter

• What Happens to an Outbound Packet

• Understanding MATCH Criteria

• How Policies and ACLs Filter Traffic

• Managing Applications and Application Groups


What Happens to an Outbound Packet

MATCH criteria and SET Actions are the building blocks of policy maps. Maps use prioritized entries, known as rules, to sort traffic.

The appliance pairs MATCH criteria with SET Actions to filter outbound packets into flows and then process them appropriately.

MATCH criteria define flows in policy maps, Access Control Lists (ACL), and user-defined applications. Wherever they are, MATCH criteria all have the same possible components.

SET Actions determine how the flow is processed. The possible actions are specific to the type of policy. For ACLs, the possible actions are Permit and Deny.

How the Policies are Related

The Appliance Manager has separate policies for routing, optimization, and QoS (Quality of Service) functions. You can create multiple versions (maps) for each policy, but only the active map is applied.

By default, each of the three policies has one active map, map1. However, there is no relationship between map names across different policies.

The Route Policy does the first screening and determines whether an individual flow is ultimately:

• directed to a tunnel, shaped, and optimized

• processed as shaped, pass-through (unoptimized) traffic

• processed as unshaped, pass-through (unoptimized) traffic

• continued to the next applicable Route Policy entry if a tunnel goes down, or

• dropped.

When a flow is not directed to a tunnel, then

• the Optimization Policy is not applied, and

• the QoS Policy processes pass-through shaped and unshaped traffic for DSCP markings, and only pass-through shaped traffic for traffic class assignment.


Default SET Actions

Within a policy, the appliance searches the Priorities in ascending order. When it finds a match for the outbound packet, it executes the associated SET action(s). If no entries match, it applies the policy’s default entry.

Each map has one default entry. It’s always the last entry, with a Priority of 65535.

Following are the SET actions available for each policy. The default value is highlighted in blue:

• The Route map automatically optimizes all IP flows — TCP and non-TCP.

• The QoS map places all traffic in Traffic Class #1 and trusts the existing DSCP markings.

• The Optimization map applies all optimizations to tunnelized flows — Network Memory, IP header compression, payload compression, TCP acceleration, and protocol-specific accelerations (CIFS and SSL).

| Policy | Parameters for SET actions | Options | For more information, see... |
| --- | --- | --- | --- |
| Route | Tunnel | [a specific tunnel]; Auto optimized; Pass-through shaped; Pass-through unshaped; Drop | Chapter 4, “Route Policy” |
| Route | Tunnel Down Action | Pass-through shaped; Pass-through unshaped; Drop; Continue | Chapter 4, “Route Policy” |
| QoS | Traffic Class | Default is Traffic Class 1. Traffic classes are defined in the Shaper. | Chapter 5, “Bandwidth Management & QoS Policy” |
| QoS | LAN QoS | trust-lan (plus other DSCP markings) | Chapter 5, “Bandwidth Management & QoS Policy” |
| QoS | WAN QoS | trust-lan (plus other DSCP markings) | Chapter 5, “Bandwidth Management & QoS Policy” |
| Optimization | Network Memory | Default = Balanced | Chapter 6, “Optimization Policy” |
| Optimization | IP Header Compression | Default = ON | Chapter 6, “Optimization Policy” |
| Optimization | Payload Compression | Default = ON | Chapter 6, “Optimization Policy” |
| Optimization | TCP Acceleration | Default = ON | Chapter 6, “Optimization Policy” |
| Optimization | Protocol Acceleration [a] | Defaults = CIFS, SSL | Chapter 6, “Optimization Policy” |

[a] SRDF and Citrix optimizations are also available. By default, they’re not enabled because you need to configure the most appropriate port for your circumstances.


Understanding MATCH Criteria

The rest of this section describes the basic building blocks of filtering traffic into flows:

• Configuring MATCH Criteria in a Map or Policy

• Specifying Protocols in MATCH Criteria

Configuring MATCH Criteria in a Map or Policy

MATCH criteria are universal across all maps — Route, QoS, and Optimization.

If you expect to use the same MATCH criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of MATCH criteria.

MATCH criteria are based on the 5-tuple, and also provide some additional criteria:

• A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number, destination IP address/port number, and the protocol in use.

• Specifying an application by name is a shorter way of representing a protocol paired with source and/or destination port(s).

• MATCH criteria also let you filter on an outbound flow’s DSCP markings and VLAN tags.

MATCH criteria are organized in an ordered table with prioritized entries. A packet “scans” the entries, starting with the lowest number (which is the highest priority).

As soon as the outbound packet finds an entry it matches, the scan stops and the SET action associated with the entry is performed.

Therefore, best practice is to prioritize entries from most restrictive matches to the least restrictive.

An Access Control List (ACL) is a reusable set of MATCH criteria. For more information, see “Using ACLs to Summarize Match Criteria” on page 30.

Entries are assigned Priority in intervals of 10 (ten), making it easy to insert another entry later.

To reorder a Priority, edit the number.

The Protocol you select determines whether these two fields are necessary and accessible. For more information, see “Specifying Protocols in MATCH Criteria” on page 29.


Specifying Protocols in MATCH Criteria

The Protocol you specify determines whether the Application or Source:Destination Ports are accessible as MATCH criteria. When the column is greyed out, its contents are unavailable.

If you select IP from the Protocol field, then you must select an Application.

The Application drop-down list classifies applications as Built-in, User-Defined, or user-defined Application Groups. You can also use the default, any.

The Appliance Manager filters for the application’s source or destination port.

• To create a user-defined application, see “Defining User-Defined Applications” on page 40.

• To create an application group, see “Creating and Using Application Groups” on page 42.

If you select TCP or UDP from the Protocol field, then you must specify a Source Port and a Destination Port.

| Src:Dst Port | Means to match on... |
| --- | --- |
| 0:0 | any source port and any destination port |
| 0:100 | any source port and only destination port 100 |
| 100:0 | only source port 100 and any destination port |
| 100:100 | only source port 100 and only destination port 100 |

This last case (100:100) is not OR. The only way to match on 100 for either source or destination port is to use two different MATCH entries (0:100, 100:0).

If you select any other protocol (see list below), then the Application and Source:Destination Port fields are unavailable.

ah, egp, eigrp, encap, esp, etherip, fc, gre, icmp, idpr, idpr-cmtp, idrp, igmp, igp, ip-comp, ip-mobility, ipip, ipip4, ipx-in-ip, irtp, iso-ip, iso-tp4, l2tp, mhrp, ospf, pim, rdp, rsvp, sctp, tlsp, vrrp, 1-255


Using ACLs to Summarize Match Criteria

If you want to reuse the same MATCH criteria across multiple maps, you can create an Access Control List (also called an Access List). An ACL is a set of one or more prioritized rules.

Silver Peak ACLs have the following characteristics:

Rules process sequentially, based on their priority number. A low number has a higher priority.

You can reorder a rule by changing its priority.

Each access control rule is composed of two parts:

• The first part is the filter, as specified by the MATCH criteria. The rule only applies to a packet if all the filter criteria match.

• The second part specifies the action — either Permit or Deny.

• Deny prevents further processing of the flow by that ACL, specifically. The appliance then goes to the next entry in the policy — Route, QoS, or Optimization. For an explanatory diagram, see “Scenario #3 — Traffic matches ACL with Deny” on page 32.

• Permit allows the matching traffic flow to proceed on to the policy entry’s associated SET action(s). The default is Permit.

For more information, see “How Policies and ACLs Filter Traffic” on page 31.

When creating ACL rules, list the Deny statements first. Also, it’s best to prioritize less restrictive rules ahead of more restrictive rules.

You can modify ACLs (and policies) without deactivating the policy. Changes don’t affect existing flows, only new ones.

Note You can see a list of existing flows by going to the Monitoring menu and selecting Current Flows.

To delete an ACL, you must first remove it from any associated map(s).


Look here to see if any maps are using this ACL. However, it won’t tell you whether or not those maps are active. For that information, check the specific policy’s page.


How Policies and ACLs Filter Traffic

The following three scenarios illustrate how policies and ACLs interact to isolate flows:

• Scenario #1 — Policy with no ACLs in MATCH Criteria

• Scenario #2 — Traffic matches ACL with Permit

• Scenario #3 — Traffic matches ACL with Deny

It’s important to remember that ACLs are only applied when called out for use in a policy’s MATCH criteria.

Scenario #1 — Policy with no ACLs in MATCH Criteria

Here, the traffic doesn’t fit the MATCH criteria of the first two entries, but it does match the third (Priority = 30).

The policy applies the SET Actions for entry 30.

Scenario #2 — Traffic matches ACL with Permit

a The traffic comes to entry 30 in the policy, where ACL-1 defines the MATCH criteria. ACL-1 has three rules.

b The traffic doesn’t match ACL Rule 10, but it does match ACL Rule 20.

c ACL Rule 20 has a Permit action, so the appliance applies the SET actions for Policy entry 30.


Scenario #3 — Traffic matches ACL with Deny

a The traffic arrives at entry 30 in the policy, where ACL-2 is the MATCH criteria. ACL-2 has three rules.

b The traffic doesn’t match ACL Rule 10, but it does match ACL Rule 20.

c ACL Rule 20 has a Deny action, so it prevents further processing of that ACL. Traffic looks for a match with the next policy entry.

d No other user-configured policy entries fit, so the Default entry processes the traffic.
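
The lookup order in Scenarios #2 and #3, together with the Src:Dst Port rules from earlier in the chapter, can be traced in a small model. This is an added example, not Silver Peak code: the class names, addresses, the ACL contents and the "tunnel-to-site-B" action are all constructed, and treating protocol "ip" as "any IP protocol" is a simplifying assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY_PORT = 0              # in a Src:Dst Port pair, 0 means "any port"
DEFAULT_PRIORITY = 65535  # every map ends with a default entry at this priority


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Match:
    protocol: str = "ip"           # assumption: "ip" stands for any IP protocol
    src_subnet: str = "0.0.0.0/0"
    dst_subnet: str = "0.0.0.0/0"
    src_port: int = ANY_PORT
    dst_port: int = ANY_PORT

    def matches(self, flow: Flow) -> bool:
        # Every criterion must match (AND, never OR), which is why 100:100
        # does not match a flow that uses port 100 on one side only.
        return (
            self.protocol in ("ip", flow.protocol)
            and ip_address(flow.src_ip) in ip_network(self.src_subnet)
            and ip_address(flow.dst_ip) in ip_network(self.dst_subnet)
            and self.src_port in (ANY_PORT, flow.src_port)
            and self.dst_port in (ANY_PORT, flow.dst_port)
        )


@dataclass(frozen=True)
class AclRule:
    priority: int
    match: Match
    action: str = "permit"         # "permit" or "deny"


@dataclass(frozen=True)
class Acl:
    name: str
    rules: Tuple[AclRule, ...]

    def verdict(self, flow: Flow) -> Optional[str]:
        # Lowest priority number first; the first matching rule decides.
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.match.matches(flow):
                return rule.action
        return None                # no rule in this ACL matched


@dataclass(frozen=True)
class PolicyEntry:
    priority: int
    match: Union[Match, Acl]
    set_action: str


def evaluate(entries: List[PolicyEntry], flow: Flow, default_action: str) -> Tuple[int, str]:
    """Return (priority, SET action) of the entry that handles the flow."""
    for entry in sorted(entries, key=lambda e: e.priority):
        if isinstance(entry.match, Acl):
            # Deny (or no match) ends this ACL; the scan moves to the next entry.
            hit = entry.match.verdict(flow) == "permit"
        else:
            hit = entry.match.matches(flow)
        if hit:
            return entry.priority, entry.set_action
    return DEFAULT_PRIORITY, default_action


def build_route_map(rule_20_action: str) -> List[PolicyEntry]:
    """Constructed map: entry 30 uses a three-rule ACL, as in the scenarios."""
    acl = Acl("ACL-demo", (
        AclRule(10, Match("tcp", dst_subnet="10.2.0.0/16", dst_port=443), "permit"),
        AclRule(20, Match("tcp", dst_subnet="10.2.5.0/24"), rule_20_action),
        AclRule(30, Match("ip", dst_subnet="10.2.0.0/16"), "permit"),
    ))
    return [
        PolicyEntry(10, Match("udp", dst_port=53), "pass-through shaped"),
        PolicyEntry(20, Match("tcp", src_port=100, dst_port=100), "drop"),
        PolicyEntry(30, acl, "tunnel-to-site-B"),
    ]


# Constructed flow: misses ACL rule 10 (wrong port) but matches ACL rule 20.
FLOW = Flow("tcp", "10.1.1.5", "10.2.5.9", 50000, 3389)

if __name__ == "__main__":
    for action in ("permit", "deny"):
        print(action, evaluate(build_route_map(action), FLOW, "auto optimized"))
```

With Deny on rule 20, the broader Permit in rule 30 of the same ACL is never consulted, so the flow falls through to the default entry.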


Managing Applications and Application Groups

The Appliance Manager provides you with many ways to define and organize the applications you use. These include the following:

• Built-in Applications

• Defining User-Defined Applications

• Creating and Using Application Groups

Built-in Applications

Silver Peak appliances have over 120 built-in applications. For the latest information regarding default port numbers, see http://www.iana.org/assignments/port-numbers.

When you create MATCH criteria in policies or ACLs, you have access to these applications via a drop-down list.

Name TCP Port Number(s)

UDP Port Number(s)

Description and Inclusions

3par 5781–5783, 5785 5781–5783, 5785 3PAR

aol 5191–5193 -- America Online [AOL]

aol_im 4443, 5190 -- AOL/ICQ Instant Messenger

AOL/ICQ Image Transfer

aspera 33001 33001 Aspera

avamar 7778, 27000, 28001–28002, 29000

-- EMC Avamar[override ms_zone 29000]

backweb -- 370 Backweb is a generic, background downloading tool that software vendors can incorporate into their product to download data (for example, product updates) to the user's PC.

bit_torrent 6881–6999 -- BitTorrent

bluearc 32963 -- HDS BlueArc

celerra 5085, 8888 -- EMC Celerra Replicator

8888 replication

5085 session management

centera 3218, 3682 3218 EMC Centera

3218 data

3682 management

cifs_smb 139, 445 -- Microsoft’s Common Internet File System/Server Message Block protocol

cisco_skinny 2000 2000 Cisco Skinny (SCCP) Control

(override MeterFlow DPI failure)

citrix 1494, 2512–2513, 2598

1604 • TCP 1494 is MeterFlow matched• UPD 1604 is MeterFlow matched

Citrix

Citrix - ICA WinFrame Server

commvault 8400–8403 8400–8403 CommVault

Silver Peak Appliance Manager Operator’s Guide Managing Applications and Application Groups

34 PN 200030-001 Rev N

cuseeme 7648–7649 7648–7652, 24032

Cu-SeeMe Videoconferencing

cvs 2401 -- CVS [Concurrent Versions System]

datadomain 2051, 4126 4126 EMC Data Domain

ddm 446–447 446–447 Distributed Data Management (DB)

ddm_ssl 448 448 DDM over SSL

dns 53 53 Domain Name Services

Domain Name Service (DNS) over TCP (RFC 793)

doom 666 -- DOOM Game - Id Software

doubletake 1100, 1106, 6320, 6325

1100, 1105, 6320 NSI Double-Take

1100 old data

6320 new data

echo 7 7 Echo Protocol (RFC 863)

edonkey 4661–4662 4665 eDonkey2000 Server

fcip 3225–3228 -- FCIP [FCIP iana port 3225 only]

filenet 32768–32771 32768–32771 FileNet TMS Transfer Management System

FileNet RPC Remote Procedure Call

FileNet NCH Network Clearinghouse

FileNet RMI Remote Method Invocation

ftp 20–21 -- File Transfer Protocol - Control Port (RFC 959)

File Transfer Protocol - Data Port (RFC 959)

ftps 989–990 -- Secure FTP Data Port (FTP Data Port over SSL)

Secure FTP Control Port (FTP Control Port over SSL)

gnutella 6346–6347 6346–6347 Gnutella Server

Gnutella Router

h_323 1720 1718–1719 H.323 Videoconferencing Call Signaling & Control

hadoop 8020–8021, 9000–9001, 50010, 50020, 50030, 50060, 50070, 50075, 50090, 50100, 50105, 50470, 500475

-- Hadoop ports for http web mgmt and IPC communication among servers

hostname 101 -- NIC Internet Hostname Server Protocol (RFC 953)

http 80, 591, 8008, 8080

-- WWW Hypertext Transfer Protocol (HTTP - RFC 1945, 2068, 2069, 2109, 2145)

HTTP Alternate (see Port 80 for HTTP)

https 443 -- Secure HTTP (HTTP over SSL)

ibm_db2 523, 3700-3701 -- IBM DB2 Administration Server

IBM-DB2 Connection Service

IBM-DB2 Interrupt Connection Service

Name TCP Port Number(s)

UDP Port Number(s)

Description and Inclusions

Managing Applications and Application Groups Chapter 3 Building Policy Maps

PN 200030-001 Rev N 35

ifcp 3420 3420 iFCP (Internet Fibre Channel Protocol)

imap 143, 220 -- 143 IMAP2 and IMAP4

220 IMAP3

Internet Message Access Protocol (IMAP)

Internet Message Access Protocol (IMAP) (v2 - RFC 1064, v4 - RFC 1730)

Internet Message Access Protocol (IMAP) (v3 - RFC 1203)

imap4s 585, 993 -- Secure IMAPv4 (IMAPv4 over SSL)

585 secure IMAP (IMAP4-SSL)

993 IMAP4 over SSL (IMAPS)

ipsec -- -- A collection of IP security measures that comprise an optional tunneling protocol for IPv6; IP protocol AH and ESP

irc 194 194 Internet Relay Chat Protocol (RFC 1459)

irc_ssl 994 994 Secure IRC Chat (IRC Chat over SSL)

isakmp -- 500 Internet Security Association and Key Management Protocol (ISAKMP)

iscsi 860, 3260 860, 3260 860 iSCSI system port

3260 used for iSCSI connections

isns 3205 3205 internet Storage Name Service (associated with iSCSI)

ivisit -- 9943, 9945, 56768 iVisit - Internet Video CHAT

kazaa 1214 1214 Kazaa-Morpheus-Grokster P2P File Sharing

Kazaa P2P File Sharing - File Download

kerberos -- 88 Kerberos

l2tp -- 1701 Layer 2 Tunneling Protocol

ldap 389 389 Lightweight Directory Access Protocol (LDAP over TCP - RFC 1777)

ldaps 636 636 Secure LDAP (LDAP over SSL)

lotus_cc_mail 3264 3264 Lotus cc:Mail

lotus_notes 1352 1352 Lotus NOTES

matip 350–351 -- MATIP (RFC 2351)

ms_exchange 135 -- Microsoft Exchange Server (detected from ms_rpc)

ms_media 1755 -- Microsoft Media Player

Microsoft Media Streaming Payload

ms_messenger 1863, 6891–6901 1863, 6901, 7001 MSN Messenger

MSN Messenger File Transfer

MSN Messenger Voice

ms_odbc -- -- Microsoft Open DataBase Connectivity (detected from Oracle)

ms_ole -- -- Microsoft Object Linking and Embedding (detected from Oracle)

ms_rpc 135 -- Microsoft Remote Procedure Call

Name TCP Port Number(s)

UDP Port Number(s)

Description and Inclusions

Silver Peak Appliance Manager Operator’s Guide Managing Applications and Application Groups

36 PN 200030-001 Rev N

ms_sql 1433–1434 -- 1433 Microsoft SQL Server

1434 Microsoft SQL Monitor

ms_terminal_services 3389 -- Microsoft Terminal Services

Microsoft Terminal Server

ms_zone 6073, 28800–28999, 29001–29100, 47624

-- • 29000 overridden by avamar

MSN Zone

MSN Zone DirectX 7.0 Control

MSN Zone DirectX 8.0 Control

nameserver -- 42 Name Server

ndmp 10000 10000 Network Data Management Protocol (used by SnapVault and others)

netbios 137 137 Network Basic Input/Output System

NetBIOS-over-TCP/UDP - Datagram Service (RFC 1001, 1002)

NetBIOS-over-TCP/UDP - Name Service, WINS (RFC 1001, 1002)

NetBIOS-over-TCP/UDP - Session Service (RFC 1001, 1002)

nfs 2049 2049 Sun Network File System

nntp 119 -- Network News Transfer Protocol (NNTP - RFC 977)

nntps 563 -- Secure NNTP (NNTP over SSL) or TLS [Transport Layer Security]

novell 524 524 Novell NCP [Netware Core Protocol]

ntp -- 123 Network Time synchronization Protocol -- protocol providing time across a network with precise clocks; implemented over TCP and UDP

openwindows 2000 2000 Open Windows

oracle 1521, 1525–1527, 1529, 1571, 1575, 1600, 1610, 1620, 1754, 1808–1809, 2481–2484 2481–2484 Oracle Co-Author Database

Oracle Enterprise Manager

Oracle Names Database

Oracle Remote Database

Oracle Server

Oracle TNS Server

Oracle VP

pcanywhere 5631 5632 pcANYWHERE

pcANYWHERE - Data

pcmail 158 -- PCMail

PCMail Server (RFC 1056)

pcoip 4172, 50002 4172, 50002 PCoIP (PC-over-IP — VMware)

peoplesoft -- -- PeopleSoft enterprise application software[detected from Oracle]

pop 109-110 110 Post Office Protocol

Post Office Protocol - Version 2 (RFC 937)

Post Office Protocol - Version 3 (RFC 1725)

pop3s 995 995 Secure POP3 Mail (POP3 Mail over SSL)


pptp 1723 -- Microsoft Point-to-Point Tunneling Protocol (PPTP)

printer 515 -- Printer Spooler

printer_pdl 9100 9100 Printer PDL (Page Description Language)

quake 26000 26000 Quake

Quake-II

recoverpoint 5020, 5040 5020, 5040 EMC Recover Point

rlogin 513 -- BSD RLOGIN (remote login a la telnet)

routing 179, 201 -- 179 BGP Border Gateway Protocol

201 RTMP Routing Table Messaging Protocol

• Includes IP protocols for:

EGP Exterior Gateway Protocol

OSPF Open Shortest Path First

IGP Interior Gateway Protocol

IGRP Interior Gateway Routing Protocol

EIGRP Enhanced Interior Gateway Routing Protocol

rtcp -- 5005 Real Time Transport Control Protocol

rtsp 554, 8554 -- Real Time Stream Control Protocol (RTSP - RFC 2326)

sap 3200, 330–3388, 3390–3399, 3600–3681, 3683–3699 -- Service Advertising Protocol (a NetWare protocol)

SAP R/3

[3682 overridden by centera]

sgcp -- 440 Simple Gateway Control Protocol

sgmp 153, 160 153, 160 Signaling Gateway Monitoring Protocol

shell 514 -- RCMD, RSH (Remote execution; like exec, but automatic)

silverpeak_comm 4164 4164 Silver Peak Communication Protocol

[Redirection cluster (should never be seen in current flows); added for completeness]

silverpeak_gms 3011–3020 -- Silver Peak GMS (Global Management System)

silverpeak_internal 4321 -- Reconcile (valid for 3.X; gone with 4.X)

silverpeak_iperf 5001 5001 Silver Peak iperf

silverpeak_peer -- 4163 UDP tunnels (should never see in current flows); added for completeness

silverpeak_tcpperf 2153–2154 -- Silver Peak tcpperf (default tcpperf server ports)

sip -- 5060 Session Initiated Protocol, or Session Initiation Protocol, an application-layer control protocol; a signaling protocol for Internet Telephony

sip_tls 5061 -- SIP over Transport Layer Security

smtp 25 -- Simple Mail Transfer Protocol (SMTP - RFC 821)

smtps 465 -- Secure SMTP (SMTP over SSL)


snapmirror 10565–10569 -- NetApp SnapMirror

• async uses 10566

• sync and semi-sync use 10565–10569

snmp 161-162 161-162 Simple Network Management Protocol (RFC 1902, 1905)

Simple Network Management Protocol - Traps (RFC 1902, 1905)

sql 118, 150, 156 118, 150 • all iana

SQL (Structured Query Language)

118 SQL Services

150 Oracle SQL*NET

156 SQL Service

srdf 1748 -- EMC SRDF

• override Oracle (iana 1748 for Oracle)

ssh 22 -- SSH (Secure Shell) Remote Login Protocol

sshell 614 -- Secure shell (shell over SSL)

sun_rpc 111, 2049 111, 2049 Sun Remote Procedure Call (RFC 1831)

sybase 1498, 2638 -- Sybase SQL Anywhere (v6.0)

Sybase SQL Anywhere (v5.x & older)

syslog -- 514 Syslog

t_120 1503 -- T.120 Whiteboarding

tacacs 49, 65 -- Login Host Protocol (TACACS)

TACACS - Default Server Port (RFC 1492)

telnet 23 -- Telnet (RFC 854)

telnets 992 -- Secure TELNET (TELNET over SSL)

tftp -- 69 Small, simple FTP used primarily in booting diskless systems

timbuktu 407, 1417–1420 407, 1419 Timbuktu

time 37 37 Time Protocol (RFC 868)

uucp 540 -- UUCP (Unix-to-Unix copy protocol) over TCP

UUCP Path Service (RFC 915)

vnc 5500, 5800, 5900 -- VNC

• match on 1 VNC display only (ignore 5801/5901 ...)

• iana for 5900

• 5500 for server-initiated connection

• 5800 for Java VNC viewer on web browser

vplex 11000 EMC VPLEX

vvr 4145, 8199, 8989 4145 Veritas Volume Replicator (VVR iana port 4145)

xwindows 6000–6063 -- X Window (x11) System


To view the list of built-in applications

In the menu bar, click Configuration > Application > Built-in to access the Configuration - Built-in Application page.

yahoo_games 11999 -- Yahoo Games

yahoo_im 5000–5001, 5050, 5100–5101 5000–5010, 5055 Yahoo Instant Messenger

Yahoo Instant Messenger file transfer

Yahoo Instant Messenger voice

Yahoo Instant Messenger webcam


Link to a helpful document that opens in a separate browser tab.


Defining User-Defined Applications

You can also define custom applications by associating an application name with a protocol and a port number. For more granularity in the definitions, the standard MATCH criteria parameters are available:

• priority

• protocol

• source IP address, subnet, and port(s)

• destination IP address, subnet, and port(s)

• DSCP

• VLAN

User-defined applications (UDA) are available in the Match Criteria when configuring any of the traffic maps (Route, Optimization, QoS), Access [Control] Lists (ACLs), or application groups.

Tip Notice that custom applications look like ACLs, but without the SET Action (Permit/Deny).

Important Considerations for Statistical Reports

When creating a custom application on one appliance, you must create the same application on each corresponding device so that there is reporting symmetry. Doing so ensures that if an application has a name on one appliance, it isn’t listed as an unassigned application on another, paired appliance.

When it comes to flow and application statistics reports, user-defined applications are always checked before built-in applications.

Ports are unique. If a port or a range includes a built-in port, then the custom application is the one that lays claim to it.

If two distinctly named user-defined applications have a port number in common, then report results will be skewed, depending on the priority assigned to the custom applications. A port is only counted once.

To create a user-defined application

In the menu bar, click Configuration > Application > User-Defined to access the Configuration - User-Defined Applications page.

• Each application consists of at least one rule.

• You can create an application that uses the same port with tcp and with udp. In that case, use the option, tcp/udp.

• If you select tcp, udp, or tcp/udp, then you can access the Port field. If you don’t select one of those three specific protocols, then the Port field(s) are unavailable.

• A warning displays if you reach the maximum number of rules, ports, or addresses allowed.

• If a UDA is in use, deleting it deletes all the dependent entries. A warning message appears before deletion.

• Multiple UDAs can have the same name. Whenever that name is referenced, the software sequentially matches against each UDA definition having that name. So, dependent entries are only deleted when you delete the last definition of that UDA.

• You’ll only be able to rename an application if it’s not used in a policy or ACL.

• Source IP / Destination IP:

  • An IP address can specify a subnet - for example: 10.10.10.0/24.

  • An IP address can specify a range - for example: 10.10.10.20-30.

  • To allow any IP address, use 0.0.0.0/0.

• Ports are available only for the protocols tcp, udp, and tcp/udp.

  • Specify either a single port or a range of ports - for example: 1234-1250.

  • To allow any port, use 0.
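Because a user-defined application claims any built-in port it covers, and two distinctly named UDAs sharing a port skew the reports, it is worth auditing a planned rule set before entering it. The following is an added example, not Silver Peak code: it parses rules written in the notation above and reports both kinds of overlap. The rule dictionaries, the function names, the sample rules and the reading of 10.10.10.20-30 as a last-octet range are assumptions made for this sketch.

```python
"""Audit UDA rules written in the guide's notation for overlapping ports (added example)."""
import ipaddress
from itertools import combinations

# Constructed subset of the built-in TCP port table shown on this page.
BUILTIN_TCP = {"ssh": (22, 22), "ms_sql": (1433, 1434), "ms_terminal_services": (3389, 3389)}
PROTOCOLS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcp/udp": {"tcp", "udp"}}
ANY_IP = (0, 2**32 - 1)


def parse_ports(spec):
    """'1234-1250' -> (1234, 1250), '443' -> (443, 443), '0' -> any port."""
    spec = spec.strip()
    if spec == "0":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return (lo, hi)


def parse_ip(spec):
    """Return (first, last) as integers for a subnet, a last-octet range or one address."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return (int(net.network_address), int(net.broadcast_address))
    if "-" in spec:
        # Assumption: '10.10.10.20-30' means 10.10.10.20 through 10.10.10.30.
        base, _, last = spec.rpartition("-")
        first = ipaddress.IPv4Address(base)
        end = ipaddress.IPv4Address(f"{base.rsplit('.', 1)[0]}.{int(last)}")
        if end < first:
            raise ValueError(f"bad address range: {spec!r}")
        return (int(first), int(end))
    addr = int(ipaddress.IPv4Address(spec))
    return (addr, addr)


def overlap(a, b):
    """Intersection of two inclusive ranges, or None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def compile_rule(rule):
    return {"name": rule["name"], "priority": rule["priority"],
            "protos": PROTOCOLS[rule["protocol"]],
            "src": parse_ip(rule["src_ip"]), "dst": parse_ip(rule["dst_ip"]),
            "ports": parse_ports(rule["port"])}


def uda_conflicts(rules):
    """Pairs of distinctly named UDAs that can match the same flow on a shared port."""
    found = []
    for a, b in combinations([compile_rule(r) for r in rules], 2):
        if a["name"] == b["name"]:
            continue  # same-named definitions are matched sequentially as one UDA
        protos = a["protos"] & b["protos"]
        ports = overlap(a["ports"], b["ports"])
        if protos and ports and overlap(a["src"], b["src"]) and overlap(a["dst"], b["dst"]):
            found.append((a["name"], b["name"], "/".join(sorted(protos)), ports))
    return found


def shadowed_builtins(rules, builtin_tcp=BUILTIN_TCP):
    """Built-in TCP applications whose ports a UDA claims, and for which traffic."""
    hits = []
    for r in map(compile_rule, rules):
        if "tcp" not in r["protos"]:
            continue
        everywhere = r["src"] == ANY_IP and r["dst"] == ANY_IP
        scope = "all traffic" if everywhere else "matching addresses only"
        for app, ports in builtin_tcp.items():
            common = overlap(r["ports"], ports)
            if common:
                hits.append((r["name"], app, common, scope))
    return hits


# Constructed sample rules (hypothetical names and priorities).
SAMPLE_RULES = [
    {"name": "backup_app", "priority": 10, "protocol": "tcp",
     "src_ip": "10.10.10.0/24", "dst_ip": "0.0.0.0/0", "port": "1430-1440"},
    {"name": "db_sync", "priority": 20, "protocol": "tcp/udp",
     "src_ip": "10.10.10.20-30", "dst_ip": "0.0.0.0/0", "port": "1434"},
    {"name": "admin_any", "priority": 30, "protocol": "tcp",
     "src_ip": "0.0.0.0/0", "dst_ip": "0.0.0.0/0", "port": "22"},
]

if __name__ == "__main__":
    for finding in uda_conflicts(SAMPLE_RULES) + shadowed_builtins(SAMPLE_RULES):
        print(finding)
```

A built-in that is shadowed for all traffic (ssh in the sample) no longer appears under its own name in reports, so any policy or ACL that matches on the built-in name deserves a second look.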


Creating and Using Application Groups

If your ACLs or policy maps contain MATCH conditions that involve multiple applications, you can simplify the MATCH criteria with application groups.

For example, an application group, secure, might include SSH, HTTPS, and SFTP.

Application groups have the following properties:

• Any built-in or user-defined application can belong to multiple groups.

• An application group cannot contain an application group.

• You can modify the contents of an application group even when it’s used by an ACL or policy map. But you can’t rename it if it’s being used.

• If an application group is in use, deleting it deletes all the dependent entries. A warning message appears before deletion.

When creating an application group on one appliance, you must create the same application group on each corresponding device so that there is reporting symmetry. Doing so ensures that if an application group has a name on one appliance, it isn’t listed as an unassigned application on another, paired appliance.

To create an Application Group

1 In the menu bar, click Configuration > Application > Groups to access the Configuration - Application Groups page.

2 After you click Add Groups, you can name the group and select from a list of filterable applications.

• The Group Name cannot be empty or have more than 64 characters.

• Group names are not case-sensitive.

• A group can be empty or contain up to 128 applications.


CHAPTER 4

Route Policy

This chapter describes the Route Policy.

Because MATCH criteria work the same way across all policies, the discussions focus on the SET actions that are specific to the Route policy. Where applicable, they also provide context relative to the Optimization and QoS policies.

Because the default is to auto-optimize all traffic, the Route Policy only requires rules for flows that are to be:

• sent pass-through (shaped or unshaped)

• dropped

• configured for a specific high-availability deployment

• routed based on application, VLAN, DSCP, or ACL (Access Control List)

Because you must ensure that the appliance intercepts the packets from inbound and outbound flows, this chapter also examines how to appropriately redirect traffic when you deploy the appliance out-of-path (Router Mode).

In This Chapter

• Choose an Optimization Strategy for the Traffic Path

• How to Use Subnet Sharing in Common Deployments

• How TCP-based Auto-Optimization Works

• How IP-based Auto-Optimization Works

• Determining the Need for Traffic Redirection

• Where the Route Policy Can Direct Flows

• Route Policy Page Organization


Choose an Optimization Strategy for the Traffic Path

The Route Policy specifies where to direct flows.

By default, the Route Policy auto-optimizes all IP traffic, automatically directing flows to the appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization.

The three strategies that auto-optimization uses are subnet sharing, TCP-based auto-opt, and IP-based auto-opt. By default, all three are enabled.

Subnet sharing is the appliance’s first choice for auto-optimization. When subnet sharing is disabled, the appliance defaults to using TCP-based auto-opt and IP-based auto-opt.

When might you choose to disable subnet sharing? If your network has numerous non-local LAN-side routers, you would need to manually enter each one into the appliance’s subnet table. With TCP-based or IP-based auto-opt, this is unnecessary; however, you would need to configure inbound redirection using either Policy-Based Routing (PBR), Filter-Based Forwarding (FBF), or Web Cache Communication Protocol (WCCP).

For a discussion of when you need inbound and outbound redirection, see “Determining the Need for Traffic Redirection”.

Auto-optimization uses different mechanisms for TCP versus non-TCP traffic. Because both mechanisms ultimately require an exchange of packets between two appliances, unidirectional IP traffic will not trigger auto-optimization.

You can, if you choose, modify the default entry’s SET action of auto-optimized.

The Route Policy, then, only requires entries for flows that are to be:

• sent pass-through (shaped or unshaped)

• dropped

• configured for a specific high-availability deployment.

• routed based on application, VLAN, DSCP, or ACL (Access Control List)

Note IMPORTANT — A tunnel must exist before subnet sharing can proceed.

Create tunnels in one of three ways:

• If you enable auto-tunnel (on the Configuration - System page), then the initial TCP-based or IP-based handshaking creates the tunnel. This requires the appropriate outbound and inbound redirection to be in place.

• You can let the Initial Configuration Wizard create the tunnel to the remote appliance.

• You can create a tunnel manually on the Configuration - Tunnels page.

The next few sections discuss each of the auto-optimization mechanisms.


How to Use Subnet Sharing in Common Deployments

This section introduces you to the components of the subnet table and illustrates how to use subnet sharing in the following deployments:

• Data Replication and Backup Deployment

• Hub and Branch Offices Deployment

• VRRP (Master/Backup) with Subnet Sharing

• VRRP (Master/Master) with Subnet Sharing

How is subnet sharing implemented?

Each appliance builds a subnet table from entries added automatically by the system or manually by a user. When two appliances are connected by a tunnel, they exchange this information ("learn" it) and use it to route traffic to each other.

When would you need to use a Route Policy?

Subnet sharing takes care of optimizing IP traffic based on the destination IP address alone.

Use a Route Policy (or when using the Global Management System (GMS), use and apply a Route Policy template) for flows that are to be:

• sent pass-through (shaped or unshaped)

• dropped

• configured for a specific high-availability deployment

• routed based on application, ports, VLAN, DSCP, or ACL (Access Control List)

What are the components of the subnet table?

This section introduces the components of Appliance Manager’s Configuration - Subnets page.


The following are global tags, which apply at a system level:

• Use shared subnet information enables subnet sharing on the appliance. If deselected, the subnet table is not used or available for auto-optimization.

• Automatically include local subnets adds the local subnet(s) of the appliance's interfaces to the subnet table. A local subnet is a subnet that includes one of the appliance IP addresses.

If deselected, the system doesn't create entries for the appliance's local subnets. If these subnets aren't listed, they cannot be shared with peer appliances for auto-optimization.

• Metric for automatically added subnets indicates the priority (0 to 100) of a given subnet. The default priority is 50.

These fields apply to individual subnets:

Column Name: Definition/Content

Subnet/Mask: Specifies the actual subnet to be shared/advertised so it can be learned by a peer appliance.

Metric: Value must be between 0 and 100. When an appliance finds that more than one peer appliance is advertising the longest matching subnet, it chooses the peer that advertises the subnet with the lowest metric value; that is, lower metrics have priority.

Is Local: Specifies if the subnet is local to this site.

The appliance sets this parameter for automatically added subnets because those subnets are directly attached to an appliance interface, and therefore are most likely local to the appliance.

Also, you can select the parameter when manually adding a subnet:

• Select this option for a manually added subnet if all the IP addresses in the subnet are known to be local.

• Deselect this option if the subnet is so large (for example, 0.0.0.0/0) that it may include IP addresses that are not local to this appliance.

If a subnet is too wide, and it’s marked local, then the stats will count any pass-through packets with an IP address within that range as WAN-to-LAN.

Advertise to Peers: Selecting this shares the subnet information with peers. Peers then learn it.

To add a subnet to the table without divulging it to peers yet, deselect this option.

Type [of subnet]:

• Auto (added by system): Automatically added subnets of interfaces on this appliance

• Added by user: Manually added/configured subnets for this appliance

• Learned from peer: Subnets added as a result of exchanging information with peer appliances

Learned from Peer: Identifies the peer appliance that advertised this subnet information.


Data Replication and Backup Deployment

An excellent opportunity for using subnet sharing is with data protection (replication and backup) deployments, where storage personnel seek to optimize their replication and backup workloads and improve RPO (Recovery Point Objective). Just put the Silver Peak appliance in the same subnet, and either add a static route or change the default gateway to be the Silver Peak appliance. This, in fact, eliminates the requirement for WAN-side redirection on the routers, saving storage personnel the need to coordinate with network engineers.

Figure 4-1

To configure the subnets

Configure the subnet table at Replication Site 1, followed by the subnet table at Replication Site 2.

1 From the menu, access Configuration > Subnets. The empty Configuration - Subnets page appears.


2 Do the following:

a Select Use shared subnet information.

b Select Automatically include local subnets.

c Click Apply. The appliance automatically adds its subnet and will share the information with its peers.

Now, configure Replication Site 2’s appliance.

3 From the menu, access Configuration > Subnets. The Configuration - Subnets page appears and displays the subnet learned from its peer at the other site.


4 Do the following:

a Select Use shared subnet information.

b Select Automatically include local subnets.

c Click Apply. The appliance automatically adds its own subnet and shares the information with its peers.

5 To verify that the information has been shared, return to the Replication Site 1’s subnet table and view the results.

The process is now complete.

Traffic originating from a replication site is sent to the Silver Peak appliance, which is the default gateway. Once traffic reaches the appliance, it uses the subnet table information to route traffic into the correct tunnel, thereby overcoming the need for inbound (WAN-side) redirects on the router.


Hub and Branch Offices Deployment

In this example, the branches can only access the Internet via the Hub appliance. We direct and optimize Internet traffic between the branch offices and the hub site.

Figure 4-2

This example assumes the following facts before configuring the subnet tables:

• The tunnels already exist between hub and branches, and also between branches.

• All out-of-path traffic is redirected using VRRP (Virtual Router Redundancy Protocol), WCCP (Web Cache Communication Protocol), or PBR (Policy-Based Routing).


To configure the subnets

First, configure the subnet table on the Hub appliance, then configure the subnet table on branch-2, and finally configure the subnet table on branch-1.

1 From the menu, access Configuration > Subnets. The empty Configuration - Subnets page appears.

2 Do the following:

a Select Use shared subnet information.

b The subnet 10.1.166.0/24 is not in the same subnet as the Hub appliance. Therefore, you must manually add it to the appliance’s subnet table.

• Select Is Local, to indicate that the subnet is local to this site.

• Select Advertise to Peers.

c Click Apply.


Now, configure the appliance, branch-2.

3 From the menu, access branch-2’s Configuration - Subnets page. The Configuration - Subnets page appears.

Notice that Hub’s shared information appears as an entry.

4 Do the following:

a Select Use shared subnet information.

b Select Automatically include local subnets. This ensures that the appliance automatically learns its own subnet, 10.1.155.0/24.

c Click Apply. The subnet table updates.

Next, configure the appliance, branch-1.


5 From the menu, access branch-1’s Configuration - Subnets page. The Configuration - Subnets page appears.

Notice that branch-1 has already learned subnets from the configurations performed on Hub and branch-2.

Do the following:

a Select Use shared subnet information.

b Select Automatically include local subnets. This ensures that the appliance automatically learns its own subnets, 10.1.237.0/24 and 10.10.237.0/24.


c Click Apply. The subnet table updates.

You can refer to Hub’s subnet table to verify that all the appropriate entries are there.

Next, separately test the connections and use branch-2’s Monitoring - Current Flows page to verify that traffic from client A, 10.1.155.85, in Branch Office 2, is being optimized correctly as it flows:

• to client B, 10.1.237.85, in Branch Office 1, and

• to client C, 10.1.166.85, in the Main Office.

Because of VLAN 10 (see diagram), the appliance is able to learn this subnet automatically.


6 To verify communication between the branches, access branch-2. From the Monitoring menu, select Current Flows. One by one, the results were as follows:

• from client A, 10.1.155.85, in Branch Office 2, to client B, 10.1.237.85, in Branch Office 1

• from client A, 10.1.155.85, in Branch Office 2, to client C, 10.1.166.85, in the Main Office

The tunnel from branch-2 to branch-1 is 2-branch-1, and its traffic is being optimized successfully.

The tunnel from branch-2 to Hub is 2-hub, and its traffic is being optimized successfully.

• from client A, 10.1.155.85, in Branch Office 2, to client D, 128.242.109.85, in the Internet

Client D has no configured or advertised subnet(s).

The traffic has been sent through pass-through, that is, unoptimized:

• branch-2 subnet sharing failed because there is no subnet entry match for client D.

• Without a known subnet, the Silver Peak software determines the correct tunnel by using other optimization strategies, such as TCP-based auto-opt and IP-based auto-opt. These failed because of the lack of WAN-side redirection at the Hub site for traffic intended for client D.

The end result is that the traffic goes pass-through.

An ALERT is visible when traffic is not being optimized successfully.

This host lives in the internet.


7 To overcome these issues and to successfully optimize internet traffic, create a “wild card” (0.0.0.0/0) entry on Hub’s subnet table, and give it the highest value metric so that it’s accessed last.

Note Exercise caution before configuring a wild card (0.0.0.0/0) subnet entry on the hub. This will cause the branches to steer traffic that is destined to unknown (that is, not in the subnet tables) subnets to the hub. Also, if you add a new network to a site, make sure to add that subnet to the appropriate appliance as a local subnet.

Since subnet 0.0.0.0/0 may include IP addresses that are not local, deselect the “Is Local” option.


8 Go to branch-2’s subnet table, and notice that it has learned the subnet.

If an Internet subnet is not among the previous entries, its traffic will always go to Hub.


9 Go to branch-2’s Monitoring - Current Flows table to see that traffic from A to D is now being optimized between branch-2 and Hub.

The process is now complete.

This demonstrates how subnet sharing can be used to auto-optimize internet traffic to and from a branch office, where the branch office’s only access to the internet is via the hub appliance.

If 128.242.109.0/24 is in the Internet, then branch-2’s internet access is now via Hub.

This assumes that the firewall translates the internal IP address to a public address.

Now the bidirectional view between A and D: traffic is flowing in both directions.

VRRP (Master/Backup) with Subnet Sharing

In this example, Site A deploys two appliances out-of-path (Router mode), and Site B deploys a single appliance in-line (Bridge mode).

The peered appliances at Site A use the Virtual Router Redundancy Protocol (VRRP) to create and share a common IP address, called the Virtual IP (VIP) address (not shown here). Configuring for high availability assigns one appliance a higher priority than the other, thereby making it the master appliance, and the other, the backup.

Figure 4-3

Before configuring the subnet tables:

• The tunnels must already exist.

• For each appliance in Site A, configure VRRP by using the Configuration > VRRP menu. Be sure to give your Master appliance the greater Priority value (for example, 130 for the Master, and 128 for the Backup).

• Configure Site A’s WAN router to send traffic to the VRRP IP address.

To configure the subnets

First, configure Site A’s Master appliance (vrrp2), and then the Backup appliance (vrrp1).


1 From the menu, access Configuration > Subnets. The empty Configuration - Subnets page appears.

2 Do the following:

a Select Use shared subnet information.

b The subnets 10.1.166.0/24 and 10.1.167.0/24 are not in the same subnet as the appliance. Therefore, you must manually add them to the appliance’s subnet table.

• Since this is the Master appliance, change the Metric to a smaller number to give its subnets precedence. Here, we’ve changed it from the default, 50, to 10.

• Select Is Local, to indicate that the subnet is local to this site.

• Select Advertise to Peers.

c Click Apply.

Now, configure Site A’s Backup appliance, vrrp1.

Lower number = higher priority

3 From the menu, access vrrp1’s Configuration - Subnets page. The empty Configuration - Subnets page appears.

4 Do the following:

a Select Use shared subnet information.

b The subnets 10.1.166.0/24 and 10.1.167.0/24 are not in the same subnet as vrrp1. Therefore, you must manually add them to the appliance’s subnet table.

• Since this is the Backup appliance, accept the default Metric value of 50. Since you changed vrrp2’s Metric to 10, vrrp2 has priority. With subnet metrics, the lower the number, the higher the priority.

• Select Is Local, to indicate that the subnet is local to this site.

• Select Advertise to Peers.

c Click Apply. The table updates.

Now, we’ll configure Site B’s appliance.

5 From the menu, access Site B’s appliance’s Configuration - Subnets page. The empty Configuration - Subnets page appears.

6 Do the following:

a Select Use shared subnet information.

b Select Automatically include local subnets. This assures that the appliance, 10.1.155.3, automatically adds the subnet (10.1.155.0/24) that’s local to its interface.

c Because it’s not in the same subnet as the appliance, you must manually add 10.10.155.0/24 to the appliance’s subnet table.

• Select Is Local, to indicate that the subnet is local to this site.

• Select Advertise to Peers.

d Click Apply.

Site B’s subnet table now also includes those subnets advertised by the peers in Site A.


If you now examine the subnet tables for vrrp2 and vrrp1, you’ll see that both have learned Site B’s subnets.

7 To verify that traffic is flowing from Site B to the Master appliance, vrrp2, at Site A, go to Site B’s menus and access Monitoring > Current Flows.


This shows that the tunnel carrying traffic is the one that goes to vrrp2.


In the event that the Master appliance goes down, the first thing to verify is whether the Backup, vrrp1, has successfully become the Master appliance.

8 In vrrp1’s user interface, access the Configuration - VRRP page and verify the state.

When the original Master goes down, its learned entries disappear from Site B’s subnet table.

9 View Site B’s Monitoring - Current Flows page to verify that the traffic is now flowing from host 10.1.155.85 to 10.1.166.85 through tunnel, 2-vrrp1.

The process is now complete. This demonstrates how VRRP subnet sharing can be used in auto-optimization mode to correctly steer traffic to the Master appliance.


VRRP (Master/Master) with Subnet Sharing

For Active/Active style deployments, we need to configure two VRRP groups/instances.

• Each VRRP group/instance will look similar to the one in Active-Backup setup (shown in Figure 4-3).

• Only one VRRP group/instance is active on each appliance (shown in Figure 4-4).

• In this deployment, Silver Peak recommends that you set up flow redirection between appliances. This helps avoid traffic not being optimized due to asymmetry.

Figure 4-4

All of the above deployments demonstrate how subnet sharing effectively helps the user achieve his goal for that specific topology and use case.

Some of the examples, like VRRP, show how to integrate subnet sharing with other features. Subnet sharing is not limited to these deployments. You can apply it to other different deployments, based on requirements and topology.


How TCP-based Auto-Optimization Works

In the context of TCP traffic, auto-optimization begins with the sending of TCP control packets that—in the process of handshaking—determine which tunnel to use as they open the connection.

Basic TCP handshaking consists of three ordered steps:

1 The client sends a SYN packet to the server, as “hello”.

2 The server receives the SYN packet and acknowledges it by sending a SYN/ACK packet.

3 The client receives the SYN/ACK packet. The connection is established. The client then sends an ACK packet, along with the data, known as a TCP flow.

During this process, the appliances interact with the control packets to set up auto-optimization.

Handshaking for TCP Auto-Optimization in In-Line Deployments

Beginning at the top and progressing to the bottom, this diagram summarizes the sequence of activities during handshaking in in-line deployments.


Handshaking for TCP Auto-Optimization in Out-of-Path Deployments

Beginning at the top and progressing to the bottom, this diagram summarizes the sequence of activities during handshaking in out-of-path deployments.


Note The appliance tries to override asymmetric route policy settings. It emulates Auto-opt behavior by using the same tunnel for the returning SYN+ACK as it did for the original SYN packet.

Enabled by default (in the Optimization Policy, under TCP Accelerations Details), this feature needs to be disabled if the asymmetric route policy setting is necessary to correctly route packets. In such a case, other features like flow redirection might need to be employed to ensure TCP optimization of the flow.

How IP-based Auto-Optimization Works

IP-based (non-TCP) auto-optimization requires that at least 12 packets are transmitted in each direction to auto-optimize the flow.

Therefore, unidirectional non-TCP traffic will not trigger auto-optimization.


Determining the Need for Traffic Redirection

To optimize traffic, the appliance must intercept both the inbound and outbound packets for the flow.

Therefore, whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.

There are three methods for redirecting outbound packets from the client to the appliance (known as LAN-side redirection, or outbound redirection):

• PBR (Policy-Based Routing) — configured on the router. No other special configuration required on the appliance. This is also known as FBF (Filter-Based Forwarding).

If you want to deploy two Silver Peaks at the site, for redundancy or load balancing, then you also need to use VRRP (Virtual Router Redundancy Protocol).

• WCCP (Web Cache Communication Protocol) — configured on both the router and the Silver Peak appliance. You can also use WCCP for redundancy and load balancing.

• Host routing — the server/end station has a default or subnet-based static route that points to the Silver Peak appliance as its next hop. Host routing is the preferred method when a virtual appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).

To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between the appliance and a router, or the appliance and another redundant Silver Peak.

How you plan to optimize traffic affects whether or not you also need inbound redirection from the WAN router (also known as WAN-side redirection):

• If you enable subnet sharing (which relies on advertising local subnets between Silver Peak appliances) or route policies (which specify destination IP addresses), then you only need outbound redirection.

• If, instead, you default to TCP-based or IP-based auto-optimization (which relies on initial handshaking outside a tunnel), then you must set up inbound and outbound redirection on the WAN router.

• Additionally, for TCP flows to be optimized, both directions must travel through the same client and server appliances. If the TCP flows are asymmetric —as could occur in a high-availability deployment — you need to configure clusters for flow redirection among local appliances.

For more about flow redirection, see Chapter 7, “Using Flow Redirection to Address TCP Asymmetry.”

A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:

• If you enable auto-tunnel on the Configuration - System page, then TCP-based or IP-based handshaking creates the tunnel. That requires outbound and inbound redirection to be in place.

• You can let the Initial Configuration Wizard create the tunnel to the remote appliance.

• You can create a tunnel manually on the Configuration - Tunnels page.

The following diagrams show where redirection is required and which methods you can use:

• when subnet sharing is enabled

• when using TCP-based or IP-based auto-optimization (that is, subnet sharing is not enabled)

• when directed to a specific tunnel by the Route Policy


When using subnet sharing

Enable subnet sharing on both the local and remote appliances.

For outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF), WCCP, or host routing.

Host routing only requires configuration on the client — not on the router or appliance.

Figure 4-5


When defaulting to TCP-based or IP-based auto-optimization

Initial handshaking between appliances happens outside the tunnel, requiring inbound redirection for packet routing.

For inbound and outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF) or WCCP.

Figure 4-6


When specifying a tunnel

For outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF), WCCP, or host routing.

With host routing, the outbound redirection is configured on the client, as opposed to on the router and/or appliance.

Host routing only requires configuration on the client — not on the router or appliance.

Figure 4-7


Where the Route Policy Can Direct Flows

The Route Policy’s SET actions determine:

• where the appliance directs the traffic, and

• how traffic is managed if a tunnel is down.

These actions correlate with what you choose for the options in Tunnel and Tunnel Down Action. The following diagrams illustrate the consequences for each:

• Flow directed to a tunnel

• Flow designated as auto-optimized

• Flow designated as shaped pass-through traffic

• Flow designated as unshaped pass-through traffic

• Flow dropped

• Continue option used in Tunnel Down Action

Flow directed to a tunnel

The most important thing to remember is that the only way to optimize traffic is to direct flows to tunnels, either by specifying the tunnel or selecting auto-optimization.

This diagram shows how the appliance processes a flow assigned to a tunnel by the Route Policy. The QoS and Optimization policies are shown only in the interest of providing a broader context for interested users.

1 First, the Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entries 10 and 20 don’t match the traffic, but Entry 30 does.

2 The policy applies the entry’s SET actions to the identified flow. In this case, it directs the flow to Tunnel A. Once traffic matches an entry, no subsequent entries are examined.


3 Before the flow reaches Tunnel A, the QoS Policy checks against its entries and

• applies the DSCP marking specified for LAN QoS, and

• assigns the flow to a traffic class. (Traffic classes are defined in and processed by the Shaper.)

4 The appliance passes the flow to the Optimization Policy.

Only flows directed to tunnels are subject to the Optimization Policy.

5 The appliance queues the flow into Traffic Class #1 in the Shaper.

6 After shaping, the QoS Policy applies the DSCP markings for the WAN QoS.

7 The appliance queues the optimized flow into Tunnel A as it exits the physical WAN interface.

Flow designated as auto-optimized

When a Route Policy entry has a SET action of auto optimized — as is the case with the default entry — the appliance uses one of three strategies — subnet sharing, TCP-based auto-opt, or IP-based (non-TCP) auto-opt — to direct a flow to the appropriate tunnel.

Once the appliance determines the appropriate tunnel, it processes the flow in the same way as a flow directed to a specific tunnel.


Flow designated as shaped pass-through traffic

Flows tagged by the Route Policy as shaped, pass-through traffic follow this path:

1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entry 40 matches the traffic and tells the appliance to process the flow as shaped, pass-through traffic.

2 The QoS Policy checks against its entries and

• ignores the DSCP marking specified for LAN QoS, and

• assigns the flow to a traffic class.

3 After shaping, the QoS Policy applies the DSCP markings for the WAN QoS.

4 The appliance queues the flow to exit the physical WAN interface.

Flow designated as unshaped pass-through traffic

Flows marked by the Route Policy as unshaped, pass-through traffic follow this path:


1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. The first three entries don’t match the traffic, but Entry 40 does.

2 In this case, the flow is to be processed as unshaped, pass-through traffic.

3 The QoS Policy only applies the DSCP marking specified for WAN QoS.

4 The appliance queues the flow to exit the physical WAN interface.

Flow dropped

Flows that have a SET action of drop follow this path:

1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entries 10 and 20 don’t match the traffic, but Entry 30 does.

2 With a SET action of drop, the appliance stops all processing on the flow.


Continue option used in Tunnel Down Action

The Continue option in the Tunnel Down Action field enables the appliance to read ensuing entries in the Route Policy in the event that the tunnel used in a previous entry goes down.

Flows that have a Tunnel Down SET action of Continue follow this path:

(We’ve simplified this last diagram, skipping over the sequenced application of Optimization and QoS Policies. To refresh your memory, see “Flow directed to a tunnel” on page 76.)

1 First, the Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entries 10 and 20 don’t match the traffic, but Entry 30 does.

2 The policy applies the entry’s SET actions to the identified flow. In this case, it sends the flow to Tunnel A. Once any traffic matches an entry, no subsequent entries are examined.

3 If Tunnel A goes down, the Route Policy refers back to the policy entry’s Tunnel Down Action. The action prescribed is to continue to the next applicable MATCH criteria, which is Entry 50, putting all traffic into Tunnel B.

This configuration provides redundancy for high availability environments:

• If Tunnel A is subsequently restored, the Route Policy directs new flows matching Entry 30 to Tunnel A.

• Flows that were continued from Entry 30 to Entry 50 (and Tunnel B) persist until complete.
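The first-match evaluation and the Continue behaviour described in this section can be modelled as follows. This is an added illustration, not Silver Peak code: the MATCH predicates, subnets other than the 10.1.155.85 to 10.1.166.85 flow, and the re-evaluation of a flow whose tunnel has gone down are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Destinations from the Route Policy page that do not depend on a named tunnel being up.
NOT_A_NAMED_TUNNEL = {"auto optimized", "pass-through", "pass-through-unshaped", "drop"}


@dataclass
class Entry:
    priority: int                      # lower numbers are examined first
    match: Callable[[dict], bool]      # MATCH criteria, simplified to a predicate
    tunnel: str                        # SET: tunnel name or one of NOT_A_NAMED_TUNNEL
    tunnel_down: str = "pass-through"  # SET: Tunnel Down Action


def dst_in(cidr: str) -> Callable[[dict], bool]:
    """MATCH on destination subnet (hypothetical helper for this example)."""
    net = ipaddress.ip_network(cidr)
    return lambda flow: ipaddress.ip_address(flow["dst"]) in net


def route(flow: dict, entries: List[Entry], tunnel_up: Dict[str, bool]) -> str:
    """Return the destination the policy assigns to a flow evaluated right now."""
    for entry in sorted(entries, key=lambda e: e.priority):
        if not entry.match(flow):
            continue
        if entry.tunnel in NOT_A_NAMED_TUNNEL or tunnel_up.get(entry.tunnel, False):
            return entry.tunnel        # first match wins, later entries are not read
        if entry.tunnel_down != "continue":
            return entry.tunnel_down   # tunnel is down: apply the Tunnel Down Action
        # Tunnel Down Action is "continue": keep reading the ensuing entries.
    return "auto optimized"            # the default entry, always last


class FlowTable:
    """Remembers where each flow was placed, so restored tunnels only affect new flows."""

    def __init__(self, entries: List[Entry], tunnel_up: Dict[str, bool]):
        self.entries = entries
        self.tunnel_up = tunnel_up     # shared, mutable tunnel state
        self.placed: Dict[str, str] = {}

    def forward(self, flow_id: str, flow: dict) -> str:
        dest = self.placed.get(flow_id)
        # Assumption: a flow whose tunnel went down is evaluated against the policy again.
        stranded = (dest is not None and dest not in NOT_A_NAMED_TUNNEL
                    and not self.tunnel_up.get(dest, False))
        if dest is None or stranded:
            dest = self.placed[flow_id] = route(flow, self.entries, self.tunnel_up)
        return dest


def sample_policy() -> List[Entry]:
    """Constructed policy mirroring Entries 10, 20, 30 and 50 in the walk-through."""
    return [
        Entry(10, dst_in("10.1.10.0/24"), "pass-through-unshaped"),
        Entry(20, dst_in("192.168.20.0/24"), "drop"),
        Entry(30, dst_in("10.1.166.0/24"), "Tunnel A", tunnel_down="continue"),
        Entry(50, dst_in("10.1.0.0/16"), "Tunnel B", tunnel_down="pass-through"),
    ]


if __name__ == "__main__":
    state = {"Tunnel A": False, "Tunnel B": True}
    table = FlowTable(sample_policy(), state)
    flow = {"src": "10.1.155.85", "dst": "10.1.166.85"}
    print("Tunnel A down:", table.forward("flow-1", flow))
    state["Tunnel A"] = True
    print("Tunnel A restored, existing flow:", table.forward("flow-1", flow))
    print("Tunnel A restored, new flow:", table.forward("flow-2", flow))
```

Because Entry 50 uses pass-through as its own Tunnel Down Action, a flow that loses both tunnels leaves the appliance unoptimized rather than being dropped; whether that is acceptable for the traffic in question is a policy decision.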


Route Policy Page Organization

The Route Policy page allows you to:

• add, delete, activate, and rename maps

• add, edit, and delete rules

The following shows the SET actions:

To switch to another route map, select from the drop-down menu and click Activate. Any change governs all new flows.

The following options are available when configuring the Tunnel:

• auto optimized

• the name of any tunnel from the Configuration - Tunnels page

• pass-through [shaped]

• pass-through-unshaped, and

• drop

The default rule is always last.

The last column is only accessible if the Tunnel entry is a specific tunnel.

Tunnel Down Action has the following options:

• pass-through [shaped]

• pass-through-unshaped

• drop, and

• continue


CHAPTER 5

Bandwidth Management & QoS Policy

This chapter describes the QoS Policy’s SET actions and how the Shaper defines and manages the traffic classes assigned in the QoS Policy.

It also explains how to configure traffic classes in the Shaper for optimized and pass-through traffic, along with providing best practices guidelines for effectively managing bandwidth.

In This Chapter

• Overview

• What Path a Flow Follows for Shaping

• Best Practices for Bandwidth Management

• Defining Traffic Classes and Limits with the Shaper

• QoS Policy Page Organization and Management

• Handling and Marking Packets


Overview

When the network gets congested or you start to run out of bandwidth, your QoS policy determines how to allocate the available resources.

In a well-designed network, QoS helps manage every potential bottleneck point. It’s important to implement QoS in the WAN acceleration appliance for the following reasons:

• It can offload the router.

• It’s the only element that collects real-time metrics — such as packet loss and delay — for pre-optimization and post-optimization views of the traffic.

In the event that demand exceeds available bandwidth, QoS gives preferential treatment to selected flows, while slowing down or delaying others.

The QoS Policy assigns each flow to a queue that’s associated with a traffic class, for processing and transmission across the WAN:

• The configuration of the traffic classes determines how likely packets are to get WAN bandwidth at any point in time.

• Traffic Class definitions are part of the Shaper configuration.

• The appliance’s WAN interface supports 10 traffic classes.

• Traffic class definitions and QoS Policy settings apply to both optimized and pass-through shaped traffic. By default, both share the same limit for maximum bandwidth. However, you can set a lower maximum bandwidth for pass-through traffic than for optimized traffic.

A QoS policy asks:

• How do you want to use traffic classes to prioritize and shape your traffic?

• How should the DSCP markings be treated? Trust the incoming LAN or re-mark for the WAN?

• Do you want to use DSCP markings to prioritize traffic downstream?

The default QoS Policy honors incoming DSCP tags. It also prepopulates the QoS policy table with rules to send traffic to predefined traffic classes (2 - real-time, 3 - interactive, 4 - best-effort) and sends the remaining flows to Traffic Class 1 - default. For the majority of users, the need to adjust this will be a “corner case”.

What Path a Flow Follows for Shaping

The QoS Policy’s SET actions determine two things:

• what traffic class a shaped flow — whether optimized or pass-through — is assigned

• how to handle DSCP markings for all flows leaving the appliance’s WAN interface, whether the marking is for over-the-WAN or for the LAN on the remote side.

The following diagrams illustrate the consequences for each:

• Flow sent to a tunnel

• Flow sent as pass-through shaped traffic

• Flow sent as unshaped pass-through traffic


Flow sent to a tunnel

This diagram shows how the appliance applies QoS to a flow that’s been directed to a tunnel.

1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria. Entries 10 and 20 don’t match the traffic, but Entry 30 does.

2 The policy applies the entry’s SET actions to the identified flow. In this case, it directs the flow to Tunnel C. Once any traffic matches an entry, no subsequent entries are examined.

3 Before the flow reaches Tunnel C, the QoS Policy checks against its entries and

• applies the DSCP marking specified for LAN QoS, and

• assigns the flow to a traffic class. Here, the application, ssh, matches to the pre-defined application group, interactive, so the appliance assigns the flow to Traffic Class 3.

• passes the flow to the Optimization Policy for optimizations, accelerations, and compressions. The Optimization Policy only applies to tunnelized traffic.

4 After optimization, the flow queues to Traffic Class 3 for shaping.

5 QoS Policy applies the DSCP markings for the WAN QoS.

6 The optimized flow exits the WAN interface.

If the Route Policy’s Set Action is auto-optimized and the local appliance initiates either TCP-based or IP-based handshaking, then the remote appliance determines which tunnel to use, based on information it receives in the first packets from the local appliance.

Also, auto-optimization relies on deploying the appliance such that it intercepts outbound and inbound flows. For an out-of-path (Router Mode) appliance, this requires traffic redirection.

For more information about auto-optimization, see Chapter 4, “Route Policy.”

Handling of DSCP markings is further explained in “Applying DSCP Markings to Optimized Traffic” on page 95.


Flow sent as pass-through shaped traffic

Flows tagged by the Route Policy as pass-through shaped traffic follow this path:

1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entry 20 matches and designates the flow for pass-through shaped traffic.

2 The QoS Policy checks against its entries and

• ignores the DSCP marking specified for LAN QoS (because packets are not encapsulated), and

• because the flow matched no earlier entries, assigns the flow to the default, Traffic Class 1. Note that the same traffic classes process both optimized and pass-through shaped traffic. Unless you configure pass-through shaped traffic to have a lower maximum bandwidth, the Shaper processes both types of traffic by the same criteria.

3 After optimization, the flow queues to Traffic Class 1 for shaping.

4 The QoS Policy applies the DSCP markings for the WAN QoS.

5 The flow exits the WAN interface.

Note The user interface uses the terminology, pass-through, to refer to pass-through shaped. We use the latter terminology here for clarity.

Handling of DSCP markings is further explained in “Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic” on page 98.


Flow sent as unshaped pass-through traffic

Flows marked by the Route Policy as unshaped, pass-through traffic follow this path:

1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria. The flow matches on Entry 20.

2 The policy applies the entry’s SET actions to the identified flow. In this case, the flow is to be processed as unshaped, pass-through traffic.

3 Because the traffic is set to pass-through unshaped, it is not encapsulated. The QoS Policy checks against its entries and only applies the DSCP marking specified for WAN QoS.

4 The flow exits the WAN interface.

Handling of DSCP markings is further explained in “Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic” on page 98.


Best Practices for Bandwidth Management

Congestion is unlikely on either of the LAN segments to which the Silver Peak device connects directly, since these are typically operating at 100 Mbps or 1000 Mbps.

In a typical deployment, congestion is most likely to arise at the near-end WAN interface.

With wise bandwidth management and QoS, the Silver Peak appliance can guarantee shaping and prioritization for all traffic. For smooth network operation, it’s wisest to consider your overall bandwidth allocation in advance and then to revisit it each time you add, edit, or remove a tunnel.

Summary of Bandwidth Assessment and Management Tasks

The following table summarizes the tasks when configuring multiple tunnels for an appliance and/or more than one traffic class per entity.

| Task | Notes | For detailed instructions, see... |
|---|---|---|
| 1 Configure the maximum system bandwidth, based on the bandwidth of the WAN link. | Because of where network congestion typically occurs, you want to ensure that the appliance doesn’t deliver more than the WAN can manage. | “Configuring Max WAN Bandwidth” on page 91. |
| 2 Configure traffic classes in the Shaper. | The same traffic classes manage optimized (tunnel) traffic and pass-through shaped traffic. You can configure up to 10 traffic classes for the physical WAN interface. | “Traffic Class Configuration” on page 90. |
| 3 Configure the tunnel minimum bandwidth | This is a consideration when using Dynamic Rate Control. | “Dynamic Rate Control” on page 93. |
| 4 Let the appliance negotiate tunnel maximum bandwidth(s) | When Auto BW is active (as it is by default), the appliance negotiates maximum bandwidth for each tunnel. | “Tunnel Auto BW” on page 93. |
| 5 Configure your QoS Policy | Here you assign flows to the traffic classes you defined in the shaper. | “QoS Policy Page Organization and Management” on page 94. “Handling and Marking Packets” on page 95. |
| 6 Review your configuration | Make sure that you haven’t over- or undersubscribed the link. | |


Defining Traffic Classes and Limits with the Shaper

The Shaper is a simplified way of globally configuring QoS (Quality of Service) on the appliances:

• The QoS Policy assigns each packet to a traffic class.

• Traffic Class definitions are part of the Shaper configuration.

• The Shaper defines ten traffic classes, four of which are prescriptively named: real-time, interactive, default, and best effort.

• It shapes outbound traffic by allocating bandwidth as a percentage of the system bandwidth.

• The Shaper's parameters apply to the WAN interface.

• The system applies these QoS settings globally after compressing (deduplicating) all the outbound tunnelized and pass-through-shaped traffic, shaping it as it exits to the WAN.

This section discusses the following:

• Traffic Class Configuration

• Configuring Max WAN Bandwidth

• Configuring Max Bandwidth for Pass-through Shaped Traffic

• Role of Tunnel Configuration Values and Features


Traffic Class Configuration

The Configuration - Shaper page looks like this:

What happens if you change the Minimum Bandwidth values?

• If all minimums are equal to 0%, then Excess Weighting alone determines bandwidth allocation and no traffic class has priority. (Referred to as pure weights.)

Tip When you set a traffic class Minimum Bandwidth to zero, you are explicitly not guaranteeing any bandwidth for that class.

• If the sum of the percentages for the queues in use exceeds 100%, then low-priority traffic classes might not receive their guaranteed bandwidth (starvation).

• If all minimums are equal to 100%, then Priorities alone determine bandwidth allocation. For example, Priority 2 only gets bandwidth if Priority 1 is completely satisfied. (Referred to as pure priorities.)

Priority determines the order in which to allocate each class’s Minimum Bandwidth — 1 being the highest priority, and 10 being the lowest priority. Here, Traffic Class 2 has the highest priority. This becomes critical when you oversubscribe.

Each traffic class is guaranteed this percentage of bandwidth, allocated by Priority. Configure the %, and the Kbps is calculated for you.

After minimums are satisfied, excess bandwidth is distributed among traffic classes in proportion to their weights.

You can limit a traffic class to a maximum percentage of bandwidth.

Packets are dropped if they have been in the system longer than the configured max wait times.


How is Excess Weighting calculated and applied?

• Excess Weighting is a ratio of the weight of one traffic class divided by the sum of the weights of the active traffic classes. So, if all three traffic classes were active in the example above, Traffic Class 2 would get 1000/(100 + 1000 + 1000) = 1000/2100 = 48% of the excess bandwidth.

• If all Minimum Bandwidth values were set to 0 (zero), then ratios would allocate all bandwidth.
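The interaction of Priority, Minimum Bandwidth, Excess Weighting and Maximum Bandwidth can be worked through with a small allocator. This is an added model built from the rules stated above, not the appliance's scheduler: the per-class demand figures, the class-to-weight assignment apart from Traffic Class 2, and the two-pass structure are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TrafficClass:
    name: str
    priority: int                   # 1 is the highest priority, 10 the lowest
    min_pct: float                  # Minimum Bandwidth, % of system bandwidth
    weight: int                     # Excess Weighting
    max_pct: float = 100.0          # Maximum Bandwidth, % of system bandwidth
    demand_kbps: float = math.inf   # offered load (assumption); 0 means inactive


def allocate(total_kbps: float, classes: List[TrafficClass]) -> Dict[str, float]:
    """Return Kbps granted per class for one scheduling snapshot."""
    active = [c for c in classes if c.demand_kbps > 0]
    grant = {c.name: 0.0 for c in classes}
    # A class never gets more than it offers or more than its configured maximum.
    ceiling = {c.name: min(c.demand_kbps, total_kbps * c.max_pct / 100.0) for c in active}
    remaining = float(total_kbps)

    # Pass 1: guaranteed minimums, handed out in Priority order.
    # If the minimums sum to more than 100%, later classes find nothing left.
    for c in sorted(active, key=lambda c: c.priority):
        g = min(total_kbps * c.min_pct / 100.0, ceiling[c.name], remaining)
        grant[c.name] = g
        remaining -= g

    # Pass 2: excess bandwidth in proportion to weight, among active classes only.
    # Bandwidth a capped class cannot use is shared again among the others.
    hungry = [c for c in active if c.weight > 0 and grant[c.name] < ceiling[c.name]]
    while remaining > 1e-9 and hungry:
        total_weight = sum(c.weight for c in hungry)
        pool = remaining
        for c in hungry:
            take = min(pool * c.weight / total_weight, ceiling[c.name] - grant[c.name])
            grant[c.name] += take
            remaining -= take
        hungry = [c for c in hungry if ceiling[c.name] - grant[c.name] > 1e-9]
    return grant


def pure_weights_example() -> Dict[str, float]:
    """All minimums 0%: weights 100, 1000 and 1000 split a 2100 Kbps link (constructed values)."""
    return allocate(2100, [
        TrafficClass("1-default", priority=5, min_pct=0, weight=100),
        TrafficClass("2-real-time", priority=1, min_pct=0, weight=1000),
        TrafficClass("3-interactive", priority=2, min_pct=0, weight=1000),
    ])


def oversubscribed_example() -> Dict[str, float]:
    """Minimums of 60% + 50% + 30% exceed 100%: the lowest priority class starves."""
    return allocate(1000, [
        TrafficClass("2-real-time", priority=1, min_pct=60, weight=100),
        TrafficClass("3-interactive", priority=2, min_pct=50, weight=100),
        TrafficClass("1-default", priority=5, min_pct=30, weight=100),
    ])


if __name__ == "__main__":
    for label, result in (("pure weights", pure_weights_example()),
                          ("oversubscribed minimums", oversubscribed_example())):
        print(label, {name: round(kbps) for name, kbps in result.items()})
```

In the oversubscribed case the second class receives 400 Kbps against a 500 Kbps guarantee and the third receives nothing, which is the starvation the guide warns about when minimums sum to more than 100%.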

Configuring Max WAN Bandwidth

When you configure the Max WAN Bandwidth, you need to consider two things:

• the speed of the appliance WAN interface

• the speeds of the edge router’s WAN links

If you set the Max WAN Bandwidth too low, you may underutilize your links. If you set it too high (oversubscribe), you may overrun the appliance WAN link, or cause congestion and drops on the router.

You can enter this value on either the Configuration - Deployment page or the Configuration - Shaper page.

Best Practices

• Total the speeds of the WAN links on the WAN router, and configure that as the Max WAN Bandwidth.

• Ideally, set it to your SLA (Service-Level Agreement) value, or less.

• Make sure the appliance has enough bandwidth on its WAN interface to fill a “pipe” that size.

• When using a single appliance with dual WAN routers (two WAN next-hops), use these rules of thumb:

• If the ISPs are configured Active/Active, then use the sum of the two routers’ WAN bandwidths.

• If the ISPs are configured Active/Standby, then use the larger of the two routers’ WAN bandwidths.


Configuring Max Bandwidth for Pass-through Shaped Traffic

By default, the values are the same for Max WAN Bandwidth (for tunnelized traffic) and the Max Bandwidth for pass-through shaped traffic.

However, you can cap the maximum amount of bandwidth allocated to pass-through shaped traffic by configuring the upper limit at the bottom of the Configuration - Shaper page.

It’s important to note that this is not the same as configuring a percentage of Max WAN BW. This calculation is done after exiting the Shaper, so until that point, all shaped packets have queued through the traffic classes as they arrived. As a result, pass-through packets in a higher priority traffic class have a better chance of getting through in the event that the max is exceeded, or if congestion occurs.

Role of Tunnel Configuration Values and Features

Some tunnel configuration parameters directly affect bandwidth management.

Even though it appears on the Configuration - Tunnels page, as opposed to the Configuration - Shaper page, the Shaper uses the Tunnel Max BW value as it services queues.

After the Max Bandwidth has been met for a given tunnel, the Shaper won’t schedule any more packets for transmission in that tunnel until more bandwidth is available. Since the clock is still ticking for any packets still in a queue for that tunnel, the traffic class Max Wait Time could be exceeded for those packets before bandwidth is available.

The Shaper uses this as the upper limit on the traffic going to this tunnel.

Auto Max BW is recommended.

Not used by the Shaper for calculations, but rather by Dynamic Rate Control (DRC).


Tunnel Auto BW

Each model of appliance has a specific maximum system bandwidth. That is, the amount of bandwidth it can support for optimized traffic at the WAN interface.

By default, all tunnels are set to automatically negotiate tunnel bandwidth to the lowest common value. The following illustrations show this negotiation from the perspective of an NX-8500 with multiple tunnels. The maximum values assume that all options are enabled.

After negotiating bandwidth for all four tunnels, 119 Mbps (1000 minus 881) are left over for shaped pass-through traffic.

Dynamic Rate Control

Auto BW can only negotiate the link between two appliances — A and Hub, and B and Hub. So, here it can negotiate the link down to 100 Mbps. However, if A and B both transmit at 100 Mbps, the hub will be overrun.

Enabling Dynamic Rate Control on the Hub allows it to control the tunnel traffic by lowering each remote appliance’s Tunnel Max Bandwidth. The smallest possible value for A or B is that appliance’s Tunnel Min Bandwidth.

By default, a tunnel’s Minimum Bandwidth is set to 32 kbps.

DRC is disabled by default and can only be configured in the command line interface.


QoS Policy Page Organization and Management

The QoS Policy page allows you to:

• add, delete, activate, and rename maps

• add, edit, and delete rules

The following shows the SET actions for the appliance.

The QoS Policy comes with five default QoS rules.

• Four of the 10 possible traffic classes are predefined in the Shaper configuration.

• It pairs a couple of predefined application groups in the MATCH criteria with predefined traffic classes in the SET actions.

• It pairs a couple of DSCP settings in the MATCH criteria with predefined traffic classes in the SET actions.

• All rules, except 65535, are editable.

The QoS Policy doesn’t apply DSCP markings for LAN QoS if the flows are pass-through shaped or unshaped.

To switch to another route map, select from the drop-down menu and click Activate. Any change governs all new flows.


Handling and Marking Packets

All flows that are not explicitly dropped by the Route Policy are subject to DSCP marking by the QoS Policy. DSCP markings specify end-to-end QoS policies throughout a network.

As with all policies, the appliance searches sequentially through the policy for the first MATCH criteria that applies. If no entries match, then ultimately the default entry applies. For the QoS Policy, the default DSCP values for LAN QoS and WAN QoS are trust-lan.

The appliance encapsulates optimized traffic. This process adds an IP outer header to packets for travel across the WAN. However, because pass-through traffic doesn’t receive this additional header, its handling is different. The following two sections provide illustrated examples:

• Applying DSCP Markings to Optimized Traffic

• Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic

• Definitions of DSCP Markings

Applying DSCP Markings to Optimized Traffic

This section illustrates and explains how the appliance applies the QoS Policy to optimized traffic in the following scenarios:

• LAN and WAN set to trust-lan

• LAN setting changed, WAN is trust-lan

• LAN is trust-lan, WAN setting changed

• LAN setting changed, WAN setting changed

LAN and WAN set to trust-lan

1 The source appliance receives the packet from the LAN with a DSCP marking of be (best effort).

2 Based on MATCH criteria, the QoS Policy applies the LAN QoS setting of trust-lan, leaving the LAN DSCP markings as be (best effort). As the packet is encapsulated, this is now part of the IP inner header.

3 Since the WAN QoS is trust-lan, the appliance also sets the WAN QoS bits to be in the encapsulating IP outer header.

4 When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to be.

LAN setting changed, WAN is trust-lan

1 The source appliance receives the packet from the LAN. It has a DSCP marking of be (best effort).

2 Based on MATCH criteria, the QoS Policy changes the LAN QoS setting to ef (expedited forwarding). As the packet is encapsulated, this is now part of the IP inner header.

3 Since the policy’s WAN QoS is trust-lan, the appliance refers back to the original DSCP markings and sets the WAN QoS bits to be in the encapsulating IP outer header.

4 When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to ef.

LAN is trust-lan, WAN setting changed

1 The source appliance receives the packet from the LAN.

2 Based on MATCH criteria, the QoS Policy applies the LAN QoS setting of trust-lan, leaving the LAN DSCP markings as be (best effort). As the packet is encapsulated, this is now part of the IP inner header.

3 Since the policy’s WAN QoS action is cs5 (class selector 5), the appliance sets the bits to cs5 in the encapsulating IP outer header.

4 When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to be.

LAN setting changed, WAN setting changed

1 The source appliance receives the packet from the LAN. It has a DSCP marking of be (best effort).

2 Based on MATCH criteria, the QoS Policy changes the LAN QoS setting to ef. As the packet is encapsulated, this is now part of the IP inner header.

3 Since the policy’s WAN QoS action is cs5, the appliance sets the bits to cs5 in the encapsulating IP outer header.

4 When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to ef.

Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic

The appliance applies the QoS Policy’s DSCP markings to all pass-through flows — whether shaped or unshaped — in the same way:

• If there is a match, the appliance applies the WAN QoS setting to the packet (in the IP ToS/DSCP field).

• If there is a LAN QoS setting in the policy match, it is ignored.

• If there is a trust-lan setting in the policy match, it is ignored.

To summarize, all pass-through traffic is trust-lan unless it’s modified by the WAN QoS setting. When that’s the case, the packet retains the modified QoS setting as it travels through the WAN to the destination appliance.

The following three examples illustrate how the QoS Policy’s LAN QoS and WAN QoS settings affect a matched flow’s DSCP markings:

• LAN and WAN set to trust-lan

• LAN setting changed, WAN is trust-lan

• LAN is trust-lan, WAN setting changed

LAN and WAN set to trust-lan

1 Because it’s pass-through traffic, the appliance ignores the LAN QoS setting.

2 Since the WAN QoS is trust-lan, the appliance sets the WAN QoS bits to be (best effort).

3 When the packet reaches the destination appliance, it retains the be setting as the LAN receives it.

LAN setting changed, WAN is trust-lan

1 Because it’s pass-through traffic, the appliance ignores the new LAN QoS setting.

2 Since the WAN QoS is trust-lan, the appliance sets the WAN QoS bits to be (best effort).

3 When the packet reaches the destination appliance, it retains the be setting as the LAN receives it.

LAN is trust-lan, WAN setting changed

1 Because it’s pass-through traffic, the appliance ignores the LAN QoS setting.

2 The appliance sets the WAN QoS bits to cs5.

3 When the packet reaches the destination appliance, it retains the cs5 setting as the LAN receives it.

LAN setting changed, WAN setting changed

1 Because it’s pass-through traffic, the appliance ignores the LAN QoS setting.

2 The appliance sets the WAN QoS bits to cs5.

3 When the packet reaches the destination appliance, it retains the cs5 setting as the LAN receives it.

Definitions of DSCP Markings

Following is a list of definitions for the available Differentiated Services Code Point (DSCP) markings, which use a 6-bit value to indicate Per-Hop Behavior (PHB):

DSCP Marking   Per-Hop Behavior Group              Codepoint   Number
be             Best Effort                         000000      DSCP 0
af11           Assured Forwarding 11               001010      DSCP 10
af12           Assured Forwarding 12               001100      DSCP 12
af13           Assured Forwarding 13               001110      DSCP 14
af21           Assured Forwarding 21               010010      DSCP 18
af22           Assured Forwarding 22               010100      DSCP 20
af23           Assured Forwarding 23               010110      DSCP 22
af31           Assured Forwarding 31               011010      DSCP 26
af32           Assured Forwarding 32               011100      DSCP 28
af33           Assured Forwarding 33               011110      DSCP 30
af41           Assured Forwarding 41               100010      DSCP 34
af42           Assured Forwarding 42               100100      DSCP 36
af43           Assured Forwarding 43               100110      DSCP 38
cs1            Class Selector 1 (precedence 1)     001000      CS1
cs2            Class Selector 2 (precedence 2)     010000      CS2
cs3            Class Selector 3 (precedence 3)     011000      CS3
cs4            Class Selector 4 (precedence 4)     100000      CS4
cs5            Class Selector 5 (precedence 5)     101000      CS5
cs6            Class Selector 6 (precedence 6)     110000      CS6
cs7            Class Selector 7 (precedence 7)     111000      CS7
ef             Expedited Forwarding                101110      DSCP 46
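The marking rules for optimized and pass-through traffic, together with the codepoints in this table, can be modeled in a few lines. The following Python sketch is an added example, not Silver Peak code; the function names and the sample policy entries are assumptions made for illustration.

```python
"""Illustrative model of the QoS Policy DSCP marking rules (added example)."""
from dataclasses import dataclass
from typing import Optional

TRUST_LAN = "trust-lan"

# Six-bit codepoints copied from the "Definitions of DSCP Markings" table.
DSCP = {
    "be": 0b000000,
    "af11": 0b001010, "af12": 0b001100, "af13": 0b001110,
    "af21": 0b010010, "af22": 0b010100, "af23": 0b010110,
    "af31": 0b011010, "af32": 0b011100, "af33": 0b011110,
    "af41": 0b100010, "af42": 0b100100, "af43": 0b100110,
    "cs1": 0b001000, "cs2": 0b010000, "cs3": 0b011000, "cs4": 0b100000,
    "cs5": 0b101000, "cs6": 0b110000, "cs7": 0b111000,
    "ef": 0b101110,
}


def tos_byte(marking: str) -> int:
    """DSCP fills the upper six bits of the IP ToS byte, so shift left by two."""
    return DSCP[marking] << 2


@dataclass(frozen=True)
class Marked:
    inner: Optional[str]  # DSCP in the encapsulated inner header; None for pass-through
    on_wan: str           # DSCP that devices on the WAN path see
    delivered: str        # DSCP the destination LAN receives


def _resolve(setting: str, original: str) -> str:
    """trust-lan refers back to the marking the packet arrived with."""
    if setting == TRUST_LAN:
        return original
    if setting not in DSCP:
        raise ValueError(f"unknown DSCP marking: {setting!r}")
    return setting


def apply_qos(original: str, lan_qos: str, wan_qos: str, optimized: bool) -> Marked:
    """Return the markings a matched flow carries, per the rules on this page."""
    if original not in DSCP:
        raise ValueError(f"unknown DSCP marking: {original!r}")
    lan = _resolve(lan_qos, original)  # validated even when it ends up ignored
    wan = _resolve(wan_qos, original)
    if optimized:
        # Encapsulated: LAN QoS goes in the inner header, WAN QoS in the outer
        # header. The far-end appliance strips the outer header again.
        return Marked(inner=lan, on_wan=wan, delivered=lan)
    # Pass-through (shaped or unshaped): one header, LAN QoS setting ignored,
    # and the WAN marking is what the destination LAN receives.
    return Marked(inner=None, on_wan=wan, delivered=wan)


def ignored_lan_settings(entries):
    """Names of pass-through entries whose LAN QoS setting has no effect."""
    return [e["name"] for e in entries
            if not e["optimized"] and e["lan_qos"] != TRUST_LAN]


# Constructed sample policy entries (hypothetical names).
SAMPLE_POLICY = [
    {"name": "voip-tunnel", "lan_qos": "ef", "wan_qos": "cs5", "optimized": True},
    {"name": "guest-web-passthrough", "lan_qos": "af11", "wan_qos": TRUST_LAN, "optimized": False},
    {"name": "backup-passthrough", "lan_qos": TRUST_LAN, "wan_qos": "cs1", "optimized": False},
]

if __name__ == "__main__":
    for optimized in (True, False):
        for lan_qos in (TRUST_LAN, "ef"):
            for wan_qos in (TRUST_LAN, "cs5"):
                print(optimized, lan_qos, wan_qos, apply_qos("be", lan_qos, wan_qos, optimized))
    print("LAN QoS ignored for:", ignored_lan_settings(SAMPLE_POLICY))
```

Running it prints all eight scenario outcomes for a packet that arrives marked be, followed by the sample entries whose LAN QoS setting never takes effect because the flow is pass-through.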

CHAPTER 6

Optimization Policy

This chapter describes how the appliance optimizes tunnelized traffic — improving the performance of applications across the WAN.

In This Chapter

• Introduction

• When the Appliance Can Apply the Optimization Policy

• Optimization Policy Page Organization

Introduction

The Optimization Policy applies various compression and acceleration techniques to improve the performance of applications across the WAN.

Note If a flow is not directed to a tunnel, it’s not subject to the Optimization Policy.

The Optimization Policy’s SET actions include:

• Network Memory

• IP Header Compression and Payload Compression

• TCP Acceleration

• Protocol Acceleration

For the CIFS and SSL protocols, the Optimization map automatically includes entries that pair protocol-specific accelerations with their default ports.

To preserve data integrity, it’s critical that SRDF optimization be applied only to SRDF traffic. Therefore, the user must manually create an entry to specify the chosen port.

When using Citrix, pick the port(s) based on the Citrix version you’re using.

Changing these settings can affect service!

Consult with Tech Support before editing the default values.

Network Memory

All Silver Peak appliances are equipped with Network Memory™ technology. Network Memory inspects all inbound and outbound WAN traffic in real-time and stores a single local instance on each appliance.

Before sending information across the WAN, appliances use Network Memory to compare real-time traffic streams to the stored patterns. If a match exists, a short reference pointer is sent to the remote Silver Peak appliance, instructing it to deliver the traffic pattern from its local instance. Repetitive data is never sent across the WAN.

If content is modified, the Silver Peak appliance detects the change at the byte level and updates the network’s “memory”. Only the modifications are sent across the WAN. At the destination, Silver Peak appliances combine these with the original content.

Benefit scenarios

The following scenarios exemplify the benefits of Network Memory.

File Server: Even when the file is not identical to the version that was previously downloaded, significant performance improvements are realized by transporting only the incremental changes across the WAN.

Web: If a web application is generating dynamic pages (for example, using HTTP), only delta information is transferred. For example, a SharePoint table with many rows updates by just transmitting the delta for the row, rather than the whole page.

Video streaming and Video On Demand: If several employees in an office choose to watch the same video (for example, a distance learning module or a taped CEO address), Network Memory eliminates the need to send multiple copies across the WAN. This has the same advantage whether they’re watching the video simultaneously, or at different times.

Software patch distribution and upgrades: If employees in an office need to download the same software patch, Network Memory eliminates the need to send multiple copies across the WAN.

Remote backups: Once the first backup is completed, future “full” backups are effectively reduced to “incremental backups” as far as WAN traffic is concerned.

Available Settings

You can configure Network Memory on a per-flow (or per-application, or per-ACL) basis.

There are four available Network Memory settings:

Maximize Reduction: Optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP, where bandwidth savings are the primary concern.

Minimize Latency: Ensures that Network Memory processing adds no latency. This may come at the cost of lower data reduction. This is appropriate for extremely latency-sensitive interactive or transactional traffic. It's also appropriate when the primary objective is to fully utilize the WAN pipe to increase the LAN-side throughput, as opposed to conserving WAN bandwidth.

Balanced: This is the default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.

Disabled: Turns off Network Memory.

IP Header Compression and Payload Compression

Compression reduces the bandwidth consumed by traffic traversing the WAN. Payload compression uses algorithms to identify relatively short byte sequences that are repeated frequently over time. These sequences are then replaced with shorter segments of code to reduce the size of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find duplication across packets and even across flows.

IP header compression provides additional bandwidth gains by reducing packet header information using specialized compression algorithms.

Silver Peak appliances include state of the art, cross-flow data compression and header compression as part of a broader Local Instance Networking solution. Information gleaned from the compression of one flow can be applied to other flows.

Payload compression is used along with Network Memory to provide compression on “first pass” data.

TCP Acceleration

TCP acceleration uses techniques such as selective acknowledgement, window scaling, and message segment size adjustment to compensate for poor performance on high latency links.

This feature has a set of advanced options with default values.

CAUTION Because changing these settings can affect service, Silver Peak recommends that you do not modify these without direction from Customer Support.

Following is a brief description of each item.

Adjust MSS to Tunnel MTU: Limits the TCP MSS (Maximum Segment Size) advertised by the end hosts in the SYN segment to a value derived from the Tunnel MTU (Maximum Transmission Unit). That is, Tunnel MSS = Tunnel MTU – Tunnel Packet Overhead.

This feature is enabled by default so that the maximum value of the end host MSS is always coupled to the Tunnel MSS. If the end host MSS is smaller than the tunnel MSS, then the former is used instead.

A use case for disabling this feature is when the end host uses Jumbo frames.

Preserve Packet Boundaries: Preserves the packet boundaries end to end. If this feature is disabled, then the appliances in the path could coalesce consecutive packets of a flow to utilize bandwidth more efficiently.

It is enabled by default so applications that require the matching packet boundaries don’t fail.

Enable Silver Peak TCP SYN Option Exchange: Controls whether or not Silver Peak forwards its proprietary TCP SYN option on the LAN side. Enabled by default, this feature detects if there are more than two Silver Peak appliances in the flow’s data path and optimizes accordingly.

It needs to be disabled if there is a LAN–side firewall or a third-party appliance that would drop a SYN packet when it sees an unfamiliar TCP option.

Route Policy Override: Tries to override asymmetric route policy settings. It emulates Auto-opt behavior by using the same tunnel for the returning SYN+ACK as it did for the original SYN packet.

Enabled by default, this feature needs to be disabled if the asymmetric route policy setting is necessary to correctly route packets. In such a case, other features like flow redirection might need to be employed to ensure TCP optimization of the flow.

Auto Reset Flows: Note that whether this feature is enabled or not, the default behavior when a tunnel goes Down is to automatically reset the flows.

If enabled, it resets all TCP flows that are not accelerated but should be (based on policy and on internal criteria like Tunnel Up event).

The internal criteria can also include:

Resetting all TCP accelerated flows on a Tunnel Down event.

Resetting all unaccelerated TCP flows that are associated with a normally operating Tunnel, where:

• TCP acceleration is enabled

• SYN packet was not seen (so this flow was either part of WCCP redirection, or it already existed when the appliance was inserted in the data path).

WAN Window Scale (1...14): This is the WAN–side TCP Window scale factor that Silver Peak uses internally for its WAN–side traffic. This is independent of the WAN–side factor advertised by the end hosts.

Slow LAN Defense (0...12, 0=off): Resets all flows that are consuming a disproportionate amount of buffer and have a very slow throughput on the LAN side. These flows degrade the performance of all other flows, so that a few slow end hosts or a lossy LAN can keep every flow from seeing the throughput improvement of TCP acceleration. By default, it is enabled and the number relates indirectly to the amount of time the system waits before resetting such slow flows.

WAN Congestion Control: Selects the internal Congestion Control parameter.

• Optimized: This is the default setting. This mode offers optimized performance in almost all scenarios.

• Standard: In some unique cases it may be necessary to downgrade to Standard performance to better interoperate with other flows on the WAN link.

• Aggressive: Provides aggressive performance and should be used with caution. Recommended mostly for Data Replication scenarios.

Per-Flow Buffer Settings (Max LAN to WAN Buffer and Max WAN to LAN Buffer): This setting clamps the maximum buffer space that can be allocated to a flow, in each direction.

Protocol Acceleration

Protocol-specific acceleration techniques can help minimize latency and improve application response times. The Optimization Map provides configurable protocol acceleration explicitly for CIFS, SRDF, SSL, and Citrix:

• Each Optimization Map includes the default SSL and CIFS ports as “built-in” entries. You can edit or delete these entries.

• CIFS acceleration includes read-aheads, write-behinds, and metadata caching. This reduces the impact of latency on data transfers that use this protocol. CIFS is enabled for ports 139 and 445.

• When you install SSL certificates into Appliance Manager, you’re able to securely decrypt the traffic, optimize it, and re-encrypt the deduped traffic. SSL is enabled for port 443.

• Because SRDF doesn’t use a reserved port, SRDF optimization is disabled by default. If SRDF optimization were run on non-SRDF traffic, it would corrupt the data. So, be sure that the port you associate with this optimization is actually running SRDF traffic.

• The version of Citrix used determines which port(s) to use for Citrix optimization. For a list of Citrix ports, you can check the Configuration - Built-in Applications page.

In a network environment, it’s possible that all appliances don’t have the same protocol-specific optimization configurations. Hence, the side that initiates the flow determines the protocol-specific optimization.

• The initiator is known as the client, and the other as the server.

• Current Flows > Details on the receiving (server) side will indicate if the remote peer has overridden the policy.

When the Appliance Can Apply the Optimization Policy

This diagram shows how the appliance processes a flow assigned to a tunnel.

1 The Route Policy checks traffic incoming from the LAN against the MATCH criteria. Entries 10 and 20 don’t match the traffic, but Entry 30 does.

2 The policy applies the entry’s SET actions to the identified flow. In this case, it directs the flow to Tunnel C. Once any traffic matches an entry, no subsequent entries are examined.

3 Before the flow reaches Tunnel C, the QoS Policy checks against its entries and

• applies the DSCP marking specified for LAN QoS, and

• assigns the flow to a traffic class. Here, the application, ssh, matches to the pre-defined application group, interactive, so the appliance assigns the flow to Traffic Class 3.

• passes the flow to the Optimization Policy for optimizations, accelerations, and compressions. The Optimization Policy only applies to tunnelized traffic.

4 After optimization, the flow queues to Traffic Class 3 for shaping.

5 QoS Policy applies the DSCP markings for the WAN QoS.

6 The optimized flow exits the WAN interface.

Optimization Policy Page Organization

The Optimization Policy applies to any flow that the Route Policy will place into a tunnel.

This page allows you to:

• add, delete, activate, and rename maps

• add, edit, and delete rules

The following shows the Optimization Policy’s SET actions.

Here, VoIP is a user-created application group that includes h_323 and cisco_skinny.

Those details aren’t apparent on this screen, but you could see them by selecting Configuration > Application > Groups from the main menu bar.

Notice that for the application group, VoIP, Network Memory is disabled.

To switch to another optimization map, select from the drop-down menu and click Activate. Any change governs all new flows.

If traffic doesn’t match any user-configured entries, then the default entry applies all optimizations to all flows that the Route Policy is directing to a tunnel.

CHAPTER 7

Using Flow Redirection to Address TCP Asymmetry

This chapter describes how Flow Redirection allows Silver Peak appliances to optimize asymmetrically routed flows by redirecting packets between appliances.

The flow redirection feature is implemented solely in software, and is available in both bridge and router modes.

In This Chapter

• Introduction

• Configuring Flow Redirection

• Flow Reporting

Introduction

A network is asymmetric when a client request and its server response don’t use the same path through the network. This asymmetric network configuration is common for:

• Financial institutions, which virtualize geographically separate data centers for load balancing and redundancy.

• Businesses that have multiple ISP paths across a customer network.

Asymmetrical Networks and Flows

The following diagram shows a sample asymmetric network. In this example, each server appliance sees only one direction of the traffic flow.

For TCP flows to be optimized, both directions must travel through the same client and server appliances.

Removing Asymmetry with Flow Redirection

Flow redirection removes the asymmetry locally by merging the traffic of an asymmetric flow into a single appliance. An appliance that handles both directions of traffic for a flow can then optimize the flow properly. Specifically, this sets the stage for TCP acceleration and CIFS acceleration.

With flow redirection, the appliance that receives the first packet — that is, the TCP SYN packet — owns the flow and eventually receives all of that flow’s traffic. To be able to redirect, appliances are configured into clusters, whereby they communicate with each other and keep track of flows. Any given appliance can own multiple flows and redirect others, depending on whether or not the appliance received the initial TCP SYN packet.

1. The client initiates traffic to the server and sends it through SP1.

2. The traffic traverses the server appliance, SP2.

3. The server receives traffic from SP2 but returns it via SP3.

4. SP3 only sees the traffic returning to the client.

5. The client receives the return traffic from SP3.

The client request — in the form of an initiating SYN packet — may be received from the WAN side or the LAN side. This results in two possible scenarios for evading asymmetry:

• Redirection for WAN-initiated Traffic

• Avoiding Asymmetry in LAN-initiated Traffic

The assumption is that flow redirection happens across a LAN environment. Redirection across a WAN is not supported.

Redirection for WAN-initiated Traffic

In this scenario, the WAN initiates the flow. All traffic returned from the server is redirected to the appliance that first received traffic from the WAN.
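The ownership rule described above (the appliance that receives the initial TCP SYN owns the flow, and its peers redirect the rest of that flow to it) can be traced with a small model. This Python sketch is an added example, not Silver Peak code: a shared dictionary stands in for the state that peers exchange, the class and function names are hypothetical, and the addresses are constructed.

```python
"""Simplified model of flow ownership in a flow-redirection cluster (added example)."""

MAX_PEERS = 32  # cluster size limit stated on this page


def flow_key(src, sport, dst, dport):
    """Direction-independent key: both directions of a TCP flow map to one entry."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


class Cluster:
    def __init__(self, peers):
        if not 1 <= len(peers) <= MAX_PEERS:
            raise ValueError(f"a cluster holds 1 to {MAX_PEERS} appliances")
        if len(set(peers)) != len(peers):
            raise ValueError("duplicate appliance in cluster")
        self.owner = {}                              # flow key -> owning appliance
        self.redirected_from = {p: 0 for p in peers}  # packets a peer handed off
        self.redirected_to = {p: 0 for p in peers}    # packets an owner received from peers

    def receive(self, appliance, src, sport, dst, dport, syn=False, ack=False):
        """Return (appliance that processes the packet, how it got there)."""
        if appliance not in self.redirected_from:
            raise ValueError(f"{appliance} is not in this cluster")
        key = flow_key(src, sport, dst, dport)
        if key not in self.owner:
            if not (syn and not ack):
                # No initial SYN was seen for this flow, so nobody owns it.
                return appliance, "no-owner"
            self.owner[key] = appliance  # first SYN decides ownership
        owner = self.owner[key]
        if owner == appliance:
            return owner, "local"
        self.redirected_from[appliance] += 1
        self.redirected_to[owner] += 1
        return owner, "redirected"


def replay_page_scenario():
    """WAN-initiated flow: SYN arrives at SP2, the server replies via SP3."""
    client, server = ("192.0.2.10", 51000), ("198.51.100.20", 445)  # constructed
    cluster = Cluster(["SP2", "SP3"])
    results = [
        cluster.receive("SP2", *client, *server, syn=True),            # SYN from the WAN
        cluster.receive("SP3", *server, *client, syn=True, ack=True),  # SYN+ACK on the return path
        cluster.receive("SP2", *client, *server, ack=True),            # ACK from the WAN
        cluster.receive("SP3", *server, *client, ack=True),            # server data on the return path
    ]
    return results, cluster


if __name__ == "__main__":
    results, cluster = replay_page_scenario()
    for r in results:
        print(r)
    print("redirected from SP3:", cluster.redirected_from["SP3"])
```

Every packet of the flow ends up at SP2, which is what lets a single appliance see both directions and apply TCP acceleration.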

Avoiding Asymmetry in LAN-initiated Traffic

In this scenario, the LAN initiates the flow.

The default behavior is that all traffic returned from the WAN is always returned to the appliance that first received the traffic from the LAN, regardless of the route policy at the remote appliance.

Configuring Flow Redirection

If you have one path from the client to the server and a different path from the server to the client, you need to enable flow redirection and configure the appliances to communicate with each other.

Flow redirection moves packet traffic between appliances that belong to a cluster:

• A cluster may contain just one appliance (in which no redirection occurs), or several appliances (in which redirection may occur between different pairs).

• All the appliances in a cluster are equal peers.

• You can have up to 32 peers in a cluster.

• The Silver Peak Communication Protocol (SPCP) formalizes the peer-to-peer communications in an appliance cluster. SPCP is both a discovery and control protocol. By default, SPCP uses mgmt1 to communicate between appliances.

• This must be a Layer 2 connection. In other words, you want a switch — not a router — between any two peers.

For each peer appliance in a cluster, the process of configuring flow redirection uses three of the Appliance Manager’s pages:

• The [Configuration] Interfaces page, for configuring the mgmt1 IP address.

• The [Configuration] Routes page, for configuring the necessary static route(s).

• The [Configuration] Flow Redirection page, for enabling flow redirection, selecting the management interface, and identifying the peers in the cluster.

Note IMPORTANT — When configuring for flow redirection, the mgmt1 interfaces need to be in a separate subnet from the mgmt0 interfaces.

Tip Typically, you’ll use the mgmt1 interface. However, when the LAN–side is greater than 1 Gbps and your Silver Peak appliance has a 10-Gbps interface, then you may consider using a 10-Gbps interface (tlan0 or twan0) for flow redirection.

Following is the complete example:

Example #1: Simple Cluster with Two Physically Connected Peers

Because of their physical proximity, a crossover cable connects two peers’ mgmt1 interfaces.

Example #1: Simple Cluster with Two Physically Connected Peers

When you want to cluster two appliances that are in the same subnet (with Layer 2 connectivity), and they’re located in the same room, you can physically cable the two mgmt1 interfaces together, in lieu of setting up an IP static route.

Instead of physically cabling the appliances, you also have the option of connecting the mgmt1 interfaces via the local area network.

Note IMPORTANT — When configuring for flow redirection, the mgmt1 interfaces need to be in a separate subnet from the mgmt0 interfaces.

To configure this scenario

1 Using a crossover cable, physically connect one appliance’s mgmt1 port to the other appliance’s mgmt1 port.

2 From SP1’s Configuration menu, select Interfaces. The Configuration - Interfaces page appears.

The mgmt1 interface shipped with a default IP address, to make initial configuration easy. You don’t need this any longer, so we’ll reconfigure it to use as a cluster interface for flow redirection.

a Change mgmt1’s IP address to be 10.10.10.1/24.

b Click Apply.

To complete the appliance’s configuration, you’ll enable flow redirection and specify the other peer in the cluster.

3 From the Configuration menu, select Flow Redirection. The Configuration - Flow Redirection page appears.

In the Settings area:

a Click Enable.

b Verify that the default Interface is mgmt1.

c Click Apply and click Save Changes.

4 In the Peers area, click Add. The Add Peer area appears.

a Enter the mgmt1 IP address for the appliance, SP2. Here, it’s 10.10.10.2.

b Click Apply. The Peers table appears, displaying SP2’s mgmt1 interface IP address.

5 Click Save Changes.

Now, repeat the entire procedure for the other appliance. When that’s complete, both cluster interfaces are able to communicate with each other and the State changes to OK.

• State is either Unreachable or OK

• Flow Redirection is either Disabled or Enabled

When you click Enable and Apply, it enables all the peers that are associated with this appliance. To verify, manually refresh the screen and then view State in the table below.
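Before applying a cluster configuration like the one in this procedure, the constraints the page states (mgmt1 in a separate subnet from mgmt0, peers reachable at Layer 2, the procedure repeated on every peer, at most 32 peers) can be checked offline. This Python check is an added example, not a Silver Peak tool; the inventory format is hypothetical, the mgmt0 addresses are constructed, same-subnet membership is used as an approximation of Layer 2 adjacency, and the 32-peer limit is assumed to count every appliance in the cluster.

```python
"""Offline sanity check for a flow-redirection cluster plan (added example)."""
import ipaddress

MAX_PEERS = 32  # limit stated on this page; assumed to count all appliances


def check_cluster(appliances):
    """Return a list of (appliance, finding) tuples; an empty list means no issues."""
    findings = []
    ifaces = {
        name: (ipaddress.ip_interface(cfg["mgmt0"]), ipaddress.ip_interface(cfg["mgmt1"]))
        for name, cfg in appliances.items()
    }
    by_mgmt1 = {mgmt1.ip: name for name, (_, mgmt1) in ifaces.items()}

    if len(appliances) > MAX_PEERS:
        findings.append(("cluster", "too-many-peers"))

    for name, cfg in appliances.items():
        mgmt0, mgmt1 = ifaces[name]
        # mgmt1 must sit in a separate subnet from mgmt0.
        if mgmt0.network.overlaps(mgmt1.network):
            findings.append((name, "mgmt1-shares-subnet-with-mgmt0"))
        for peer in cfg["peers"]:
            ip = ipaddress.ip_address(peer)
            if ip == mgmt1.ip:
                findings.append((name, f"peer-is-self:{peer}"))
                continue
            # Peers need a Layer 2 connection; approximated as "same mgmt1 subnet".
            if ip not in mgmt1.network:
                findings.append((name, f"peer-outside-mgmt1-subnet:{peer}"))
            other = by_mgmt1.get(ip)
            if other is None:
                findings.append((name, f"peer-not-in-inventory:{peer}"))
                continue
            # The procedure has to be repeated on the other appliance as well.
            other_peers = {ipaddress.ip_address(p) for p in appliances[other]["peers"]}
            if mgmt1.ip not in other_peers:
                findings.append((name, f"peer-not-reciprocal:{other}"))
    return findings


# mgmt1 values follow Example #1 on this page; mgmt0 values are constructed.
GOOD = {
    "SP1": {"mgmt0": "192.168.1.11/24", "mgmt1": "10.10.10.1/24", "peers": ["10.10.10.2"]},
    "SP2": {"mgmt0": "192.168.1.12/24", "mgmt1": "10.10.10.2/24", "peers": ["10.10.10.1"]},
}

# Constructed misconfiguration: SP1 has no peer entry, SP2's mgmt0 sits in the
# cluster subnet, and SP2 lists an address nobody owns.
BAD = {
    "SP1": {"mgmt0": "192.168.1.11/24", "mgmt1": "10.10.10.1/24", "peers": []},
    "SP2": {"mgmt0": "10.10.10.50/24", "mgmt1": "10.10.10.2/24",
            "peers": ["10.10.10.1", "10.10.20.9"]},
}

if __name__ == "__main__":
    print("GOOD:", check_cluster(GOOD))
    for finding in check_cluster(BAD):
        print("BAD:", finding)
```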

Flow Reporting

For flow redirection, the appliance handles flow reporting as follows:

The reporting mechanism of locally owned flows is unchanged.

When a peer redirects a flow, it does no per-flow reporting. Rather, that traffic’s statistics are maintained by the owner of the flow, that is, the peer appliance to which the flow is redirected.

On the Monitoring - Current Flows page, a flow’s Detail link has a field named Flow Redirected From, which displays which peer appliance IP is redirecting the flow to this appliance. This field only has an entry if the appliance owns the flow.

For more information, see “Viewing Current Flows” on page 152.

The Monitoring - Flow Redirection page lists the mgmt1 IP address for each peer in the cluster. It also displays statistics for the control packet, number of current flows redirected to/from the appliance, and a cumulative tally of the packets and bytes redirected to/from peers.

For more information, see “Viewing Flow Redirection Statistics” on page 173.

CHAPTER 8

Configuring and Managing VLANs

This chapter discusses issues related to insertion of a Silver Peak appliance on an 802.1q VLAN trunk, explains why this is necessary, and provides a configuration example.

In This Chapter

• Why configure VLAN interfaces on a Silver Peak appliance?

• Behavior without VLAN Configuration

• Behavior with VLAN Interfaces Configured

Why configure VLAN interfaces on a Silver Peak appliance?

It may be desirable to deploy a Silver Peak appliance into a network that’s using 802.1q tagging.

An appliance can be inserted in-line between a LAN router/switch and a WAN edge router to bridge an existing VLAN trunk.

In an out-of-path (Router mode) deployment, you can choose to have a trunk between the router and the Silver Peak appliance to preserve traffic segregation (as in an ISP), or to provide a redirect IP address in a VLAN’s domain so as to redirect VLAN tagged traffic.

An appliance deployed with no VLAN configuration can “see” all VLAN tags, and make route-policy decisions accordingly. It can also bridge pass-through traffic, keeping VLAN tags intact. However, without configuration, the appliance has no way of tagging the packets it generates, or tagging decapsulated packets received from the remote-side appliance. Since neighboring routers may drop untagged traffic if a native VLAN is not configured, this creates issues for both directions of traffic.

The Issues

Outbound LAN-to-WAN Traffic

To optimize traffic, the appliance uses GRE, UDP, or IPSec encapsulation to create a packet that uses IP addresses configured on the appliance. By default, these IP addresses are configured on the bvi0 or wan0 interfaces, and those interfaces reside in the native, or untagged, space. These packets will leave the appliance without an 802.1q tag in the outbound L2W direction.


Inbound WAN-to-LAN Traffic

When inbound tunnel packets are received from the remote appliance in the W2L direction, the inner packet has no VLAN information about the local side. The appliance would normally transmit the packet to the LAN side, untagged. If the inner packet is destined for a subnet residing on a particular VLAN, a method of tagging the packet is required. The appliance determines how to tag the packet based upon routing — using either the subnet IPs of the local VLANs we’ve configured, or ip datapath routes.

The Solutions

To address these issues, you can create Layer 3 VLAN interfaces on the Configuration - Deployment page by specifying IP addresses and VLAN tags, which in turn create underlying logical interfaces (for example, lan0.100, wan0.200) capable of tagging packets.

Tagging Outbound LAN-to-WAN Traffic

Tunnels may be built off of any logical interface on the appliance.

A tunnel built off of a VLAN interface transmits its encapsulated tunnel traffic toward the default WAN next-hop IP configured for the VLAN interface. This traffic is sent on the VLAN interface’s logical WAN interface (for example, wan0.100). Consequently, the traffic is tagged with the tag associated with the VLAN interface (for example, 100).

Therefore, to set VLAN tags in tunnel packets outbound for the WAN, create a tunnel using the VLAN IP address as an endpoint.

Tagging Inbound WAN-to-LAN Traffic

Inbound tunnel packets received from the remote appliance are encapsulated with a GRE/UDP or IPSec header, and contain no L2 information. Once decapsulated, the LAN-bound traffic needs to be directed to the proper VLAN. This can only be accomplished on the Silver Peak appliance through the use of L3 routing.

[Figure: Logical interfaces, also known as tunnel endpoints. Panels: In-Path, Out-of-Path.]


The appliance may deliver the untagged packets on a native VLAN to an L3 router on the LAN-side (or even WAN-side), if that router is then capable of tagging the packet appropriately and routing between the VLANs.

However, you can create a local L3 interface that resides within a VLAN’s subnet. If this local interface is used to route packets, the underlying logical interface on the LAN side (for example, lan0.100) can tag the packet with the proper VLAN tag.

Subnet and default gateway datapath routes pointing at a LAN next-hop residing in an appliance’s local VLAN subnet may also be used to tag traffic.


Behavior without VLAN Configuration

This section discusses the following:

• How an outbound packet is processed on the untagged native VLAN

• Delivering Inbound Packets to the LAN: No VLAN Interfaces

Tunnel packets outbound for the WAN are by default untagged, and no VLAN information is propagated across the WAN.

When the appliance is inserted in-line, it can see all the VLAN tags and packets and match policy map criteria based upon VLAN tags, without any VLAN configuration on the appliance.

When the appliance receives tagged traffic for which it has no VLAN interface, and it optimizes that traffic, then the tag is stripped off when the L2 header information is removed.

If the tagged packets are sent pass-through, then the entire original L2 header (with the VLAN tag) is preserved.

When the appliance is inserted out-of-path and no VLAN interfaces are configured, it doesn’t see packets associated with the VLANs because they are not even redirected to the appliance.


How an outbound packet is processed on the untagged native VLAN

By default, optimized traffic leaves the appliance without any VLAN tags.

For every packet entering the appliance for optimization on its way to the WAN:

a. The appliance strips away the existing L2 header.

b. The appliance then applies a new L2 header, designating the appliance as the Source MAC.

Untagged outbound LAN packet to untagged tunnel

Neither the outbound LAN packet nor the tunnel’s endpoint has a VLAN tag.


Tagged outbound LAN packet to untagged tunnel

This is the most common deployment.

The outbound LAN packet has a VLAN tag but the tunnel’s endpoint does not.


Delivering Inbound Packets to the LAN: No VLAN Interfaces

For packets arriving from the WAN, the LAN route table is what determines where a packet goes.

After discarding the arriving packet’s L2 and tunnel headers, the appliance does a LAN route table lookup, based solely on the Destination Host IP address.

Based on the destination’s subnet, the appliance determines where to send the packet.

Because no VLAN interfaces are configured on the appliance, the packet can only go on the untagged VLAN.

The following two conditions must be met for this packet to reach its final destination:

a. The switch/router on the LAN side of the appliance supports untagged (native) VLAN, and

b. The switch/router can route the packet to the destination VLAN.


Behavior with VLAN Interfaces Configured

This section discusses the following:

• Multiple Logical Interfaces

• How an outbound packet is processed for a tagged tunnel

• Delivering Inbound Packets to the LAN: VLAN Interfaces Configured

• Cisco VLAN Example with Multiple Interfaces

Multiple Logical Interfaces

On the Configuration - Deployment page, you can add VLAN interfaces to the Silver Peak appliance by clicking +VLAN. Here are two separate excerpts from that page — one in Bridge mode (in-line) and one in Router mode (out-of-path).

Note: If you try to configure something that’s incorrect or not supported, a message appears in a red banner at the bottom of the page, telling you what you need to do.

Any of these logical interfaces can be a tunnel endpoint.

• If a tunnel endpoint has a VLAN tag, then outbound packets directed to that tunnel receive that VLAN tag.

• If a tunnel endpoint has no tag, then outbound packets remain untagged after processing. This is the default behavior.

Once VLANs are configured on the appliance, tunnels built off of a VLAN interface are tagged using the VLAN ID associated with the VLAN interface — so all outgoing optimized traffic will have the L2 tag.

[Figure: Logical interfaces, also known as tunnel endpoints. Panels: In-Path, Out-of-Path.]


How an outbound packet is processed for a tagged tunnel

The following actions happen to every packet entering the appliance for optimization on its way to the WAN:

a. The appliance strips away the existing L2 header.

b. The appliance applies a new L2 header, designating the appliance as the Source MAC.

c. The encapsulated tunnel packet uses the tunnel endpoint’s VLAN ID to tag the outgoing packet.

Tagged outbound packet to tagged tunnel

Both the outbound LAN packet and the tunnel endpoint have a VLAN tag.


Delivering Inbound Packets to the LAN: VLAN Interfaces Configured

For packets arriving from the WAN, the LAN route table is what determines where a packet goes.

• After discarding the arriving packet’s L2 and tunnel headers, the appliance does a LAN route table lookup, based solely on the Destination Host IP address.

• Based on the destination’s subnet, the appliance determines which VLAN tag to use.

• The appliance must have an interface configured for each such VLAN.
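The two tagging rules described above (outbound: the tunnel endpoint's VLAN ID goes into the new L2 header; inbound: a LAN route lookup on the destination IP selects the VLAN), modeled as an added example that is not from the guide or from Silver Peak code. The interface names, addresses, routes and the longest-prefix-match rule are assumptions of this model; it flags VLAN-resident hosts whose inbound traffic would leave the appliance untagged or on the wrong VLAN.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LogicalInterface:
    name: str              # e.g. "lan0.100"; plain "lan0" is the native VLAN
    address: str           # appliance host IP and mask, e.g. "10.1.100.2/24"
    vlan: Optional[int]    # 802.1q VLAN ID, or None for untagged

    @property
    def subnet(self):
        return ipaddress.ip_interface(self.address).network


@dataclass(frozen=True)
class DatapathRoute:
    prefix: str            # destination subnet; "0.0.0.0/0" is a default gateway
    next_hop: str          # LAN next-hop inside one of the local subnets


def lan_egress(dst, interfaces, routes):
    """Interface a decapsulated WAN-to-LAN packet leaves on, chosen only by
    destination IP. Longest-prefix match is an assumption of this model."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [(ifc.subnet, ifc) for ifc in interfaces]
    for rt in routes:
        hop = ipaddress.ip_address(rt.next_hop)
        owner = next((i for i in interfaces if hop in i.subnet), None)
        if owner is not None:   # a route can tag only through a local subnet
            candidates.append((ipaddress.ip_network(rt.prefix), owner))
    hits = [(net.prefixlen, ifc) for net, ifc in candidates if dst_ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def l2_header(dst_mac: bytes, src_mac: bytes, vlan: Optional[int]) -> bytes:
    """New Ethernet header for an IPv4 payload; 802.1q tag only if vlan is set."""
    if vlan is None:
        return dst_mac + src_mac + struct.pack("!H", 0x0800)
    if not 0 < vlan <= 0x0FFF:
        raise ValueError("VLAN ID does not fit the 12-bit VID field")
    # TPID 0x8100, then TCI = PCP (3 bits, 0) | DEI (1 bit, 0) | VID (12 bits)
    return dst_mac + src_mac + struct.pack("!HHH", 0x8100, vlan, 0x0800)


def audit(expected, interfaces, routes):
    """expected: (host IP, VLAN the host lives on). Returns mis-tagged hosts."""
    findings = []
    for host, want in expected:
        ifc = lan_egress(host, interfaces, routes)
        if ifc is None:
            findings.append((host, "no LAN route"))
        elif ifc.vlan != want:
            sent = "untagged" if ifc.vlan is None else f"tagged {ifc.vlan}"
            findings.append((host, f"on VLAN {want} but sent {sent} via {ifc.name}"))
    return findings


# Constructed sample configuration (not taken from the guide).
INTERFACES = [
    LogicalInterface("lan0", "10.1.1.2/24", None),
    LogicalInterface("lan0.100", "10.1.100.2/24", 100),
    LogicalInterface("lan0.200", "10.1.200.2/24", 200),
]
ROUTES = [
    DatapathRoute("10.50.0.0/16", "10.1.100.1"),  # subnet behind the VLAN 100 router
    DatapathRoute("0.0.0.0/0", "10.1.1.1"),       # default gateway on the native VLAN
]
# Hosts reached through the tunnel and the VLAN each one actually sits on.
EXPECTED = [("10.1.100.25", 100), ("10.50.3.9", 100),
            ("10.1.200.7", 200), ("10.1.30.4", 30)]

if __name__ == "__main__":
    for host, problem in audit(EXPECTED, INTERFACES, ROUTES):
        print(host, problem)
```

The host on VLAN 30 is reported because no VLAN 30 interface exists, so the lookup falls through to the default route on the native VLAN.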


Cisco VLAN Example with Multiple Interfaces

The example below shows the configurations for the appliance and a Cisco router.

To install the Silver Peak on a VLAN trunk

1. Access the Configuration - Deployment page:

a. For the untagged native VLAN, enter an IP address in the WAN router’s native VLAN subnet.

b. Specify the Next Hop, and leave the VLAN field blank.

2. To add a VLAN interface, click +VLAN and complete the Appliance IP, Mask, VLAN, and Next Hop fields.

Note: The VLAN IP must be a host IP and not a subnet IP address.


3. To verify that each Next-hop IP address is reachable, do the following:

a. Check Monitoring > Routes, for State = Reachable.

b. Check the Alarms page.


CHAPTER 9

Monitoring Traffic

This chapter describes the various tools available for monitoring performance, and reviewing traffic and application statistics.

In This Chapter

• Overview

• About Viewing Statistics

• Application View

• Network View

• Viewing Charts

• Viewing Application Statistics

• Viewing Realtime Charts

• Viewing Current Flows

• Viewing QoS Statistics

• Viewing Tunnel Statistics

• Viewing Flow Redirection Statistics

• Viewing NetFlow Statistics

• Viewing Interface Statistics

• Viewing Bridge Mode Statistics

• Viewing Next-hop Reachability


Overview

The Application View tab and Network View tab provide charted summaries of performance. Both tabs display the 10 Top Flows — a subset of the Monitoring menu’s Current Flows.

Additionally, the Monitoring menu provides a variety of reports:

Viewing Charts

These charts feature pan and zoom capability for bandwidth, reduction, packets per second, flow counts, latency, loss, and out-of-order packets. You can review data from the last 30 days.

Viewing Application Statistics

These summarize each application by percentage of total LAN traffic, reduction percent, and inbound and outbound bytes.

Viewing Current Flows

You can view a listing of existing connections, based on selectable filter criteria. Additionally, you can customize which data columns display and view a flow’s details.

Viewing Realtime Charts

You can select a filter and a metric to plot any of six types of realtime stats, and you can plot more than one chart at a time. The charts update every 3 seconds.

Viewing QoS Statistics

You can view the total number of bytes and packets transmitted and received, based on traffic class and/or WAN QoS [DSCP markings].

QoS statistics display the data accumulated since the last reboot. You can also non-destructively clear the counters to zero and view the delta values.

Viewing Tunnel Statistics

Tunnel statistics specify the number of bytes and/or packets received, processed, and transmitted by a tunnel in both the outbound (LAN-to-WAN) and inbound (WAN-to-LAN) directions. They tally control packets, as well as accelerated versus non-accelerated traffic flow, round-trip latency, and packet loss before and after forward error correction.

Tunnel statistics display the data accumulated since the last reboot. You can also non-destructively clear the counters to zero and view the delta values.

Viewing Flow Redirection Statistics

This shows the statistics collected, specific to the process when you allow two (or more) appliances to exchange flow ownership information and then redirect packets to the owner.

Viewing NetFlow Statistics

This displays how many NetFlow statistics the appliance exported to the collector(s). Stats are defined in terms of number of flows, and number of datagrams (packets) required to export those flows.

Viewing Interface Statistics

Interface statistics display generic performance data for the actual physical LAN, WAN, and management interfaces (primary and secondary).

Interface statistics display the data accumulated since the last reboot. You can also non-destructively clear the counters to zero and view the delta values.

Viewing Bridge Mode Statistics

This summarizes the data traffic traversing all the LAN and WAN interfaces, in a redundant bridge mode deployment.


Viewing Next-hop Reachability

This page displays the state of each management, WAN, and LAN next-hop.

Before discussing individual reports, the next section describes the basics of viewing reports.


About Viewing Statistics

This section discusses methods for viewing additional details about report charts and graphs. It includes:

• Understanding Traffic Direction

• Viewing Counters Since Last Reboot

• Clearing Counters Non-Destructively

• Exporting Statistical Data

Understanding Traffic Direction

In Appliance Manager, statistics and reports either reference the direction of the flow or the point(s) where the data is collected:

LAN-to-WAN refers to traffic exiting the LAN, destined for the WAN. This flow is also referred to as outbound traffic.

WAN-to-LAN refers to traffic coming from the WAN, destined for the LAN. This flow is also referred to as inbound traffic.

Tip: Here’s a helpful mnemonic for remembering the difference:

- Rx is “Receive fRom”, so LAN Rx is “receive from LAN”

- Tx is “Transmit To”, so LAN Tx is “transmit to LAN”

Viewing Counters Since Last Reboot

By default, the statistics that display in the following reports have accumulated since the last reboot: Applications, Tunnel QoS, Tunnels, Flow Redirection, NetFlow, and Interfaces.

To verify this, note that the Actual Stats button is selected.


Clearing Counters Non-Destructively

To non-destructively set the counters to zero, click Delta Stats. To update the statistics, you can manually refresh the page whenever you want. Or, you can select one of the intervals in the same menu.

To restore the values since the last reboot, click Actual Stats.

To zero out counters non-destructively, select Delta Stats.

If you set the Refresh menu to manually, click the browser’s refresh icon as needed for a cumulative update.

Select table’s display units: Bytes, MBytes, Pkts, or KPkts


Exporting Statistical Data

For some statistics, Appliance Manager provides a Download Data or Export button for downloading the data as a .csv (comma-separated values) file. In summary:

Type of Report Download Data / Export / Table View

(Dynamic) Charts

Applications

Realtime Charts no Export options

Current Flows

QoS [Tunnel] no Export options

Tunnels no Export options

Flow Redirection no Export options

NetFlow no Export options

Interfaces no Export options

Bridges no Export options

IP Routes no Export options


Application View

For each direction of traffic — inbound and outbound — the overlapping bars are paired to show the full volume of traffic and the reduced, optimized size of the same traffic.

The Traffic option profiles the same data, but color-codes it by traffic type.

Links to Current Flows [in Monitoring]. For more information, see “Viewing Current Flows” on page 152.

[Figure annotations: ([Outbound LAN] – [Outbound WAN]) / Outbound LAN; ([Inbound LAN] – [Inbound WAN]) / Inbound LAN. Legend: LAN, WAN.]


Network View

When you log in, this page opens by default.

For each direction of traffic — inbound and outbound — the overlapping bars are paired to show the full volume of traffic and the reduced, optimized size of the same traffic.

Links to Current Flows [in Monitoring]. For more information, see “Viewing Current Flows” on page 152.

[Figure annotations: ([Outbound LAN] – [Outbound WAN]) / Outbound LAN; ([Inbound LAN] – [Inbound WAN]) / Inbound LAN. Legend: LAN, WAN.]


Viewing Charts

Charts feature spark lines, as well as selectable (and modifiable) time ranges for any data collected in the last 30 days.

Dynamic charts exist for the following:

• Bandwidth

• Reduction

• Packets per Second

• Flow Counts

• Latency

• Loss

• Out-of-Order Packets

Charts consist of filters, a main chart display, and a time selection area.

FILTER SELECTION


CHART DISPLAY — Legend / X-axis / Y-axis

Click color to select/deselect parameter

To zoom in... click, drag, and release. The chart updates to show the new range.

The Y-axis height is calibrated to the maximum Y value in the selected range.

The Y-axis calibration may change if you hide a parameter (LAN, WAN, or Ratio) that has higher values than the remaining parameters.

You cannot manually zoom to change the Y-axis.

TIME SELECTION

To change the time frame, you can also

• drag the slider to change its position

• change the slider’s size — click and drag an edge

Spark lines showing the activity

Displays the slider’s range. You can also set it.

When you select, one endpoint is always NOW.


Bandwidth

The Bandwidth chart answers the following questions:

How much has the bandwidth been optimized?

At what rate was the data sent and/or received in each time interval?

Reduction

The Reduction chart answers the following questions:

How much data is traveling in real-time?

How much data was sent and received for each minute in the current hour, the last 60 minutes, or three days ago?

What is the ratio of LAN to WAN (or WAN to LAN) traffic at any point in time?


Packets per Second

The Packets per second chart answers the following questions:

What is the distribution of data in packets?

At what rate was the data sent and received in each time interval?

What is the ratio of LAN to WAN traffic at any point in time?

Flow Counts

The Flow Counts chart answers the following questions:

How much of my traffic is TCP-based?

How much of my TCP traffic is accelerated?

Since CIFS acceleration is a subset of TCP acceleration, that data is incorporated generically in the accelerated TCP flow data.


Latency

The Latency chart answers the following questions:

How long does it take my data to get to the other end of the Silver Peak tunnel?

What were the peak, average, and minimum time intervals?

Loss

The Loss dynamic chart summarizes, by tunnel, the number of packets lost before and after enabling Forward Error Correction (FEC). It answers the following questions:

How many errors were there before and after turning on Forward Error Correction?

For any given minute, what was the percent loss?


Out-of-Order Packets

The Out of Order Packets chart summarizes, by tunnel, the number of packets lost before and after enabling Packet Order Correction (POC).

It answers the following questions:

How many errors were there before and after turning on Packet Order Correction?

For any given minute, what was the percentage of out-of-order packets?


Viewing Application Statistics

The Applications page provides table and pie chart views of applications. It answers the following questions:

What percentage of total LAN traffic does each application comprise?

What is the data reduction in each direction?

When comparing outbound and inbound traffic, how are the application distributions different?

What is the ratio of LAN-to-WAN or WAN-to-LAN traffic for any given application?

Table View

For each direction of traffic — inbound and outbound — the overlapping bars are paired to show the full volume of traffic and the reduced, optimized size of the same traffic.

Total LAN = Inbound LAN + Outbound LAN

Display up to 1000 applications

[Figure annotations: ([Outbound LAN] – [Outbound WAN]) / Outbound LAN; ([Inbound LAN] – [Inbound WAN]) / Inbound LAN. Legend: LAN, WAN.]


Pie View

What’s the difference between other and unassigned in the Applications stats pie chart?

The pie chart shows the top ten applications and, possibly, other.

unassigned means the sum of traffic (bytes) for which the appliance could not determine the application.

other means the sum of traffic other than the top nine.

If you don’t have more than ten applications, you won’t see other.

The pie view displays the Top 10 applications.


Viewing Realtime Charts

For each realtime chart, specify a filter and a metric.

You can view multiple realtime charts simultaneously.

Realtime charts refresh every 3 seconds.

Although the plotted data doesn’t persist when you leave the page (or refresh the browser), the charts do. They begin plotting anew when you return to the page.

Type of Stats: Filters

Tunnel Stats: Tunnel

Aggregate Tunnel Stats: Traffic Type [Optimized, All]

DSCP Stats: Traffic Type [Optimized, All]; DSCP [1 – 64]

Traffic Class Stats: Traffic Type [Optimized, All]; Traffic Class [1 – 10]

Flow Stats: Traffic Type [Optimized, All]; Flow Type [TCP Acc, TCP Not Acc, Non-TCP]

Application Stats: Traffic Type [Optimized, All]; Application

Click to delete

The Filter determines the available Metrics.

Creates the chart


Viewing Current Flows

The Current Flows page retrieves a list of existing connections. The maximum visible number depends on which browser you use.

• The page displays a default set of columns, along with individual links to flow details and to any alerts.

• You can display additional columns from a customization list.

This section discusses the following topics:

• How Current Flows Are Organized

• Customizing Which Columns Display

• Current Flow Details

• Resetting Flows to Improve Performance


How Current Flows Are Organized

Enter specific addresses and/or use zeroes (in the octet) as wildcards. The page lists flows that have either endpoint.

Click to select the filter. Active filters are highlighted.

How many entries shown out of total possible

Click Alert to view its content

When selected, Appliance Manager still registers the alert but changes the status based on user input.

That status, OPTIMIZED*, is also a link that returns to the original Diagnose Flow Alert dialogue.

Details used by Silver Peak Support for troubleshooting


The following filters are available:

Parameter or Action: Definition

Flow Categories: The number after each option specifies how many flows fit the criteria.

• All – all flows

• Optimized – optimized flows

• Optimized* – these flows originally had a Status of Alert, and the user chose to no longer receive Alerts of the same type

• Pass-through – includes shaped and unshaped traffic

• Alert – notifies the user of any issue that might be inhibiting optimization, and offers a possible solution

Bytes Transferred: Choose from Total or Last 5 minutes.

Flow Started: Choose from Anytime or Last 5 minutes.

IP1 (2) / Port1 (2): The IP address of an endpoint(s) that you want to use as a filter:

• Entering a specific endpoint returns flows that have that endpoint.

• Entering 0 in any IP address’s octet position acts as a wild card for that position. 0 in the Port field is also a wild card.

• The two IP address (and port) fields are independent of each other. In other words, you can filter on two separate endpoints.

Application: Select which standard or user-defined application (or application group) to use as a filter criteria. The default value is All.

Traffic: Select the type of traffic connections you want to retrieve:

• All – all optimized and pass-through traffic.

• Policy Drop – traffic with a Set Action of Drop in the Route Policy

• Optimized Traffic – the sum of all optimized traffic. That is, all tunnelized traffic.

• Pass-through Shaped – all unoptimized, shaped traffic.

• Pass-through Unshaped – all unoptimized, unshaped traffic.

• [a named Tunnel] – that specific tunnel’s optimized traffic.

Protocol: Select from the list. The default value is All.

VLAN Id: Enter only the integer value for the VLAN Id.

Max Flows: The upper limit depends on what browser you’re using.

Reset Flows: Resetting the flow kills it and restarts it. It is service-affecting.

Reclassify Flows: Reclassifying the flow is not service-affecting. If a policy change makes a flow stale or inconsistent, then reclassifying makes a best-effort attempt to conform the flow to the change. If the flow can’t be successfully “diverted” to this new policy, then an Alert asks if you want to Reset.


Customizing Which Columns Display

Following are some customization guidelines:

• The default set of columns includes the following: Select, Status, Protocol, Application, Inbound Reduction %, Outbound Tunnel, IP1, Inbound Bytes, Detail, PORT1, Outbound Bytes, IP2, Outbound Reduction %, PORT2, Up Time.

• You can customize by adding the following additional columns: Outbound Rx Bytes, Outbound Tx Bytes, Outbound Ratio, Inbound Tx Bytes, Inbound Rx Bytes, Inbound Ratio, Inbound Tunnel, Configured Outbound Tunnel, Flow Redirected From, LAN–side VLAN, Traffic Class, LAN DSCP, WAN DSCP.

• Customizations persist across sessions and across users. For a given appliance, all users see the same columns.

• When you Export the data, all default and possible custom columns are included in the .csv file.

• Customize and Export functions are accessible to all users.

To customize the screen display

1. To access the Customize Current Flows Table, click Customize.

2. Select additional columns, and click OK. The columns append to the right side of the table.


Current Flow Details

Silver Peak Support uses the Flow Detail page for troubleshooting.

Most of the information on the Flow Detail page is beyond what is included in the Current Flows table.

Clicking the icon in the Details column displays a detailed flow report.

Field: Definition

Route

Map Name: The name of the Route Policy.

Priority in Map: The number of the entry in the Route Policy that the flow matches.


Configured Tx Action: The SET action configured in the Route Policy’s Tunnel field.

Tx Action: How the traffic is actually being transmitted. Usually, this is a tunnel name.

Rx Action: By what path or method the appliance is receiving this flow’s traffic.

Tx Reason: Any error associated with packet transmission to the WAN.

Application: Name of the application to which that flow’s traffic belongs.

Protocol: The flow’s protocol.

Using Stale Map Entry: Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.

Flow Direction: Whether the flow is Inbound or Outbound.

Flow Redirected From: The IP address of the appliance that’s redirecting this flow to this appliance.

Auto-opt Status: Whether it matched a specific Route Policy or was Auto Routed.

Auto-opt Transit Node (1, 2, 3, 4): The IP addresses of the hops between this appliance and the other end of the connection.

LAN-side VLAN: Specifies the VLAN tag (1 – 4095) or None.

Optimization

Map Name: The name of the Optimization Policy.

Priority in Map: The number of the entry in the Optimization Policy that the flow matches.

TCP Acceleration Configured: Whether or not TCP acceleration is configured in the Optimization Policy.

TCP Acceleration Status: Whether TCP is accelerated [Yes] or not [No].

TCP Acceleration Info: The reason that a TCP flow is not accelerated. For a list of error codes, see “Error Reasons for TCP Acceleration Failure” on page 160.

TCP Asymmetric: When the answer is YES, the Silver Peak appliance is able to intercept connection establishment in only one direction. As a result, this flow is not accelerated. When this happens, it indicates that there is asymmetric routing in the network.

Proxy Remote Acceleration: Which side is accelerating the flow.

CIFS Acceleration Configured: Whether or not CIFS acceleration is configured in the Optimization Policy [Yes/No].

CIFS Acceleration Status: Whether CIFS is accelerated [Yes] or not [No].

CIFS Acceleration Info: The reason that a CIFS flow is not accelerated. For a list of error codes, see “Error Reasons for CIFS Acceleration Failure” on page 163.

CIFS Server Side: [Yes/No] If Yes, then this is the server side and the appliance is not accelerating (only the client side accelerates).

CIFS SMB Signed: Specifies whether or not the CIFS traffic is SMB-signed by the server:

• Yes means it was signed. If that’s the case, then the appliance was unable to accelerate any CIFS traffic.

• No means it wasn’t signed. If that’s the case, then server requirements did not preclude CIFS acceleration.

• Overridden means that SMB signing is ON and the appliance overrode it.


SRDF Acceleration Configured: Whether or not SRDF acceleration is configured in the Optimization Policy [Yes/No].

SRDF Acceleration Status: Whether SRDF is accelerated [Yes] or not [No].

SSL Acceleration Configured: Whether or not SSL acceleration is configured in the Optimization Policy [Yes/No].

SSL Acceleration Status: If a certificate has been appropriately installed via the GMS, then SSL traffic can be deduplicated. Whether SSL is accelerated [Yes] or not [No].

SSL Acceleration Reason: The reason that an SSL flow is not accelerated. For a list of error codes, see “Error Reasons for SSL Acceleration Failure” on page 164.

Citrix Acceleration Configured: Whether or not Citrix cgp (gateway) or ica protocol acceleration is configured in the Optimization Policy [Yes/No].

Citrix Acceleration Status: Whether Citrix is accelerated [Yes] or not [No].

Citrix Acceleration Reason: The reason that a Citrix flow is not accelerated.

Network Memory: There are four Network Memory settings:

• Maximize Reduction — optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP where bandwidth savings are the primary concern.

• Minimize Latency — ensures that no latency is added by Network Memory processing. This may come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate if WAN bandwidth saving is not a primary objective, and instead it is desirable to fully utilize the WAN pipe to increase LAN–side throughput.

• Balanced — This is the default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.

• Disabled — No Network Memory is performed.

Payload Compression: Whether or not payload compression is turned on.

Using Stale Map Entry: Whether or not the flow is using a Route Policy entry that has been edited or deleted since the flow began.

Stats Information

Outbound Ratio: For the outbound traffic, a ratio of the Outbound LAN bytes divided by the Outbound WAN bytes. When this ratio is less than 1.0, it’s attributable to a fixed overhead (for WAN transmission) being applied to traffic that either is not compressible or consists of few packets.

Inbound Ratio: For the inbound traffic, a ratio of the Inbound WAN bytes divided by the Inbound LAN bytes.

Outbound LAN: Total number of bytes received from the LAN [outbound traffic]

Outbound WAN: Total number of bytes sent to the WAN [outbound traffic]

Inbound LAN: Total number of bytes sent to the LAN [inbound traffic]

Inbound WAN: Total number of bytes received from the WAN [inbound traffic]

Flow Up Time: The length of time that there has been a connection between the endpoints.

Flow ID A unique number that the appliance assigns to the flow.

TCP Flow Context Silver Peak uses this for debugging purposes.

Is Flow Queued for Reset Whether the flow is waiting to be reset (after user input) or not.

QoS Information

Map Name The name of the QoS Policy.

Priority in Map The number of the entry in the QoS Policy that the flow matches.

Traffic Class The number of the traffic class assigned by the QoS to the flow, based on the MATCH conditions satisfied:

LAN DSCP The LAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.

WAN DSCP The WAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.

Using Stale Map Entry Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.

Error Reasons for TCP Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access from the Current Flows page. The Alert details the reason and the possible resolution.

Following is a list of possible errors, along with a brief description.

Error Reason Description

asymmetric flow Appliance did not receive a SYN-ACK.

RESOLUTION: Most likely reason is asymmetric routing.

client advertised zero MSS Flow is not accelerated because an endpoint did not send the TCP MSS option.

RESOLUTION: Sometimes older operating systems (like Windows 95) do not send the TCP MSS option. You will have to upgrade the operating system software on the endpoints.

connection reset by peer During setup, this TCP flow's endpoint(s) reset the connection.

RESOLUTION: This is a transient condition. If it persists, take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.

connection to be deleted Flow is not accelerated due to an internal error.

RESOLUTION: Contact Silver Peak Support for further help.

disabled in Optimization Map TCP Acceleration disabled in the Optimization Map.

RESOLUTION: If you want this flow to be TCP accelerated, enable it in the optimization map.

disabled to allow debug Flow is not accelerated because it has been disabled by tunbug debug console.

RESOLUTION: Contact Silver Peak Support for further help.

first packet not a SYN Appliance did not see the TCP SYN for this flow and therefore could not accelerate it.

RESOLUTION: This could be due to various reasons:

1. The flow is already established before the appliance sees the first packet for the flow. If so, then resetting the flow will fix the problem.

2. WCCP or PBR is not set up correctly to redirect outbound traffic to the appliance. Check the WCCP or PBR configuration on the router.

3. You have routing issues, so the appliance is not seeing some of the traffic (for example, some packets come to the appliance while others go through another router). If so, you must review and fix your routing.

4. If you are in a cluster of Silver Peak appliances, you may have received a flow redirection timeout. If so, you must investigate why it takes so long for the Silver Peak appliance clusters to communicate with each other.

IP briefly blacklisted Appliance did not receive a TCP SYN-ACK from remote end within 5 seconds and allowed the flow to proceed unaccelerated. Consequently, the destination IP address has been blacklisted for one minute.

RESOLUTION: Wait for a minute and then reset the flow.

If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options.

To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses:

• If you don't see a TCP SYN from the client, it is due to firewall or routing issues.

• If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.

keep alive failure Appliance did not receive a TCP SYN-ACK from the remote end within 5 seconds and allowed the flow to proceed unaccelerated.

RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options.

To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses:

• If you don't see a TCP SYN from the client, it is due to firewall or routing issues.

• If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.

no remote appliance detected Appliance did not receive Silver Peak TCP option in the inbound direction.

RESOLUTION: This could be due to various reasons:

1. WCCP or PBR is not configured properly on the peer appliance.

2. Silver Peak routing policy not configured properly on the peer appliance.

3. Peer appliance is out of resources.

4. Routing is not configured properly on the router.

out of TCP memory Appliance is out of resources for accelerating TCP flows.

RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.

remote appliance dropped out of accel Flow is not accelerated because Silver Peak flag is not set in TCP header or there was a mismatch in internal settings.

RESOLUTION: Contact Silver Peak Support for further help.

retransmission timeout Flow is not accelerated due to TCP protocol timeouts.

RESOLUTION: This is a transient condition. You can reset the flow and then verify that it gets accelerated. If it does not, then take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.

Route Map set to drop packets Flow is not accelerated because the route policy is set to drop packets.

RESOLUTION: Fix the Set Action in the route policy entry.

Route Map set to pass-through Flow is not accelerated because the route policy is set to send packets pass-through.

RESOLUTION: Fix the Set Action in the route policy entry.

software version mismatch Flow is not accelerated due to software version mismatch between two appliances.

RESOLUTION: Upgrade software on one or both appliances to the same version of software.

stale flow Flow is not accelerated due to an internal error. Before the previous flow could terminate cleanly, a new flow began with the same parameters.

RESOLUTION: Contact Silver Peak Support for further help.

SYN packet fragmented Flow is not accelerated for unknown reasons. Please contact Silver Peak Support for further help.

RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.

system flow limit reached Appliance has reached its limit for the total number of flows that can be accelerated.

RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.

tandem SP appliance involved Appliance saw Silver Peak TCP option in the outbound direction. This implies that another Silver Peak appliance precedes this one and is responsible for accelerating this flow.

RESOLUTION: Check the flow acceleration status on an upstream appliance.

TCP auto-optimization failed Automatic optimization logic failed to accelerate this flow. These are handled for each auto-opt subcode below:

• TCP auto-optimization failed - NOSPS

Auto-optimization failed because the peer appliance is not participating in automatic TCP acceleration. This can be due to various reasons: 1. Peer appliance is configured to not participate in optimization. 2. WCCP or PBR is not configured properly on the peer side. 3. Routing is not configured properly to send traffic to the peer appliance.

• TCP auto-optimization failed - NOTUNNEL

Auto-optimization failed because there is no tunnel between this appliance and its peer, for two possible reasons: 1) Auto-tunnel is disabled. If so, manually create a tunnel. 2) Auto-tunnel is enabled, but needs time to finish creating the tunnel. If so, wait ~30 seconds for tunnel completion, and then reset this flow.

• TCP auto-optimization failed - INVALID_OPT

This is generally due to an internal error. Contact Silver Peak Support for further help.

• TCP auto-optimization failed - MISC

Contact Silver Peak Support for further help.

• TCP auto-optimization failed - TUNNELDOWN

Automatic optimization failed because the tunnel between this appliance and its peer is down.

TCP state mismatch Flow is not accelerated due to an internal error. This flow will be automatically reset soon.

RESOLUTION: This is a transient condition. You can wait for this flow to reset, or you can reset it manually now.

terminated by user Flow has been reset by the user or automatically reset by the system.

RESOLUTION: This is a transient condition. The flow is in the process of being reset.

tunnel down Flow is not accelerated because the tunnel is down.

RESOLUTION: Investigate why the tunnel is down.

unknown cause Flow is not accelerated for unknown reasons.

RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.
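
The tcpdump check described in the “IP briefly blacklisted” and “keep alive failure” entries above can be scripted. The following is an added example, not Silver Peak code: it reads text output captured on the server with `tcpdump -tt -n` and reports whether the client's SYN arrived and whether the SYN-ACK left within 5 seconds. The addresses, sample captures, function names, and verdict labels are assumptions made for illustration.

```python
"""Added example: check a server-side tcpdump text capture for the two causes
named in the guide (no SYN from the client, or SYN-ACK later than 5 seconds)."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

SYN_ACK_LIMIT_S = 5.0  # from the guide: the appliance waits 5 seconds for a SYN-ACK

# One line of `tcpdump -tt -n` text output (IPv4), for example:
# 1418000100.000000 IP 10.1.1.20.51000 > 10.2.2.30.445: Flags [S], seq 1000, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample data (hypothetical addresses, not taken from the guide).
CLIENT_IP = "10.1.1.20"
SERVER_IP = "10.2.2.30"
SAMPLE_CAPTURE = """\
1418000100.000000 IP 10.1.1.20.51000 > 10.2.2.30.445: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
1418000100.002000 IP 10.2.2.30.445 > 10.1.1.20.51000: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
1418000100.003000 IP 10.1.1.20.51000 > 10.2.2.30.445: Flags [.], ack 1, win 65535, length 0
1418000110.000000 IP 10.1.1.20.51001 > 10.2.2.30.445: Flags [S], seq 3000, win 65535, options [mss 1460], length 0
1418000113.000000 IP 10.1.1.20.51001 > 10.2.2.30.445: Flags [S], seq 3000, win 65535, options [mss 1460], length 0
1418000116.500000 IP 10.2.2.30.445 > 10.1.1.20.51001: Flags [S.], seq 4000, ack 3001, win 65535, options [mss 1460], length 0
"""
# Constructed capture in which only an unrelated host reaches the server.
NO_SYN_CAPTURE = """\
1418000200.000000 IP 10.9.9.9.40000 > 10.2.2.30.445: Flags [S], seq 5000, win 65535, options [mss 1460], length 0
1418000200.001000 IP 10.2.2.30.445 > 10.9.9.9.40000: Flags [S.], seq 6000, ack 5001, win 65535, options [mss 1460], length 0
"""


class Finding(NamedTuple):
    client_port: int
    server_port: int
    delay_s: Optional[float]  # first SYN to first SYN-ACK, None if unanswered
    verdict: str              # "OK", "SLOW_SERVER" or "NO_SYN_ACK"


def classify_capture(lines: Iterable[str], client_ip: str, server_ip: str) -> List[Finding]:
    """Return one Finding per client connection attempt seen in the capture."""
    first_syn: Dict[Tuple[int, int], float] = {}
    first_synack: Dict[Tuple[int, int], float] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP packet line in the expected format
        ts, flags = float(m["ts"]), m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        is_syn = "S" in flags and "." not in flags
        is_synack = "S" in flags and "." in flags
        if is_syn and m["src"] == client_ip and m["dst"] == server_ip:
            # Retransmitted SYNs keep the time of the first attempt.
            first_syn.setdefault((sport, dport), ts)
        elif is_synack and m["src"] == server_ip and m["dst"] == client_ip:
            key = (dport, sport)  # same connection, seen from the client's side
            if key in first_syn:
                first_synack.setdefault(key, ts)

    findings = []
    for (cport, sport), t_syn in sorted(first_syn.items()):
        t_ack = first_synack.get((cport, sport))
        if t_ack is None:
            # Not one of the guide's two cases; reported so it is not missed.
            findings.append(Finding(cport, sport, None, "NO_SYN_ACK"))
            continue
        delay = t_ack - t_syn
        verdict = "SLOW_SERVER" if delay > SYN_ACK_LIMIT_S else "OK"
        findings.append(Finding(cport, sport, delay, verdict))
    return findings


def overall_verdict(findings: List[Finding]) -> str:
    """Map the findings to the guide's causes."""
    if not findings:
        return "NO_SYN"        # guide: firewall or routing issue
    if any(f.verdict == "SLOW_SERVER" for f in findings):
        return "SLOW_SERVER"   # guide: server sent SYN-ACK after 5 seconds
    if any(f.verdict == "NO_SYN_ACK" for f in findings):
        return "NO_SYN_ACK"
    return "OK"


if __name__ == "__main__":
    results = classify_capture(SAMPLE_CAPTURE.splitlines(), CLIENT_IP, SERVER_IP)
    for f in results:
        print(f)
    print("overall:", overall_verdict(results))
```

A result of NO_SYN corresponds to the guide's firewall or routing case, and SLOW_SERVER to the slow-server case.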

Error Reasons for CIFS Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access from the Current Flows page. The Alert details the reason and the possible resolution.

Following is a list of CIFS reason codes. They use the following format:

No [reason] — The connection is not accelerated, and the “reason string” explains why not.

Yes [reason] — The connection is partially accelerated, and the “reason string” explains why the connection is not fully accelerated.

Yes — The connection is fully accelerated.

Yes/No | Reason Text | Description
No | CIFS optimization is disabled in the Optimization Policy | CIFS is disabled in the optmap.
No | SMB signing is required by the server | SMB signing is enforced by the server, and this requirement precludes optimization.
No | SMB version 2 is enforced by the client | SMB version 2 protocol is enforced by the client, and this requirement precludes optimization.
No | The flow limit for CIFS optimization has been exceeded | Maximum flow limit reached for CIFS optimized flows.
Yes | Sub-optimal read-write optimization - Non standard server | Sub-optimal read/write optimization due to non-standard server. For example, Windows XP cannot process more than 10 simultaneous outstanding requests.
Yes | Metadata optimization disabled - NTNOTIFY failure | Metadata optimization is disabled due to change notification failure.
Yes | Metadata optimization disabled - OPEN failure | Metadata optimization is disabled because proxy cannot open the root share. To resolve, check the root share permissions.
Yes | Metadata optimization disabled - Unsupported Dialect | Endpoints are using an unsupported CIFS dialect. To resolve, upgrade the CIFS client/server.
Yes | Metadata optimization disabled - Unsupported Server | Unsupported CIFS server, like UNIX/Samba. To resolve, switch to standard servers like Windows/NetApp.
Yes | Metadata optimization disabled - Unsupported Client | Unsupported CIFS client, like UNIX/smbclient. To resolve, switch to standard clients like Windows/Mac.

Error Reasons for SSL Acceleration Failure

When there is an acceleration failure, the appliance generates an Alert link that you can access from the Current Flows page. The Alert details the reason and the possible resolution.

Note To deduplicate SSL (Secure Socket Layer) traffic, appliances must have a valid SSL certificate and key. For information about installing SSL certificates and keys, see “Adding SSL Certificates and Keys for Deduplication” on page 11.

Following is a list of the reasons you may receive a failure message for SSL acceleration.

Error Reason Description

error processing certificate Failure in processing certificate. Please check the certificate/key.

error processing client hello1 Failed to create client hello, protocol error, invalid SSL packet, or internal error

error processing client hello2 Unsupported client SSL protocol version or options

error processing client hello3 Invalid random number in SSLv2 client hello, protocol error, invalid SSL packet, or internal error

error processing SAN certificate Error while processing SAN certificate

error processing server hello Error while processing server hello

extension parse error TLS extension parse error, due to unknown TLS extensions

invalid certificate SSL certificate is invalid

invalid client cipher Client negotiated unsupported cipher algorithm

invalid client proto version Client negotiated unsupported SSL version.

invalid handshake condition Received invalid SSL packet or unsupported SSLv2 session resume request during handshake

invalid key SSL private key is invalid

invalid server cipher Server negotiated unsupported cipher algorithm

invalid server proto version Server negotiated unsupported SSL version

memory flow control The appliance SSL memory is full and cannot accelerate additional flows.

miscellaneous error Generic proxy layer internal error

missing active session Active session not found, cannot accelerate the SSL session.

missing certificate A matching SSL certificate was not found.

missing key A matching SSL key was not found.

missing pending session Pending session not found, possible failure in client hello.

missing resume session Do not have a session to resume in session cache.

missing SAN certificate Did not find a matching SAN certificate.

no ipsec on tunnel IPsec is not configured on the tunnel and IPsec on tunnel must be configured.

possibly no certs installed Possibly no SSL certificate installed. Check the GMS.

server-side advertised no dedup Peer appliance SSL did not optimize the flow.

ssl max flows limit Exceeded maximum SSL optimized flows limit.

unsupported client cipher Received unsupported cipher suite in SSLv2 client hello message.

unsupported compress method Unsupported compression method negotiated.

unsupported extension Unsupported TLS extension negotiated.

unsupported server cipher Received unsupported cipher suite in SSLv2 server hello message.

unsupported server protocol Unsupported SSL protocol: SSLv2 server hello message not supported.

Resetting Flows to Improve Performance

In the list of Alerts, you can look for the flows that aren’t being accelerated, but could be. Generally, this means flows that use TCP protocol and are not TCP-accelerated:

• This includes tunnelized TCP traffic that is not TCP-accelerated. TCP connections are not accelerated if they already exist when the tunnel comes up or when the appliance reboots.

• Pass-through connections are neither tunnelized nor accelerated if they already exist when a new tunnel is added and/or when an ACL is added or edited.

Unaccelerated TCP flows can be reset to allow them to reconnect at a later time. It is assumed that the connection end-points will re-establish the flows. When these flows are reconnected, the appliance recognizes them as new and accelerates them. Note that the time it takes to reset a flow may vary, depending on the traffic activity.

CAUTION Resetting a flow interrupts service for that flow. The appliance cannot restore the connection on its own; it relies on the end points to re-establish the flow. Use it only if service interruption can be tolerated for a given flow.

Tip For information about configuring the appliance to automatically reset TCP flows, see the Advanced TCP Options in “TCP Acceleration” on page 106.

Viewing QoS Statistics

The QoS page summarizes optimized traffic on the basis of traffic class and/or WAN DSCP markings.

To view the QoS Statistics report

From the Monitoring menu, select QoS.

The QoS Statistics on Traffic Class area displays the following information:

The QoS Statistics on DSCP area displays the following information:

Choose the type of traffic. The default is All Traffic.

Choose all traffic classes, or any one from 1 through 10. The default is All.

Choose all DSCP markings or just one. The default is All.

Field Definition

LAN Rx Bytes Number of bytes received from the LAN

LAN Rx Pkts Number of packets received from the LAN

LAN Tx Bytes Number of bytes sent to the LAN

LAN Tx Pkts Number of packets sent to the LAN

Lan Rx Dropped Pkts Number of packets received from the LAN that were dropped

Field Definition

WAN Tx Bytes Number of bytes sent to the WAN

WAN Tx Pkts Number of packets sent to the WAN

WAN Rx Bytes Number of bytes received from the WAN

WAN Rx Pkts Number of packets received from the WAN

Viewing Tunnel Statistics

The Tunnels page summarizes the overall inbound and outbound traffic statistics for the tunnels since the last reboot. The Tunnels table condenses the total LAN and WAN counters.

When you select a tunnel from the table, the Appliance Manager provides the following detailed report:

The Appliance Manager reports all realtime tunnel statistics as raw data.

Name Description

LAN/WAN Statistics • Specifies the number of bytes and packets received, processed, and transmitted by a Silver Peak tunnel in both the outbound (LAN-to-WAN) and inbound (WAN-to-LAN) directions.

• Statistics are separated for inbound and outbound traffic.

Flows/Latency/Packet Correction Statistics

• Specifies packets by TCP flow versus non-TCP flow. Packets in a TCP flow are further sorted by whether or not they’re accelerated.

• Displays round trip latency time in milliseconds (minimum, maximum, and average).

• Displays how many received packets were lost before and after Forward Error Correction (FEC).

• Displays how many received packets were out-of-order before and after Packet Order Correction (POC).

• Statistics represent combined, bi-directional data.

When you choose manually, click the browser’s Refresh icon to view up-to-the-minute data.

The default display unit is Bytes. If you want, you can choose MBytes, Pkts [packets], or KPkts instead. If you select a specific tunnel and then change the units, the page refreshes to display the table only.

OUTBOUND traffic (Transmit LAN to WAN)

INBOUND traffic (Receive WAN to LAN)

For detail, click a tunnel name.

(LAN Rx - WAN Tx) / LAN Rx

(WAN Rx - LAN Tx) / WAN Rx

How long the tunnel has been up

To view a specific tunnel’s detailed statistics

Click the tunnel’s Name. Typically, the following displays:

The Appliance Manager organizes an individual tunnel’s statistics into two parts:

• LAN/WAN Statistics

• Flows / Latency / Packet Correction Statistics

LAN/WAN Statistics

The LAN/WAN Statistics summarize realtime data directly related to the Silver Peak tunnel’s processing.

These statistics answer the following questions:

For any given tunnel, how many bytes (or packets) did the tunnel receive and subsequently transmit?

Which tunnels have processed the most traffic? The least traffic?

What error types and quantities were encountered for traffic inbound from the WAN?

What error types and quantities were encountered for traffic inbound from the LAN?

The LAN/WAN Statistics area displays the following information:

Section Field Definition

LAN Rx (outbound traffic)

Rx Bytes Number of bytes received from the LAN.

Rx Pkts Number of packets received from the LAN.

WAN Tx (outbound traffic)

Tx Bytes Number of bytes sent to the WAN.

Tx Pkts Number of packets sent to the WAN.

LAN Tx (inbound traffic)

Tx Bytes Number of bytes sent to the LAN.

Tx Pkts Number of packets sent to the LAN.

WAN Rx (inbound traffic)

Rx Bytes Number of bytes received from the WAN.

Rx Pkts Number of packets received from the WAN.

Flows / Latency / Packet Correction Statistics

The Flows / Latency / Packet Correction Statistics area includes other general statistics. It answers the questions:

How many of the traffic flows are based on TCP and how many are not?

How much of the TCP flow was accelerated?

What is the minimum, average, and peak latency in milliseconds?

How many packets were lost before Forward Error Correction (FEC), and how many were lost after?

How many out-of-order packets were there before and after Packet Order Correction?

TCP Flow / Latency / Packet Loss Statistics area displays the following statistics:

Section Field Definition

Traffic Flows Non-TCP Flows Number of flows that are not TCP-based.

TCP Flows Number of flows that are TCP-based.

TCP Accel Flows Number of TCP flows that are accelerated. Because CIFS acceleration is a subset of TCP acceleration, CIFS-accelerated flows are included in this count.

TCP Non-Accel Flow Number of TCP flows that are not accelerated.

Round Trip Latency Average Length of the average round trip latency, in milliseconds.

Maximum Length of the peak round trip latency, in milliseconds.

Minimum Length of the shortest round trip latency, in milliseconds.

Rx Packet Correction Pre FEC Loss Number of packets lost before Forward Error Correction (FEC).

Post FEC Loss Number of packets lost after Forward Error Correction (FEC).

Pre POC Out-of-Order Number of out-of-order packets before Packet Order Correction (POC).

Post POC Out-of-Order Number of out-of-order packets after Packet Order Correction (POC).

Fine-tuning Packet Correction

Enabling Forward Error Correction (FEC) in the tunnel configuration can sometimes result in the creation of additional Out-of-Order Packets (OOP).

To view the performance after enabling FEC, do either of the following:

Access the Monitoring > Tunnels page and review the Delta Stats for Pre POC Out-of-Order and Post POC Out-of-Order.

Access the Monitoring > Charts page, select the tunnel from Traffic, and review its Out-of-Order chart.

Adjust if necessary, as follows:

1 If out-of-order packets exist, then you’ll need to try another Reorder Wait time for the tunnel in question.

2 Go to Configuration > Tunnels, and in the row of the tunnel in question, click Advanced Tunnel.

3 At first, set the Reorder Wait time to 10ms, and save the configuration.

4 Return to the stats page(s) to see if the out-of-order packets have been eliminated.

5 If there are still out-of-order packets, then go back to the tunnel configuration and increase the Reorder Wait time.

6 Repeat Steps 5 and 6 until there are no more out-of-order packets.

Viewing Flow Redirection Statistics

The Flow Redirection page displays the number of control packets sent and received between this appliance and the other peer(s) in the cluster, as well as how much traffic was redirected to and from the other peer(s).

It answers the following questions:

What are the mgmt1 IP addresses of the other peers in this cluster?

How many control packets were exchanged between this appliance and each of its peers?

How many redirected flows does this appliance currently own?

How many flows is this appliance currently redirecting to peers?

In total, how many packets/bytes have been redirected to/from any given peer?

A Sampling of Results

When you choose manually, click the browser’s Refresh icon to view up-to-the-minute data.

For each mgmt1 IP address in the cluster, the Stats area summarizes the control packets that keep open the connection to a peer appliance.

These numbers are cumulative for all redirected flows, whether they’re active or terminated.

The Flows columns list current flows only.

This appliance owns all the Flows Redirected From.

The Flow Redirection page displays the following statistics:

Across all other reported statistics, only the owner of a flow reports a flow’s traffic statistics.

Section Field Definition

Stats Peer IP The mgmt1 IP address of a peer appliance in the same cluster as this appliance.

Hello Control packets used to keep open the TCP connection between two peers’ mgmt1 cluster interfaces.

Redirection Requests to redirect flows

Tx Msgs The number of messages transmitted.

Tx Bytes The size of the transmitted messages, in bytes.

Rx Msgs The number of messages received.

Rx Bytes The size of the received messages, in bytes.

Flows Redirected From

Peer The mgmt1 IP address of a peer appliance in the same cluster as this appliance.

Flows The number of current flows redirected from the peer to this appliance.

Pkts To date, the total number of packets redirected from the peer to this appliance.

Bytes To date, the total number of bytes redirected from the peer to this appliance.

Flows Redirected To Peer The mgmt1 IP address of a peer appliance in the same cluster as this appliance.

Flows The number of current flows redirected to the peer by this appliance.

Pkts To date, the total number of packets redirected to the peer by this appliance.

Bytes To date, the total number of bytes redirected to the peer by this appliance.

Viewing NetFlow Statistics

The NetFlow page displays how many records were exported to the NetFlow collectors.

It answers the following questions:

How many flows were required to export the records to NetFlow?

How many packets were required to export these flows?

A Sampling of Results

Viewing Interface Statistics

The Interfaces page displays generic performance data for the actual physical LAN, WAN, and management interfaces (primary and secondary). It answers the following questions:

How many bytes or packets is the appliance transmitting or receiving?

How many errors exist?

What types of errors exist?

To view the Interface Statistics

From the Monitoring menu, select Interfaces. The page displays the actual statistics accumulated for wan0, lan0, mgmt0, and mgmt1 since the appliance’s last reboot.

If Refresh is set to manually, use the browser’s refresh to view up-to-the-minute data.

When the appliance is in Bridge mode, there are lan0 interface statistics. When the appliance is in Router mode, there are not.

Management connection to LAN Management connection to PC

blan0 and bwan0 are visible when gigabit etherchannel bonding is configured.

For more information, see “Configuring Gigabit Etherchannel Bonding” on page 5.

The Interfaces page displays the following statistics:

Network Receive Statistics

Field Definition

Rx Bytes Number of bytes received inbound from the WAN side

Rx Pkts Number of packets received inbound from the WAN side, including all packets that were either discarded, contained errors, arrived too quickly for the hardware to receive, or were frame or mcast packets.

Rx Discard Pkts Number of input packets selected to be discarded even though no errors are found.

Rx Error Pkts Number of input packets that contained errors.

Rx Overrun Pkts Number of times the receiver hardware was unable to hand a received packet to a hardware buffer because the rate exceeded the receiver's ability to handle the data.

Rx MCast Pkts Number of multicast packets received.

Rx Frame Pkts Number of packets received incorrectly having a CRC error and a non-integer number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.

Network Transmit Statistics

Field Definition

Tx Bytes Number of bytes transmitted outbound toward the WAN side

Tx Pkts Number of packets transmitted outbound toward the WAN side, including all packets that were either discarded, contained errors, were overrun, had collisions, or were dropped because the interface detection link is lost.

Tx Discard Pkts Number of output packets selected to be discarded even though no errors are found.

Tx Error Pkts Number of outbound packets that could not be transmitted because of errors.

Tx Overrun Pkts Number of times the transmitter hardware was unable to hand a transmitted packet to a hardware buffer because the rate exceeded the transmitter's ability to handle the data.

Tx Carrier Pkts Number of packets dropped because the interface detection link is lost.

Tx Collision Pkts Number of output collisions detected on this interface.

Viewing Bridge Mode Statistics

The Bridges page displays data traffic traversing all the LAN and WAN interfaces when the appliance is deployed in-line.

It answers the following questions:

Is the appliance receiving/sending on all interfaces?

Is the link up?

[Figure: Sampling of Results, with callouts for ingress and egress of pass-through traffic]

Viewing Next-hop Reachability

To access the Next-hop Reachability page, select Monitoring > Routes.

This page displays the state of each management, WAN, and LAN next-hop.

Sampling of Results

The Next-hop Reachability page displays the following statistics:

Field Definition

Next-hop IP IP address of the router to which the Silver Peak appliance sends datapath traffic

Interface The logical port associated with the Next-hop IP

Source Direction of the next-hop router, relative to the appliance

State There are four possible states:

• Initializing

• Reachable

• Unreachable

• Test disabled [when appliance is in Bypass mode]

Uptime How long the next-hop router has been reachable

WAN Configured Role Whether the next-hop router is Active or Backup. When Active, it’s delivering tunnelized packets.

WAN Current Role Actual WAN role. The options are Active, Backup, Down, and N/A [not applicable].

CHAPTER 10

Administration Tasks

This chapter describes various administration-related tasks.

In This Chapter

Setting the Date and Time

Adding Domain Name Servers

Configuring SNMP

Configuring Flow Exports for Netflow

Pre-Positioning Data for Enhanced Acceleration Benefits

Managing User Accounts

Configuring Banners

Configuring Authentication, RADIUS, and TACACS+

Configuring Settings for Web Protocols and Web Users

Configuring Log Settings

Understanding the Events Log

Viewing a Log of All Alarms

Viewing the Audit Log

Managing Debug Files

Support Services

Setting the Date and Time

Configure the appliance's date and time to reference a time you specify manually, or an NTP (Network Time Protocol) server you subsequently designate.

1 From the Time Zone list, select the appliance's geographical location.

2 Select Manual and enter the Date [YYYY/MM/DD] and Time [HH:MM:SS] (based on a 24-hour clock).

3 Click Apply.

4 If you want to enable reference to an NTP server, now select NTP Time Synchronization.

5 Click Add.

6 Enter the IP address of the server, and select the version of NTP protocol to use.

7 Click Apply.

When you list more than one NTP server, the Appliance Manager selects the servers in the order listed, always defaulting to the available server uppermost on the list.

Data Collection

Silver Peak's GMS (Global Management System) collects and puts all stats in its own database in Coordinated Universal Time (UTC).

When a user views stats, the appliance (or GMS server) returning the stats always presents the information relative to its own time zone.

Adding Domain Name Servers

A Domain Name Server (DNS) keeps a table of the IP addresses associated with domain names. It allows you to reference locations by domain name, such as mycompany.com, instead of using the routable IP address.

You can configure up to three name servers.

Under Domain Names, add the network domains to which your appliances belong.

Configuring SNMP

This section describes the following about Simple Network Management Protocol (SNMP):

Loading SNMP MIBs

Configuring SNMP Settings

Loading SNMP MIBs

From Silver Peak’s website, you can download the Standard and the Silver Peak proprietary MIB (Management Information Base) files to load into whatever MIB browser you’re using:

• You can choose to install the Standard MIBs, the Silver Peak proprietary MIBs, or both.

• The Standard list and the Silver Peak file list share the same first three files: SNMPv2-SMI.txt, SNMPv2-TC.txt, and SNMPv2-CONF.txt.

• Because there are dependencies, you must load the files in a list in a specific sequence.

• If you choose to load both the Standard and the Silver Peak MIBs, load either list completely and then append the non-common files from the remaining list.

List of Silver Peak MIBs

Load these files in the following order:

1 SNMPv2-SMI.txt

2 SNMPv2-TC.txt

3 SNMPv2-CONF.txt

4 SILVERPEAK-SMI.txt

5 SILVERPEAK-TC.txt

6 SILVERPEAK-PRODUCTS-MIB.txt

7 SILVERPEAK-MGMT-MIB.txt

List of Standard MIBs

Load these files in the following order:

1 SNMPv2-SMI.txt

2 SNMPv2-TC.txt

3 SNMPv2-CONF.txt

4 RFC1155-SMI.txt

5 RFC1213-MIB.txt

6 SNMPv2-MIB.txt

7 SNMP-FRAMEWORK-MIB.txt

8 SNMP-MPD-MIB.txt

9 SNMP-TARGET-MIB.txt

10 SNMP-NOTIFICATION-MIB.txt

11 SNMP-USER-BASED-SM-MIB.txt

12 SNMP-VIEW-BASED-ACM-MIB.txt

Configuring SNMP Settings

Use this page to configure the appliance's SNMP agent, the trap receiver(s), and how to forward appliance alarms as SNMP traps to the receivers.

The Silver Peak appliance supports the Management Information Base (MIB) II, as described in RFC 1213, for cold start traps and warm start traps, as well as Silver Peak proprietary MIBs.

The appliance issues an SNMP trap during reset--that is, when loading a new image, recovering from a crash, or rebooting.

The appliance sends a trap every time an alarm is raised or cleared. Traps contain additional information about the alarm, including severity, sequence number, a text-based description of the alarm, and the time the alarm was created. For additional information, see SILVERPEAK-MGMT-MIB.TXT in the MIBS directory.

For SNMP v1 and SNMP v2c, you need to configure only the following:

Field Description

Enable SNMP Allows the SNMP application to poll this Silver Peak appliance.

Enable SNMP Traps Allows the SNMP agent (in the appliance) to send traps to the receiver(s).

Read-Only Community The SNMP application needs to present this text string (secret) in order to poll this appliance's SNMP agent. The default value is public, but you can change it.

Default Trap Community The trap receiver needs to receive this string in order to accept the traps being sent to it. The default value is public, but you can change it.

For additional security when the SNMP application polls the appliance, you can select Enable Admin User for SNMP v3, instead of using v1 or v2c. This provides a way to authenticate without using clear text:

To configure SNMP v3 admin privileges, you must be logged in as admin in Appliance Manager.

For SNMP v3, authentication between the user and the server acting as the SNMP agent is bilateral and required. You can use either the MD5 or SHA-1 hash algorithm.

Using DES or AES-128 to encrypt for privacy is optional. If you don't specify a password, the appliance uses the default privacy algorithm (AES-128) and the same password you specified for authentication.

You can configure up to 3 trap receivers:

Field Description

Host IP address where you want the traps sent

Community The trap receiver needs to receive a specific string in order to accept the traps being sent to it. By default, this field is blank because it uses the Default Trap Community string, which has the value, public. If the trap receiver you're adding has a different Community string, enter the community string that's configured on the trap receiver.

Version Select either v1 (RFC 1157) or v2c (RFC 1901) standards. For both, authentication is based on a community string that represents an unencrypted password.

Enabled When selected, enables this specific trap receiver.
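The following Python sketch is an added example, not part of the Silver Peak guide: it decodes the header of an SNMP message the way any device on the path can, showing that a v1/v2c community string travels unencrypted, and it flags the default value public. The sample datagrams and the non-default community string are constructed for illustration.

```python
"""Added example: read the version and community string from an SNMP message."""
from typing import List, Optional, Tuple

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}   # version numbers as sent on the wire
DEFAULT_COMMUNITY = b"public"             # default value named in the guide


def _tlv(tag: int, payload: bytes) -> bytes:
    """Build one BER element (short-form length only; enough for the samples)."""
    if len(payload) > 127:
        raise ValueError("sample builder supports payloads up to 127 bytes")
    return bytes([tag, len(payload)]) + payload


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_offset) for the BER element at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[off:off + length], off + length


def parse_snmp_header(datagram: bytes) -> Tuple[str, Optional[bytes]]:
    """Return (version, community); community is None for SNMP v3."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (no outer SEQUENCE)")
    tag, raw_version, off = _read_tlv(body, 0)
    if tag != 0x02 or not raw_version:
        raise ValueError("missing version INTEGER")
    version = VERSIONS.get(int.from_bytes(raw_version, "big"))
    if version is None:
        raise ValueError("unknown SNMP version")
    if version == "v3":
        return version, None               # v3 carries no community string
    tag, community, _ = _read_tlv(body, off)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, community


def audit(datagram: bytes) -> List[str]:
    """List the findings an auditor would record for one captured datagram."""
    try:
        version, community = parse_snmp_header(datagram)
    except ValueError:
        return ["not a parseable SNMP message"]
    findings = []
    if community is not None:
        findings.append(f"{version} community string is sent in clear text")
        if community == DEFAULT_COMMUNITY:
            findings.append("default community 'public' is in use")
    return findings


# Constructed samples: a GetRequest for sysUpTime.0 (OID 1.3.6.1.2.1.1.3.0).
_VARBIND = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010300")) + _tlv(0x05, b""))
_GET = _tlv(0xA0, _tlv(0x02, b"\x00\x00\x30\x39") + _tlv(0x02, b"\x00")
            + _tlv(0x02, b"\x00") + _tlv(0x30, _VARBIND))
SAMPLE_V2C = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"public") + _GET)
SAMPLE_V2C_CUSTOM = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"constructed-ro") + _GET)
# Only the first fields of a v3 message; the parser stops after the version.
SAMPLE_V3_HEADER = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b""))

if __name__ == "__main__":
    for name, pkt in [("v2c/public", SAMPLE_V2C), ("v2c/custom", SAMPLE_V2C_CUSTOM),
                      ("v3", SAMPLE_V3_HEADER)]:
        print(name, audit(pkt) or ["no clear-text community"])
```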

Configuring Flow Exports for Netflow

You can configure your appliance to export statistical data to NetFlow collectors. The appliance exports flows against two virtual interfaces -- sp_lan and sp_wan -- that accumulate the total of LAN-side and WAN-side traffic, regardless of physical interface.

These interfaces appear in SNMP and are therefore "discoverable" by NetFlow collectors.

Flow Exporting Enabled allows the appliance to export the data to collectors (and makes the configuration fields accessible).

The Collector's IP Address is the IP address of the device to which you're exporting the NetFlow statistics. The default Collector Port is 2055.

In Traffic Type, you can select as many of the traffic types as you wish. The default is Outbound WAN.

Pre-Positioning Data for Enhanced Acceleration Benefits

The Appliance Manager allows you to pre-position data into Network Memory so that users can get the benefits of second-pass performance without having to wait for Network Memory to populate.

With the Administration - Pre-position page, you can enable FTP server capability on each branch’s NX appliance:

After enabling pre-positioning, administrators can FTP files or directories to the appliances which will, in turn, “warm” Network Memory.

Subsequently, any user who requests data that was pre-positioned will immediately enjoy the acceleration benefits of the stored local instances.

Make sure that the relevant tunnels are administratively up before the FTP transfer.

An Administrator can set up a script process for pre-positioning jobs that need to run automatically.

There is no downside to leaving this feature enabled by default.

In this scenario, the file server at the data center is the FTP client, with multiple directories under /dir/home.

To configure a branch or remote appliance to pre-position data

1 From the Administration menu, select Pre-position.

a Select the Server Enable check box. This enables the appliance to act as an FTP server.

b To exempt the FTP client from needing to use an existing account on the appliance, select Anonymous Access Enable.

c Enter the maximum number of clients that may access the appliance simultaneously. The default value is 5. The range is 1 to 10.

2 Click Apply.

3 Click Save Changes.

Managing User Accounts

The Silver Peak appliance’s built-in user database supports user names, groups, and passwords.

Use this page to create, edit, and delete users.

The Active Sessions table lists who is logged in to the appliance, and from where.

The User Accounts table lists all users known to this appliance, whether or not their accounts are enabled.

The system user names are admin and monitor.

• They CANNOT be deleted.

• You can only disable monitor.

• You can, however, change each one's password.

A user has either admin or monitor privileges:

• admin capability allows the user to view and modify.

• monitor capability allows the user to view only.

Suggested Guidelines for Creating Passwords

Passwords should be a minimum of 8 characters.

There should be at least one lower case letter and one upper case letter.

There should be at least one digit.

There should be at least one special character.

Consecutive letters in the password should not form words found in the dictionary.

Configuring Banners

You can configure two different types of banners:

The Login Message appears on the Login page, before the login prompt.

The Message of the Day appears on the Network View page after a successful login. Mouse over the icon to reveal it.

You can configure either, neither, or both.

Configuring Authentication, RADIUS, and TACACS+

Silver Peak appliances support user authentication and authorization as a condition of providing access rights.

Authentication is the process of validating that the end user, or a device, is who or what they claim to be.

Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.

Map order refers to the order in which the authentication databases are queried.

The configuration specified for authentication and authorization applies globally to all users accessing that appliance.

If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, on the Administration - Session Management page.

Authentication and Authorization

To provide authentication and authorization services, Silver Peak appliances:

support a built-in, local database

can be linked to a RADIUS (Remote Authentication Dial-In User Service) server

can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.

Both RADIUS and TACACS+ are client-server protocols.

Appliance-based User Database

The local, built-in user database supports user names, groups, and passwords.

The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.

The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface's (CLI) enable mode privileges.

The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface's (CLI) configuration mode privileges.

RADIUS

RADIUS uses UDP as its transport.

With RADIUS, the authentication and authorization functions are coupled together.

RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Please see your RADIUS documentation for details.

Important: Configure your RADIUS server's priv levels within the following ranges:

• admin = 7 - 15

• monitor = 1 - 6

TACACS+

TACACS+ uses TCP as its transport.

TACACS+ provides separated authentication, authorization, and accounting services.

Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Please see your TACACS+ documentation for details.

Important: Configure your TACACS+ server's roles to be admin and monitor.

What Silver Peak recommends

Use either RADIUS or TACACS+, but not both.

For Authentication Order, configure the following:

• First = Local

• Second = either RADIUS or TACACS+. If not using either, then None.

• Third = None

When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as follows:

• Map Order = Remote First

• Default User = admin

Configuring Settings for Web Protocols and Web Users

Use the Administration - Session Management page to configure the web protocol settings and web user settings.

You can configure the following:

• whether to enable HTTP, HTTPS, or both protocols

• how long you can go without using the Appliance Manager before it times out and you’re forced to log on again

• the maximum number of simultaneous user sessions allowed on an appliance

Configuring Log Settings

Use the Administration - Log-Settings page to configure local and remote logging parameters.

Each requires that you specify the minimum severity level of event to log.

Set up local logging in the Log Configuration section.

Set up remote logging by using the Log Facilities Configuration and Remote Log Receivers sections.

Minimum Severity Levels

In decreasing order of severity, the levels are as follows.

[Figure callouts: For local logging; For remote logging]

Level Definition

EMERGENCY The system is unusable.

ALERT Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING

CRITICAL A critical event

ERROR An error. This is a non-urgent failure.

WARNING A warning condition. Indicates an error will occur if action is not taken.

NOTICE A normal, but significant, condition. No immediate action required.

INFORMATIONAL Informational. Used by Silver Peak for debugging.

DEBUG Used by Silver Peak for debugging

NONE If you select NONE, then no events are logged.

The bolded part of the name is what displays in Silver Peak's logs.

If you select NOTICE (the default), then the log records any event with a severity of NOTICE, WARNING, ERROR, CRITICAL, ALERT, and EMERGENCY.

These are purely related to event logging levels, not alarm severities, even though some naming conventions overlap. Events and alarms have different sources. Alarms, once they clear, list as the ALERT level in the Event Log.

Configuring Remote Logging

You can configure the appliance to forward all events, at and above a specified severity, to a remote syslog server.

A syslog server is independently configured for the minimum severity level that it will accept. Without reconfiguring, it may not accept as low a severity level as you are forwarding to it.

In the Log Facilities Configuration section, assign each message/event type (System / Audit / Flow) to a syslog facility level (local0 to local7).

You can use a different facility for each log, or you can select the same facility for all the logs.

For each remote syslog server that you add to receive the events, specify the receiver's IP address, along with the messages' minimum severity level and facility level.

Both of these remote receivers have a local1 facility, so they’ll each receive System log events.

The only difference is that 172.20.2.106 accepts events with a lower severity than 10.10.20.41 does.
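As an added illustration (not taken from the guide or from Silver Peak's software), this Python example models the facility and minimum-severity rules described above and reports which event types no remote receiver would get. The Audit and Flow facility assignments and the two receivers' severity levels are assumptions; the guide states only that both receivers use local1 and that 172.20.2.106 accepts a lower severity than 10.10.20.41.

```python
"""Added example: model the guide's remote-logging rules (facility + minimum severity)."""
import re
from typing import List, Tuple

# Severity names from the guide, most severe first; the list index is the
# syslog numeric severity (0 = EMERGENCY ... 7 = DEBUG).
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"]
FACILITY_CODE = {f"local{i}": 16 + i for i in range(8)}   # local0..local7

# Log Facilities Configuration. System = local1 follows the guide's example;
# the Audit and Flow assignments are ASSUMED for illustration.
LOG_FACILITIES = {"System": "local1", "Audit": "local2", "Flow": "local3"}

# Remote Log Receivers. The addresses and the local1 facility are the guide's;
# the two minimum severities are ASSUMED (the guide gives only their order).
REMOTE_RECEIVERS = [
    {"ip": "172.20.2.106", "min_severity": "INFORMATIONAL", "facility": "local1"},
    {"ip": "10.10.20.41", "min_severity": "WARNING", "facility": "local1"},
]


def meets_minimum(minimum: str, severity: str) -> bool:
    """True if an event of this severity is logged at the given minimum level."""
    if minimum == "NONE":                  # NONE: no events are logged
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def forwarded_to(event_type: str, severity: str) -> List[str]:
    """IP addresses of the remote receivers that get this event."""
    facility = LOG_FACILITIES[event_type]
    return [r["ip"] for r in REMOTE_RECEIVERS
            if r["facility"] == facility and meets_minimum(r["min_severity"], severity)]


def unforwarded_event_types() -> List[str]:
    """Event types whose facility no remote receiver is configured for."""
    covered = {r["facility"] for r in REMOTE_RECEIVERS if r["min_severity"] != "NONE"}
    return [t for t, fac in LOG_FACILITIES.items() if fac not in covered]


def encode_pri(event_type: str, severity: str) -> int:
    """Syslog PRI value (facility * 8 + severity) the receiver will see."""
    return FACILITY_CODE[LOG_FACILITIES[event_type]] * 8 + SEVERITIES.index(severity)


def decode_pri(line: str) -> Tuple[str, str]:
    """Recover (facility, severity) from the <PRI> prefix of a received line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid syslog PRI prefix")
    facility, severity = divmod(int(m.group(1)), 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, SEVERITIES[severity]


if __name__ == "__main__":
    # Constructed line, as a receiver might store it.
    sample = "<140>Dec  3 10:15:00 SP41-NX-8600 constructed sample message"
    print(decode_pri(sample))
    print("System/NOTICE goes to:", forwarded_to("System", "NOTICE"))
    print("Never forwarded:", unforwarded_event_types())
```

With these assumed settings, audit events such as logins and configuration changes stay only on the appliance, because neither receiver is configured for the facility assigned to the Audit log.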

Understanding the Events Log

The event log, which you access by selecting Administration > Logging > Event Log Viewer, contains timestamped messages for all system-level activity. It’s a locally saved, read-only log:

Configure the generic log settings on the Administration - Log Settings page. This includes specifying:

• the minimum severity level logged

• whether time intervals or log size determine when a new log begins

• the maximum number of log files to keep, including the current log

• to what other remote servers to send logged events

For more information, see “Setting the Date and Time” on page 182.

[Figure callouts: Go to first page; Go to last page; Previous page; Next page; Select how many alarms per page]

Viewing a Log of All Alarms

The Administration - Alarm Log Viewer page displays all alarms, both current and historical. It contains timestamped messages each time an alarm is raised or cleared. It is a locally saved read-only log.

To access the alarm log, select Administration > Logging > Alarm Log Viewer.

Configure the generic log settings on the Administration - Log Settings page. This includes specifying:

• the minimum severity level logged

• whether time intervals or log size determine when a new log begins

• the maximum number of log files to keep, including the current log

• to what other remote servers to send logged events

For more information, see “Setting the Date and Time” on page 182.

[Figure callouts: Go to first page; Go to last page; Previous page; Next page; Select how many alarms per page]

Viewing the Audit Log

The Administration - Audit Log Viewer page lists all configuration changes (create, modify, delete) and all system actions such as login/logout made by any users (Command Line Interface [CLI], Appliance Manager, and/or Global Management System [GMS]).

To access this page, select Administration > Logging > View Audit Log.

This log is only available to users with the Admin privilege level.

[Figure callouts on a sample audit log entry: username@IP (/gms of GMS user); additional parameters (context dependent); create / modify / delete / action; succeeded / failed / requested; Appliance Hostname; SYSTEM / INTERFACE / ALARM / CONFIG-DB]

Managing Debug Files

This section describes how to manage the system files – log files, debug dump files, stat reports, and tcpdump results. It also describes how to archive them by saving them to an SCP (Secure Copy) or FTP (File Transfer Protocol) Server.

Types of Debug Files

Saving Files to a Remote Server

Deleting Log Files

Types of Debug Files

The appliance automatically creates and stores a number of non-configuration data files as a result of normal events, traffic monitoring, system crashes, and testing.

• The Appliance Manager’s Administration - Debug Files page lists these files and provides a way for you to save them to another location for storage or additional handling.

• With the exception of the [Log] files, you cannot view these files on the Appliance Manager.

• To free up memory in the appliance, you can delete the files.

Specifically, these five file types are as follows:

Log The raw event log data, viewable on the Administration - Event Log Viewer page. This includes historical alarms, not current ones. To access this page, select Administration > Logging > Event Log Viewer.

By default, a new file begins when the file reaches 50 MB. However, you can change the rotation criteria on the Administration - Log Settings page. To access this page, select Administration > Logging > Log Settings.

Debug Dump Created as a result of any system failure.

Can also be created on demand by clicking the Generate button next to the System & Debug Information File field.

Transfer these files to Silver Peak’s Customer Support for evaluation.

Snapshot Created as a result of any system failure.

Contains the same information as Debug Dump, and then includes additional information needed by the engineering team.

Transfer these files to Silver Peak’s Customer Support for evaluation.

TCP Dump Result User-named data file generated by running tcpdump using the Command Line Interface (CLI).

Transfer these files to Silver Peak’s Customer Support for evaluation.

Show Tech Can also be created on demand by clicking the Generate button next to the Tech Support File field.

Transfer these files to Silver Peak’s Customer Support for evaluation.

Shows the data disk space used and available, in bytes and as a percentage

To save a file to the local disk or an SCP or FTP remote server, click on the filename itself.

Debug Dump

The file name format is tunbug-[Hostname]-[YYYYMMDD-HHMMSS].tgz

TCP Dump Result

User-named file generated by running tcpdump in the Command Line Interface (CLI).

Show Tech

Generated when you execute the Tech Support File. The file name format is [Hostname]-[YYYYMMDD-HHMMSS].txt.gz

Snapshot

The file name format is [Hostname]-[sysd|statsd|soapd|snmpd|...]-[YYYYMMDD-HHMMSS].tar.gz

To generate the Show Tech file.

To manually generate Debug Dump file.

Log

As a new log file is created, the earlier files increment. For example, the file messages will eventually be renamed messages.3.gz.
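When these files are archived on an SCP or FTP server, the name formats above are enough to sort them by type, appliance, and creation time. The Python example below is added here and is not Silver Peak code; the sample file names are constructed, and only the messages log name and the three timestamped formats documented above are recognized.

```python
"""Added example: classify archived debug files by the documented name formats."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

MAX_HOSTNAME = 24                       # hostname limit stated in the guide
_TS = r"(?P<ts>\d{8}-\d{6})"            # [YYYYMMDD-HHMMSS]
_PATTERNS = [
    ("debug_dump", re.compile(rf"^tunbug-(?P<host>.+)-{_TS}\.tgz$")),
    # Hostnames may contain hyphens; the process name is the last hyphen-free
    # token before the timestamp.
    ("snapshot", re.compile(rf"^(?P<host>.+)-(?P<proc>[A-Za-z0-9_]+)-{_TS}\.tar\.gz$")),
    ("show_tech", re.compile(rf"^(?P<host>.+)-{_TS}\.txt\.gz$")),
    ("log", re.compile(r"^messages(?:\.(?P<rot>\d+)\.gz)?$")),
]


class DebugFile(NamedTuple):
    name: str
    kind: str                           # debug_dump, snapshot, show_tech, log, unknown, rejected
    host: Optional[str] = None
    process: Optional[str] = None
    created: Optional[datetime] = None
    rotation: Optional[int] = None


def classify(name: str) -> DebugFile:
    """Map one file name to its type; never trusts path components in the name."""
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return DebugFile(name, "rejected")
    for kind, pattern in _PATTERNS:
        m = pattern.match(name)
        if not m:
            continue
        g = m.groupdict()
        created = None
        if g.get("ts"):
            try:
                created = datetime.strptime(g["ts"], "%Y%m%d-%H%M%S")
            except ValueError:          # e.g. 20140231: looks right, is not a date
                break
        host = g.get("host")
        if host is not None and len(host) > MAX_HOSTNAME:
            break
        rotation = int(g["rot"]) if g.get("rot") else None
        return DebugFile(name, kind, host, g.get("proc"), created, rotation)
    # User-named files such as TCP dump results end up here.
    return DebugFile(name, "unknown")


def inventory(names: List[str]) -> Dict[str, List[DebugFile]]:
    """Group file names by type, oldest first within each type."""
    groups: Dict[str, List[DebugFile]] = {}
    for name in names:
        item = classify(name)
        groups.setdefault(item.kind, []).append(item)
    for items in groups.values():
        items.sort(key=lambda f: (f.created or datetime.min, f.name))
    return groups


# Constructed sample names (the hostname SP41-NX-8600 is used for illustration).
SAMPLE_NAMES = [
    "tunbug-SP41-NX-8600-20141203-101500.tgz",
    "SP41-NX-8600-sysd-20141203-101502.tar.gz",
    "SP41-NX-8600-20141204-090000.txt.gz",
    "messages",
    "messages.3.gz",
    "branch-capture.pcap",
    "tunbug-SP41-NX-8600-20140231-101500.tgz",
    "../tunbug-SP41-NX-8600-20141203-101500.tgz",
]

if __name__ == "__main__":
    for kind, items in sorted(inventory(SAMPLE_NAMES).items()):
        print(kind, [i.name for i in items])
```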

Saving Files to a Remote Server

The Appliance Manager lets you copy non-configuration files from the appliance to a remote server.

When you click to select the method, you can only edit the required fields.

The fields and options have the following definitions:

Click to return to the main Administration - Debug Files page

Field or Option Definition/Content

File Name (A read-only field) The name of the file you’ve chosen to save.

Save to Server with:

Local File For saving the software image file to your local PC.

SCP (Secure Copy) For saving the software image file to a remote Secure Copy server.

FTP (File Transfer Protocol) For saving the software image file to a remote File Transfer Protocol (FTP) server.

Remote Server Address Use either the server IP address or the server name (if it’s mapped to a local host table or a DNS server).

Remote User Name The name of the user that server expects

Remote Password The password of the user that the server expects

Remote Full Path / Remote Relative Path The type of path requested depends on which method you choose:

• If using the SCP server, enter the full path to the server.

• (Optional) If using the FTP server, enter the relative path to the server.

Destination File Name (Optional) If you want to rename the file, you can do so here.

Status If the read-only value is Ready, you may proceed with transferring the file to a remote server.

Last Save Status The status at the end of the previous save operation.

Transfer Start Time What time the file transfer began

Transfer End Time What time the file transfer ended

To save a log file to an SCP Server

1 Go to the Administration - Debug Files page.

2 In the File Management area, click the type of log you want to save: Log, Debug Dump, Snapshot, Stat Report, or TCP Dump Result.

3 In the table, click on the file name of the file you want to save.

The Administration - Debug Files - Save File page appears.

4 Click SCP (Secure Copy).

5 Enter the data necessary to save the file to the SCP server.

Here, we’ll use the example of saving the file, alerts, to the following location:

scp <UserName>@170.2.2.65:/home/<UserName>/work/logs/alerts

a For the Remote Server Address field, enter either:

• the server IP address, as in 170.2.2.65, or

• the server name, if it’s mapped to a local host table or a DNS server

b Enter the Remote User Name and Remote Password for the Secure Copy (SCP) server.

c For the Remote Full Path field, enter the full path.

A full pathname includes the drive (if required), starting or root directory, all attached subdirectories and ends with the file or object name. Begin the path with a forward slash (/).

d If you want to rename the file, enter the new file name in the Destination File Name field. If you leave the field blank, the Appliance Manager saves the file with its existing file name.

6 Click Save. The Appliance Manager displays the progress.

To save a log file to an FTP Server

1 Go to the Administration - Debug Files page.

2 In the File Management area, click the type of log you want to save: Log, Debug Dump, Snapshot, Stat Report, or TCP Dump Result.

3 In the table, click on the file name of the file you want to save. The Administration - File System - Save File page appears.

4 Click FTP (File Transfer Protocol).

5 Enter the data necessary to save the file to the FTP server.

Here, we’ll use the example of saving the file, alerts, to Andrew’s directories on an FTP server. In the process, we’ll rename the file to alerts_SP41-NX-8600:

a For the Remote Server Address field, enter either:

• the server IP address, as in 170.2.2.65, or

• the server name, if it’s mapped to a local host table or a DNS server

b Enter the Remote User Name and Remote Password for the FTP server.

c For the Remote Relative Path field, enter the relative path.

A relative path is a path relative to the current working directory. Its first character can be anything but the pathname separator (here, a forward slash).

For example, if the ftp login directory is /home/<UserName>/, then the relative path would begin at the next subdirectory, as in, work/logs. It is not necessary to begin or end the relative path with a forward slash (/).

d If you want to rename the file, enter the new file name in the Destination File Name field. If you leave the field blank, the Appliance Manager saves the file with its existing file name.

6 Click Save. The Appliance Manager displays the progress.

If you want to rename the original file, enter it in this field. If you leave it blank, the file saves with its existing name.

For FTP, no slash necessary before or after the directory name

Deleting Log Files

All log files are removed the same way.

Click the unchecked box(es) to select the file(s) you want to delete, then click Remove Selected. The Appliance Manager deletes the files from the appliance.

The appliance name and the Debug Dump file’s creation date are encoded in the file name. This folder may contain different types of dump files, such as tunbug, statsdata, and sysdump. The appliance creates some at regular intervals; others are user-initiated.

Support Services

The Administration - Support page lists the appliance-specific information you need when calling Technical Support. It also tells you how to contact Support via web, e-mail, and phone.

CHAPTER 11

System Maintenance

This chapter describes how to perform various system maintenance tasks.

Note Although Disk Management is part of the Maintenance menu, the topic is covered in the Silver Peak Field Replaceable Unit Guide.

In This Chapter

Viewing System Information

Upgrading the Appliance Manager Software

Backing Up and Restoring the Appliance Configuration File

Testing Network Connectivity

Erasing Network Memory

Restarting the Appliance

Viewing System Information

The Maintenance - System Information page displays system information specific to this appliance.

The Maintenance - System Information page summarizes the following information:

This field only displays for virtual appliances.

Field Definition/Content

Hostname The name assigned to the appliance when using the initial configuration wizard. To edit it later, you can use the Command Line Interface (CLI) and the hostname command. The hostname is limited to a maximum of 24 characters.

Appliance ID A network-wide unique number between 1 and 65534, assigned automatically during initial configuration.

Model The appliance’s model number. For example, NX-7600 or NX-5600.

System Status The options are Normal and Bypass.

• When the status is Normal, traffic goes through tunnels, as configured.

• Bypass refers to hardware bypass. If there is a major problem with the appliance hardware, software, or power, all traffic goes through the appliance without any processing. Additionally, you can manually put the appliance into Bypass as an aid to troubleshooting.

Uptime The time elapsed since the last reboot. For example, 3d 3h 28m 28s means “3 days, 3 hours, 28 minutes, and 28 seconds”.

Date/Time The local date and time at the appliance’s location, specified by time zone.

Release The currently running software version of the Appliance Manager.

Serial Number The serial number of the appliance hardware.

Mode Whether the appliance is configured for Bridge (in-line) or Router (out-of-path) mode.

Appliance IP The IP address of this Silver Peak appliance

Viewing System Information Chapter 11 System Maintenance

Disk Encryption: Yes means that Network Memory is encrypted; No means that it’s not. Selecting either enforces the choice from that moment until you change it, in which case you’d have some network memory encrypted and some not. Although we don’t recommend that you do this, the Appliance Manager manages both seamlessly.

Auto Tunnel: Whether or not the appliance is configured to create tunnels if there is network connectivity and active flows. The default is no.

Current Network Memory Media Type: This field displays for virtual appliances.

Upgrading the Appliance Manager Software

This section consists of the following topics:

• Overview

• Installing a New Software Image into a Partition

• Installing the Software Image

• Switching to the Other Boot Partition

Overview

The Appliance Manager provides multiple options for managing appliance software. You can:

• Store two software images on the appliance

• Select which software version to run from the installed images

• Set up to switch to the other partition at the next reboot

• Download a software image from a local file, URL, Secure Copy (SCP) server, or File Transfer Protocol (FTP) server, and install it into the appliance’s inactive partition.

• Choose to reboot and begin running a newly installed software image either immediately, or at the next reboot.

When appliances within a network are operating at different software release levels, the higher numbered software release determines interoperability. For more information, see “Tunnel Compatibility Mode” on page 21, and check the Release Notes to verify software version compatibility.

Note: Software upgrade files end with .img or .zip.

[Figure: Maintenance - Software Upgrade page. Callouts:]

• When you select a file source, only the appropriate fields display.

• This section displays the download progress and results.

• For details, see “Switching to the Other Boot Partition” on page 215.

• To execute the Install Options choice you made with the radio buttons.

• Reboots from the partition that has yes in the Next Boot column.

• Choose what, if anything, you want the Appliance Manager to do after installing the new software image into the inactive partition.

Installing a New Software Image into a Partition

When you install a new software image, the Appliance Manager automatically downloads it into the inactive partition. Depending on the option you choose, you can install the software image and:

• Store it there indefinitely

• Specify it as the image to use at the next reboot

• Reboot immediately to begin running the newly installed software.

Some physical appliance models (NX) enter a hardware bypass state when rebooting. This allows traffic to pass, but without the benefits of compression, acceleration, or Network Memory™.

Virtual appliances, and the remaining physical appliances, do not process or pass traffic while rebooting.

Therefore, Silver Peak suggests that you perform upgrades when traffic volume is lower, preferably after hours.

Tip: Best practices recommend that before upgrading (or switching to the other partition), you preserve a copy of the running configuration file by saving it to a server. For this, use the Maintenance - Backup/Restore page.

Tip: Best practices also recommend scheduling a maintenance window to best accommodate the appliance reboot when installing an image.

CAUTION: The database schema may change with software image upgrades. Because the database is in the same partition as its associated software version, going “backwards” is not an issue. However, be aware that configuration changes made since you last ran the earlier version will be lost. To verify the feasibility, consult first with Silver Peak Customer Support.

Installing the Software Image

You can install the software image from any of four locations: your computer hard drive, a URL, an SCP server, or an FTP server.

To install the software image

1 On the Maintenance - Software Upgrade page, select one of the following from the Install Options:

• Install – to install the image into the inactive partition

• Install and set next boot partition – to install the image into the inactive partition and designate it as the partition to be used during the next boot

• Install and Reboot – to install the image into the inactive partition, switch to that partition, and then reboot to begin running it immediately. While the Silver Peak appliance reboots, it goes into the hardware bypass state, allowing all traffic to pass through the appliance without intervention. Once the reboot is complete, the appliance comes out of the hardware bypass state and requires you to log in again.

2 Select the software image’s location. Choices include Local File, URL, SCP (Secure Copy), and FTP (File Transfer Protocol).

Your selection determines what fields display in the Install Image area:

• For Local File, browse the hard drive to locate the file.

• For URL, enter the image file’s URL after http://, ending with the filename.

• For SCP (Secure Copy), enter the data necessary to download the file from the SCP server.

In this example, we’ll download the file, image-6.2.5.0_51902.img from the location,

scp <UserName>@10.10.10.11:/home/<UserName>/SWimages/image-6.2.5.0_51902.img.

The full pathname includes the drive (if required), starting or root directory, and all relevant subdirectories.

• For FTP (File Transfer Protocol), enter the data necessary to download the file from the FTP server.

The relative path is a path relative to the current working directory. For example, if the ftp login directory is /home/<UserName>/, then the relative path would begin at the next subdirectory, as in, /SWimages.

3 Click Install. The browser reports your progress during download and installation.

Switching to the Other Boot Partition

You can specify that you want to switch to the other, inactive partition for the next reboot:

• To select the partition now, for a later reboot, click Switch Boot Partition. The inactive image’s Next Boot value changes from no to yes.

• To select the partition now and reboot immediately, click Reboot.

In this example, the user clicked Switch Boot Partition. As a result, Partition 1, which is not currently active, has yes in the Next Boot column.

Backing Up and Restoring the Appliance Configuration File

This section consists of the following topics:

• Viewing the Appliance Configuration File

• Saving the Appliance Configuration File

• Restoring the Appliance Configuration File

To protect the Appliance Manager database against loss or corruption, you can store a backup of the configuration database file, either locally on the appliance or on a local hard drive, an SCP (Secure Copy) server, or an FTP (File Transfer Protocol) server.

You can also restore or load a configuration database file from a local disk, SCP server, FTP server, or web-based location (URL).

[Figure: Maintenance - Backup/Restore page. Callouts:]

• For copying a saved configuration file (active or inactive) to/from an external location.

• For managing the running configuration file. That is, an active file with unsaved changes.

• Lists all the appliance’s configuration files.

• To view the contents of a configuration file, click its name and a separate window opens.

Viewing the Appliance Configuration File

The content display does not change after you open the file.

To view, click the file name. The contents open in a separate window.

IMPORTANT: You can only save this text file to your computer’s local hard disk.

To apply this configuration to another appliance, you must first open an SSH shell to the target appliance and then copy and paste these configuration commands into the shell.

[Figure callouts:]

• Browser’s menu...

• Indicates unsaved changes in the configuration file.

Saving the Appliance Configuration File

The Appliance Manager supports saving a configuration file to three external destinations — a local disk, an SCP server, or an FTP server.

To save the configuration file to an external location

1 On the Maintenance - Backup/Restore page, click [Save Configuration] and select the file you want to back up.

2 Select the backup file’s destination. Choices include Local File, SCP (Secure Copy), and FTP (File Transfer Protocol).

Your selection determines what fields display below the chosen file.

• For Local File, click Save.

Your browser determines the file’s default destination.

• For SCP (Secure Copy), enter the data necessary to save the file to the SCP server.

In this example, we’ll save the file, initial, to the location,

scp <UserName>@180.6.7.243:/home/<UserName>/work/image/initial

The full pathname includes the drive (if required), starting or root directory, and all relevant subdirectories.

• For FTP (File Transfer Protocol), enter the data necessary to save the file to the FTP server.

A relative path is a path relative to the current working directory. For example, if the ftp login directory is /home/<UserName>/, then the relative path would begin at the next subdirectory, as in, work/image/. The end slash isn’t required, but is accepted.

3 Click Save. The Appliance Manager displays the progress.

[Figure callouts:]

• You can save the file to a new filename.

• Initial slashes (/) are required for full path. End slashes are not.

• You can save with either the existing, or a new, destination file name.

• No slash necessary before the directory name.

Restoring the Appliance Configuration File

The Appliance Manager supports restoring a configuration file from four sources external to the appliance.

To restore the configuration file from an external location

1 On the Maintenance - Backup/Restore page, click [Load Configuration] and select the file you want to restore to the appliance.

2 Select the backup file’s destination. Choices include Local File, URL, SCP (Secure Copy), and FTP (File Transfer Protocol).

Your selection determines what fields display below the chosen file.

• For Local File, browse the hard drive to locate the file.

If you want the file you’re downloading to the appliance to have a new name, enter it here.

• For URL, enter the image file’s URL after http://, ending with the filename.

• For SCP (Secure Copy), enter the data necessary to download the file from the SCP server to the appliance.

Here, we’ll use the example of renaming and restoring the file, testfile, from the following location:

scp <UserName>@180.6.7.243:/home/<UserName>/work/configfiles/testfile

The full pathname includes the drive (if required), starting or root directory, and all relevant subdirectories.

• For FTP (File Transfer Protocol), enter the data necessary to restore the file from the FTP server.

Here, we’ll use the example of loading the file, testfile, from Roger’s directory on an FTP server. In the process, we’ll rename it to newfilename.

[Figure callouts:]

• You can rename the file when you retrieve it.

• Initial slashes (/) are required for full path. End slashes are not.

• You can rename the file when you retrieve it.

• No slash necessary before the directory name.

A relative path is a path relative to the current working directory. It begins without a forward slash.

For example, if the ftp login directory is /home/<UserName>/, then the relative path would begin at the next subdirectory, as in, work/configfiles/. The end slash isn’t required, but is accepted.

3 Click Load. The Appliance Manager displays the progress.

Testing Network Connectivity

The Appliance Manager enables you to test network connectivity, using three commands: ping, traceroute, and tcpdump.

• There can only be one connectivity test session per appliance at any time, regardless of which command you’re using.

• Click Stop to terminate a test.

• If you log in to an appliance while a testing session is in progress, only the Abort button is accessible. Otherwise, that button is not visible.

To run a Network Connectivity test

1 From the Maintenance menu, select ping/traceroute/tcpdump. The Maintenance - ping/traceroute/tcpdump page appears.

[Figure: Maintenance - ping/traceroute/tcpdump page. Callouts:]

• After a test has begun, this area displays its status and start/end times.

• The ping and traceroute tests provide an IP/Hostname field.

• The tcpdump test displays a File Name field instead, and automatically enters a name in the format, tcpdump_<hostname>. After running a tcpdump test, you can locate the captured results on the Administration - Debug Files page, via the TCP Dump Result link. You can download the resulting file to your PC for viewing and analyzing via Wireshark® or Ethereal®.

• When a test begins, Start changes to Stop. Use as needed.

• To view the arguments that the selected command can take.

• Abort allows a user with admin privileges to terminate another user’s connectivity test session. It’s available whenever there’s a session in progress.

2 Complete the fields as follows:

a From the Type field, click to select the test you want.

b If the IP / Hostname field is present, enter the IP address or hostname of the destination device. If the File Name field displays, its field is populated by a default name.

c In the Option field, enter the command option you want. For example, for ping, you could enter -c 3 to stop after sending three ECHO_REQUEST packets. For available arguments, click Help.

Options for each command are listed after these steps.

3 Click Start. The Network Connectivity Result area displays intermediate results every few seconds.

To stop the test and see the complete results, click Stop. For example:

[Figures: example results for ping, traceroute, and tcpdump]

[Figure callouts for tcpdump:]

• The Option field populates with -n by default. This flag results in tcpdump not trying to resolve IP addresses, so that the process doesn’t try to perform a DNS lookup on every new IP address it encounters.

• Access this file on the Administration - Debug Files page, under the TCP Dump Result link.

Using ping

Use the ping command to send Internet Control Message Protocol (ICMP) echo requests to a specified host.

By default, the ping command uses the mgmt0 interface. If you want to ping out of datapath interfaces, use the -I option with the local appliance IP address. For example:

ping -I <local appliance IP> — sends the ping out a datapath interface

The following ping options are supported:

Option Explanation

-A Adaptive ping. Interpacket interval adapts to round-trip time, so that effectively no more than one (or more, if preload is set) unanswered probe is present in the network. The minimal interval is 200 msec if not super-user. On networks with low RTT this mode is essentially equivalent to flood mode.

-b Allow pinging a broadcast address.

-B Do not allow ping to change source address of probes. The address is bound to one selected when ping starts.

-c count: Stop after sending count ECHO_REQUEST packets. With the deadline option, ping waits for count ECHO_REPLY packets, until the timeout expires.

-d Set the SO_DEBUG option on the socket being used. Essentially, this socket option is not used by the Linux kernel.

-F flow label: Allocate and set a 20-bit flow label on echo request packets. (Only ping6). If the value is zero, the kernel allocates a random flow label.

-i interval: Wait interval seconds between sending each packet. The default is to wait for one second between each packet normally, or not to wait in flood mode. Only the super-user may set interval to values less than 0.2 seconds.

-I interface address: Set source address to specified interface address. Argument may be numeric IP address or name of device. When pinging IPv6 link-local address this option is required.

-l preload: If preload is specified, ping sends that many packets not waiting for reply. Only the super-user may select preload more than 3.

-L Suppress loopback of multicast packets. This flag only applies if the ping destination is a multicast address.

-M MTU discovery hint: Select Path MTU Discovery strategy. hint may be either do (prohibit fragmentation, even local one), want (do PMTU discovery, fragment locally when packet size is large), or dont (do not set DF flag).

-n Numeric output only. No attempt will be made to look up symbolic names for host addresses.

When you click the Help button, the following displays in the Network Connectivity Result area.

Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline] [-p pattern] [-s packetsize] [-t ttl] [-I interface or address] [-M mtu discovery hint] [-S sndbuf] [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

-p pattern: You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.

-Q tos: Set Quality of Service -related bits in ICMP datagrams. tos can be either decimal or hex number.

Traditionally (RFC1349), these have been interpreted as: 0 for reserved (currently being redefined as congestion control), 1-4 for Type of Service and 5-7 for Precedence.

Possible settings for Type of Service are: minimal cost: 0x02, reliability: 0x04, throughput: 0x08, low delay: 0x10.

Multiple TOS bits should not be set simultaneously.

Possible settings for special Precedence range from priority (0x20) to net control (0xe0). You must be root (CAP_NET_ADMIN capability) to use Critical or higher precedence value. You cannot set bit 0x01 (reserved) unless ECN has been enabled in the kernel.

In RFC2474, these fields have been redefined as 8-bit Differentiated Services (DS), consisting of: bits 0-1 of separate data (ECN will be used, here), and bits 2-7 of Differentiated Services Codepoint (DSCP).

-q Quiet output. Nothing is displayed except the summary lines at startup time and when finished.

-R Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option.

-r Bypass the normal routing tables and send directly to a host on an attached interface. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it provided the option -I is also used.

-s packetsize: Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

-S sndbuf: Set socket sndbuf. If not specified, it is selected to buffer not more than one packet.

-t ttl: Set the IP Time to Live.

-T timestamp option: Set special IP timestamp options. timestamp option may be either tsonly (only timestamps), tsandaddr (timestamps and addresses) or tsprespec host1 [host2 [host3 [host4]]] (timestamp prespecified hops).

-U Print full user-to-user latency (the old behavior). Normally ping prints network round trip time, which can be different, for example, due to DNS failures.

-v Verbose output.

-V Show version and exit.

-w deadline: Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received. In this case ping does not stop after count packets are sent; it waits either for the deadline to expire, or until count probes are answered, or for some error notification from the network.

Using traceroute

Use the traceroute command to trace the route that packets take to a destination.

The following traceroute options are supported:

Option Explanation

-d Enable socket level debugging.

-f Set the initial time-to-live used in the first outgoing probe packet.

-F Set the “don’t fragment” bit.

-g Specify a loose source route gateway (8 maximum).

-i Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host. (See the -s flag for another way to do this.)

-I Use ICMP ECHO instead of UDP datagrams.

-m Set the max time-to-live (max number of hops) used in outgoing probe packets. The default is 30 hops (the same default used for TCP connections).

-n Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).

-p Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is listening on a port in the default range, this option can be used to pick an unused port range.

-q nqueries

-r Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it (for example, after the interface was dropped by routed (8C)).

-s Use the following IP address (which usually is given as an IP number, not a hostname) as the source address in outgoing probe packets. On multi-homed hosts (those with more than one IP address), this option can be used to force the source address to be something other than the IP address of the interface the probe packet is sent on. If the IP address is not one of this machine’s interface addresses, an error is returned and nothing is sent. (See the -i flag for another way to do this.)

-t Set the type-of-service in probe packets to the following value (default zero). The value must be a decimal integer in the range 0 to 255. This option can be used to see if different types-of-service result in different paths. (If you are not running 4.4bsd, this may be academic since the normal network services like telnet and ftp don’t let you control the TOS). Not all values of TOS are legal or meaningful - see the IP spec for definitions. Useful values are probably “-t 16” (low delay) and “-t 8” (high throughput). If TOS value is changed by intermediate routers, (TOS=<value>!) will be printed once: value is the decimal value of the changed TOS byte.

-v Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.

-w Set the time (in seconds) to wait for a response to a probe (default 5 sec.).

-x Toggle ip checksums. Normally, this prevents traceroute from calculating ip checksums. In some cases, the operating system can overwrite parts of the outgoing packet but not recalculate the checksum (so in some cases the default is to not calculate checksums and using -x causes them to be calculated). Note that checksums are usually required for the last hop when using ICMP ECHO probes (-I). So they are always calculated when using ICMP.

-z Set the time (in milliseconds) to pause between probes (default 0). Some systems such as Solaris and routers such as Ciscos rate limit icmp messages. A good value to use with this is 500 (e.g. 1/2 second).
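The -Q option of ping and the -t option of traceroute both take a raw TOS byte, which the ping table reads two ways (RFC1349 precedence and TOS bits, or RFC2474 DSCP and ECN). The following added example, which is not part of the Silver Peak guide, decodes a value both ways and flags the restrictions the tables state; the function names are hypothetical and the intermediate precedence names are taken from RFC 791.

```python
# Added example: decode the byte passed to `ping -Q` or `traceroute -t`.
# Function and constant names are hypothetical (not from the guide).

# RFC1349 Type of Service bits, with the values listed for ping -Q.
TOS_BITS = {
    0x02: "minimal cost",
    0x04: "reliability",
    0x08: "throughput",
    0x10: "low delay",
}

# Precedence names indexed by the top three bits (0x20 = priority ... 0xe0 = net control).
# The names between "priority" and "net control" come from RFC 791.
PRECEDENCE = [
    "routine", "priority", "immediate", "flash",
    "flash override", "critical", "internetwork control", "net control",
]

CRITICAL = 5  # Critical or higher precedence needs root (CAP_NET_ADMIN)


def parse_tos(text):
    """Accept a decimal or 0x-prefixed hex string and return the TOS byte."""
    value = int(text, 0)
    if not 0 <= value <= 0xFF:
        raise ValueError("TOS value must fit in one byte: %r" % (text,))
    return value


def decode_tos(text):
    """Return both interpretations of a TOS byte plus any warnings."""
    value = parse_tos(text)
    precedence = value >> 5
    tos_names = [TOS_BITS[bit] for bit in sorted(TOS_BITS) if value & bit]

    warnings = []
    if len(tos_names) > 1:
        warnings.append("multiple TOS bits set")
    if precedence >= CRITICAL:
        warnings.append(
            "precedence '%s' needs root (CAP_NET_ADMIN)" % PRECEDENCE[precedence]
        )
    if value & 0x01:
        warnings.append("reserved bit 0x01 set; needs ECN enabled in the kernel")

    return {
        "value": value,
        "rfc1349": {
            "precedence": PRECEDENCE[precedence],
            "tos": tos_names,
            "reserved": value & 0x01,
        },
        "rfc2474": {"dscp": value >> 2, "ecn": value & 0x03},
        "warnings": warnings,
    }


if __name__ == "__main__":
    # 16 and 8 are the traceroute -t values named in the table above;
    # 0xb8 is a constructed value showing how one byte reads under each RFC.
    for arg in ("16", "8", "0xb8", "0x01"):
        result = decode_tos(arg)
        print(arg, result["rfc1349"], result["rfc2474"], result["warnings"])
```

A value such as 0xb8 shows why the two readings matter: it is a single DSCP under RFC2474, but under RFC1349 it reads as Critical precedence with two TOS bits set.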

Using tcpdump

Use the tcpdump command to display packets on a network.

For example, to capture 100 packets on the wan0 interface, use the command, -n -i wan0 -c 100.
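The -s option in the table below limits how many bytes of each packet tcpdump keeps (68 by default), so a capture downloaded for analysis can contain truncated packets. The following added example, which is not part of the Silver Peak guide, parses a savefile and counts them; it assumes the downloaded file is in the classic libpcap format, its function names are hypothetical, and the sample capture is constructed.

```python
# Added example: report how much of a tcpdump savefile was cut off by snaplen.
# Assumes the classic libpcap file format (24-byte global header followed by
# 16-byte per-packet headers). Function names are hypothetical.
import struct

# First four bytes of the file -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def summarize_capture(blob):
    """Return snaplen, link type, and truncation counts for a pcap byte string."""
    if len(blob) < 24 or blob[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap savefile")
    order = PCAP_MAGICS[blob[:4]]
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", blob[4:24]
    )

    offset = 24
    packets = truncated = missing_bytes = 0
    while offset < len(blob):
        if len(blob) - offset < 16:
            raise ValueError("record header cut short at offset %d" % offset)
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", blob[offset:offset + 16]
        )
        offset += 16
        if incl_len > len(blob) - offset:
            raise ValueError("packet data cut short at offset %d" % offset)
        offset += incl_len
        packets += 1
        # incl_len is what was saved; orig_len is the size on the wire.
        if incl_len < orig_len:
            truncated += 1
            missing_bytes += orig_len - incl_len

    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
        "missing_bytes": missing_bytes,
    }


def build_sample_capture(snaplen=68, wire_lengths=(60, 342, 1514)):
    """Constructed sample: three packets saved at the given snaplen."""
    # Link type 1 is Ethernet; version 2.4 is the classic pcap format version.
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for index, orig_len in enumerate(wire_lengths):
        incl_len = min(orig_len, snaplen)
        blob += struct.pack("<IIII", 1700000000 + index, 0, incl_len, orig_len)
        blob += bytes(incl_len)  # zero-filled payload, contents do not matter here
    return blob


if __name__ == "__main__":
    print(summarize_capture(build_sample_capture()))
    print(summarize_capture(build_sample_capture(snaplen=1514)))
```

To check a real capture, read the downloaded file in binary mode and pass its bytes to summarize_capture.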

The following tcpdump options are supported:

Option Explanation

-A Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.

-c Exit after receiving count packets.

-C Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd Dump packet-matching code as a C program fragment.

-ddd Dump packet-matching code as decimal numbers (preceded with a count).

-D Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.

This can be useful on systems that don’t have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.

The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs() function.

-e Print the link-level header on each dump line.

-E Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation.

Note that setting the secret for IPv4 ESP packets is supported at this time.

Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.

secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.

The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a true ‘secret’ key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1) and other occasions.

In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up.

-f Print ‘foreign’ IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun’s NIS server - usually it hangs forever translating non-local internet numbers).

The test for ‘foreign’ IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done. If that address or netmask are not available either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux “any” interface, which can capture on more than one interface, this option will not work correctly.

-F Use file as input for the filter expression. An additional expression given on the command line is ignored.

-i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

On Linux systems with 2.2 or later kernels, an interface argument of “any” can be used to capture packets from all interfaces. Note that captures on the “any” device will not be done in promiscuous mode.

If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument.

-l Make stdout line buffered. Useful if you want to see the data while capturing it. For example, tcpdump -l | tee dat or tcpdump -l > dat & tail -f dat

-L List the known data link types for the interface and exit.

-m Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.

-M Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.

-n Don’t convert host addresses to names. This can be used to avoid DNS lookups.

-nn Don’t convert protocol and port numbers etc. to names either.

-N Don’t print domain name qualification of host names. For example, if you give this flag then tcpdump will print nic instead of nic.ddn.mil.

-O Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p Don’t put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used as an abbreviation for ‘ether host {local-hw-addr} or ether broadcast’.

-q Quick output. Print less protocol information so output lines are shorter.

-R Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829). If specified, tcpdump will not print replay prevention field. Since there is no protocol version field in ESP/AH specification, tcpdump cannot deduce the version of ESP/AH protocol.

-r Read packets from file (which was created with the -w option). Standard input is used if file is “-”.

-S Print absolute, rather than relative, TCP sequence numbers.

-s Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS’s NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets. Packets truncated because of a limited snapshot are indicated in the output with [|proto], where proto is the name of the protocol level at which the truncation has occurred.

Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you’re interested in. Setting snaplen to 0 means use the required length to catch whole packets.

-t Don’t print a timestamp on each dump line.

-tt Print an unformatted timestamp on each dump line.

-ttt Print a delta (in micro-seconds) between current and previous line on each dump line.

-tttt Print a timestamp in default format preceded by date on each dump line.

-T Force packets selected by “expression” to be interpreted as the specified type. Currently known types are:

aodv Ad-hoc On-demand Distance Vector protocol
cnfp Cisco NetFlow protocol
rpc Remote Procedure Call
rtp Real-Time Applications protocol
rtcp Real-Time Applications control protocol
snmp Simple Network Management Protocol
tftp Trivial File Transfer Protocol
vat Visual Audio Tool
wb distributed White Board

-u Print undecoded NFS handles.

-U Make output saved via the -w option “packet-buffered”; that is, as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.

The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.

-v When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.


-vv Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv Even more verbose output. For example, telnet SB... SE options are printed in full. With -X Telnet options are printed in hex as well.

-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is “-”.

-W Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a ‘rotating’ buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.

-x Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-xx Print each packet, including its link level header, in hex.

-X Print each packet (minus its link level header) in hex and ASCII. This is very handy for analyzing new protocols.

-XX Print each packet, including its link level header, in hex and ASCII.

-y Set the data link type to use while capturing packets to datalinktype.

-Z Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.

This behavior can also be enabled by default at compile time.


To retrieve tcpdump results

1 From the Administration menu, select Debug Files. The Administration - Debug Files page appears.

2 In the File Management area, click TCP Dump Result. Any saved tcpdump files display.


3 To access the tcpdump file, click on its name link. The Administration - Debug Files - Save File page appears.

4 Select whether you want to save the file to your PC, an SCP server, or an FTP server, and click Save.

5 Complete the fields for the method you’ve chosen.


Erasing Network Memory

The Maintenance - Erase Network Memory page is useful in lab and evaluation environments, when you need first-pass numbers to establish a baseline before Network Memory is applied.

You can use this page to clear Network Memory, without having to reboot.


Restarting the Appliance

This section describes the types of reboots available for restarting the appliance, the possible reasons for choosing a particular method, and the consequences of each.

Some physical appliance models (NX) enter a hardware bypass state when rebooting. This allows traffic to pass, but without the benefits of compression, acceleration, or Network Memory™.

Virtual appliances, and the remaining physical appliances, do not process or pass traffic while rebooting.

To restart the appliance

1 From the Maintenance menu, select Restart System.

2 Click the type of reboot you want. The appliance asks you to confirm your decision.

3 Click Yes. The appliance reboots.

Restart Type | What it does... | You might need to use it if...

Reboot | Reboots the appliance gracefully. This is your typical, “vanilla” restart. | • You’re changing the deployment mode and other configuration parameters that require a reboot.

Reboot Clean | Reboots the appliance and cleans out the Network Memory™. | • You need to restart the appliance with clean Network Memory™ data.

Shutdown | Shuts down the appliance and turns the power off. To restart, you’ll need to go to the appliance and physically turn the power on with the power switch. | • You’re decommissioning the appliance. • You need to physically move the appliance to another location. • You need to recable the appliance for another type of deployment.


CHAPTER 12

Monitoring Alarms

This chapter describes alarm categories and definitions. It also describes how to view and handle alarm notifications.

In This Chapter

• Understanding Alarms

• Types of Alarms


Understanding Alarms

This section defines the four alarm severity categories and lists all Silver Peak appliance alarms.

The Alarms - Current Alarms page lists alarm conditions on the appliance. Each entry represents one current condition that may require human intervention. Because alarms are conditions, they may come and go without management involvement.

Whereas merely acknowledging most alarms does not clear them, some alarm conditions are set up to be self-clearing when you acknowledge them. For example, if you remove a hard disk drive, it generates an alarm; once you’ve replaced it and it has finished rebuilding itself, the alarm clears.

Categories of Alarms

The Appliance Manager categorizes alarms at four preconfigured severity levels: Critical, Major, Minor, and Warning.

Critical and Major alarms are both service-affecting. Critical alarms require immediate attention, and reflect conditions that affect an appliance or the loss of a broad category of service.

Major alarms, while also service-affecting, are less severe than Critical alarms. They reflect conditions which should be addressed in the next 24 hours. An example would be an unexpected traffic class error.

Minor alarms are not service-affecting, and you can address them at your convenience. An example of a minor alarm would be a user not having changed their account’s default password, or a degraded disk.

Warnings are also not service-affecting, and warn you of conditions that may become problems over time. An example is a software version mismatch.


Types of Alarms

The appliance can raise alarms based on issues with tunnels, software, equipment, and Threshold Crossing Alerts (TCAs). The latter are visible on the appliance but managed by the GMS (Global Management System).

Although Appliance Manager doesn’t display Alarm Type ID (Hex) codes, the data is available for applications that can do their own filtering, such as SNMP.

Table 12-1 Silver Peak Appliance Alarms

Subsystem | Alarm Type ID (Hex) | Alarm Severity | Alarm Text

Tunnel 00010003 CRITICAL Tunnel keepalive version mismatch

RESOLUTION: Tunnel peers are running incompatible software versions.

• Normal during a software upgrade.

• Run the same or compatible software releases among the tunnel peers.

00010001 CRITICAL Tunnel state is Down

RESOLUTION: Cannot reach tunnel peer.

• Check tunnel configuration [Admin state, Source IP/Dest IP, IPsec]

• Check network connectivity.

00010009 CRITICAL An unexpected GRE packet was detected from tunnel peer.

RESOLUTION: Check for tunnel encapsulation mismatch.

00010007 MAJOR Duplicate license detected in peer (only applies to virtual appliance)

RESOLUTION: Install unique license on all virtual appliances. To check and/or change license:

• In GMS: Initial Configuration page at Configuration > System (Single Appliance)

• In WebUI: Configuration - System page

00010000 MAJOR Tunnel remote ID is misconfigured

RESOLUTION: System ID is not unique.

• Virtual Appliance: Was the same license key used?

• Physical Appliance: Change System ID in the rare case of a duplicate ID (CLI command: system id < >)

0001000a MAJOR Software version mismatch between peers results in reduced functionality.

RESOLUTION: Upgrade all connected appliances for full optimization.

00010005 MINOR Tunnel software version mismatch

RESOLUTION: Tunnel peers are not running the same release of software. They will function, but with reduced functionality.

• Normal during an upgrade.

• Run the same software version to eliminate the alarm and fully optimize.


Software 00040003 CRITICAL The licensing for this virtual appliance has expired. [For VX series only] (see note a)

RESOLUTION: Enter a new license.

00040004 CRITICAL There is no license installed on this virtual appliance. [For VX series only] (see note a)

RESOLUTION: Enter a valid license.

0004000c CRITICAL Invalid virtual appliance license.

RESOLUTION: Enter a new license key on the <System Page> to proceed.

0004000a MAJOR Virtual appliance license expires on mm/dd/yyy. [15-day warning]

RESOLUTION: Enter a new license key on the <System Page> to avoid loss of optimization or potential traffic disruption.

00040005 MAJOR A disk self-test has been run on the appliance.

RESOLUTION: Reboot the appliance. Traffic will not be optimized until this is performed.

00040002 MAJOR Significant change in time of day has occurred, and might compromise statistics. Please contact TAC.

RESOLUTION: Appliance statistics could be missing for a substantial period of time. Contact Customer Service.

00040001 MAJOR System is low on resources

RESOLUTION: Contact Customer Service.

0004000d MAJOR Dual wan-next-hop topology is no longer supported.

RESOLUTION: Create an additional bridge and use previous second WAN next-hop as its WAN next-hop. NOTE: Second Silver Peak requires another IP address that is in the same network as the first bridge.

00040010 MAJOR Major inconsistency among tunnel traffic class settings found during upgrade.

RESOLUTION: New QoS traffic class/Queue configuration has changed from a tunnel-based QoS system to one based on the system/WAN interface. Automatic mapping of existing tunnel traffic class configuration to new QoS Shaper traffic has failed. Check QoS Shaper configuration and adjust Traffic Class settings as necessary.

00040011 MAJOR Tunnel IP header disable setting was discarded during upgrade.

RESOLUTION: IP Header configuration has moved from tunnel context to the Optimization Policy. Use Optimization Policy to disable IP Header compression.

0004000b WARNING Virtual appliance license expires on mm/dd/yyy. [45-day warning]

RESOLUTION: Enter a new license key on the <System Page> to avoid loss of optimization or potential traffic disruption.


00040007 WARNING The SSL certificate is not yet valid.

RESOLUTION: The SSL certificate has a future start date. It will correct itself when the future date becomes current. Otherwise, install a certificate that is current.

00040008 WARNING The SSL certificate has expired.

RESOLUTION: Reinstall a valid SSL certificate that is current.

00040009 WARNING The NTP server is unreachable.

RESOLUTION: Check the appliance’s NTP server IP and version configuration:

• Can the appliance reach the NTP server?

• Is UDP port 123 open between the appliance’s mgmt0 IP and the NTP server?

00040006 WARNING The SSL private key is invalid.

RESOLUTION: The key is not an RSA standard key that meets the minimum requirement of 1024 bits. Regenerate a key that meets this minimum requirement.

0004000e WARNING Setting default system next-hop to VLAN next-hop no longer necessary.

RESOLUTION: No action required. Current system is capable of using multiple WAN next-hops. It routes tunnel traffic to tunnel’s source IP interface’s WAN next-hop.

0004000f WARNING Minor inconsistency among tunnel traffic class settings found during upgrade.

RESOLUTION: New QoS traffic class/Queue configuration has changed from a tunnel-based QoS system to one based on the system/WAN interface. Automatic mapping of existing tunnel traffic class configuration to new QoS Shaper traffic has failed. Check QoS Shaper configuration and adjust Traffic Class settings as necessary.

00040012 WARNING A very large range has been configured for a local subnet.

RESOLUTION: Subnet sharing/advertisement module has detected a network mask of less than 8 bits. Verify your configured subnets in the Configuration > Subnets page.

Equipment 00030007 CRITICAL Encryption card hardware failure

RESOLUTION: Contact Customer Service.

00030003 CRITICAL Fan failure detected

RESOLUTION: Contact Customer Service.

00030024 CRITICAL Insufficient configured memory size for this virtual appliance

RESOLUTION: Assign more memory to the virtual machine, and restart the appliance. Traffic will not be optimized until this is resolved.

00030025 CRITICAL Insufficient configured processor count for this virtual appliance

RESOLUTION: Assign more processors to the virtual machine, and restart the appliance. Traffic will not be optimized until this is resolved.


00030026 CRITICAL Insufficient configured disk storage for this virtual appliance

RESOLUTION: Assign more storage to the virtual machine, and restart the appliance. Traffic will not be optimized until this is resolved.

00030005 CRITICAL LAN/WAN fail-to-wire card failure

RESOLUTION: Contact Customer Service.

00030021 CRITICAL NIC interface failure

RESOLUTION: Contact Customer Service.

00030004 CRITICAL System is in Bypass mode

RESOLUTION: Normal with factory default configuration, during reboot, and if user has put the appliance in Bypass mode. Contact Customer Service if the condition persists.

0003001d MAJOR Bonding members have different speed/duplex

RESOLUTION: Check interface speed/duplex settings and negotiated values on wan0/wan1 and lan0/lan1 etherchannel groups.

0003001c MAJOR [Flow redirection] cluster peer is down

RESOLUTION:

• Check flow redirection configuration on all applicable appliances.

• Check L3/L4 connectivity between the peers.

• Open TCP and UDP ports 4164 between the cluster peer IPs if they are blocked.

00030017 MAJOR Disk removed by operator

RESOLUTION: Normal during disk replacement. Insert disk using UI/GMS. Contact Customer Service if insertion fails.

00030001 MAJOR Disk is failed

RESOLUTION: Contact Customer Service to replace disk.

00030015 MAJOR Disk is not in service

RESOLUTION:

• Check to see if the disk is properly seated.

• Contact Customer Service for further assistance.

0003000b MAJOR Interface is half duplex

RESOLUTION: Check speed/duplex settings on the router/switch port.

0003000c MAJOR Interface speed is 10 Mbps

RESOLUTION:

• Check speed/duplex settings.

• Use a 100/1000 Mbps port on the router/switch.


00030022 MAJOR LAN next-hop unreachable (see note b)

RESOLUTION: Check appliance configuration:

• LAN–side next-hop IP

• Appliance IP / Mask

• VLAN IP / Mask

• VLAN ID

0003001a MAJOR LAN/WAN interface has been shut down due to link propagation of paired interface

RESOLUTION: Check cables and connectivity. For example, if lan0 is shut down, check why wan0 is down. Applicable only to in-line (bridge) mode.

00030018 MAJOR LAN/WAN interfaces have different admin states

RESOLUTION: Check interface admin configuration for lan0/wan0 (and lan1/wan1). Applicable only to in-line mode.

00030019 MAJOR LAN/WAN interfaces have different link carrier states

RESOLUTION: Check interface configured speed settings and current values (lan0/wan0, lan1/wan1). Applicable only to in-line mode.

0003000a MAJOR Management interface link down

RESOLUTION:

• Check cables.

• Check interface admin status on the router.

00030009 MAJOR Network interface link down

RESOLUTION: Is the system in Bypass mode?

• Check cables.

• Check interface admin status on the router.

00030020 MAJOR Power supply not connected, not powered, or failed

RESOLUTION:

• Connect to a power outlet.

• Check power cable connectivity.

00030023 MAJOR Unexpected system restart

RESOLUTION: Power issues? Was the appliance shut down ungracefully? Contact Customer Service if the shutdown was not planned.

00030012 MAJOR VRRP instance is down

RESOLUTION: Check the interface. Is the link down?

00030014 MAJOR WAN next-hop router discovered on a LAN port (box is in backwards)

RESOLUTION:

• Check WAN next-hop IP address.

• Check lan0 and wan0 cabling (in-line mode only).

• If it cannot be resolved, call Customer Service.


00030011 MAJOR WAN next-hop unreachable (see note b)

RESOLUTION:

• Check cables on Silver Peak appliance and router.

• Check IP/mask on Silver Peak appliance and router. Next-hop should be only a single IP hop away.

• To troubleshoot, use: show cdp neighbor, show arp, and ping -I <appliance IP> <next-hop IP>.

0003001e MAJOR WCCP adjacency(ies) down

RESOLUTION: Cannot establish WCCP neighbor:

• Check WCCP configuration on appliance and router.

• Verify reachability.

• Enable debugging on router: debug ip wccp packet

0003001f MAJOR WCCP assignment table mismatch

RESOLUTION: Check WCCP mask/hash assignment configuration on all Silver Peak appliances and ensure that they match.

00030002 MINOR Disk is degraded

RESOLUTION: Wait for disk to recover. If it does not recover, contact Customer Service.

00030016 MINOR Disk is rebuilding

RESOLUTION: Normal. If rebuilding is unsuccessful, contact Customer Service.

0003001b MINOR Disk SMART threshold exceeded

RESOLUTION: Contact Customer Service to replace disk.

00030008 WARNING Network interface admin down

RESOLUTION: Check Silver Peak interface configuration.

00030013 WARNING VRRP state changed from Master to Backup

RESOLUTION: VRRP state has changed from Master to Backup.

• Check VRRP Master for uptime.

• Check VRRP Master for connectivity.

Threshold Crossing Alerts (TCAs)

00050001 WARNING The average WAN–side transmit throughput of X Mbps over the last minute [exceeded, fell below] the threshold of Y Mbps

RESOLUTION: User configured. Check bandwidth reports for tunnel bandwidth.

00050002 WARNING The average LAN–side receive throughput of X Mbps over the last minute [exceeded, fell below] the threshold of Y Mbps

RESOLUTION: User configured. Check bandwidth reports.


00050003 WARNING The total number of X optimized flows at the end of the last minute [exceeded, fell below] the threshold of Y

RESOLUTION: User configured. Check flow and real-time connection reports.

00050004 WARNING The total number of X flows at the end of the last minute [exceeded, fell below] the threshold of Y

RESOLUTION: User configured. Check flow and real-time connection reports.

00050005 WARNING The file system utilization of X% at the end of the last minute [exceeded, fell below] the threshold of Y

RESOLUTION: Contact Customer Service.

00050006 WARNING The peak latency of X during the last minute [exceeded, fell below] the threshold of Y

RESOLUTION: User configured.

• Check Latency Reports. If latency is too high, check routing between the appliances and QoS policy on upstream routers.

• Check tunnel DSCP marking. If latency persists, contact ISP and Silver Peak support.

00050007 WARNING The average pre-FEC loss of X% over the last minute [exceeded, fell below] the threshold of Y%

RESOLUTION: User configured.

• Check Loss Reports.

• Check for loss between Silver Peak appliances (interface counters on upstream routers).

• Use network bandwidth measurement tools such as iperf to measure loss.

• Contact ISP (Internet Service Provider).

00050008 WARNING The average post-FEC loss of X% over the last minute [exceeded, fell below] the threshold of Y%

RESOLUTION: User configured.

• Check Loss Reports.

• Check for loss between Silver Peak appliances (interface counters on upstream routers).

• Use network bandwidth measurement tools such as iperf to measure loss.

• Enable/Adjust Silver Peak Forward Error Correction (FEC).

• Contact ISP (Internet Service Provider).

00050009 WARNING The average pre-POC out-of-order packets of X% over the last minute [exceeded, fell below] the threshold of Y%

RESOLUTION: User configured.

• Check Out-of-Order Packets Reports.

Normal in a network with multiple paths and different QoS queues.

Normal in a dual-homed router or 4-port in-line [bridge] configuration.

• Contact Customer Service if out-of-order packets are not 100% corrected.


0005000a WARNING The average post-POC out-of-order packets of X% over the last minute [exceeded, fell below] the threshold of Y%

RESOLUTION: User configured.

• Check Out-of-Order Packets Reports.

Normal in a network with multiple paths and different QoS queues.

Normal in a dual-homed router or 4-port in-line [bridge] configuration.

• Contact Customer Service if out-of-order packets are not 100% corrected.

0005000b WARNING The average tunnel utilization of X% over the last minute [exceeded, fell below] the threshold of Y%

RESOLUTION: User configured.

Check bandwidth reports for tunnel bandwidth utilization.

0005000c WARNING The average tunnel reduction of X% over the last minute [exceeded, fell below] the threshold of Y%

RESOLUTION: User configured.

• Check bandwidth reports for deduplication.

• Check if the traffic is pre-compressed or encrypted.

0005000d WARNING The total number of flows <num-of-flows> is approaching the capacity of this appliance. Once the capacity is exceeded, new flows will be <dropped|bypassed>.

RESOLUTION: If this condition persists, a larger appliance will be necessary to fully optimize all flows.

a. The VX appliances are a family of virtual appliances, comprised of the VX-n000 software, an appropriately paired hypervisor and server, and a valid software license.

b. If there is either a LAN Next-Hop Unreachable or WAN Next-Hop Unreachable alarm, resolve the alarm(s) immediately by configuring the gateway(s) to respond to ICMP pings from the Silver Peak appliance IP Address.
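The filtering that the guide leaves to external applications can look like the following added example, which is not Silver Peak code. It ranks alarm type IDs using the severity categories and a subset of Table 12-1. It assumes the upper 16 bits of an ID identify the subsystem (inferred from the table, not documented in the guide), and the input list and the ID 00030099 are constructed.

```python
"""Triage alarm type IDs from Table 12-1 (added example, not Silver Peak code)."""
import re

# Upper 16 bits of each ID as they appear in Table 12-1.
# Assumption: this grouping is inferred from the table; the guide does not
# document the ID layout.
SUBSYSTEM_BY_PREFIX = {
    0x0001: "Tunnel",
    0x0003: "Equipment",
    0x0004: "Software",
    0x0005: "Threshold Crossing Alert",
}

# Handling guidance from "Categories of Alarms"; a lower rank sorts first.
SEVERITY = {
    "CRITICAL": (0, "service-affecting; immediate attention"),
    "MAJOR": (1, "service-affecting; address in the next 24 hours"),
    "MINOR": (2, "not service-affecting; address at your convenience"),
    "WARNING": (3, "not service-affecting; may become a problem over time"),
}
SERVICE_AFFECTING = {"CRITICAL", "MAJOR"}

# Subset of Table 12-1: type ID -> (severity, alarm text).
ALARM_TABLE = {
    0x00010001: ("CRITICAL", "Tunnel state is Down"),
    0x00030004: ("CRITICAL", "System is in Bypass mode"),
    0x00030011: ("MAJOR", "WAN next-hop unreachable"),
    0x00040001: ("MAJOR", "System is low on resources"),
    0x00030002: ("MINOR", "Disk is degraded"),
    0x0003001B: ("MINOR", "Disk SMART threshold exceeded"),
    0x00040008: ("WARNING", "The SSL certificate has expired."),
    0x00040009: ("WARNING", "The NTP server is unreachable."),
    0x0005000D: ("WARNING", "Total number of flows is approaching capacity"),
}

_TYPE_ID = re.compile(r"(?:0x)?([0-9a-f]{8})", re.IGNORECASE)


def parse_type_id(text):
    """Return the integer value of an 8-digit hex type ID, or raise ValueError."""
    match = _TYPE_ID.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not an 8-digit hex alarm type ID: {text!r}")
    return int(match.group(1), 16)


def classify(type_id):
    """Describe one alarm type ID; IDs missing from the local table stay visible."""
    severity, text = ALARM_TABLE.get(
        type_id, ("UNKNOWN", "ID not in local copy of Table 12-1")
    )
    _, handling = SEVERITY.get(severity, (-1, "look up the ID before deciding"))
    return {
        "id": f"{type_id:08x}",
        "subsystem": SUBSYSTEM_BY_PREFIX.get(type_id >> 16, "Unknown subsystem"),
        "severity": severity,
        "text": text,
        "handling": handling,
        "service_affecting": severity in SERVICE_AFFECTING,
    }


def triage(raw_ids, service_affecting_only=False):
    """Return (rows sorted most urgent first, inputs that failed to parse)."""
    rows, rejected = [], []
    for raw in raw_ids:
        try:
            rows.append(classify(parse_type_id(raw)))
        except ValueError:
            rejected.append(raw)
    if service_affecting_only:
        # Unknown IDs are kept so that they are reviewed rather than dropped.
        rows = [r for r in rows
                if r["service_affecting"] or r["severity"] == "UNKNOWN"]
    # Unknown severities get rank -1 and therefore sort ahead of CRITICAL.
    rows.sort(key=lambda r: (SEVERITY.get(r["severity"], (-1, ""))[0], r["id"]))
    return rows, rejected


# Constructed sample input: type IDs as an external collector might hand
# them over, with inconsistent formatting, one unlisted ID and one bad value.
SAMPLE_IDS = ["00040009", "0x0003001B", " 00010001 ", "0005000d",
              "00030099", "tunnel-down", "00040001", "00030011"]

if __name__ == "__main__":
    ranked, bad = triage(SAMPLE_IDS)
    for row in ranked:
        print(f'{row["id"]}  {row["severity"]:<8}  {row["subsystem"]:<24}  '
              f'{row["text"]}  [{row["handling"]}]')
    print("rejected input:", bad)
```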


Viewing Current Alarms

Most Silver Peak appliance alarms cannot be cleared by the user. Instead, the appliance generally corrects the alarm condition and clears the alarm by itself.

The alarm summary appears in the banner. You can view current alarms as follows:

[Figure: the alarm summary in the banner and the Alarms - Current Alarms page. Callouts: “To view the Alarms - Current Alarms page, click anywhere in this area... and the Alarms - Current Alarms page displays.” and “For acknowledging alarms”. Message text shown in the figure: “This appliance is in System Bypass. To disable System Bypass: 1. Go to the Configuration - System page. 2. Click to deselect System Bypass. 3. Click Apply.”]

The Alarms - Current Alarms page displays the following information:

Field Definition/Content

Seq No. The sequential number of the alarm, based on the time the alarm was raised.

Date/Time The local date and time at the appliance’s location, specified by a 24-hour clock.

Type The type of alarm:

• Tunnel A tunnel-based alarm

• TC A traffic class-based alarm

• EQU An equipment-based alarm

• SW A code- or software-based alarm


Severity The severity of the alarm, listed here in decreasing order of severity:

• Critical A critical alarm, such as “Tunnel Down”

• Major A major alarm, such as “Disk out of Service”

• Minor A minor alarm, such as “Disk Degraded”

• Warning A warning, such as “Software Process Restart”

• Info For Silver Peak debugging purposes.

These are purely related to alarm severities, not event logging levels, even though some of the naming conventions overlap. Events and alarms have different sources. Alarms, once they clear, list as the ALERT level in the Alarms - Log Viewer page.

Source Refers to the particular subsystem or equipment that is causing the alarm. For example, we can raise the tunnel-based alarm, “Tunnel Down”, where the source would refer to a particular tunnel.

Description A brief description of the alarm.

Recommended Action Describes what action to take and, when appropriate, provides a link to the page where you need to do it.

Clear If a checkbox is accessible, a user can clear the alarm.

To clear the alarm, click the Clear box, and click Apply. Once cleared, the row is removed and the content is viewable in the read-only page, Alarms - Log Viewer.

Ack Select Yes to acknowledge the alarm; select No to remove acknowledgement.


APPENDIX A

Specifications, Compliance, and Regulatory Statements

This appendix contains specifications, as well as compliance and regulatory statements.

In This Appendix

• Model Specifications

• Warning Statements

• Compliance Statements

• What Ports the NX and the GMS Use

• Appliance Views


Model Specifications

This section includes general and model-specific specifications for the Silver Peak appliances:

• Model-specific Specifications

• Fiber Specifications

• NX-Series Specifications

Note To verify the most current VXOA host system requirements, refer to the Quick Start Guides listed in the User Documentation section of http://www.silver-peak.com/Support.

Note To see which hypervisors Silver Peak’s VXOA software currently supports, refer to the Quick Start Guides listed in the User Documentation section of http://www.silver-peak.com/Support.

Model-specific Specifications

Model | NX-700 [PN 200849] | NX-1700 [PN 200404] | NX-1700 [PN 200576]
Capacity: WAN Capacity (All Features) | 2 Mbps | 4 Mbps | 4 Mbps
Capacity: Local Data Store | 1 x 120 GB SSD | 1 x 500 GB HDD | 1 x 500 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RJ-45 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power Requirement | 100–240VAC 50–60Hz, 23 W / 78.5 BTU | 100–240VAC 47–63Hz, 90 W / 307 BTU | 90–240VAC 47–63Hz, 46 W / 157 BTU
Power Supplies | Single | Single | Single
Dimensions and Weight: Height | 1.7 in. (44 mm) | 1.8 in. (45 mm) 1 RU | 1.75 in. (44.4 mm) 1 RU
Dimensions and Weight: Width | 9.4 in. (240 mm) | 17.5 in. (445 mm) | 16.9 in. (430 mm)
Dimensions and Weight: Depth | 6.5 in. (166 mm) | 8.2 in. (209 mm) | 10.9 in. (277 mm)
Dimensions and Weight: Weight | 3.0 lbs (1.4 kg) | 8.5 lbs (3.9 kg) | 8.8 lbs (4.0 kg)


Model | NX-1700 DC [PN 200464] | NX-2600 [PN 200178] | NX-2610 [PN 200193]
Capacity: WAN Capacity (All Features) | 4 Mbps | 4 Mbps | 8 Mbps
Capacity: Local Data Store | 1 x 500 GB HDD | 1 x 250 GB HDD | 2 x 250 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 2 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power Requirement | -31VDC to -72VDC, 86 W / 295 BTU | 100–240VAC 50-60Hz, 145 W / 496 BTU | 100–240VAC 50-60Hz, 165 W / 563 BTU
Power Supplies | Single | Single | Single
Dimensions and Weight: Height | 1.8 in. (45 mm) 1 RU | 1.7 in. (43.5 mm) 1 RU | 1.7 in. (43.5 mm) 1 RU
Dimensions and Weight: Width | 17.5 in. (445 mm) | 16.9 in. (430 mm) | 16.9 in. (430 mm)
Dimensions and Weight: Depth | 8.2 in. (209 mm) | 22.4 in. (569 mm) | 22.4 in. (569 mm)
Dimensions and Weight: Weight | 8.5 lbs (3.9 kg) | 22.0 lbs (10.0 kg) | 24.2 lbs (11.0 kg)

Model | NX-2700 [PN 200401] | NX-2700 [PN 200697] | NX-3600 [PN 200348]
Capacity: WAN Capacity (All Features) | 10 Mbps | 10 Mbps | 20 Mbps
Capacity: Local Data Store | 2 x 500 GB HDD | 2 x 240 GB SSD | 2 x 500 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power Requirement | 100–240VAC 47-63Hz, 285 W / 973 BTU | 100–240VAC 50-60Hz, 94 W / 321 BTU | 100–240VAC 47-63Hz, 250 W / 853 BTU
Power Supplies | 1+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 3.5 in. (89 mm) 2 RU | 1.69 in. (43 mm) 1 RU | 3.5 in. (89 mm) 2 RU
Dimensions and Weight: Width | 16.9 in. (430 mm) | 17.1 in. (434 mm) | 17.0 in. (432 mm)
Dimensions and Weight: Depth | 26 in. (660 mm) | 26.1 in. (663 mm) | 26.0 in. (661 mm)
Dimensions and Weight: Weight | 40.5 lbs (18.4 kg) | 24.0 lbs (10.8 kg) | 41.0 lbs (18.6 kg)


Model | NX-3700 [PN 200400] | NX-3700 [PN 200698] | NX-5600 [PN 200231]
Capacity: WAN Capacity (All Features) | 20 Mbps | 20 Mbps | 50 Mbps
Capacity: Local Data Store | 2 x 500 GB HDD | 2 x 240 GB SSD | 8 x 250 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power Requirement | 100–240VAC 47-63Hz, 305 W / 1041 BTU | 100–240VAC 50-60Hz, 94 W / 321 BTU | 100–240VAC 50-60Hz, 440 W / 1501 BTU
Power Supplies | 1+1 redundant | 1+1 redundant | 2+1 redundant
Dimensions and Weight: Height | 3.5 in. (89 mm) 2 RU | 1.69 in. (43 mm) 1 RU | 5.2 in. (132 mm) 3 RU
Dimensions and Weight: Width | 16.9 in. (430 mm) | 17.1 in. (434 mm) | 17 in. (432 mm)
Dimensions and Weight: Depth | 26 in. (660 mm) | 26.1 in. (663 mm) | 26 in. (659 mm)
Dimensions and Weight: Weight | 40.5 lbs (18.4 kg) | 24.0 lbs (18.4 kg) | 62 lbs (28.1 kg)

Model | NX-5700 [PN 200399] | NX-5700 [PN 200699] | NX-6700 [PN 200828]
Capacity: WAN Capacity (All Features) | 50 Mbps | 50 Mbps | 100 Mbps
Capacity: Local Data Store | 8 x 500 GB HDD | 8 x 240 GB SSD | 8 x 240 GB SSD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power Requirement | 100–240VAC 47-63Hz, 345 W / 1178 BTU | 100–240VAC 50-60Hz, 126 W / 430 BTU | 100–240VAC 50-60Hz, 126 W / 430 BTU
Power Supplies | 1+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 3.5 in. (89 mm) 2 RU | 1.69 in. (43 mm) 1 RU | 1.69 in. (43 mm) 1 RU
Dimensions and Weight: Width | 16.9 in. (430 mm) | 17.1 in. (434 mm) | 17.1 in. (434 mm)
Dimensions and Weight: Depth | 26 in. (660 mm) | 26.1 in. (663 mm) | 26.1 in. (663 mm)
Dimensions and Weight: Weight | 43 lbs (19.6 kg) | 26.0 lbs (11.8 kg) | 26.0 lbs (11.8 kg)

| Category | Specification | NX-7600 [PN 200225] | NX-7700 [PN 200398] | NX-7700 [PN 200702] |
|---|---|---|---|---|
| Capacity | WAN Capacity (All Features) | 155 Mbps | 200 Mbps | 200 Mbps |
| | Local Data Store | 12 x 250 GB HDD | 10 x 500 GB HDD | 8 x 240 GB SSD |
| Connectivity | LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN |
| | Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port |
| | Power Requirement | 100–240VAC 50-60Hz, 580 W / 1979 BTU | 100–240VAC 47-63Hz, 475 W / 1621 BTU | 100–240VAC 50-60Hz, 126 W / 430 BTU |
| | Power Supplies | 2+1 redundant | 1+1 redundant | 1+1 redundant |
| Dimensions and Weight | Height | 5.2 in. (132 mm) 3 RU | 3.5 in. (89 mm) 2 RU | 1.69 in. (43 mm) 1 RU |
| | Width | 17 in. (432 mm) | 16.9 in. (430 mm) | 17.1 in. (434 mm) |
| | Depth | 26 in. (659 mm) | 26 in. (660 mm) | 26.1 in. (663 mm) |
| | Weight | 68 lbs (30.8 kg) | 44 lbs (20 kg) | 26.0 lbs (11.8 kg) |

| Category | Specification | NX-8600 [PN 200181] | NX-8700 [PN 200397] | NX-8700 [PN 200767] |
|---|---|---|---|---|
| Capacity | WAN Capacity (All Features) | 500 Mbps | 622 Mbps | 622 Mbps |
| | Local Data Store | 16 x 500 GB HDD | 10 x 500 GB HDD; 4 x 100 GB SSD | 14 x 240 GB SSD |
| Connectivity | LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN; 2 x 10 Gbps fiber LAN WAN | 4 x 10/100/1000 LAN WAN; 2 x 10 Gbps fiber LAN WAN |
| | Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port |
| | Power Requirement | 100–240VAC 50-60Hz, 650 W / 2218 BTU | 100-240VAC 47–63Hz, 520 W / 1775 BTU | 100–240VAC 50-60Hz, 491 W / 1675 BTU |
| | Power Supplies | 2+1 redundant | 1+1 redundant | 1+1 redundant |
| Dimensions and Weight | Height | 5.2 in. (132 mm) 3 RU | 3.5 in. (89 mm) 2 RU | 3.4 in. (87 mm) 2 RU |
| | Width | 17 in. (432 mm) | 16.9 in. (430 mm) | 17.5 in. (444 mm) |
| | Depth | 26 in. (659 mm) | 26 in. (660 mm) | 29.2 in. (741 mm) |
| | Weight | 75 lbs (34.0 kg) | 46.5 lbs (21.2 kg) | 47.5 lbs (21.4 kg) |

| Category | Specification | NX-9610 [PN 200362] | NX-9700 [PN 200396] | NX-9700 [PN 200768] |
|---|---|---|---|---|
| Capacity | WAN Capacity (All Features) | 1 Gbps | 1 Gbps | 1 Gbps |
| | Local Data Store | 16 x 500 GB HDD | 10 x 500 GB HDD; 4 x 100 GB SSD | 14 x 240 GB SSD |
| Connectivity | LAN/WAN Ethernet | 4 x 1 Gbps fiber LAN WAN; 2 x 10 Gbps fiber LAN WAN | 4 x 1 Gbps fiber LAN WAN; 2 x 10 Gbps fiber LAN WAN | 4 x 1 Gbps fiber LAN WAN; 2 x 10 Gbps fiber LAN WAN |
| | Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port |
| | Power Requirement | 100–240VAC 50-60Hz, 682 W / 2327 BTU | 100-240VAC 47–63Hz, 600 W / 2048 BTU | 100–240VAC 50-60Hz, 493 W / 1682 BTU |
| | Power Supplies | 2+1 redundant | 1+1 redundant | 1+1 redundant |
| Dimensions and Weight | Height | 5.2 in. (132 mm) 3 RU | 3.5 in. (89 mm) 2 RU | 3.4 in. (87 mm) 2 RU |
| | Width | 17 in. (432 mm) | 16.9 in. (430 mm) | 17.5 in. (444 mm) |
| | Depth | 26 in. (659 mm) | 26 in. (660 mm) | 29.2 in. (741 mm) |
| | Weight | 75.5 lbs (34.5 kg) | 47 lbs (21.2 kg) | 47.5 lbs (21.4 kg) |

| Category | Specification | NX-10700 [PN 200519] | NX-10700 [PN 200769] | NX-11700 [PN 200711] |
|---|---|---|---|---|
| Capacity | WAN Capacity (All Features) | 2.5 Gbps | 2.5 Gbps | 5 Gbps |
| | Local Data Store | 2 x 500 GB HDD; 16 x 100 GB SSD | 18 x 100 GB SSD | 18 x 100 GB SSD |
| Connectivity | LAN/WAN Ethernet | 4 x 10 Gbps fiber LAN WAN | 4 x 10 Gbps fiber LAN WAN | 4 x 10 Gbps fiber LAN WAN |
| | Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port |
| | Power Requirement | 100-240VAC 47–63Hz, 600 W / 2048 BTU | 100–240VAC 50-60Hz, 590 W / 2013 BTU | 100–240VAC 50-60Hz, 590 W / 2013 BTU |
| | Power Supplies | 1+1 redundant | 1+1 redundant | 1+1 redundant |
| Dimensions and Weight | Height | 3.5 in. (89 mm) 2 RU | 3.4 in. (87 mm) 2 RU | 3.4 in. (87 mm) 2 RU |
| | Width | 16.9 in. (430 mm) | 17.5 in. (444 mm) | 17.5 in. (444 mm) |
| | Depth | 26 in. (660 mm) | 29.2 in. (741 mm) | 29.2 in. (741 mm) |
| | Weight | 46.5 lbs (21.1 kg) | 48.5 lbs (22.0 kg) | 48.5 lbs (22.0 kg) |

Fiber Specifications

NX-Series Specifications

1 Gbps Fiber Interfaces (NX-9610 / NX-9700)

lan / wan [a] Fiber Support:

• 4 interfaces

• LC connectors

• Multi-mode 50μ fiber / 62.5μ fiber

lan / wan [a] Fail-to-Close:

• NX-9610: no

• NX-9700: yes

a. This can be for lan0/wan0 or lan1/wan1.

10 Gbps Fiber Interfaces (NX-8700 / NX-9610 / NX-9700)

tlan0 / twan0 Fiber Support:

• 2 interfaces

• LC connectors

• Multi-mode 50μ fiber

• SR (Short Reach) modules (default): 10 Gb/s 850 nm Multimode Datacom SFP+ Transceiver

• LR (Long Reach) modules: 10 Gb/s 10 km Single Mode Datacom SFP+ Transceiver

tlan0 / twan0 Fail-to-Close: no

NX-10700 / NX-11700: 10 Gbps Fiber Interfaces

tlan0 / twan0 / tlan1 / twan1 Fiber Support:

• 2 interfaces

• LC connectors

• Multi-mode 50μ fiber

• Fail-to-close: no

• SR (Short Reach) modules (default): 10 Gb/s 850 nm Multimode Datacom SFP+ Transceiver

• LR (Long Reach) modules: 10 Gb/s 10 km Single Mode Datacom SFP+ Transceiver

| Category | Specification | Value |
|---|---|---|
| Environmental | Temperature (Operating) | 10°C to 35°C (50°F to 95°F) |
| | Temperature (Storage) | -40°C to 65°C (-40°F to 149°F) |
| | Humidity | 8% to 90% relative humidity, non-condensing |
| | Altitude (Operating) | Up to 10,000 ft. (3,048 m) |
| | Altitude (Storage) | Up to 40,000 ft. (12,192 m) |
| Regulatory | EMC | FCC Part 15 Class A, EN 55022 Class A, EN 61000-3-2/3-3, EN 55024 |
| | Safety | UL/cUL 60950, EN 60950 |

Warning Statements

Class 1 Laser Products

NX-8700

NX-9600

NX-9700

NX-10700

NX-11700

Maintenance Port Precautions

The serial console is used only for periodic maintenance and is not to be used during normal operation.

General Safety

CAUTION Please note the following:

1 The server will not be used in a home, school or other public area where the general population would have access to it.

2 The manufacturer specifies that the thumbscrew normally should be tightened with a screwdriver. Use of a thumbscrew is not considered to compromise the basic principles of safety associated with the standard.

WARNING To prevent potential for personal injury, property damage or death, please observe the following instructions:

• Do not use damaged equipment, including exposed, frayed or damaged power cords. Use only the approved power cable that is rated for the equipment. The voltage and current rating of the cable should be greater than the ratings marked on the equipment.

• Plug the power cables into properly grounded electrical outlets.

• Do not use adapter plugs or remove the grounding prong from a cable. If you must use an extension cable, use a 3-wire cable with properly grounded plugs.

• Observe extension cable and power strip ratings to ensure that the total ampere rating of all equipment plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings limit for the extension cable or power strip.

• When connecting or disconnecting power to hot-swappable power supplies, observe the following precautions:

• Install the power supply before connecting the power cable to it.

• Unplug the power cable before removing a power supply.

• To disconnect power from the server, disconnect all power cables from all power supplies. (If you only disconnect one hot-swappable power supply, the system will automatically switch to a redundant one.)

• The power supplies in the server may produce high voltages and potential energy hazards. By opening the cover of the server you may be exposed to a risk of electric shock. The components inside the server housing should only be serviced by a trained service technician.

• Inside the housing, the power supply may have more than one power supply cable. To reduce the risk of electric shock, a trained service technician may need to disconnect all power supply cables before servicing the system.

• The server should not be operated with the cover removed.

• Components inside the server housing may become extremely hot during normal operations. These components include the memory and CPU modules. Allow sufficient time for components to cool before handling.

• The server should not be operated in environments that can get wet. Protect the server at all times from liquid intrusion.

• If your server gets wet, turn off the AC power at the circuit breaker before attempting to remove the power cables from the electrical outlet. Then disconnect power to the equipment and to any attached devices.

• Avoid obstructing the air vents on the server or pushing objects into the openings. This could lead to fire or electric shock.

CAUTION To prevent hardware damage or loss of data, observe the following precautions:

• Follow installation instructions carefully.

• Do not attempt to service the equipment yourself. The server should be serviced by a trained service technician.

• You should operate this equipment from the type of external power source indicated on the electrical ratings label.

• Wait 30 seconds after turning off the equipment before removing a component from the system or disconnecting a peripheral device from the server.

• Always leave at least 4 inches (10.2cm) of physical clearance on all vented sides of the server. This permits the airflow required for proper ventilation.

• Avoid placing equipment so close together that it is subject to re-circulated (pre-heated) air. Avoid placing equipment too close to a server or exhaust vent.

• Ensure that cables are connected to the server without stress and that nothing rests on the cables.

• If the equipment is located in a rack, move it with caution. Ensure that all casters and/or stabilizers are firmly connected. While moving the equipment, avoid uneven surfaces and sudden stops.

• Do not place other equipment, monitors, or other devices on top of the server.

• To protect the server from fluctuations in electrical power, use a surge suppressor, line conditioner or uninterruptible power supply (UPS).

WARNING BATTERY WARNING: Installing an incompatible battery on the server board may increase the risk of fire or explosion. Observe the following precautions:

• The battery should only be replaced with a battery that is the same as, or equivalent to, the factory-installed battery.

• Do not attempt to open or service the battery. Do not dispose of the battery in a fire or with household waste. Contact the local waste disposal agency for the location of the nearest battery deposit site.

CAUTION Please observe the following additional precautions for rack-mounted systems:

• Slide/rail mounted equipment is not to be used as a shelf or a work space.

• Elevated Operating Ambient – If the server is installed in a closed or multi-unit rack assembly, the operating ambient temperature in the rack environment may be greater than the room ambient temperature. Therefore, consideration should be given to the maximum operating temperature specified in the environmental specifications.

• Reduced Air Flow – Installation of the server in a rack should be such that the amount of air flow required for safe operation is not compromised.

• Mechanical Loading – Mounting of the server in the rack should not create a hazardous condition from uneven mechanical loading.

• Circuit Overloading – Connection of the equipment to the supply circuit should not create an overloaded situation. Pay close attention to equipment nameplate ratings.

• Reliable Grounding – Appliances mounted in racks should be grounded properly. If using power strips to connect the server to the supply circuit, make certain that the power strips are also grounded properly.

• It is your responsibility to ensure that the rack and the provided rail system are compatible with each other before installing the server.

• Install the front and side stabilizers prior to installing equipment in a rack. Failure to install stabilizers may cause a rack to tip over.

• Load racks from the bottom up, loading the heaviest items near the bottom of the rack.

• Do not stand or step on components in the rack.

• Do not use slide-rail-mounted equipment as a shelf or workspace. Do not add weight to the top of the server.

WARNING Grounding Instructions for Qualified Electricians Only:

• Grounding techniques may vary. However, a positive connection to a safety (earth) ground is required.

• Make the ground connection first and disconnect it last to prevent hazards.

• Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor.

• If the system is installed in a rack, ensure that the system chassis is securely grounded to the rack cabinet frame. Do not connect power to the system until grounding cables are connected.

Compliance Statements

This section includes the following required compliance statements:

• FCC Compliance Statement

• ICES-003 statement

• Requirements for Rack-Mount Equipment

• Requirements for Knurled Thumb Screws

FCC Compliance Statement

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

ICES-003 statement

The Class A digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe A est conforme á la norme NMB-003 du Canada.

Requirements for Rack-Mount Equipment

Observe the following requirements for all rack-mount equipment:

1 Elevated Operating Ambient Temperature – If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.

2 Reduced Air Flow – Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.

3 Mechanical Loading – Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.

4 Circuit Overloading – Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.

5 Reliable Earthing – Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (for example, use of power strips).

Requirements for Knurled Thumb Screws

Thumbscrews should be tightened with a tool after both initial installation and subsequent access to the panel.

What Ports the NX and the GMS Use

Following are lists of ports that are used by the appliances and by the Global Management System (GMS). These are the ports used for “listening”.

If you intend to use a port, make sure that it is open in the firewall(s).

List of ports used by the GMS

Following is the list of ports used by the GMS. All are part of the management plane.

It is mandatory for certain ports to be open. Opening other ports is optional (opt.), depending on your network, applications, and chosen deployment.

| Must open port? | TCP | UDP | Port | Application | Direction relative to the GMS | Comments |
|---|---|---|---|---|---|---|
| yes | x | | 22 | SSH | bidirectional | SNMP trap receivers |
| yes | x | | 443 | HTTPS | bidirectional | communications between the GMS and a physical or virtual appliance (NX or VX) |
| opt. | x | | 21 | FTP | outgoing | for GMS backup. This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number. |
| opt. | x | | 22 | SCP | outgoing | for GMS backup. This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number. |
| opt. | x | | 49 | TACACS+ | outgoing | user authentication and authorization |
| opt. | x | x | 53 | DNS | outgoing | domain name services |
| opt. | x | | 80 | HTTP | outgoing | If the appliance’s web configuration is for HTTP only, then you must open this port. |
| opt. | | x | 123 | NTP | outgoing | synchronizes clocks |
| opt. | | x | 162 | SNMP | outgoing | SNMP trap receivers |
| opt. | | x | 1812 | RADIUS | outgoing | user authentication and authorization |
| opt. | | x | 2055 | Netflow | outgoing | Netflow collector |

List of ports used by the NX

Data Plane

This is for packets that traverse the optimization path. For creating tunnels, at least one of the first three applications (GRE, IPsec, or UDP) is required.

| Application | Ports and Protocols | Use |
|---|---|---|
| GRE | Protocol 47 | If tunnel mode is GRE |
| IPsec | Protocol ESP 50; UDP port 500 (for IKE key exchange) | If tunnel mode is IPsec |
| UDP | UDP Port 4163 | If tunnel mode is UDP |
| WCCP | UDP Port 2048 | For WCCP redirection |
| Flow redirection | TCP Port 4164 and UDP Port 4164 | If flow direction is enabled and clustered via routers |
| iperf | TCP Port 5001 and UDP Port 5001 | For testing link integrity outside the tunnel. |

Management Plane

It is mandatory for certain ports to be open. Opening other ports is optional (opt.), depending on your network, applications, and chosen deployment.

| Must open port? | TCP | UDP | Port | Application | Direction relative to the appliance | Used for ... |
|---|---|---|---|---|---|---|
| yes | x | | 22 | SSH and SCP | bidirectional | configuration backup; software upgrades |
| yes | x | | 80 | HTTP | bidirectional | communication with NX clients and with GMS |
| yes | x | | 443 | HTTPS | bidirectional | communication with NX clients |
| opt. | x | | 20 [data channel]; 21 [control channel] | FTP | bidirectional | configuration backup; software upgrades |
| opt. | x | | 49 | TACACS+ | outgoing | user authentication and authorization |
| opt. | x | x | 53 | DNS | outgoing | domain name services |
| opt. | | x | 123 | NTP | outgoing | synchronizes clocks |
| opt. | | x | 1812 | RADIUS | outgoing | user authentication and authorization |
| opt. | | x | 162 | SNMP | outgoing | SNMP trap receivers |
| opt. | | x | 2055 | Netflow | outgoing | Netflow collector |

Diagrams of TCP/IP Port Use

Figure: diagrams of TCP/IP port use (two pages in the original guide).
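One way to check a firewall allow-list against the NX port lists above, as an added example (not part of the original guide or of Silver Peak software). The `permit <proto> <number>` rule format, the function names and the sample rules are constructed for illustration; traffic direction is ignored, and the TCP/UDP assignment of the optional services follows their standard transports.

```python
"""Audit a firewall allow-list against the NX port lists (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, int]  # ("tcp" | "udp", port) or ("ip", IP protocol number)

# Data plane: a tunnel mode works only if every flow listed for it is permitted.
TUNNEL_MODES: Dict[str, Set[Flow]] = {
    "gre": {("ip", 47)},
    "ipsec": {("ip", 50), ("udp", 500)},  # ESP plus IKE key exchange
    "udp": {("udp", 4163)},
}
DATA_FEATURES: Dict[str, Set[Flow]] = {
    "wccp": {("udp", 2048)},
    "flow_redirection": {("tcp", 4164), ("udp", 4164)},
    "iperf": {("tcp", 5001), ("udp", 5001)},
}
# Management plane rows marked "yes" under "Must open port?".
MGMT_REQUIRED: Dict[Flow, str] = {
    ("tcp", 22): "SSH/SCP", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
}
# Management plane rows marked "opt." (transports assumed standard).
MGMT_OPTIONAL: Dict[str, Set[Flow]] = {
    "ftp": {("tcp", 20), ("tcp", 21)},
    "tacacs": {("tcp", 49)},
    "dns": {("tcp", 53), ("udp", 53)},
    "ntp": {("udp", 123)},
    "radius": {("udp", 1812)},
    "snmp_trap": {("udp", 162)},
    "netflow": {("udp", 2055)},
}


def parse_allowlist(text: str) -> List[Tuple[str, str, int, int]]:
    """Parse 'permit <tcp|udp|ip> <n>[-<m>]' lines into (rule, kind, lo, hi)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, kind, span = line.split()  # ValueError on a malformed line
        if action != "permit" or kind not in ("tcp", "udp", "ip"):
            raise ValueError(f"unsupported rule: {raw!r}")
        lo, _, hi = span.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        limit = 255 if kind == "ip" else 65535
        if not 0 <= lo_n <= hi_n <= limit:
            raise ValueError(f"bad range in rule: {raw!r}")
        rules.append((line, kind, lo_n, hi_n))
    return rules


def required_flows(tunnel_mode: str, features: Iterable[str] = (),
                   services: Iterable[str] = ()) -> Dict[Flow, str]:
    """Flows this deployment needs, mapped to the reason each is needed."""
    if tunnel_mode not in TUNNEL_MODES:
        raise ValueError(f"unknown tunnel mode: {tunnel_mode!r}")
    need: Dict[Flow, str] = {}
    for flow in TUNNEL_MODES[tunnel_mode]:
        need[flow] = f"{tunnel_mode} tunnel"
    for name in features:
        for flow in DATA_FEATURES[name]:
            need[flow] = name
    need.update(MGMT_REQUIRED)
    for name in services:
        for flow in MGMT_OPTIONAL[name]:
            need[flow] = name
    return need


def audit(allow_text: str, tunnel_mode: str, features: Iterable[str] = (),
          services: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Report needed flows that are blocked and rules wider than needed."""
    need = required_flows(tunnel_mode, features, services)
    rules = parse_allowlist(allow_text)

    def covered(flow: Flow) -> bool:
        kind, n = flow
        return any(k == kind and lo <= n <= hi for _, k, lo, hi in rules)

    missing = sorted(f"{k}/{n} ({why})"
                     for (k, n), why in need.items() if not covered((k, n)))
    excess = [line for line, k, lo, hi in rules
              if any((k, n) not in need for n in range(lo, hi + 1))]
    return {"missing": missing, "excess": excess}


# Constructed sample allow-list for an appliance using IPsec tunnels.
SAMPLE_ALLOWLIST = """
permit tcp 22         # SSH/SCP
permit tcp 443        # HTTPS
permit ip 50          # ESP
permit udp 4163-4164  # UDP tunnel + flow redirection
permit udp 123        # NTP
permit tcp 23         # telnet (constructed leftover rule)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_ALLOWLIST, "ipsec",
                features=["flow_redirection"], services=["ntp"]))
```

With the sample rules, the IPsec deployment is reported as missing UDP 500 (IKE), TCP 4164 and TCP 80, while the UDP 4163 range and the telnet rule are flagged as wider than that deployment needs.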

Appliance Views

This section includes each NX appliance model and provides information about its physical characteristics and layout.

| Model | Part Number | Hard Disks: Qty | Hard Disks: Allow user to replace | Hard Disks: Hot swappable | Power Supplies: Qty | Power Supplies: Allow user to replace | Power Supplies: Hot swappable |
|---|---|---|---|---|---|---|---|
| NX-700 | 200849 | 1 | no | -- | 0 [a] | N/A | N/A |
| NX-1700 AC | 200404 | 1 | no | -- | 1 | no | -- |
| NX-1700 AC | 200576 | 1 | no | -- | 1 | no | -- |
| NX-1700 DC | 200464 | 1 | no | -- | 1 | no | -- |
| NX-2600 | 200178 | 1 | no | -- | 1 | no | -- |
| NX-2610 | 200193 | 2 | yes | no | 1 | no | -- |
| NX-2700 | 200401 | 2 | yes | yes | 2 | yes | yes |
| NX-2700 | 200697 | 2 | yes | yes | 2 | yes | yes |
| NX-3600 | 200349 | 2 | yes | no | 2 | yes | yes |
| NX-3700 | 200400 | 2 | yes | yes | 2 | yes | yes |
| NX-3700 | 200698 | 2 | yes | yes | 2 | yes | yes |
| NX-5600 | 200231 | 8 | yes | yes | 3 | yes | yes |
| NX-5700 | 200399 | 8 | yes | yes | 2 | yes | yes |
| NX-5700 | 200699 | 8 | yes | yes | 2 | yes | yes |
| NX-6700 | 200828 | 8 | yes | yes | 2 | yes | yes |
| NX-7600 | 200225 | 12 | yes | yes | 3 | yes | yes |
| NX-7700 | 200398 | 10 | yes | yes | 2 | yes | yes |
| NX-7700 | 200702 | 8 | yes | yes | 2 | yes | yes |
| NX-8600 | 200181 | 16 | yes | yes | 3 | yes | yes |
| NX-8700 [b] | 200397 | 14 | yes | yes | 2 | yes | yes |
| NX-8700 | 200767 | 14 | yes | yes | 2 | yes | yes |
| NX-9610 | 200362 | 16 | yes | yes | 3 | yes | yes |
| NX-9700 [b] | 200396 | 14 | yes | yes | 2 | yes | yes |
| NX-9700 | 200768 | 14 | yes | yes | 2 | yes | yes |
| NX-10700 | 200519 | 18 | yes | yes | 2 | yes | yes |
| NX-10700 | 200769 | 18 | yes | yes | 2 | yes | yes |
| NX-11700 | 200711 | 18 | yes | yes | 2 | yes | yes |

a. The NX-700 has a power adapter.

b. Two disk configurations: regular and “v”

NX-700 [PN 200849]

| NX-700 | Hard Disks | Power Adapter |
|---|---|---|
| Quantity | 1 | 1 |
| User authorized to replace? | no | N/A |
| Hot swappable? | -- | -- |

Figure: NX-700 Front View.

Figure: NX-700 Rear View.

LED legend, NX-700 (mgmt0 & mgmt1; lan0 / wan0 / lan1 / wan1): states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Link/Activity: blinking = traffic. Speed = solid.

NX-1700 AC [PN 200404 and PN 200576]

There are a couple of different physical chassis for AC current. The functional distinction is only in whether the physical interfaces are on the front panel or the rear panel.

Option #1 – NX-1700 AC with Interfaces on Rear Panel [PN 200404]

| NX-1700 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 1 | 1 |
| User authorized to replace? | no | no |
| Hot swappable? | -- | -- |

When you toggle the Power switch, verify that the Power LED illuminates green.

Figure: NX-1700 (AC) Front View. Callouts: Power LED; Power switch.

Figure: NX-1700 (AC) Rear View. Callouts: parallel port; console [serial port]; VGA port; auxiliary port; management interfaces [mgmt0 / mgmt1]; network interfaces [lan0 / wan0 / lan1 / wan1]; power supply LED.

Option #2 – NX-1700 AC with Interfaces on Front Panel [PN 200576]

Figure: NX-1700 (AC) Front View. Callouts: Power LED; console [serial port]; auxiliary port; management interfaces [mgmt0 / mgmt1]; network interfaces [lan0 / wan0 / lan1 / wan1].

Figure: NX-1700 (AC) Rear View. Callouts: Power switch; Power plug.

LED legend, NX-1700 (mgmt0 & mgmt1; lan0 / wan0 / lan1 / wan1): states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Link/Activity: blinking = traffic. Speed = solid.

NX-1700 DC [PN 200464]

| NX-1700 DC | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 1 | 1 |
| User authorized to replace? | no | no |
| Hot swappable? | -- | -- |

When you toggle the Power switch, verify that the Power LED illuminates green.

Figure: NX-1700 (DC) Front View. Callouts: Power LED; Power switch.

Figure: NX-1700 (DC) Rear View. Callouts: parallel port; console [serial port]; VGA port; auxiliary port; management interfaces [mgmt0 / mgmt1]; network interfaces [lan0 / wan0 / lan1 / wan1]; power supply LED; DC terminal connector (DC), side view.

a Connect one wire from the NX-1700’s 0V terminal to the DC source 0V terminal.

b Connect the second wire from the NX-1700’s –48V terminal to the DC source –48V terminal.

LED legend, NX-1700 (mgmt0 & mgmt1; lan0 / wan0 / lan1 / wan1): states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Link/Activity: blinking = traffic. Speed = solid.

NX-2600 [PN 200178] / NX-2610 [PN 200193]

On the front panel, verify that the Power LED illuminates blue.

Figure: NX-2600 and NX-2610 Front Views. Callouts: Power LED [blue]; Power switch; Not used; Alarm Mute; System Reset; mgmt0; mgmt1; Hard Disk Drive activity.

Figure: NX-2600 Disk Layout, with a second panel labeled NX-2610. Label: User replacement NOT authorized.

Figure: NX-2600 Rear View, with a second panel labeled NX-2610.

LED legend, NX-2600 and NX-2610 (mgmt0 & mgmt1): states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps, Auto. Speed = solid. Link/Activity: blinking = traffic.

NX-2700 [PN 200401]

| NX-2700 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-2700 Front View. Callouts: Power button [plugging the power cords in automatically powers up the appliance]; Power LED [blue = ON]; System reset; Alarm mute; Illuminates red when a power supply is disconnected or off.

Figure: NX-2700 Disk Layout.

Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.

Figure: NX-2700 Rear View.

LED legend, NX-2700 mgmt0 & mgmt1: states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid. Link/Activity: solid = link; blinking = traffic.

NX-2700 Network interfaces (lan0 / wan0 / lan1 / wan1):

• Link/Activity: solid green = link good; blinking green = traffic

• system bypass mode: Ports 0 + 2 – solid green; Ports 1 + 3 – OFF

• slave ports / not in system bypass: Ports 0 + 2 – OFF; Ports 1 + 3 – solid green

NX-2700 [PN 200697]

| NX-2700 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: Disk Layout.

Figure: Front View. Callouts: Power LED [blue = ON].

Drive LED legend (Status / Activity): Drive online; Drive failed; Traffic (4 blinks/sec).

Figure: Rear View.

LED legend, mgmt0 & mgmt1 (Activity / Link): Not connected; Connected at max speed; Connected at lower speed; Traffic.

Network interfaces (lan0 / wan0 / lan1 / wan1):

• Link/Activity: solid green = link good; blinking green = traffic

• system bypass mode: Ports 0 + 2 – solid green; Ports 1 + 3 – OFF

• slave ports / not in system bypass: Ports 0 + 2 – OFF; Ports 1 + 3 – solid green

NX-3600 [PN 200349]

| NX-3600 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | no | yes |

Figure: NX-3600 Front View & Disk Layout. Callouts: Disk 0; Disk 1. These two slots house the hard disks you can remove and replace.

Figure: NX-3600 Rear View.

LED legend, NX-3600 mgmt0 & mgmt1: states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps, Auto. Speed = solid. Link/Activity: blinking = traffic.

NX-3700 [PN 200400]

| NX-3700 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-3700 Front View. Callouts: Power button [plugging the power cords in automatically powers up the appliance]; Power LED [blue = ON]; System reset; Alarm mute; Illuminates red when a power supply is disconnected or off.

Figure: NX-3700 Disk Layout.

Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.

Figure: NX-3700 Rear View.

LED legend, NX-3700 mgmt0 & mgmt1: states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid. Link/Activity: solid = link; blinking = traffic.

NX-3700 Network interfaces (lan0 / wan0 / lan1 / wan1):

• Link/Activity: solid green = link good; blinking green = traffic

• system bypass mode: Ports 0 + 2 – solid green; Ports 1 + 3 – OFF

• slave ports / not in system bypass: Ports 0 + 2 – OFF; Ports 1 + 3 – solid green

NX-3700 [PN 200698]

| NX-3700 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: Disk Layout.

Figure: Front View. Callouts: Power LED [blue = ON].

Drive LED legend (Status / Activity): Drive online; Drive failed; Traffic (4 blinks/sec).

Figure: Rear View.

LED legend, mgmt0 & mgmt1 (Activity / Link): Not connected; Connected at max speed; Connected at lower speed; Traffic.

Network interfaces (lan0 / wan0 / lan1 / wan1):

• Link/Activity: solid green = link good; blinking green = traffic

• system bypass mode: Ports 0 + 2 – solid green; Ports 1 + 3 – OFF

• slave ports / not in system bypass: Ports 0 + 2 – OFF; Ports 1 + 3 – solid green

NX-5600 [PN 200231]

| NX-5600 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 8 | 3 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-5600 Front Views. Callouts: Power LED [blue = ON]; Not used; Alarm Mute; System Reset; mgmt0; mgmt1; Hard Disk Drive activity [Yellow = busy].

Figure: NX-5600 Rear View.

LED legend, NX-5600 mgmt0 & mgmt1: states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps, Auto. Speed = solid. Link/Activity: blinking = traffic.

NX-5700 [PN 200399]

| NX-5700 | Hard Disks | Power Supplies |
|---|---|---|
| Quantity | 8 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-5700 Front View. Callouts: Power button [plugging the power cords in automatically powers up the appliance]; Power LED [blue = ON]; System reset; Alarm mute; Illuminates red when a power supply is disconnected or off.

Figure: NX-5700 Disk Layout.

Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.

Figure: NX-5700 Rear View.

LED legend, NX-5700 mgmt0 & mgmt1: states Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid. Link/Activity: solid = link; blinking = traffic.

NX-5700 Network interfaces (lan0 / wan0 / lan1 / wan1):

• Link/Activity: solid green = link good; blinking green = traffic

• system bypass mode: Ports 0 + 2 – solid green; Ports 1 + 3 – OFF

• slave ports / not in system bypass: Ports 0 + 2 – OFF; Ports 1 + 3 – solid green

Appliance Views Appendix A Specifications, Compliance, and Regulatory Statements

PN 200030-001 Rev N 283

NX-5700 [PN 200699]

NX-5700 | Hard Disks | Power Supplies
Quantity | 8 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

[Figure: Network interfaces (lan0, wan0, lan1, wan1). Link/Activity: solid green = link good, blinking green = traffic. System bypass mode: Ports 0 + 2 – solid green, Ports 1 + 3 – OFF. Slave ports not in system bypass: Ports 0 + 2 – OFF, Ports 1 + 3 – solid green.]

NX-6700 [PN 200828]

NX-6700 | Hard Disks | Power Supplies
Quantity | 8 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

[Figure: Network interfaces (lan0, wan0, lan1, wan1). Link/Activity: solid green = link good, blinking green = traffic. System bypass mode: Ports 0 + 2 – solid green, Ports 1 + 3 – OFF. Slave ports not in system bypass: Ports 0 + 2 – OFF, Ports 1 + 3 – solid green.]

NX-7600 [PN 200225]

NX-7600 | Hard Disks | Power Supplies
Quantity | 12 | 3
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: NX-7600 — Front Views. Callouts: Power LED (blue = ON); Not used; Alarm Mute; System Reset; mgmt0; mgmt1; Hard Disk Drive activity (Yellow = busy).]

[Figure: NX-7600 — Disk Layout.]

[Figure: NX-7600 — Rear View.]

[Figure: NX-7600 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps, Auto. Speed = solid; Link/Activity: blinking = traffic.]

NX-7700 [PN 200398]

NX-7700 | Hard Disks | Power Supplies
Quantity | 10 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: NX-7700 — Front View. Callouts: Power button (plugging the power cords in automatically powers up the appliance); Power LED (blue = ON); System reset; Alarm mute; Illuminates red when a power supply is disconnected or off.]

[Figure: NX-7700 — Disk Layout.]

Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.

[Figure: NX-7700 — Rear View.]

[Figure: NX-7700 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid; Link/Activity: solid = link, blinking = traffic.]

[Figure: NX-7700 Network interfaces (lan0, wan0, lan1, wan1). Link/Activity: solid green = link good, blinking green = traffic. System bypass mode: Ports 0 + 2 – solid green, Ports 1 + 3 – OFF. Slave ports not in system bypass: Ports 0 + 2 – OFF, Ports 1 + 3 – solid green.]

NX-7700 [PN 200702]

NX-7700 | Hard Disks | Power Supplies
Quantity | 8 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

[Figure: Network interfaces (lan0, wan0, lan1, wan1). Link/Activity: solid green = link good, blinking green = traffic. System bypass mode: Ports 0 + 2 – solid green, Ports 1 + 3 – OFF. Slave ports not in system bypass: Ports 0 + 2 – OFF, Ports 1 + 3 – solid green.]

NX-8600 [PN 200181]

NX-8600 | Hard Disks | Power Supplies
Quantity | 16 | 3
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: NX-8600 — Front View. Callouts: Power LED (blue = ON); Not used; Alarm Mute; System Reset; mgmt0; mgmt1; Hard Disk Drive activity (Yellow = busy).]

[Figure: NX-8600 — Disk Layout.]

[Figure: NX-8600 — Rear View.]

[Figure: NX-8600 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps, Auto. Speed = solid; Link/Activity: blinking = traffic.]

NX-8700 [PN 200397]

NX-8700 | Hard Disks | Power Supplies
Quantity | 14 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: NX-8700 — Front View. Callouts: Power supply warning LED (red = 1 PS down or missing); Alarm mute; Power LED (blue = on); System reset; Power switch. DISK LEDs: blue = disk on, no light = off, green = disk activity, red = error (no access to drive).]

[Figure: NX-8700 — Disk Layout. Callouts: Solid-state disks; SATA hard disk drives.]

Note that the NX-9700 and NX-8700 appliances contain a mix of SATA hard disk drives and SSDs (solid-state drives).

The two NX-8700s differ only in the placement of the solid state drives.

[Figure: NX-8700v — Disk Layout. Callouts: SATA hard disk drives; Solid-state disks.]

[Figure: NX-8700 — Rear View. Callouts: auxiliary port; console (serial port); VGA port; Power Supply LEDs (green = power on); management interfaces; copper network interfaces; 10 Gbps fiber network interfaces.]

Management interfaces

[Figure: NX-8700 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid; Link/Activity: solid = link, blinking = traffic.]

Network interfaces

[Figure: NX-8700 Network interfaces (lan0, wan0, lan1, wan1). Link/Activity: solid green = link good, blinking green = traffic. System bypass mode: Ports 0 + 2 – solid green, Ports 1 + 3 – OFF. Slave ports not in system bypass: Ports 0 + 2 – OFF, Ports 1 + 3 – solid green.]

10 Gbps fiber interfaces

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-8700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

[Figure: NX-8700 tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

NX-8700 [PN 200767]

NX-8700 | Hard Disks | Power Supplies
Quantity | 14 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

[Figure: Network interfaces (lan0, wan0, lan1, wan1). Link/Activity: solid green = link good, blinking green = traffic. System bypass mode: Ports 0 + 2 – solid green, Ports 1 + 3 – OFF. Slave ports not in system bypass: Ports 0 + 2 – OFF, Ports 1 + 3 – solid green.]

10 Gbps fiber interfaces

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-8700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

[Figure: NX-8700 tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

NX-9610 [PN 200362]

NX-9610 | Hard Disks | Power Supplies
Quantity | 16 | 3
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: NX-9610 — Front Views. Callouts: Power LED (blue = ON); Not used; Alarm Mute; System Reset; mgmt0; mgmt1; Hard Disk Drive activity (Yellow = busy).]

[Figure: NX-9610 — Disk Layout.]

[Figure: NX-9610 — Rear View. Callouts: 10 Gbps fiber network interfaces; 1 Gbps fiber network interfaces.]

[Figure: NX-9610 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps, Auto. Speed = solid; Link/Activity: blinking = traffic.]

NX-9700 [PN 200396]

NX-9700 | Hard Disks | Power Supplies
Quantity | 14 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: NX-9700 — Front View. Callouts: Power supply warning LED (red = 1 PS down or missing); Alarm mute; Power LED (blue = on); System reset; Power switch. DISK LEDs: blue = disk on, no light = off, green = disk activity, red = error (no access to drive).]

[Figure: NX-9700 — Disk Layout. Callouts: Solid-state disks; SATA hard disk drives.]

Note that the NX-9700 appliance contains a mix of SATA hard disk drives and SSDs (solid-state drives).

The two NX-9700s differ only in the placement of the solid state drives.

[Figure: NX-9700v — Disk Layout. Callouts: SATA hard disk drives; Solid-state disks.]

Note that the NX-9700 and NX-8700 appliances contain a mix of SATA hard disk drives and SSDs (solid-state drives).

[Figure: NX-9700 — Rear View. Callouts: auxiliary port; console (serial port); VGA port; Power Supply LEDs (green = power on); management interfaces; 1 Gbps fiber network interfaces; 10 Gbps fiber network interfaces.]

Management interfaces

[Figure: NX-9700 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid; Link/Activity: solid = link, blinking = traffic.]

1 Gbps fiber interfaces

[Figure: NX-9700 lan0 / wan0 / lan1 / wan1. All LEDs are solid.]

10 Gbps fiber interfaces

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

[Figure: NX-9700 tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

NX-9700 [PN 200768]

NX-9700 | Hard Disks | Power Supplies
Quantity | 14 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View. Callouts: 10 Gbps fiber network interfaces; 1 Gbps fiber network interfaces.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

1 Gbps fiber interfaces

[Figure: lan0 / wan0 / lan1 / wan1. All LEDs are solid.]

10 Gbps fiber interfaces

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

[Figure: NX-9700 tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

NX-10700 [PN 200519]

NX-10700 | Hard Disks | Power Supplies
Quantity | 18 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Front View. Callouts: Power supply warning LED (red = 1 PS down or missing); Alarm mute; Power LED (blue = on); System reset; Power switch. DISK LEDs: blue = disk on, no light = off, green = disk activity, red = error (no access to drive).]

[Figure: Disk Layout. Callouts: Solid-state disks; SATA hard disk drives.]

Note that the NX-10700 appliance contains a mix of SATA hard disk drives and SSDs (solid-state drives).

[Figure: Rear View. Callouts: auxiliary port; console (serial port); VGA port; Power Supply LEDs (green = power on); management interfaces; 10 Gbps fiber network interfaces.]

Management interfaces

[Figure: NX-10700 mgmt0 & mgmt1 LEDs (Link/Activity and Speed). States shown: Not connected, 10 Mbps, 100 Mbps, 1000 Mbps. Speed = solid; Link/Activity: solid = link, blinking = traffic.]

10 Gbps fiber interfaces

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-10700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

[Figure: NX-10700 tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

NX-10700 [PN 200769]

NX-10700 | Hard Disks | Power Supplies
Quantity | 18 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View. Callouts: 10 Gbps fiber network interfaces.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

10 Gbps fiber interfaces

[Figure: tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

NX-11700 [PN 200711]

NX-11700 | Hard Disks | Power Supplies
Quantity | 18 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes

[Figure: Disk Layout.]

[Figure: Front View. Callouts: Power LED (blue = ON); drive Status and Activity LED states: Drive online, Drive failed, Traffic (4 blinks/sec).]

[Figure: Rear View. Callouts: 10 Gbps fiber network interfaces.]

[Figure: mgmt0 & mgmt1 LEDs (Activity and Link). States shown: Not connected, Connected at max speed, Connected at lower speed, Traffic.]

10 Gbps fiber interfaces

[Figure: tlan0 / twan0. All LEDs are green; Link = solid; Activity = blinking.]

You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.

You can distinguish the SR module from the LR module by the number on the label and the color of the handle.

FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module

FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase

APPENDIX B

Power Cords & Cable Pinouts

This appendix lists and illustrates power cords, by country, and cable pinouts.

In This Appendix

• Power Cords by Country
• Fiber Connectors
• Cable Pinouts
• Configuring DB-9 Console Access to the Appliance

Power Cords by Country

This section includes country-specific power cord plug and receptacle specifications for the Silver Peak appliances.

Table 2-1 Power Cord Specifics by Country

COUNTRY | APPROVALS | POWER CORD P/N | RATING | PLUG | RECEPTACLE
Argentina | IRAM | 9000.098 | 10A / 250V | IRM 2073: 1982 Argentina Plug | IEC-60320_C13
Australia | SAA | 8530.098 | 10A / 250V | AS 3112, Australia Plug | IEC-60320_C13
China | CCC | 8590.098 | 10A / 250V | GB2099, China Plug | IEC-60320_C13
Continental Europe | VDE, KEMA, CEVEC, NEMKO, DEMKO, SETI, OVE, SEV | 8500.098 | 10A / 250V | CEE 7/7 Europe Plug “Schuko” CE | IEC-60320_C13
Denmark | DEMKO | 8540.098 | 10A / 250V | SRAF 1962/DB 16/87, Danish Plug | IEC-60320_C13
India / South Africa | SABS, VDE | 8580.098 | 10A / 250V | BS 546, Indian Plug | IEC-60320_C13
Israel | SII | 8560.098 | 10A / 250V | SI32, Israeli Plug | IEC-60320_C13
Italy | IMQ | 8550.098 | 10A / 250V | CEU -23-16m, Italian Plug | IEC-60320_C13
Japan | PSE | 2000.098 | 10A / 125V | JIS 8303, Japanese Plug | IEC-60320_C13
Korea | KETI | 8704.098 | 10A / 250V | KSC 8305, Korean Plug | IEC-60320_C13
North America | UL, CSA | 2500.072 | 10A / 125V | NEMA 5-15P | IEC-60320_C13
Switzerland | SEV | 8520.098 | 10A / 250V | SEV 1011, Swiss Plug | IEC-60320_C13
United Kingdom / Ireland | BSI | 9650.098 | 10A / 250V | BS 1363, U.K. Plug | IEC-60320_C13

[Figures: power cord illustrations for Argentina, Australia, China, Continental Europe, Denmark, India & South Africa, Israel, Italy, Japan, Korea, North America, Switzerland, and United Kingdom & Ireland.]

Fiber Connectors

Fiber modules accept the following fiber cable:

multimode duplex Fibre Channel optic LC/LC patch cable

Cable Pinouts

Following is the pinout for the console (RS-232 serial) port, which uses a null modem cable.

Configuring DB-9 Console Access to the Appliance

For console port access, the appropriate settings are as follows:

Bits per second | 9600
Data bits | 8
Parity | none
Stop bits | 1
Flow control | none

APPENDIX C

Glossary

802.1q encapsulation. Also known as VLAN tagging. An IEEE standard (and process) which allows multiple bridged networks to transparently share the same physical network link without leakage of information between networks and, in common usage, the name of the encapsulation protocol used to implement this mechanism over Ethernet networks.

ACL. Access Control List.

ARP. Address Resolution Protocol. An IP protocol for finding a host’s link layer (hardware) address when only its Internet Layer or some other Network Layer address is known.

asymmetric routing. When new writes can be made without having to wait for the secondary or remote storage site to also finish its writes.

asynchronous replication. A type of disk storage replication, where write is considered complete as soon as local storage acknowledges it. Remote storage is updated, but probably with a small lag. Performance is greatly increased, but in case of losing a local storage, the remote storage is not guaranteed to have the current copy of data and most recent data may be lost.

authentication. The process of validating the claimed identity of an end user or a device such as a host, server, switch, router, etc.

authorization. The act of granting access rights to a user, groups of users, system, or program.

auto discovery. Within the NX Series appliances, the ability of an appliance to discover and register with the Global Management System (GMS) server when first deployed.

auto-negotiation. The process by which terminating devices automatically negotiate for maximum bandwidth.

bandwidth. A rate of data transfer, throughput, or bit rate, measured in bits per second.

bit. A binary digit, taking a logical value of either "1" or "0" (also referred to as "true" or "false" respectively). It is also a unit of measurement, the information capacity of one binary digit.

blan0. When configuring for gigabit etherchannel bonding, lan0 plus lan1 bond to form blan0, which uses the lan0 IP address.

Bridge mode. In-line deployment of an appliance, placing it between an Ethernet LAN switch and a WAN edge router.


bwan0. When configuring for gigabit etherchannel bonding, wan0 plus wan1 bond to form the virtual interface, bwan0, which uses the wan0 IP address.

bypass. Refers to hardware bypass. If there is a major problem with the appliance hardware, software, or power, all traffic goes through the appliance without any processing. Additionally, you can manually put the appliance into Bypass as an aid to troubleshooting.

chattiness. A common problem with naively designed application protocols is that they are too “chatty”. That is, they imply too many “round-trip” cycles.

CIFS. Common Internet File System. CIFS is the remote file system access protocol used by Windows servers and clients to share files across the network. Some specific capabilities of CIFS include file access, record locking, read/write privileges, change notification, server name resolution, request batching, and server authentication.

CIFS acceleration. A set of techniques for mitigating the impacts of latency across the WAN. They include read-aheads and write-behinds to pipeline CIFS requests and the respective acknowledgements. This dramatically minimizes roundtrip delays when using CIFS over a WAN.

CLI. See Command Line Interface.

client. An application or system that accesses a remote service on another computer system, known as a server, by way of a network.

Command Line Interface. A method of configuring the appliance by typing in commands via the local serial interface or remote SSH session. [Peribit]

CoS. Class of Service (CoS) is a way of managing traffic in a network by grouping similar types of traffic (for example, e-mail, streaming video, voice, large document file transfer) together and treating each type as a class with its own level of service priority. Unlike Quality of Service (QoS) traffic management, Class of Service technologies do not guarantee a level of service in terms of bandwidth and delivery time; they offer a "best-effort." On the other hand, CoS technology is simpler to manage and more scalable as a network grows in structure and traffic volume. One can think of CoS as "coarsely-grained" traffic control and QoS as "finely-grained" traffic control.

crossflow compression. A technique that applies compression across various flows of traffic.

data streaming. The transfer of data at a steady high-speed rate sufficient to support such applications as high-definition television (HDTV) or the continuous backup copying to a storage medium of the data flow within a computer. Data streaming requires some combination of bandwidth sufficiency and, for real-time human perception of the data, the ability to make sure that enough data is being continuously received without any noticeable time lag.

datagram. An independent, self-contained message sent over the network whose arrival, arrival time, and content are not guaranteed.

default gateway. A gateway is a router on a computer network, serving as an access point to another network.

DHCP. Dynamic Host Configuration Protocol. A TCP/IP protocol that enables PCs and workstations to automatically get temporary or permanent IP addresses (out of a pool) from centrally administered servers.

DNS. Domain Naming System or Domain Name Server. It serves as the "phone book" for the Internet by translating human-friendly computer hostnames into IP addresses.


DSCP. Differentiated Services Code Point. A 6-bit value that encodes Per-Hop Behavior (PHB) into the 8-bit Differentiated Services (DS) field of the IP packet header. The DS field is the same as the TOS (Type of Service) field.

domain. The main purpose of a domain name is to provide recognizable names to mostly numerically addressed Internet resources. This abstraction allows any resource (for example, website) to be moved to a different physical location in the address topology of the network, globally or locally in an intranet, in effect changing the IP address.

failover. The capability to switch over automatically to a redundant or standby computer server, system, or network upon the failure or abnormal termination of the previously active server, system, or network. Failover happens without human intervention and generally without warning, unlike switchover.

FEC. Forward Error Correction. When Adaptive Forward Error Correction (FEC) is enabled, the appliance introduces a parity packet, which helps detect and correct single-packet loss within a stream of packets, reducing the need for retransmissions. Silver Peak dynamically adjusts how often this parity packet is introduced in response to changing link conditions. This maximizes error correction while minimizing overhead.

flow. In a packet switching network, packet flow or traffic flow is a sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. As packets traverse successive communication links towards their destination, the packets from one flow (for example, A1, A2, A3) will be intermingled with packets from other flows also traversing the network to form a multiplexed stream (for example, A1, B7, C9, A2, C10, A3). This represents a form of statistical multiplexing because the link is shared as required.

FTP. File Transfer Protocol. A network protocol used to exchange and manipulate files over a TCP computer network, such as the Internet. An FTP client may connect to an FTP server to manipulate files on that server.

full duplex. Bidirectional, simultaneous two-way communications.

gateway. Gateways, also called protocol converters, can operate at any layer of the OSI model. The job of a gateway is much more complex than that of a router or switch. Typically, a gateway must convert one protocol stack into another.

GMS. Global Management System.

GRE. Generic Routing Encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.

GUI. Graphical User Interface.

half duplex. A circuit designed for data transmission in both directions, but not at the same time.

hardware bypass. If there is a major problem with the appliance hardware, software, or power, all traffic goes through the appliance without any processing. Additionally, you can manually put the appliance into Bypass as an aid to troubleshooting.

header compression. This technique can provide additional bandwidth gains by reducing packet header information using specialized compression algorithms.

high availability. For maximizing uptime, deploying NX appliances redundantly in 1+1 or N+1 configurations, with failover and load balancing.


host. In computer networking, a network host, Internet host or host is a computer connected to the Internet. A network host can host information as well as client and/or server software.

host address. The host address, or more properly the host id portion of an IP address, is the portion of the address used to identify hosts (which can be any device requiring a Network Interface Card, such as a personal computer or networked printer) on the network.

HTTP. HyperText Transfer Protocol. The protocol web browsers use to communicate with web servers.

HTTPS. HyperText Transfer Protocol Secure. A combination of the HyperText Transfer Protocol and a cryptographic protocol, for accessing a secure web server.

ICMP. Internet Control Message Protocol. An internet protocol used by networked computers’ operating systems to manage errors and generate control messages.

Internet. A global network of interconnected computers, enabling users to share information along multiple channels.

IP. Internet Protocol. Network layer protocol in the TCP/IP stack that enables a connectionless internetwork service.

IP Address. An Internet Protocol (IP) address is a numerical identification and logical address that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication between its nodes.

IPsec. Internet Protocol Security Protocol.

IP VPN. Internet Virtual Private Network.

LAN. Local Area Network.

LAN Rx. Traffic received from the LAN.

LAN Tx. Traffic transmitted to the LAN.

latency. A time delay between the moment something is initiated, and the moment one of its effects begins or becomes detectable. Network latency is the time it takes for information to go from a sender to a receiver and back.

load balancing. A technique to spread work between two or more computers, network links, CPUs, hard drives, or other resources, in order to get optimal resource utilization, maximize throughput, and minimize response time. Using multiple components with load balancing, instead of a single component, may increase reliability through redundancy. The balancing service is usually provided by a dedicated program or hardware device.

lossy. A WAN prone to dropped and out-of-order packets. This is most common on shared networks, like MPLS and Internet VPNs.

MAPI. Messaging Application Programming Interface. A Microsoft Windows program interface that enables you to send e-mail from within a Windows application and attach the document you are working on to the e-mail note. Applications that take advantage of MAPI include word processors, spreadsheets, and graphics applications.

MIB. Management Information Base. A type of database for managing devices in a communications network.

Microsoft Exchange. Messaging and groupware software for Windows from Microsoft. The Exchange server is an Internet-compliant messaging system that runs under Windows systems and can be accessed by web browsers, the Windows In-box, Exchange client or Outlook. The Exchange server also stores files for sharing.

MPLS. MultiProtocol Label Switching is an IETF initiative that integrates Layer 2 information into Layer 3 (IP) packets.

MTU. Maximum Transmission Unit. The largest size packet that a device can transmit on a network.

Network Acceleration. Addresses high WAN latency and TCP chattiness. This is achieved using standard TCP acceleration techniques, such as adjustable windows and selective acknowledgements.

Network Integrity. Protects traffic from collateral congestion in a shared service provider network by mitigating the impact of dropped and out-of-order packets.

Network Memory™. Addresses limited bandwidth. This technology uses advanced fingerprinting algorithms to examine all incoming and outgoing WAN traffic. Network Memory localizes information and transmits only modifications between locations.

NFS. Network File System. The file sharing protocol in a UNIX network.

OOO. Out-of-Order [packets]

out-of-path. Same as Router mode. In an out-of-path deployment, policy-based routing (PBR), VRRP, or WCCP redirect the traffic to the Silver Peak appliance for processing.

packet coalescing. When packets are small, packet headers consume substantial bandwidth in comparison to the amount of end-user data transferred. Packet coalescing combines multiple user packets traveling between the same two sites into a single coalesced packet. Used in conjunction with header compression, this amortizes a single header over multiple packets thus decreasing overhead, and therefore bandwidth requirements. Packet coalescing is particularly beneficial for web applications, VoIP, and interactive applications, like Citrix.

pass-through traffic. Traffic that is sent to the WAN without being optimized.

payload compression. Uses algorithms to identify relatively short byte sequences that are repeated frequently over time. These sequences are then replaced with shorter segments of code to reduce the size of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find duplication across packets and even across flows.

PBR. Policy-based routing is a technique used to make routing decisions based on policies set by the network administrator.

Propagate Link Down. Forces the WAN interface to go down when the corresponding LAN interface goes down, or vice versa. By default, this option is enabled on the Configuration - System page.

ping. A program used to test whether a particular network destination is online, by sending an Internet Control Message Protocol (ICMP) echo request and waiting for a response. [Peribit]

POC. Packet Order Correction. To avoid retransmissions that occur when packets arrive out of order, Silver Peak NX appliances use Packet Order Correction (POC) to resequence packets on the far end of a WAN link, as needed.

QoS. Quality of Service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow. QoS involves several functions: 1) classification of packets into traffic classes based on characteristics such as source, destination addresses, and/or applications and 2) queuing and service mechanisms that are used to apply service policies based on these classifications, including bandwidth allocation.

RADIUS. Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) management for computers to connect and use a network service. It is a client/server protocol that uses UDP as transport.

Router mode. Out-of-path deployment, where data traffic is redirected by using policy-based routing (PBR), Web Cache Coordination Protocol (WCCP), or Virtual Router Redundancy Protocol (VRRP).

RTT. Round-trip time. The time it takes to send a packet to a remote host and receive a response; used to measure delay on a network at a given time. [Peribit]

SMB. Server Message Block. An application-level network protocol mainly used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

SMB2. Server Message Block, version 2.

SMTP. Simple Mail Transfer Protocol. A de facto standard for electronic mail (e-mail) transmissions across the Internet.

SNMP. Simple Network Management Protocol. A standard TCP/IP protocol for network management. Network administrators use SNMP to monitor network devices, performance, and security, and to manage configurations and collect statistics.

SSL. Secure Socket Layer. These are cryptographic protocols that provide secure communications for such things as web browsing, email, and other data transfers over the internet.

subnet. A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet. Dividing a network into subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.

switch. A network device that filters and forwards frames based on the destination address of each frame. The switch operates at Layer-2 (data link layer) of the Open System Interconnection (OSI) model.

TACACS+. Terminal Access Controller Access-Control System Plus is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services. It uses TCP for its transport. Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret.

TCP. Transmission Control Protocol. The error-correcting Transport layer (Layer-4) in the TCP/IP protocol suite. It ensures that all data arrive at the other end accurately and completely intact.

TCP acceleration. A set of techniques for mitigating the impacts of latency across the WAN. They include adjustable window sizing and selective acknowledgements.

TCP/IP. Transmission Control Protocol/Internet Protocol. A protocol suite for communication between computers, used as a standard for transmitting data over networks and as the basis for standard Internet protocols.

Telnet. A terminal emulation protocol used on the Internet and TCP/IP-based networks. A Telnet program allows a user at a terminal or PC to log in to a remote computer and run a program and execute other Unix commands.

throughput. The average rate of successful message delivery over a communication channel.

tunneling. Encapsulating one type of network protocol (called the payload protocol) within a different delivery protocol. Reasons to use tunneling include carrying a payload over an incompatible delivery network, or to provide a secure path through an untrusted network.

UDP. User Datagram Protocol. Part of the TCP/IP protocol suite, it was created to provide a way for applications to access the connectionless features of IP. UDP provides for exchange of datagrams without acknowledgements or guaranteed delivery.

VLAN. Virtual Local Area Network. A means by which LAN users on different physical LAN segments are afforded priority access privileges across the LAN backbone so that they appear to be on the same physical segment of an enterprise-level logical LAN.

VLAN tag. See 802.1q encapsulation.

VoIP. Voice-Over-Internet-Protocol. A protocol optimized for the transmission of voice through the Internet or other packet-switched networks.

VRRP. Virtual Router Redundancy Protocol is a standard redundancy protocol designed to increase the availability of servicing hosts on the same subnet.

WAN. Wide Area Network.

WAN Rx. Traffic received from the WAN.

WAN Tx. Traffic transmitted to the WAN.

WCCP. Web Cache Communications Protocol. A Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms.

X.11. An application redirect protocol; a distributed window system that is based on the client/server model.

Index

Symbols

151

A

Access Control Lists 30–32

application groups in 42

characteristics of 30

how they filter traffic 31–32

modifying an ACL rule 30

Alarm Log Viewer 198

alarms

clearing 240

current

viewing 249–250

list of types and text 241–248

severity levels 240

appliance configuration file

See configuration file

application groups

creating 42–43

properties of 42

using in MATCH criteria 42

applications

built-in

list of 33–39

viewing 39

statistics 141, 149–150, 151

asymmetric networks or flows

See flow redirection

Audit Log 199

Auto Tunnel 4, 14, 16, 46

auto-optimization 4, 14, 27, 45, 48, 58, 69–71, 72, 74

SET actions diagram 77

TCP, Router mode handshaking 70

B

bandwidth

dynamic chart 145

bandwidth management

auto bandwidth 93

best practices 88

for multiple tunnels 88

multiple traffic classes 88

bandwidth shaping 14

See also Configuration - Tunnels page

banners

login message 191

Message of the Day 191

blan0 See etherchannel bonding

bridge mode

statistics 136

bwan0 See etherchannel bonding

bypass

See System Bypass

C

CIFS Acceleration 108

disabled in Tunnel Compatibility Mode 21

cluster interface 116, 118

configuration file

downloading

from a local disk 220

saving 218

current flows

customizing which columns display 155

details of 156–159

resetting for improved performance 166

statistics 136, 152–166

unaccelerated TCP 166

See also flows

D

Debug Dump 200, 201

debug files

Debug Dump 200, 201

deleting 205

Log 200, 201

saving to

a remote server 202

an FTP server 204

an SCP server 203

Show Tech 200, 201

Snapshot 200, 201

TCP Dump Result 200, 201

types of 200

See also logs

DSCP markings 84, 85, 109

apply to

pass-through traffic 98–100

applying to

optimized traffic 95–97

definitions list 100–101

E

encapsulation 14

encryption

hard disk 209

etherchannel bonding

configuring 6

gigabit, for 4-port devices 5

Events Log 197

F

FEC

See Forward Error Correction

flow counts

statistics 146

TCP and non-TCP 171

See also current flows

flow redirection

asymmetric networks and flows 112

configuration example 115–118

for LAN-initiated traffic 114

for removing asymmetry 112

reporting 119

statistics 136, 173–174

for WAN-initiated traffic 113

Forward Error Correction

dynamic chart 147

statistics 147, 171, 172

in Tunnel Compatibility Mode 21

FTP server capability in appliance 188

I

inbound traffic 138, 170

interfaces

manually configuring for DHCP 9

statistics 136, 176–177

L

latency

statistics 171

login message banner 191

logs

Alarm Log Viewer 198

Audit Log 199

deleting files 205

Event Log Viewer 197

loss

dynamic chart 147

M

MATCH criteria

5-tuple 28

application groups in 42

how they filter traffic 31–32

specifying applications and protocols in 29

Message of the Day 191

MIBs, list of standard and proprietary 184

N

NetFlow

statistics 136

network connectivity, testing 223–225

See also ping, traceroute, and tcpdump

Network Memory

available settings 105

benefit scenarios 105

definition 105

disabled in Tunnel Compatibility Mode 21

erasing 236

hard disk encryption 209

pre-positioning data into 188, 189

See also Optimization policies

O

CIFS Acceleration

See also Optimization policies 108

Optimization policies 77, 104–110

Configuration page organization 110

default behaviors 27

when the appliance can apply them 110

Payload Compression

See also Optimization policies 106

TCP Acceleration

See also Optimization policies 106

outbound traffic 138, 170

Out-of-Order Packets (OOP)

dynamic chart 148

See Packet Order Correction

P

packet coalescing

in Tunnel Compatibility Mode 21

Packet Order Correction

statistics 171

in Tunnel Compatibility Mode 21

pass-through traffic

applying DSCP markings 98–100

Payload Compression 106

disabled 21

ping 224, 226–227

POC

See Packet Order Correction

power, connecting and verifying 266–305

pre-positioning data 188, 189

Q

QoS policies 83–101

Configuration page organization 94

default behaviors 27, 84

QoS shaping and marking 21

QoS statistics 136, 167

R

reboot clean 237

rebooting the appliance 237

redirection

for TCP flow symmetry 7, 37, 68, 71

out-of-path traffic 4, 14, 16, 46, 72–75

Reorder Wait Time 172

restarting the appliance 237

Route policies 45–81

auto optimization ??–71

auto-optimization 69–??

Configuration page organization 81

default behaviors 27

where to direct flows 76–80

S

SET actions 27, 30, 31

in Optimization policies 104, 110

in QoS policies 94

in Route policies 46, 76–80, 81

Shaper 14, 27, 77, 83, 84, 86, 88, 94

defining Traffic Classes and limits with 89–92

Show Tech 200, 201

shutdown 237

Snapshot 200, 201

SNMP

configuring SNMP settings 185

loading SNMP MIBs 184

software management

installing a software image

into a partition 212

options 210–211

switching partitions 215

software version

listed 208

statistics

about viewing 138–140

applications 141, 149–150

bridge mode 136

counters

clearing non-destructively 139

view since reboot 138

current flows 136, 152–166

Delta Stats 139

flow counts 146

flow redirection 136, 173–174

Forward Error Correction 147

interfaces 136, 176–177

NetFlow 136

QoS 136, 167

refreshing 139

tunnel 168–172

subnet sharing 4, 14, 46, 72, 73

how to use in common deployments 47–68

Support, contacting 206

System Bypass 17, 208

system information, displayed 208

T

TCP Acceleration 106

disabled 21

TCP flows

asymmetric

See flow redirection

tcpdump 200, 201, 225

options 230–233

retrieving results 234–235

Technical Support, contacting 206

traceroute 225, 228–229

traffic

direction of flows 138

inbound 138

outbound 138

tunnel

characteristics 15

diagram of directing flows to 76–77

encapsulation 21

manually creating a 17–20

parallel 15

parameters

FEC 21

POC 21

QoS shaping and marking 21

reduced functionality, indicating 21

statistics 168–172

traffic

how Route Policies affect 14

Tunnel Compatibility Mode 21

disabled optimizations 21

preserved functionalities 21

U

uptime, of appliance 208

V

VLANs

in Current Flows Details 157

W

web

protocol settings 194

user settings 194

Silver Peak Systems, Inc.
2860 De La Cruz Blvd., Suite 100
Santa Clara, CA 95050

1.877.210.7325
+1.408.935.1850

www.silver-peak.com
