The Route Policy specifies where to direct flows. By default, the Route Policy auto-optimizes all unicast IP traffic, automatically directing flows to the appropriate tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for optimization. The three strategies that auto-optimization uses are subnet sharing, TCP-based auto-opt, and IP-based auto-opt.
■ Subnet sharing is the appliance’s first choice for auto-optimization. When subnet sharing is disabled, the appliance defaults to using TCP-based auto-opt and IP-based auto-opt (as a shortcut, this document may refer to it as TCP/IP-based auto-optimization).
■ When might you choose to disable subnet sharing? If your network has numerous non-local LAN-side routers, you would need to manually enter each one into the appliance’s subnet table. With TCP-based or IP-based auto-opt, this is unnecessary; however, if your appliance is not deployed in-line, you would need to configure inbound redirection using either Policy-Based Routing (PBR), Filter-Based Forwarding (FBF), or Web Cache Communication Protocol (WCCP). For a discussion of when you need inbound and outbound redirection, see “Determining the Need for Traffic Redirection”.
■ Auto-optimization uses different mechanisms for TCP versus non-TCP traffic. Because both mechanisms ultimately require an exchange of packets between two appliances, unidirectional IP traffic will not trigger auto-optimization.
■ Auto-opt may not work with a firewall in the path. Some firewalls may be configured to strip out or block the TCP options in the initial SYN packet, which will break auto-optimization. Subnet sharing does not use the TCP options field, and thus avoids this issue. Therefore, use of subnet sharing is a recommended best practice.
■ You can, if you choose, modify the default entry’s SET action of auto-optimized.
• You can, however, choose to forego auto-optimization and create any and all route policies manually.
■ If you enable auto-tunnel on the Configuration - System page, then the initial TCP-based or IP-based handshaking creates the tunnel. That requires outbound and inbound redirection to be in place.
■ You can let the Initial Configuration Wizard create the tunnel to the remote appliance.
■ You can create a tunnel manually on the Configuration - Tunnels page.
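The firewall issue noted above (TCP options stripped from the initial SYN) can be confirmed by comparing the same SYN captured on each side of the firewall. The following is an added example, not Silver Peak code; this page does not say which TCP option the appliance uses, so option kind 253 and all function names and sample headers are constructed stand-ins.

```python
import struct

def syn_option_kinds(tcp_header: bytes) -> list[int]:
    """Return the TCP option kinds carried in a raw TCP header, in order."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, kinds, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        kinds.append(kind)
        i += opts[i + 1]                         # skip kind, length and value
    return kinds

def stripped_options(before: bytes, after: bytes) -> set[int]:
    """Option kinds seen before the firewall but missing after it (NOPs ignored)."""
    return set(syn_option_kinds(before)) - set(syn_option_kinds(after)) - {1}

def build_syn(options: bytes) -> bytes:
    """Build a constructed SYN header (arbitrary ports and sequence number)."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       offset_words << 4, 0x02, 65535, 0, 0) + options

# Constructed sample data: MSS, a stand-in experimental option, SACK-permitted.
MSS, EXP, SACK_PERM = b"\x02\x04\x05\xb4", b"\xfd\x04\x12\x34", b"\x04\x02"
LAN_SYN = build_syn(MSS + EXP + SACK_PERM)                  # as sent by the appliance
WAN_SYN = build_syn(MSS + b"\x01\x01\x01\x01" + SACK_PERM)  # option overwritten with NOPs

if __name__ == "__main__":
    print("options removed in path:", sorted(stripped_options(LAN_SYN, WAN_SYN)))
```

If the set is non-empty for the option that auto-opt depends on, the firewall policy needs to permit it, or subnet sharing should be used instead.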
Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.