Out-of-Path with Policy-Based-Routing Redirection : Overview
Overview
This scenario deploys Site B in-line and the Site A network out-of-path using an available spare router port. Policy-Based Routing (PBR) is configured on interfaces of Site A’s router to redirect traffic destined for the WAN to the Silver Peak appliance.
Network Diagram
Out-of-Path Deployment with Policy-Based Routing (PBR): Router Mode [requires spare router port]
In this example, the Silver Peak appliance optimizes traffic to/from 172.60.10.0/24 and 172.80.10.0/24.
Summary
Appliance Placement
Attached to available router interface:
Silver Peak appliance wan0 interface connects to available router WAN interface
Do not connect lan0 interface
Failure Method
Fails-Open:
The appliance behaves as an unconnected port in all failure cases (hardware, software, power)
The WAN router sees the link to the appliance go down, Policy-Based Routing fails, unicast routing forwards traffic normally.
IP Addresses
This deployment model requires two IP addresses (on the same or separate subnets):
Silver Peak Appliance data path IP address (to originate and terminate tunnel)
Silver Peak Management IP Address (for appliance configuration and management)
 
Configure PBR on WAN router
Direct traffic from LAN (subnet/interface) destined for WAN to Silver Peak appliance
Direct traffic from WAN (subnet/interface) destined for LAN to Silver Peak appliance
Do NOT enable this PBR on the interface to which the Silver Peak appliance connects
Fail-Safe Behavior
Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:
1
With the appliance in bypass state
2
With the appliance powered off
3
With the tunnels administratively down.
Summary of Initial Configuration Tasks
The configuration steps are as follows:
 
Task
Notes
For detailed instructions, see...
1
Gather all the IP addresses needed for setup
Saves time and avoids mistakes.
“Collecting the Necessary Information”.
2
Install the appliance into the network
Physical appliance: Connect the Site A appliance to the Site A router, and insert the Site B appliance between its WAN edge router and the Ethernet switch. Verify connectivity, connect power, and verify LEDs.
Virtual appliance: Configure the hypervisor, with the required interfaces.
Silver Peak Appliance Manager Operator’s Guide
Quick Start Guides
3
Configure Site A’s appliance1
From a web browser, access and use the Initial Configuration Wizard to configure the appliance in Router mode.
Reboot the appliance after finishing the configuration.
“Using the Initial Config Wizard”.
5
Configure the router
Access the router’s command line interface, and configure the router for policy-based routing.
“Configuring the Router to Redirect Traffic”.
6
Site A Appliance: Create tunnel and Route Policy entry
Use the Appliance Manager to configure Site A’s Silver Peak appliance.
“Verifying Traffic”.
7
Configure Site B’s appliance for in-line deploymenta
Use the Initial Configuration Wizard to configure Site B’s appliance in Bridge mode.
Reboot the appliance.
“Configuring Site B’s Appliance”.
1
IMPORTANT: The Appliance Next-hop IP Address must be the IP address of the WAN edge router. This may or may not be the same as the LAN Next-hop IP Address for hosts on the LAN side of your network. If in doubt, check with your network administrator.

Collecting the Necessary Information
The example makes the following assumptions:
n
You’re not using DHCP.
n
Speed and duplex for all interfaces are left at the default: auto-negotiation.
n
Although it isn’t a requirement, it’s considered a best practice to use different subnets for mgmt0 and the Appliance IP.
Out-of-Path Deployment with Policy-Based Routing (PBR): Router Mode [Spare Router Port Available]
Hostname
A
B
Mode
Out-of-Path (Router)
In-line (Bridge)
Admin Password: Old
admin
admin
Admin Password: New / Confirm
 
 
Time Zone
 
 
NTP Server IP Address
 
 
License (for virtual appliance only)
 
 
mgmt0 IP Address / Mask1
172.60.10.100 / 24
172.80.10.100 / 24
mgmt0 Next-hop IP Address
172.60.10.1
172.80.10.1
Appliance data path IP Address / Mask
172.70.10.101 / 24
172.80.10.101 / 24
Appliance data path Next-hop IP
172.70.10.1
172.80.10.1
LAN Next-hop IP Address (optional) 2
not applicable
---
1
In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it’s likely that mgmt0 IP addresses are in different subnets.

2
LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.