Overview

Out-of-Path with PBR and VRRP Redundant Silver Peak Appliances : Overview

Overview

In this example, Site A deploys two primary appliances out-of-path (Router mode), and Site B deploys a single appliance in-line (Bridge mode).

The peered appliances at Site A use the Virtual Router Redundancy Protocol (VRRP) to create and share a common IP address, called the Virtual IP (VIP) address. Configuring for high availability assigns one appliance a higher priority than the other appliance, thereby making it the Master, and the other, the backup.

The appliance at Site B has separate tunnels going to each of the two appliances at Site A:

•

If one of the appliances at Site A is down, then Site B only sends traffic to the appliance (tunnel) that is up.

•

If both appliances at Site A are up, then Site B sends traffic to the tunnel (appliance) that has higher VRRP priority.

Network Diagram

Out-of-Path Deployment: Redundant Silver Peak Appliances using Policy-Based-Routing (PBR)

The Silver Peak appliances optimize traffic to/from 10.110.31.0/24 and 10.110.11.0/24.

The following table summarizes installation considerations:

Summary

Appliance Placement

Both appliances are attached to the same available subnet via an Ethernet LAN switch:

•

Each appliance’s wan0 interface connects to the Ethernet switch that is connected to the available WAN interface

•

Do not connect lan0 interface of either appliance

Failure Method

Fails Open:

•

The failed appliance behaves as unconnected port in all failure cases (hardware, software, power).

•

The redundant Silver Peak appliance assumes the Silver Peak Appliance Virtual IP Address.

•

Remote appliances switch to the redundant appliance.

IP Addresses

This deployment model requires five IP addresses:

•

Each appliance needs a Silver Peak Appliance IP data path address (to originate and terminate tunnels).

•

The two appliances share one Silver Peak Appliance Virtual IP Address for VRRP.

•

Each appliance needs a Silver Peak Management IP Address (for appliance configuration and management).

Configure PBR on WAN router

•

Direct traffic from LAN (subnet/interface) destined for WAN to Silver Peak Appliances’ Virtual IP Address

•

Do NOT enable this PBR on the interface to which the Silver Peak appliances connect

Fail-Safe Behavior

Fail-safe behavior should always be tested before production deployment by ensuring that traffic continues to flow in each of the following cases:

1

With the appliance in bypass state

2

With the appliance powered off

3

With the tunnels administratively down.

Collecting the Necessary Information

The example makes the following assumptions:

n

You’re not using DHCP.

n

For all interfaces, speed and duplex are left at the default, which is auto-negotiation.

n

Although it isn’t a requirement, it’s considered a best practice to use different subnets for mgmt0 and the Appliance IP.

Out-of-Path Deployment: Silver Peak Appliance peered with an L3 router using Virtual Router Redundancy Protocol (VRRP)

Hostname

A1

A2

B

Mode

Router / Out-of-Path

Router / Out-of-Path

Bridge / In-line

Admin Password: Old

admin

admin

admin

Admin Password: New / Confirm

Time Zone

NTP Server IP Address

License (for virtual appliance only)

mgmt1 IP Address / Mask

10.10.10.1/30

10.10.10.2/30

---

mgmt0 IP Address / Mask¹

192.168.1.7/24

192.168.1.8/24

192.168.1.9/24

mgmt0 Next-hop IP Address

192.168.1.1

192.168.1.1

192.168.1.1

Appliance data path IP Address / Mask

10.110.31.100/24

10.110.31.101/24

10.110.11.100/24

Appliance data path Next-hop IP

10.110.31.1/24

10.110.31.1/24

10.110.11.1/24

LAN Next-hop IP Address (optional) ²

not applicable

not applicable

---

VRRP Group ID

1

1

---

VRRP Virtual IP Address (VIP)

10.110.31.254

10.110.31.254

not applicable

VRRP Priority

130

128

not applicable

1

In this example, all mgmt0 IP addresses are in the same subnet. In your actual network, it’s likely that mgmt0 IP addresses are in different subnets.

2

LAN next-hop IP is only required when there are subnets for which the Silver Peak appliance does not have a configured IP address.

Summary of Configuration Tasks

Task

Notes

For detailed instructions, see...

1

Gather all the IP addresses needed for setup

Saves time and avoids mistakes.

“Collecting the Necessary Information”.

2

Install the appliance into the network

Physical appliance: Connect both appliances to the same available subnet via an Ethernet LAN switch. Verify connectivity, connect power, and verify LEDs.

Virtual appliance: Configure the hypervisor, with the required interfaces.

Silver Peak Appliance Manager Operator’s Guide

Quick Start Guides

3

Configure the peer appliances at Site A

In a browser, access and use the Initial Configuration Wizard to configure each appliance.

Reboot the appliances after finishing the configuration.

“Using the Initial Config Wizard for Site A”

4

Configure VRRP for the Site A peers

You’ll configure one appliance to be the Master, and the other to be the Backup.

“Configuring VRRP on A1 and A2”

5

Configure flow redirection for the Site A peers

When you create a cluster, the peers keep track of which appliance owns each flow. If the path between client and server isn’t the same in both directions, the flow is redirected to the appliance that first saw it and “owns” it.

“Configuring Flow Redirection”

6

Configure Site B’s appliance

In a browser, access and use the Initial Configuration Wizard to configure the appliance.

Reboot the appliance after finishing the configuration.

“Using the Initial Config Wizard with Site B”

7

Verify appliance connectivity

Tests data path connectivity.

Do NOT proceed until you verify connectivity.

“Verifying Appliance Connectivity”

8

Enable subnet sharing

This prepares each appliance to share local subnets.

“Enabling Subnet Sharing”

9

Create a tunnel on each appliance

Specify the local and remote endpoints for the tunnel.

“Creating Tunnels and Updating the Subnet Table”

10

Manually add Site A’s non-local subnets

Manually add subnets that aren’t directly connected to an appliance interface so they can be advertised.

“Configuring A1 and A2 to Advertise Non-Local Subnets”

11

Configure the router

Access the router’s command line interface, and configure the router for policy-based routing.

“Configuring the Cisco Router for Policy-Based Routing (PBR)”

12

Test the connectivity from both ends

Verify that the tunnel is up and that flows are being optimized.

“Verifying Traffic”

Hostname	A1	A2	B
Mode	Router / Out-of-Path	Router / Out-of-Path	Bridge / In-line
Admin Password: Old	admin	admin	admin
Admin Password: New / Confirm
Time Zone
NTP Server IP Address
License (for virtual appliance only)
mgmt1 IP Address / Mask	10.10.10.1/30	10.10.10.2/30	---
mgmt0 IP Address / Mask¹	192.168.1.7/24	192.168.1.8/24	192.168.1.9/24
mgmt0 Next-hop IP Address	192.168.1.1	192.168.1.1	192.168.1.1
Appliance data path IP Address / Mask	10.110.31.100/24	10.110.31.101/24	10.110.11.100/24
Appliance data path Next-hop IP	10.110.31.1/24	10.110.31.1/24	10.110.11.1/24
LAN Next-hop IP Address (optional) ²	not applicable	not applicable	---
VRRP Group ID	1	1	---
VRRP Virtual IP Address (VIP)	10.110.31.254	10.110.31.254	not applicable
VRRP Priority	130	128	not applicable

	Task	Notes	For detailed instructions, see...
1	Gather all the IP addresses needed for setup	Saves time and avoids mistakes.	“Collecting the Necessary Information”.
2	Install the appliance into the network	Physical appliance: Connect both appliances to the same available subnet via an Ethernet LAN switch. Verify connectivity, connect power, and verify LEDs. Virtual appliance: Configure the hypervisor, with the required interfaces.	Silver Peak Appliance Manager Operator’s Guide Quick Start Guides
3	Configure the peer appliances at Site A	In a browser, access and use the Initial Configuration Wizard to configure each appliance. Reboot the appliances after finishing the configuration.	“Using the Initial Config Wizard for Site A”
4	Configure VRRP for the Site A peers	You’ll configure one appliance to be the Master, and the other to be the Backup.	“Configuring VRRP on A1 and A2”
5	Configure flow redirection for the Site A peers	When you create a cluster, the peers keep track of which appliance owns each flow. If the path between client and server isn’t the same in both directions, the flow is redirected to the appliance that first saw it and “owns” it.	“Configuring Flow Redirection”
6	Configure Site B’s appliance	In a browser, access and use the Initial Configuration Wizard to configure the appliance. Reboot the appliance after finishing the configuration.	“Using the Initial Config Wizard with Site B”
7	Verify appliance connectivity	Tests data path connectivity. Do NOT proceed until you verify connectivity.	“Verifying Appliance Connectivity”
8	Enable subnet sharing	This prepares each appliance to share local subnets.	“Enabling Subnet Sharing”
9	Create a tunnel on each appliance	Specify the local and remote endpoints for the tunnel.	“Creating Tunnels and Updating the Subnet Table”
10	Manually add Site A’s non-local subnets	Manually add subnets that aren’t directly connected to an appliance interface so they can be advertised.	“Configuring A1 and A2 to Advertise Non-Local Subnets”
11	Configure the router	Access the router’s command line interface, and configure the router for policy-based routing.	“Configuring the Cisco Router for Policy-Based Routing (PBR)”
12	Test the connectivity from both ends	Verify that the tunnel is up and that flows are being optimized.	“Verifying Traffic”

Please send comments or suggestions regarding user documentation to techpubs@silver-peak.com.