
Hands-On Training – Riverbed Services Platform

Version 1.0 – Feb 2009


Hands-On Training - RSP

HANDS-ON TRAINING – RIVERBED SERVICES PLATFORM (RSP)


Introduction
Welcome to this lab exercise. The objectives of this lab are to show you how to create your own RSP package and how to
choose the correct deployment type. When you complete this lab, you will see that the possibilities with RSP are nearly endless.
Want to run Snort as your IDS/IPS? A Windows® 2003 print server at the branch? A pre-built virtual appliance from the
VMware Marketplace? You can do all of that with RSP.

For the first part of this lab, we will use m0n0wall as the sample package. m0n0wall is a free firewall package that is based on
BSD; it was chosen because of its small footprint in terms of memory and disk size. However, the process covered in the
first part of this lab applies to all packages, whether m0n0wall or Windows® 2003.

You can find more information on m0n0wall at http://m0n0.ch/wall/. The m0n0wall package used in this lab has been
modified to include an extra NIC for management purposes.

In the second and third portions of the lab, we will look at specific deployment types and at how to configure the data flow
rules that redirect traffic to the package.

The following assumptions have been made:

• You are somewhat familiar with the concept of virtualization and have a basic understanding of VMware Workstation
or VMware Server;
• You have already upgraded the Steelhead’s memory per the RSP requirement.

Software required for this lab

Unless otherwise noted, all the software can be downloaded from the Riverbed Support website.

• VMware Workstation or VMware Server – http://www.vmware.com
• m0n0wall package
• RiOS 5.5.1 or later
• RSP image for the Steelhead
• RSP license
• RSP Package Creator
• PuTTY SCP (pscp) – available for download from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Network Topology
This is the topology that we’ll be using for this lab. Note that there is no Network Nightmare in this topology and that it is a
bridged network: every device is on 172.30.1.0/24.

• PC (branch side): 172.30.1.11
• Branch-side Steelhead: primary (P) 172.30.1.50, in-path (InP) 172.30.1.51
• Server-side Steelhead: primary (P) 172.30.1.40, in-path (InP) 172.30.1.41
• Server: 172.30.1.30

Preparing for the lab

• Download and unzip the m0n0wall package to c:\rsp\packages\m0n0wall (note “zeros” and not alphabet “O’s” for
m0n0wall)

© 2009 Riverbed Technology, Inc. All rights reserved. 1


• Place PuTTY SCP (pscp.exe) in the c:\rsp\packages folder
• Place the RSP Package Creator in the c:\rsp\packages folder
• Install VMware Workstation or VMware Server on the client PC
• Install the RSP license on the Branch-side Steelhead

Part 1
Using the RSP Package Creator to create the package
Convert the growable VMDK to a pre-allocated VMDK
Creating VMware images with growable VMDKs is common practice, as it does not require the disk space to be allocated at
creation time. However, the current release of RSP does not support growable disks. If you have VMware images that use
growable VMDKs, you will need to convert them to pre-allocated VMDKs using vmware-vdiskmanager.

vmware-vdiskmanager is a tool that comes with VMware Workstation/Server/ESX. It is not available with VMware Player.

The author of m0n0wall created the package using a growable VMDK, so it needs to be converted to a pre-allocated VMDK.

1. Open a command prompt window
2. Navigate to the c:\rsp\packages\m0n0wall directory (note “zeros” and not alphabet “O’s” for m0n0wall)
3. Run the following command to convert the growable VMDK to a pre-allocated VMDK (-t 2 selects a single pre-allocated
file):
vmware-vdiskmanager -r m0n0wall.vmdk -t 2 m0n0wall2.vmdk

vmware-vdiskmanager should be in your search path. If it is not, specify the absolute path.

4. Rename m0n0wall2.vmdk to m0n0wall.vmdk:
vmware-vdiskmanager -n m0n0wall2.vmdk m0n0wall.vmdk

Running the rename command overwrites the original VMDK. This is intentional.

You should see, amongst other files, two files in the directory: m0n0wall.vmdk and m0n0wall-flat.vmdk. The m0n0wall.vmdk file
(the text descriptor) should be < 1K, and m0n0wall-flat.vmdk (the pre-allocated disk data) should be approximately 27MB.
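Before running the RSP Package Creator it is worth checking programmatically that every disk in the VM folder really is pre-allocated, since a growable disk that slips through will only fail later on the Steelhead. The following is an added example, not part of this lab and not Riverbed or VMware code. It reads a VMDK descriptor, either a plain-text descriptor such as the converted m0n0wall.vmdk or the descriptor embedded after the binary header of a growable (sparse) VMDK, reports whether all extents are FLAT, and checks that each flat extent’s backing file has exactly sectors × 512 bytes on disk. The two sample descriptors and the sparse-header fixture are constructed for the example; the 55296-sector size is an assumption chosen to match a ~27MB disk.

```python
# Added example: sanity-check VMDK descriptors before building an RSP package.
# Not Riverbed or VMware code; the sample descriptors below are constructed.
import re
import struct
from dataclasses import dataclass

SECTOR = 512                 # VMDK sizes are expressed in 512-byte sectors
SPARSE_MAGIC = b"KDMV"       # first four bytes of a growable (sparse) VMDK
# SparseExtentHeader prefix: magic, version, flags, capacity, grainSize,
# descriptorOffset, descriptorSize (little-endian; the last four in sectors)
SPARSE_HDR = struct.Struct("<4sIIQQQQ")

EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(FLAT|SPARSE|ZERO)\s+"([^"]+)"', re.M)
CREATETYPE_RE = re.compile(r'^createType\s*=\s*"([^"]+)"', re.M)


@dataclass
class Extent:
    access: str      # RW / RDONLY / NOACCESS
    sectors: int     # extent size in sectors
    kind: str        # FLAT = pre-allocated, SPARSE = growable
    filename: str    # backing file named in the descriptor


def load_descriptor(data: bytes) -> str:
    """Return descriptor text from raw .vmdk bytes. A pre-allocated disk's
    .vmdk is the text descriptor itself; a sparse disk embeds the descriptor
    after a binary header, at descriptorOffset sectors."""
    if data[:4] == SPARSE_MAGIC:
        _, _, _, _, _, desc_off, desc_size = SPARSE_HDR.unpack_from(data, 0)
        raw = data[desc_off * SECTOR:(desc_off + desc_size) * SECTOR]
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return data.decode("ascii", "replace")


def parse_descriptor(text: str):
    """Return (createType, [Extent, ...]) parsed from descriptor text."""
    m = CREATETYPE_RE.search(text)
    create_type = m.group(1) if m else None
    extents = [Extent(a, int(n), k, f) for a, n, k, f in EXTENT_RE.findall(text)]
    return create_type, extents


def is_preallocated(text: str) -> bool:
    """True only when the descriptor lists extents and every one is FLAT."""
    _, extents = parse_descriptor(text)
    return bool(extents) and all(e.kind == "FLAT" for e in extents)


def check_extents(text: str, file_sizes: dict) -> list:
    """file_sizes maps backing filename -> size on disk in bytes.
    Returns a list of problems; an empty list means the disk is ready."""
    problems = []
    _, extents = parse_descriptor(text)
    if not extents:
        return ["descriptor lists no extents"]
    for e in extents:
        if e.kind != "FLAT":
            problems.append(f"{e.filename}: {e.kind} extent is growable; "
                            "convert with vmware-vdiskmanager -r <src> -t 2 <dst>")
            continue
        expected = e.sectors * SECTOR
        actual = file_sizes.get(e.filename)
        if actual is None:
            problems.append(f"{e.filename}: backing file missing")
        elif actual != expected:
            problems.append(f"{e.filename}: {actual} bytes on disk, "
                            f"descriptor expects {expected} ({e.sectors} sectors)")
    return problems


# --- constructed sample descriptors (size assumed: 55296 sectors = 27 MiB) ---
FLAT_DESC = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 55296 FLAT "m0n0wall-flat.vmdk" 0

# The Disk Data Base
#DDB
ddb.adapterType = "ide"
"""

SPARSE_DESC = FLAT_DESC.replace('createType="monolithicFlat"',
                                'createType="monolithicSparse"') \
                       .replace('RW 55296 FLAT "m0n0wall-flat.vmdk" 0',
                                'RW 55296 SPARSE "m0n0wall.vmdk"')


def build_sparse_blob(desc: str) -> bytes:
    """Constructed fixture: a minimal growable-VMDK header (descriptor at
    sector 1, 20 sectors long) followed by the embedded descriptor text."""
    header = SPARSE_HDR.pack(SPARSE_MAGIC, 1, 3, 55296, 128, 1, 20)
    body = desc.encode("ascii").ljust(20 * SECTOR, b"\0")
    return header.ljust(SECTOR, b"\0") + body


if __name__ == "__main__":
    sizes = {"m0n0wall-flat.vmdk": 55296 * SECTOR}   # what a correct conversion leaves behind
    print("flat disk:  ", check_extents(FLAT_DESC, sizes) or "OK")
    sparse_text = load_descriptor(build_sparse_blob(SPARSE_DESC))
    print("sparse disk:", check_extents(sparse_text, sizes))
```

Run it against real files by reading each .vmdk in the VM folder, passing the bytes to load_descriptor and the os.path.getsize of the named backing files to check_extents; an empty problem list for every disk is the condition the Package Creator step relies on.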

Creating the package using the RSP Package Creator

While it is possible to create the RSP package manually, it is much easier to do so using the RSP Package Creator. The RSP
Package Creator creates the rsp.conf file and compresses the relevant VMDK files into a single package. The rsp.conf file is based
on the associated VMX file.

1. Launch the “RSP Package Creator” in c:\rsp\packages
2. In the “Virtual Machine Folder”, navigate to c:\rsp\packages\m0n0wall and click Next
3. Under “General Preferences”, enter the following information:
a. Name: m0n0wall
b. Version: 1.3b15
c. Description: m0n0wall
4. Leave “Enable Watchdog” at “No” and click Next
5. Under “Management Interfaces”, click Add
6. Enter the following information:
a. “Interface Name”, type in m0n0wall-mgmt
b. “Virtual Interface”, select VM Network Adaptor 0 and click OK
7. Under “Optimization Interfaces”, click Add
8. Enter the following information
a. “Interface Name”, type in m0n0wall-wan
b. “Interface Type”, select wan
c. “Virtual Interface”, select VM Network Adaptor 1
9. Leave everything else in its default configuration and click OK



10. Repeat steps 7 – 9, but enter the following information
a. “Interface Name”, type in m0n0wall-lan
b. “Interface Type”, select lan
c. “Virtual Interface”, select VM Network Adaptor 2
11. Click Next
12. Under “Package File Name”, type in c:\rsp\packages\m0n0wall.pkg and click on “Create Package”
13. Once the package has been created, acknowledge the notification message and click on “Finish”

Installing the RSP image

You should have already downloaded the RSP image. If not, please download the RSP image now.

1. Login to the Branch-side Steelhead
2. Navigate to the Configure > Branch Services > RSP Service page
3. Under “Install RSP”, click on “From Local File” and click “Browse”
4. Locate your RSP image then click “Install”. Wait for the installation to complete.
5. Click “Start” to enable the RSP service

Uploading the package to the Steelhead

There are three ways to upload a package to the Steelhead: browser upload, URL download, and SCP (secure copy) upload.

Browser upload is the simplest of the three, but it has a size limit of 2GB. If your package is > 2GB, you cannot use this
method to upload the package.

If your package is > 2GB, you can place the package on an HTTP server and configure RSP to download it from there instead.
Because that transfer is plain HTTP, serve the package from a host you control on the management network rather than from
an arbitrary external server.

The third way to upload the package is to use SCP. On the first connection pscp displays the Steelhead’s SSH host key
fingerprint and asks whether to cache it; confirm it belongs to the appliance before entering the admin password.

For the purpose of this exercise, we will use pscp (PuTTY secure copy), as the other two methods are self-explanatory.

1. Open a command prompt window
2. Navigate to the c:\rsp\packages directory
3. Enter the following command to push the package up to the Branch-side Steelhead:
pscp m0n0wall.pkg admin@172.30.1.50:/rsp/packages
4. Enter the password for the Steelhead
5. Navigate to Configure > Branch Services > RSP Packages. You should see m0n0wall.pkg in the list of
packages.

Slotting and enabling the package

1. Navigate to Configure > Branch Services > RSP Packages
2. Under “Slots”, click on slot 5
3. (Optional) For “Slot Name”, you can change the name of the slot to something more meaningful, e.g. m0n0wall.
4. In the pull-down list for “Package File Name”, choose m0n0wall.pkg
5. Click on Update Slot
6. If successful, you should see a message confirming that the package has been slotted.

Binding the package’s management interface to the primary/aux interface of the Steelhead
Not every package has a management interface, but if it does, you can choose to bind it to either the primary or auxiliary
interface. For m0n0wall, we will bind the management interface to the Steelhead’s primary interface.

1. Navigate to Configure > Branch Services > RSP Packages


2. Under “Slots”, click on 5, or if you renamed the slot, click on m0n0wall
3. In the section “Management Virtual Network Interfaces:”, select the primary radio button under “Physical Interface”
4. Click on Update Slot
5. The message, “Change will take effect when slot is next powered on” will appear.

Power on the package


When you slot the package, it is not automatically powered on. To power on the package, perform the following steps.

1. Navigate to Configure > Branch Services > RSP Packages
2. Under “Slots”, click on 5 or m0n0wall
3. Click on Enable Slot
4. The message “Slot "5" is now enabled” (or “Slot "m0n0wall" is now enabled”) will appear.

End of Part 1
Congratulations! You’ve successfully loaded a package on the RSP! Regardless of the package, these are the necessary steps
to load the package on the RSP. In the next section, we will look at the different deployment types and how to configure specific
features.

Part 2
Accessing and configuring the package

There are two ways to access the packages: through the VMware Infrastructure client or through the console itself.

Accessing the package through the VMWare Infrastructure client

1. Download the client from the Branch-side Steelhead: https://172.30.1.50:8333/client/VMware-viclient.exe
2. Install the client and reboot the PC if necessary
3. After installing the client, there should be a shortcut on the desktop. If not, navigate to Start > Programs > VMware >
VMware Infrastructure Client
4. For the “IP address/Name”, enter 172.30.1.50:8333
5. Login as admin and enter your password

Accessing the package through the console

1. Navigate to Configure > Branch Services > RSP Packages
2. Under “Slots”, click on 5 or m0n0wall
3. Click on Launch VM Console
4. A new window/tab will open. Login as admin and enter your password
5. Click Login

NB: After logging in, you may see an error message that says you don’t have permission to access this console. This is a
VMWare plug-in issue. If you wait for ~ 30 secs, the message will disappear.

6. You may be asked to install the browser plug-in. If so, install the plug-in and log back into the Steelhead.
7. Click in the black window to open the virtual machine.

Deployment scenarios
RSP supports the following modes of deployment: in-path, out-of-band, virtual in-path, virtual in-path (span port), and virtual
in-path (destination NAT).


In-path/In-band package
Configuring the m0n0wall package
As mentioned previously, m0n0wall is a stateful firewall based on BSD. m0n0wall also has the capability of inducing latency into
the network, similar to the function of Network Nightmare. For this exercise, we will configure m0n0wall to induce
100ms of latency and limit the bandwidth to 512Kbps.

1. Access the m0n0wall package via the console or through the VM Infrastructure client.
2. You should see a screen similar to the following
3. Type “1” to assign network ports
4. Answer “n” to the question, “Do you want to set up VLANs now? (y/n)”
5. For LAN interface name, type in em0 (e, m, numeric zero)
6. For WAN interface name, type em1 (e, m, numeric one)
7. For Optional 1 interface name, type lnc0 (lower-case alphabet “l” for lima, n, c, numeric zero)
8. Press <Enter> when it asks for the Optional 2 interface name
9. Answer “y” to the question, “Do you want to proceed”. The firewall will reboot.

A note regarding m0n0wall’s interfaces: the default m0n0wall package does not include a dedicated management interface, and
m0n0wall uses its LAN interface for management. The VM was therefore modified to include a third interface so that a
dedicated one can be used for management. The interfaces map as follows:

m0n0wall LAN – management interface (em0)
m0n0wall WAN – VNI WAN (em1)
m0n0wall Opt 1 – VNI LAN (lnc0)

10. Once the firewall comes back up, enter “2” to assign an IP address to the LAN interface.
11. If you’re using the Branch Steelhead with m0n0wall, use the IP address 172.30.1.42
12. Enter “24” for the number of bits
13. Enter “n” for enabling DHCP on the LAN
14. You can now perform the rest of the configuration through the client’s browser.
15. RDP into a client PC. Launch your browser and navigate to the IP address that you’ve given to m0n0wall.
16. Login as “admin”, password “mono” (alphabet “o” and not zeroes “0”). These are m0n0wall’s default credentials; change
the password (System > General setup) before the management interface is reachable from anywhere but this lab.


17. On the left hand side under “Interfaces (assign)”, click on “OPT1”.
18. Click on the checkbox for “Enable Optional 1 interface”
19. In the pull-down for “Bridge with”, select “WAN”. Click “Save”
20. On the left hand side under “Interfaces (assign)”, click on WAN. Scroll to the bottom and uncheck the box for “Block
private networks”. Click “Save”. (This is unchecked only because the lab’s WAN side is the RFC 1918 network
172.30.1.0/24; in a real deployment with a public WAN, leave it enabled.)
21. On the left hand side under “Firewall”, click on “Rules”
22. Click on “WAN”
23. Click on the “+” sign
24. Make sure the “Interface” says “WAN” and change the “Protocol” to “Any”. Click “Save”
25. On the same page, click on “OPT1”
26. Click on the “+” sign
27. Make sure the “Interface” says “OPT1” and change the “Protocol” to “Any”. Click “Save”
28. Click on “Apply changes”. (These two rules pass all traffic in both directions. They exist so that the traffic shaper can
be observed, not as a firewall policy; a production deployment would restrict them.)
29. On the left hand side under “Firewall”, click on “Traffic Shaper”.
30. Check the box “Enable traffic shaper”. Click “Save”
31. On the same page, click on “Pipes”, then click on the “+” sign
32. For “Bandwidth”, enter 512. For “Delay”, enter 50. Click “Save”
33. Click “Apply changes”
34. You should now be in the “Firewall:Traffic shaper:Rules” page. Click on the “+” sign.
35. For “Interface”, choose “OPT1”. For “Protocol”, choose “any”. Click “Save”
36. Click on either one of the “+” signs.
37. For “Interface”, choose “WAN”. For “Protocol”, choose “any”. Click “Save”
38. There should now be two rules in the list. Click “Apply Changes”
39. m0n0wall is now configured to induce 100ms of round-trip latency (50ms in each direction).
40. From the client, ping the server (172.30.1.30). What do you see? Latency should still be at LAN speed, because the
package is not yet in the data path; that is what the data flow rules in the next section add.

Configuring data flow rules for in-path packages


For in-path or virtual in-path packages, slotting and turning on the package will not cause the traffic to be redirected to the
package itself. This is by design to prevent users from disrupting any existing traffic. To redirect traffic to the package, you’ll
need to configure the data flow rules.

1. Navigate to Configure > Branch Services > RSP Data Flow

If your Steelhead has a 4-port card, you will see two data flow tables: one for inpath0_0 and the other for inpath0_1. We will
only be using inpath0_0. However, it is important to note that in a real-life scenario, if you want the package to cover multiple
in-path interfaces, you need to make sure that the package itself is capable of doing so.

2. Click “Add a VNI”
3. Select “m0n0wall:LAN” and place it at the end
4. Click “Add a VNI”
5. Select “m0n0wall:WAN” and place it at the end
6. Your data flow should now look like this:
LAN > RiOS > m0n0wall-LAN > m0n0wall-WAN > WAN
7. Now, ping from your client to the server. What do you see? Latency should still be at LAN speed.

Even after adding the package’s VNIs to the data flow, the default behavior is to pass traffic through. To start redirecting traffic
to the package, you can do one of two things: change the default IP and non-IP policy to redirect all traffic to the package, or
create specific data flow rules to redirect only the traffic you are interested in and bypass everything else.

Data flow rules are similar to in-path rules: they govern which traffic is redirected to the package. For this exercise,
we will change the default IP and non-IP policy to redirect all traffic to the package. Note that the non-IP policy covers
everything that is not IP (ARP, for example), so the package must be able to forward such frames; m0n0wall’s OPT1-to-WAN
bridge does.

Data flow rules are VNI-specific. This means that you will need to create rules for each VNI separately, depending on the
direction of the traffic.

1. Click on the “m0n0wall-LAN” VNI
2. Change the default IP and non-IP policy to “redirect traffic to slot”
3. Click on the “m0n0wall-WAN” VNI


4. Change the default IP and non-IP policy to “redirect traffic to slot”
5. Ping the server from the client; your latency should now be ~100ms

Configuring Watchdog
When deploying Steelheads in-path, you have the option of choosing fail-to-wire or fail-to-block. The same concept applies
to RSP packages. For in-path and virtual in-path packages, you can choose either fail-to-wire (traffic bypasses the package) or
fail-to-block (traffic is dropped) if the package fails. Treat this as a security decision: for a firewall or IDS/IPS package,
fail-to-wire means traffic flows uninspected for as long as the package is down, so fail-to-block is usually the right choice
outside a lab.

In this section, we will demonstrate the fail-to-wire feature. It is best for each partner to take turns performing this exercise.

1. Ping the server from the client and ensure the latency is ~ 100ms
2. Navigate to Configure > Branch Services > RSP Packages
3. Under slots, click on 5 or m0n0wall
4. Complete the configuration per the settings below:
a. Watchdog: Bypass on failure
b. Watchdog IP: 172.30.1.42
c. Watchdog Frequency: 1
d. Watchdog Timeout: 3
5. Click on “Update Slot”.
6. Initiate a continuous ping from the client to the server.
7. Access the m0n0wall console via the console or the VMware Infrastructure client.
8. Select option “5” to reboot m0n0wall
9. Watch what happens to the latency as the firewall reboots. The latency should drop from 100ms to LAN speed for
the duration of the reboot: the watchdog has stopped redirecting traffic to the slot, so the firewall is no longer in the path.
10. You can also repeat the above exercise for fail-to-block.
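The watchdog exercise above is easier to reason about as a timeline. The following is an added example, not Riverbed code: the exact RSP probe semantics are not documented on this page, so the model assumes one probe every Frequency seconds, a failure declared once no reply has been seen for more than Timeout seconds, and recovery on the next successful probe. It replays a constructed probe history such as the reboot in steps 6 to 9 and reports how long traffic ran uninspected (fail-to-wire, “bypass”) or was dropped (fail-to-block, “block”), and also the detection window in which traffic is still redirected into a dead slot before the watchdog reacts at all. All names (simulate_watchdog, summarize, REBOOT) are the example’s own.

```python
# Added example: model of the RSP slot watchdog's fail-to-wire / fail-to-block
# behaviour over a probe history. Illustrative; not Riverbed code, and the
# probe/timeout semantics are assumptions stated in the comments.
from dataclasses import dataclass
from typing import List

HEALTHY = "redirect"        # package answering probes; traffic goes through it
UNDETECTED = "undetected"   # package silent but timeout not yet exceeded
BYPASS = "bypass"           # fail-to-wire: traffic flows around the package, uninspected
BLOCK = "block"             # fail-to-block: traffic is dropped until the package recovers


@dataclass
class Sample:
    t: int          # seconds since the watchdog was enabled
    replied: bool   # did the watchdog IP answer this probe?
    state: str      # one of the four states above


def simulate_watchdog(replies: List[bool], frequency: int = 1, timeout: int = 3,
                      on_failure: str = BYPASS) -> List[Sample]:
    """replies[i] is the result of the probe sent at t = i * frequency.
    Assumptions: the slot is treated as healthy when the watchdog starts, it is
    declared failed once t - last_reply > timeout, and a single successful
    probe restores it."""
    if on_failure not in (BYPASS, BLOCK):
        raise ValueError("on_failure must be bypass (fail-to-wire) or block (fail-to-block)")
    timeline = []
    last_reply = 0
    for i, replied in enumerate(replies):
        t = i * frequency
        if replied:
            last_reply = t
            state = HEALTHY
        elif t - last_reply > timeout:
            state = on_failure
        else:
            state = UNDETECTED
        timeline.append(Sample(t, replied, state))
    return timeline


def summarize(timeline: List[Sample], frequency: int = 1) -> dict:
    """Seconds spent in each state. The security-relevant numbers are
    'bypass' (traffic passed uninspected) and 'undetected' (traffic still
    redirected into a dead slot before the watchdog noticed)."""
    out = {HEALTHY: 0, UNDETECTED: 0, BYPASS: 0, BLOCK: 0}
    for s in timeline:
        out[s.state] += frequency
    return out


# Constructed probe history for the reboot in the lab: three answered probes,
# eight unanswered ones while m0n0wall restarts, then three answered ones.
REBOOT = [True] * 3 + [False] * 8 + [True] * 3

if __name__ == "__main__":
    for mode in (BYPASS, BLOCK):
        tl = simulate_watchdog(REBOOT, frequency=1, timeout=3, on_failure=mode)
        print(mode, summarize(tl))
        print("   ", " ".join(f"{s.t}:{s.state[0]}" for s in tl))
```

With Frequency 1 and Timeout 3 the model shows a three-second undetected window before the watchdog acts; raising Timeout widens that window, which is the trade-off between tolerating a slow package and leaving traffic black-holed.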

End of Part 2
Great! You’ve successfully created and configured your first in-path RSP package! In the next section, things will be slightly
more complex as we introduce virtual in-path, destination NAT, and stream splitting.

Part 3
There are some extra prerequisites for this part of the lab.

For the Virtual in-path (with DNAT) portion of the lab:

• Windows® 2008 server (full) package with Windows Media Services already installed. This package should be built
with a “virtual in-path” optimization interface and 512MB RAM. It should be assigned the IP address 172.30.1.43
• Windows Media Services for Windows® 2008 server is a separate component and can be downloaded from
Microsoft’s website. At the time of writing, you can download it from here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9CCF6312-723B-4577-BE58-7CAAB2E1C5B7&displaylang=en
• A second client PC on the branch side
• The physical Windows® 2003 server (172.30.1.30) should have Windows Media Services already installed.

For the Out-of-band portion of the lab:

• Windows® 2003 server package configured with Active Directory, DNS, and/or DHCP. This is separate from the
physical server you used in the last portion of the exercise. This package should be built with a single management
interface and 512MB RAM. It should be assigned the IP address 172.30.1.44

Note that Riverbed does not distribute the Windows® 2008 or Windows® 2003 packages. You will need to create those VM
packages yourself.

Creating VMware images is beyond the scope of the lab. If you need additional documentation on creating VMware images,
please refer to VMware’s website.

Virtual in-path (with DNAT) package

In this section, we will set up stream splitting between a Windows 2003 server and a Windows 2008 server running on RSP. The
Windows 2003 server will act as the origin content server (OCS) while the Windows 2008 server will act as the stream-splitting
proxy.


Topology for this part: PC1 and PC2 on the branch side, the Branch-side Steelhead hosting the Windows® 2008 package at
172.30.1.43, the Server-side Steelhead, and the Server at 172.30.1.30.

Configuring the physical Windows 2003 server for sample broadcast


1. RDP into the Server
2. Click on Start > All Programs > Administrative Tools > Windows Media Services
3. Expand the tree for the server > Publishing Points > Sample_Broadcast
4. If the Sample_Broadcast publishing point is started, click on “Stop”
5. You should see the following message …
6. Click on the “Source” tab.
7. Next to the “repeatCount” field, type in indefinite. Save your changes to the playlist.
8. Click on the play button to restart the publishing point


9. Confirm the publishing point is functioning. From one client, click on Start > Run and type in
mms://<server IP or name>/Sample_Broadcast

You should now see the broadcast stream (the stream will loop indefinitely).

10. On the second client PC, initiate a second connection to the broadcast stream
11. RDP to the server and launch Windows Media Services to verify that there are two clients connected and that the
bandwidth consumed is ~ 628Kbps (two copies of the ~314Kbps stream)
12. Stop Windows Media Player on both clients.

Power on the Windows® 2008 RSP package

You should already have slotted the Windows® 2008 package onto the Branch-side Steelhead. Power on the Windows® 2008
package now.

Configuring the Windows ® 2008 package for stream splitting

1. After powering on the package, log in to Windows 2008 via the console or the VMware Infrastructure client. You can use
Ctrl+Alt+Ins to send Ctrl+Alt+Delete to the server.
2. Click on Start > Administrative Tools > Windows Media Services

If you do not see Windows Media Services, make sure you have downloaded it from Microsoft. Windows Media
Services does not come standard with Windows® 2008.

3. Expand the server > Cache/Proxy Management > Cache/Proxy Broadcast
4. Ensure that the cache/proxy is allowing new connections.
5. If you see the following message instead … click on the green “film strip” icon to allow new connections

Configuring data flow rules for VinP (with DNAT) packages

1. Click on Configure > Branch Services > RSP Data Flow > Add a VNI. Select the following:

Interface: 2:Win2K8-NIC
Data Flow position: 1

Click Add
2. Click on Win2K8-NIC
3. Under “LAN to WAN rules”, create three rules such that the table looks similar to the following:

NB: After configuring the redirect rules, you will not be able to access the Server-side Steelhead via HTTP from the clients.
If you try to access the Server-side Steelhead, Windows Media Player may pop up. The reason for this behavior is that
the second redirect rule forwards the HTTP traffic to the Windows® 2008 server. If you need to access the
Server-side Steelhead, use HTTPS, or create a more specific rule (for example, one that passes TCP port 80 to 172.30.1.40,
placed above the HTTP redirect rule, since like in-path rules these are evaluated in order and the first match wins).

4. Under “Destination NAT rule”, check the box “Enable Destination NAT”
5. For “Default Destination NAT Target IP:”, enter the IP address 172.30.1.43 and click “Apply”
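Two data-flow behaviours in this lab are easiest to see in a small model: the per-VNI default policy that passes everything through until you change it (the in-path m0n0wall steps in Part 2), and the ordered rule list where a broad HTTP redirect captures the browser session to the Server-side Steelhead (the note above). The following is an added example, not Riverbed code and not the Steelhead’s actual rule engine: it evaluates an ordered, first-match rule list per VNI with separate default policies for IP and non-IP traffic. The Win2K8-NIC rule set (TCP and UDP 1755 for MMS, TCP 80 for the HTTP fallback) is an assumption standing in for the three rules the lab has you create, chosen because the note says an HTTP rule is what captures the session; the exemption rule for 172.30.1.40 is the “more specific rule” the note suggests. Packet, Rule, Vni and the other names are the example’s own.

```python
# Added example: a first-match model of RSP data-flow rules per VNI.
# Illustrative only; this is not RiOS code and the rule sets are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REDIRECT, PASS = "redirect", "pass"


@dataclass(frozen=True)
class Packet:
    src: Optional[str]      # None for non-IP traffic (ARP, spanning tree, ...)
    dst: Optional[str]
    proto: Optional[str]    # "tcp", "udp", "icmp" or None for non-IP
    dport: Optional[int] = None

    @property
    def is_ip(self) -> bool:
        return self.src is not None and self.dst is not None


@dataclass
class Rule:
    action: str                    # REDIRECT (to slot) or PASS (bypass the package)
    src: Optional[str] = None      # CIDR; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if not pkt.is_ip:
            return False           # rules are IP rules; non-IP uses the default policy
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class Vni:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default_ip: str = PASS         # the lab's initial state: pass-through
    default_nonip: str = PASS

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason): the first matching rule wins, otherwise
        the default policy for the traffic class applies."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, f"rule {i + 1}"
        if pkt.is_ip:
            return self.default_ip, "default IP policy"
        return self.default_nonip, "default non-IP policy"


# --- Part 2: in-path m0n0wall VNI with no rules; only the default policy acts ---
PING = Packet("172.30.1.11", "172.30.1.30", "icmp")
ARP = Packet(None, None, None)


def m0n0wall_lan_vni(redirect_all: bool) -> Vni:
    policy = REDIRECT if redirect_all else PASS
    return Vni("m0n0wall-LAN", [], default_ip=policy, default_nonip=policy)


# --- Part 3: virtual in-path Win2K8-NIC, LAN-to-WAN rules (assumed rule set) ---
HTTP_TO_SERVER_SH = Packet("172.30.1.11", "172.30.1.40", "tcp", 80)   # Steelhead GUI
HTTP_TO_SERVER = Packet("172.30.1.11", "172.30.1.30", "tcp", 80)
MMS_TO_SERVER = Packet("172.30.1.11", "172.30.1.30", "tcp", 1755)

STREAM_RULES = [
    Rule(REDIRECT, proto="tcp", dport=1755),   # MMS over TCP
    Rule(REDIRECT, proto="tcp", dport=80),     # MMS fallback over HTTP: the broad rule
    Rule(REDIRECT, proto="udp", dport=1755),   # MMS over UDP
]
# More specific pass rule for the Server-side Steelhead's own management traffic.
SERVER_SH_EXEMPT = Rule(PASS, dst="172.30.1.40/32", proto="tcp", dport=80)


def win2k8_vni(exempt_position: Optional[int]) -> Vni:
    """exempt_position: index at which to insert the exemption, or None for none."""
    rules = list(STREAM_RULES)
    if exempt_position is not None:
        rules.insert(exempt_position, SERVER_SH_EXEMPT)
    return Vni("Win2K8-NIC", rules)


if __name__ == "__main__":
    print("pass-through default:", m0n0wall_lan_vni(False).decide(PING))
    print("redirect default:    ", m0n0wall_lan_vni(True).decide(PING))
    print("GUI captured:        ", win2k8_vni(None).decide(HTTP_TO_SERVER_SH))
    print("exempt first:        ", win2k8_vni(0).decide(HTTP_TO_SERVER_SH))
    print("exempt last (no-op): ", win2k8_vni(len(STREAM_RULES)).decide(HTTP_TO_SERVER_SH))
```

The last two cases are the point of the model: the same exemption rule restores access to the Server-side Steelhead only when it sits above the broad HTTP redirect, and does nothing when appended below it.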
Verifying stream splitting is working
1. On the first client PC, click on Start > Run and type in
mms://<server IP or name>/Sample_Broadcast
2. On the second client PC, click on Start > Run and type in
mms://<server IP or name>/Sample_Broadcast
3. RDP to the Server and launch Windows Media Services. You should now see that the number of connected clients is one and
the bandwidth is ~314Kbps: the proxy holds a single upstream connection and splits the stream to both clients.

Note that due to a bug in WMS on Windows® 2008, it will show zero clients connected to it even though there may be clients
connected to the server.

Out-of-band package
Configuring the Windows 2003 package
You should already have slotted the Windows® 2003 package onto the Branch-side Steelhead. Power on the Windows® 2003
package now.

1. Navigate to Configure > Branch Services > RSP Packages
2. Under slots, click on 1
3. In the section “Management Virtual Network Interfaces:”, select the primary radio button under “Physical Interface”
4. Click on Update Slot
5. The message, “Change will take effect when slot is next powered on” will appear.
6. Click on “Enable slot”
7. Access the Windows® 2003 package by using the VM console or the VMware Infrastructure client


Configuring data flow rules for Out-of-band packages

Data flow rules do not apply to out-of-band packages: the package has no optimization interface, only the management interface
you bound to primary above.

Testing the Windows 2003 package

Since the Windows 2003 package is running DNS, we can simply launch a DNS query from the client against the Windows 2003
server.

1. Add a DNS A-record to the DNS server
2. Open a command prompt window on the client
3. Perform an nslookup against the server (e.g. nslookup server.foobar.com 172.30.1.44)
4. (Optional) Modify the IP address associated with the A-record and query the DNS server again. You should see the
change that you made.


Conclusion and Summary


The RSP is an extremely powerful feature as it allows customers to run the best-of-breed applications on the Steelhead. The
“tap” technology in RSP is also unique as it allows for manipulation of the traffic either before, or after, optimization.

As the underlying virtualization engine is VMWare, it allows customers to download applications from VMWare Marketplace
(http://www.vmware.com/appliances/) and run the pre-built applications on the Steelhead without having to create the VM images
themselves.

Not all deployment scenarios are covered in this document. If you have any questions about the RSP, please contact your
Riverbed Sales Engineer.

Riverbed Technology, Inc. Riverbed Technology Ltd. Riverbed Technology Pte. Ltd. Riverbed Technology K.K.
199 Fremont Street No 1, The Courtyard, Eastern Road 391A Orchard Road #22-06/10 Shiba-Koen Plaza Building 9F
San Francisco, CA 94105 Bracknell, Berkshire RG12 2XB Ngee Ann City Tower A 3-6-9, Shiba, Minato-ku
Tel: (415) 247-8800 United Kingdom Singapore 238873 Tokyo, Japan 105-0014
www.riverbed.com Tel: +44 1344 354910 Tel: +65 6508-7400 Tel: +81 3 5419 1990

© 2009 Riverbed Technology, Inc. All rights reserved. Riverbed Technology, Riverbed, Steelhead and the Riverbed logo are trademarks or registered trademarks of Riverbed
Technology, Inc. Portions of Riverbed’s products are protected under Riverbed patents, as well as patents pending. WP-UT021506
