Simplified Routing

Simplified Routing
Maksim Ioffe, Global Consulting Engineer maksim@riverbed.com
Agenda
Packet ricochet Simplified routing (SR) description Advanced configs 802.1q trunks Asymmetric routing L2 WANs How to override SR Command summary
Take simplified out of simplified routing
2
2006 RIVERBED TECHNOLOGY, INC CONFIDENTIAL
What is packet ricochet?
router1
R
10.0.5.5/24 10.0.0.4/24 Steelhead1 inpath0_0 10.0.0.2/24
router2
R
10.0.0.1/24 Steelhead2 inpath0_0 10.0.3.3/24
What default gateway should Steelhead1 have?

If LAN side (router1), traffic to remote Steelheads must ricochet off LAN router, then through Steelhead1, then out to WAN. If WAN side (router2), traffic to local hosts must ricochet off WAN router, then through Steelhead1, then into LAN.
3
What is bad about packet ricochet?
R
10.0.5.5/24 10.0.0.4/24 Steelhead1 inpath0_0 10.0.0.2/24 10.0.0.1/24
R
Steelhead2 inpath0_0 10.0.3.3/24
Router/switch has QoS marking/enforcement on ingress interface Router may throttle traffic to LAN if bounced through router Switch may alter DSCP markings if bounced through switch Firewalls may not re-transmit packets Router may have 10/half Ethernet connection
Steelhead sees more pass-through traffic

Older routers on overload
4
How to avoid ricochet

Sites with only one subnet have no ricochet why? ARP for everything, track whether to use LAN or WAN physical interface ICMP redirects Pick a gateway that sends redirects. Steelhead uses redirect information for 5 minutes (Linux default), then must relearn Static routes Pick WAN side gateway for default, then put in static routes for LAN traffic. Simplified Routing
5
Simplified routing fundamentals

Simplified routing changes the process used to select the destination Ethernet address for packets transmitted from the inpath interfaces. Watches traffic entering and passing through the inpath interface to create a table Each entry contains: IP address, MAC address
Right before sending a packet out on the wire, do the SR table lookup, and overwrite the dst MAC address if entry is found Does not affect passthrough traffic SR table per in-path interface
6
Simplified routing walk through
R1
R
IP 10.0.0.4/24 MAC 94C2
S1
R2
R
IP 10.0.0.1/24 MAC 65DE
S2
10.0.5.5/24
S1 configured with: in-path simplified routing all Default gateway for inpath0_0 is R1
7

A B
R1
R
IP 10.0.0.4/24 MAC 94C2
S1
R2
R
IP 10.0.0.1/24 MAC 65DE
S2
10.0.5.5/24
10.0.3.7/24
SYN
TCP SYN received IP src Aip -> IP dst Bip MAC src R1mac -> MAC dst R2mac
S1 learns: IP Aip, MAC R1mac IP Bip, MAC R2mac
8

A B
R1
R
IP 10.0.0.4/24 MAC 94C2
S1
R2
R
IP 10.0.0.1/24 MAC 65DE
S2
10.0.5.5/24
10.0.3.7/24
SYN/ACK PROBE RESP
Probe response received IP src Bip -> IP dst Aip MAC src R2mac -> MAC dst R1mac
Steelhead also learns association for remote Steelhead! IP S2ip, MAC R2mac
9

A B
R1
R
IP 10.0.0.4/24 MAC 94C2
S1
R2
R
IP 10.0.0.1/24 MAC 65DE
S2
10.0.5.5/24
10.0.3.7/24
S1s inpath0_0 SR table says: IP S2ip, MAC R2mac IP Bip, MAC R2mac IP Aip, MAC R1mac
10
802.1q trunks and SR

A R1
R
S1
R2
R
S2
A is a server Suppose there are 2 VLANs representing 2 remote branch offices/subnets VLAN interfaces on R1 have different MAC addresses
To find MAC address when sending data to A, now need to know what VLAN the connection is on
11
802.1q trunks and SR
R
R
Use in-path mac-match-vlan (not on by default) SR entries now contain: IP address, VLAN ID, MAC address SR table now maps: (IP address, VLAN) -> MAC address Also need in-path vlan-conn-based (not on by default) Also may need to disable probe caching on other Steelheads
12
Probe caching interaction

A R1
R
10.0.5.5/24 VLAN 10 IP 10.0.10.4/24 VLAN 20 10.0.20.4 Steelhead1 inpath0_0 10.0.10.2/24 Inpath0_0 vlan 10 VLAN 10 IP 10.0.10.1/24 VLAN 20 IP 10.0.20.1/24
S1
R2
R
S2
10.0.3.7/24
If a connection is made from B to A, what VLAN should Steelhead1 use for the S1 <-> A traffic? If we create the connection because of an auto-discovery probe, we can learn and use the right vlan to use for the connection in-path vlan-conn-based
Solution: disable probe caching on S2 This is obviously hard to do in a large deployment! Bug filed to improve
13
Asymmetric Routing
simplified routing all learns from both src and dst info If theres asymmetric routing, src info may be wrong Use simplified routing dest-only to only learn dst info May need to turn on Enhanced Auto Discovery to learn src info from the network
14
L2 WANs
R
10.0.5.5/24 IP 10.0.0.4/24 MAC 94C2 Steelhead1 inpath0_0 10.0.0.2/24 IP 10.0.0.1/24 MAC 65DE
R
Steelhead2 inpath0_0 10.0.3.3/24 10.0.3.7/24
Steelhead acts as a L2 bridge for traffic it generates

maintains a bridging table [MAC addr->interface]
If has no entry for a MAC addr, broadcasts packet on both LAN and WAN interfaces On L2 WANs, this broadcast can leak over the WAN SR table on remote Steelhead can get corrupted with invalid info
15
L2 WANs
A
R
10.0.5.5/24 IP 10.0.0.4/24 MAC 94C2 Steelhead1 inpath0_0 10.0.0.2/24 IP 10.0.0.1/24 MAC 65DE
S1
R
S2
10.0.3.7/24
B->A
S1 generates a LAN-bound packet

S2 learns an incorrect SR mapping for B
Source MAC address was Steelhead1s own MAC address Table entry maps Bip->S1mac
Use in-path mac-except-locl (not on by default)

Only matters if Steelheads are in different subnets (why?)
16
Overriding SR Behavior
By default, if SR is on and a SR table match is found, in-path routing table is ignored What if you want to use static routes for certain subnets? Use in-path simplified mac-def-gw-only
17
Miscellaneous
Each Steelhead has a SR table big enough to hold info for each optimized connection Never run out of entries
18
Command Summary
Currently bug workarounds that are not enabled by default:
in-path simplified mac-def-gw-only (bug 15804) in-path mac-except-locl (bug 16389) in-path mac-match-vlan (bug 14662)
Simple L3 link:
in-path simplified routing all in-path peering auto
Additionally for 802.1q trunk link:

in-path vlan-conn-based
Certain asymmetric routing environments:

in-path simplified routing dest-only
19

Simplified Routing

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Simplified Routing

Diunggah oleh

Hak Cipta:

Format Tersedia

Simplified Routing

Maksim Ioffe, Global Consulting Engineer maksim@riverbed.com

Take simplified out of simplified routing

What is packet ricochet?

What default gateway should Steelhead1 have?

What is bad about packet ricochet?

Steelhead sees more pass-through traffic

How to avoid ricochet

Simplified routing fundamentals

Simplified routing walk through

Simplified routing walk through

Simplified routing walk through

SYN/ACK PROBE RESP

Simplified routing walk through

802.1q trunks and SR

802.1q trunks and SR

Probe caching interaction

Steelhead acts as a L2 bridge for traffic it generates

S1 generates a LAN-bound packet

Use in-path mac-except-locl (not on by default)

Additionally for 802.1q trunk link:

Certain asymmetric routing environments:

Anda mungkin juga menyukai