Silver Peak
WAN Optimization Appliances
Appliance Manager Operator’s Guide
VXOA 6.2
July 2014
PN 200030-001 Rev M
Silver Peak Appliance Manager Operator’s Guide
Document PN 200030-001 Rev M
Date: July 2014
Copyright © 2014 Silver Peak Systems, Inc. All rights reserved. Information in this document is subject to change at any time. Use of
this documentation is restricted as specified in the End User License Agreement. No part of this documentation can be reproduced,
except as noted in the End User License Agreement, in whole or in part, without the written consent of Silver Peak Systems, Inc.
Trademark Notification
Silver Peak Systems™, the Silver Peak logo, Network Memory™, and Silver Peak NX-Series™ are trademarks of Silver Peak
Systems, Inc. All trademark rights reserved. All other brand or product names are trademarks or registered trademarks of their
respective companies or organizations.
Warranties and Disclaimers
THIS DOCUMENTATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. SILVER PEAK SYSTEMS, INC. ASSUMES NO RESPONSIBILITY FOR ERRORS OR
OMISSIONS IN THIS DOCUMENTATION OR OTHER DOCUMENTS WHICH ARE REFERENCED BY OR LINKED TO THIS
DOCUMENTATION. REFERENCES TO CORPORATIONS, THEIR SERVICES AND PRODUCTS, ARE PROVIDED “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. IN NO EVENT SHALL SILVER PEAK SYSTEMS, INC.
BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES
WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT OF OR
IN CONNECTION WITH THE USE OF THIS DOCUMENTATION. THIS DOCUMENTATION MAY INCLUDE TECHNICAL OR OTHER
INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN;
THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE DOCUMENTATION. SILVER PEAK SYSTEMS, INC.
MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS
DOCUMENTATION AT ANY TIME.
Silver Peak Systems, Inc.
2860 De La Cruz Boulevard, Suite 100
Santa Clara, CA 95050
1.877.210.7325 (toll-free in USA)
+ 1.408.935.1850
www.silver-peak.com/support
Preface
Who Should Read This Manual?
Manual Organization
Technical Support
Appliance Management Options
Chapter 1 Getting Started
Getting Started with Deployment
Deployment Basics
How to Adjust the Basic Deployments
Configuring Next-Hops
Management Next-Hops
WAN Next-Hops
LAN Next-Hops
Modifying Interface Configuration
Taking a Quick Look at the System Page
Adding SSL Certificates and Keys for Deduplication
Chapter 2 Creating Tunnels
Overview
How Policies Affect Tunnel Traffic
Tunnel Characteristics
Parallel Tunnels
Letting the Auto-Tunnel Feature Do the Work for You
Manually Creating a Traffic-Carrying Tunnel
Tunnel Compatibility Mode
Jumbo Frames and MTU Interworking
What you need to know
Chapter 3 Building Policy Maps
What Happens to an Outbound Packet
How the Policies are Related
Default SET Actions
Understanding MATCH Criteria
Configuring MATCH Criteria in a Map or Policy
Using ACLs to Summarize Match Criteria
How Policies and ACLs Filter Traffic
Managing Applications and Application Groups
Built-in Applications
Defining User-Defined Applications
Creating and Using Application Groups
Chapter 4 Route Policy
Choose an Optimization Strategy for the Traffic Path
How to Use Subnet Sharing in Common Deployments
Data Replication and Backup Deployment
Hub and Branch Offices Deployment
VRRP (Master/Backup) with Subnet Sharing
VRRP (Master/Master) with Subnet Sharing
How TCP-based Auto-Optimization Works
Handshaking for TCP Auto-Optimization in In-Line Deployments
Handshaking for TCP Auto-Optimization in Out-of-Path Deployments
How IP-based Auto-Optimization Works
Determining the Need for Traffic Redirection
When using subnet sharing
When defaulting to TCP-based or IP-based auto-optimization
When specifying a tunnel
Where the Route Policy Can Direct Flows
Flow directed to a tunnel
Flow designated as auto-optimized
Flow designated as shaped pass-through traffic
Flow designated as unshaped pass-through traffic
Flow dropped
Continue option used in Tunnel Down Action
Route Policy Page Organization
Chapter 5 Bandwidth Management & QoS Policy
Overview
What Path a Flow Follows for Shaping
Flow sent to a tunnel
Flow sent as pass-through shaped traffic
Flow sent as unshaped pass-through traffic
Best Practices for Bandwidth Management
Summary of Bandwidth Assessment and Management Tasks
Defining Traffic Classes and Limits with the Shaper
Traffic Class Configuration
Configuring Max WAN Bandwidth
Configuring Max Bandwidth for Pass-through Shaped Traffic
Role of Tunnel Configuration Values and Features
QoS Policy Page Organization and Management
Handling and Marking Packets
Applying DSCP Markings to Optimized Traffic
Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic
Definitions of DSCP Markings
Chapter 6 Optimization Policy
Introduction
Network Memory
IP Header Compression and Payload Compression
TCP Acceleration
Protocol Acceleration
When the Appliance Can Apply the Optimization Policy
Optimization Policy Page Organization
Chapter 7 Using Flow Redirection to Address TCP Asymmetry
Introduction
Asymmetrical Networks and Flows
Removing Asymmetry with Flow Redirection
Redirection for WAN-initiated Traffic
Avoiding Asymmetry in LAN-initiated Traffic
Configuring Flow Redirection
Example #1: Simple Cluster with Two Physically Connected Peers
Flow Reporting
Chapter 8 Configuring and Managing VLANs
In This Chapter
Why configure VLAN interfaces on a Silver Peak appliance?
The Issues
The Solutions
Behavior without VLAN Configuration
How an outbound packet is processed on the untagged native VLAN
Delivering Inbound Packets to the LAN: No VLAN Interfaces
Behavior with VLAN Interfaces Configured
Multiple Logical Interfaces
How an outbound packet is processed for a tagged tunnel
Delivering Inbound Packets to the LAN: VLAN Interfaces Configured
Cisco VLAN Example with Multiple Interfaces
Chapter 9 Monitoring Traffic
Overview
About Viewing Statistics
Understanding Traffic Direction
Viewing Counters Since Last Reboot
Clearing Counters Non-Destructively
Exporting Statistical Data
Application View
Network View
Viewing Charts
Bandwidth
Reduction
Packets per Second
Flow Counts
Latency
Loss
Out-of-Order Packets
Viewing Application Statistics
Table View
Pie View
Viewing Realtime Charts
Viewing Current Flows
How Current Flows Are Organized
Customizing Which Columns Display
Current Flow Details
Resetting Flows to Improve Performance
Viewing QoS Statistics
Viewing Tunnel Statistics
LAN/WAN Statistics
Flows / Latency / Packet Correction Statistics
Viewing Flow Redirection Statistics
Viewing NetFlow Statistics
Viewing Interface Statistics
Viewing Bridge Mode Statistics
Sampling of Results
Viewing Next-hop Reachability
Chapter 10 Administration Tasks
Setting the Date and Time
Data Collection
Adding Domain Name Servers
Configuring SNMP
Loading SNMP MIBs
Configuring SNMP Settings
Configuring Flow Exports for Netflow
Pre-Positioning Data for Enhanced Acceleration Benefits
Managing User Accounts
Configuring Banners
Configuring Authentication, RADIUS, and TACACS+
Authentication and Authorization
Appliance-based User Database
RADIUS
TACACS+
What Silver Peak recommends
Configuring Settings for Web Protocols and Web Users
Configuring Log Settings
Minimum Severity Levels
Configuring Remote Logging
Understanding the Events Log
Viewing a Log of All Alarms
Viewing the Audit Log
Managing Debug Files
Types of Debug Files
Saving Files to a Remote Server
Deleting Log Files
Support
Chapter 11 System Maintenance
Viewing System Information
Upgrading the Appliance Manager Software
Overview
Installing a New Software Image into a Partition
Installing the Software Image
Switching to the Other Boot Partition
Backing Up and Restoring the Appliance Configuration File
Viewing the Appliance Configuration File
Saving the Appliance Configuration File
Restoring the Appliance Configuration File
Testing Network Connectivity
Using ping
Using traceroute
Using tcpdump
Erasing Network Memory
Restarting the Appliance
Chapter 12 Monitoring Alarms
Understanding Alarms
Categories of Alarms
Types of Alarms
Viewing Current Alarms
Appendix A Specifications, Compliance, and Regulatory Statements
Model Specifications
Model-specific Specifications
Fiber Specifications
NX-Series Specifications
Warning Statements
Class 1 Laser Products
Maintenance Port Precautions
General Safety
Compliance Statements
FCC Compliance Statement
ICES-003 statement
Requirements for Rack-Mount Equipment
Requirements for Knurled Thumb Screws
What Ports the NX and the GMS Use
Appliance Views
Appendix B Power Cords & Cable Pinouts
Power Cords by Country
Fiber Connectors
Cable Pinouts
Configuring DB-9 Console Access to the Appliance
Appendix C Glossary
Index
Preface
The Silver Peak appliances enable branch office infrastructure centralization by delivering applications
across a WAN with LAN-like performance.
Who Should Read This Manual?
Anyone who wishes to install the NX, VX, or VRX Series appliances should read this manual. Users
should have some background in Windows terminology, Web browser operation, and a knowledge of
where to find the TCP/IP and subnet mask information for their system.
Manual Organization
This section outlines the chapters and summarizes their content.
Chapter 1, “Getting Started,” describes the fundamentals and considerations of setting up a basic first
deployment. Additionally, it describes how to work with the routing table, modify network interface
parameters, configure gigabit etherchannel bonding, and add SSL certificates and keys for optimizing
encrypted traffic.
Chapter 2, “Creating Tunnels,” describes characteristics of tunnels and how their endpoints determine
the source and destination IP addresses that go into the tunnel packets. It discusses auto-tunnels and
manually created tunnels, as well as jumbo frames and MTU interworking.
Chapter 3, “Building Policy Maps,” describes how the Silver Peak appliance optimizes traffic by
allowing you to define flows with MATCH criteria and direct flows with policy maps. It also describes
techniques for streamlining your network management by using Access Control Lists (ACLs),
user-defined applications, and application groups.
Chapter 4, “Route Policy,” focuses on the SET actions that are specific to the Route policy. It discusses
subnet sharing, auto-optimization, and how to determine if you need to configure traffic redirection.
Chapter 5, “Bandwidth Management & QoS Policy,” describes the QoS Policy’s SET actions and how
the Shaper defines and manages the traffic classes assigned in the QoS Policy. It also explains how to
configure traffic classes in the Shaper for optimized and pass-through traffic, along with providing best
practices guidelines for effectively managing bandwidth.
Chapter 6, “Optimization Policy,” describes how the appliance optimizes tunnelized traffic — improving
the performance of applications across the WAN.
Chapter 7, “Using Flow Redirection to Address TCP Asymmetry,” describes how flow redirection
enables Silver Peak appliances to optimize asymmetrically routed flows by redirecting packets between
appliances.
Chapter 8, “Configuring and Managing VLANs,” describes how to configure and manage VLANs.
Chapter 9, “Monitoring Traffic,” describes how to view realtime and historical statistics for applications,
current flows, QoS, tunnels, data reduction, bandwidth optimization, flow counts, latency, flow
redirection, NetFlow, interfaces, and bridge mode.
Chapter 10, “Administration Tasks,” describes administrative tasks such as configuring log settings,
viewing event and alarm logs, managing debug files, pre-positioning file server data into Network
Memory, configuring SNMP, managing user accounts, configuring settings for web protocols and web
users, and contacting Silver Peak Support.
Chapter 11, “System Maintenance,” describes tasks related to maintaining the hardware, software, and
database. This includes tasks such as managing the software images and the configuration files, testing
network connectivity, managing the hard disks, erasing Network Memory, and restarting the appliance.
Chapter 12, “Monitoring Alarms,” describes alarm categories and definitions. It also describes how to
view and handle alarm notifications.
Appendix A, “Specifications, Compliance, and Regulatory Statements,” lists model specifications,
warning statements, compliance statements, TCP/IP port usage, and provides annotated diagrams of each
hardware model’s interfaces, LEDs, and disk layout.
Appendix B, “Power Cords & Cable Pinouts,” lists and illustrates power cords by country.
Appendix C, “Glossary,” provides definitions of terms related to WAN acceleration technology and
equipment.
Technical Support
For product and technical support, contact Silver Peak Systems at any of the following:
• 1.877.210.7325 (toll-free in USA)
• +1.408.935.1850
• www.silver-peak.com
• [email protected]
We’re dedicated to continually improving the usability of our products and documentation. If you have
suggestions or feedback for our documentation, please send an e-mail to [email protected].
For usability suggestions, questions, or issues, please send an e-mail to [email protected].
Appliance Management Options
Silver Peak provides a variety of ways for you to access and configure the appliances, as well as review
statistics and events across a Silver Peak network:
• Appliance Manager WebUI: The Silver Peak Appliance can be managed through the web-based
Appliance Manager.
• Command Line Interface (CLI): You can manage the Silver Peak Appliance through the CLI. You
can access the full-featured CLI either locally, through the RS-232 serial (console) port, or remotely,
through a Secure Shell (SSH) connection.
• Global Management System (GMS): This is a comprehensive platform for deployment, management,
and monitoring of a Silver Peak-enabled WAN. In addition to centralizing the administration of the
Silver Peak appliances, GMS provides detailed visibility into all aspects of application delivery
across a distributed enterprise, including application behavior, WAN performance, Quality of
Service (QoS) policies, and bandwidth utilization.
• SNMP: The appliances work with standard and proprietary SNMPv2c traps.
CHAPTER 1
Getting Started
This chapter describes the fundamentals of setting up a basic first deployment.
In This Chapter
• Getting Started with Deployment
• Configuring Next-Hops
• Modifying Interface Configuration
• Adding SSL Certificates and Keys for Deduplication
Getting Started with Deployment
When you first install the appliance and log in via the browser, the Initial Configuration Wizard appears.
The wizard guides you through configuring management settings, deployment and network settings, and
creating a tunnel to a remote appliance. With simpler deployments, this is enough to start optimizing
traffic.
• You can always access the wizard again later by going to the Configuration menu and selecting
Initial Config Wizard.
• For more complex deployments, access the Configuration > Deployment page, seen below.
[Figure: Configuration > Deployment page, with these callouts:]
• Modify parameters, if needed.
• Next-hops for management, LAN, and WAN interfaces.
• Provide next-hop address(es) for LAN-side networks that are not directly connected to an in-line
(bridge mode) appliance. Redundant (backup) LAN Next-hop(s) can be created by the second (lan1)
next-hop.
• Context-sensitive access.
• Appliance IP VLAN Tag is required if the appliance is installed on a VLAN trunk and an untagged
VLAN is unavailable.
Deployment Basics
This section discusses the basic in-line and out-of-path deployments.
It also describes common scenarios, considerations when selecting a deployment, redirection concerns,
and some adaptations.
For detailed deployment examples, refer to the Silver Peak Network Deployment Guide.
In-Path (Bridge Mode)
Single WAN-side Router
In this deployment, the appliance is in-line between a single WAN router and a single WAN-side switch.
Dual WAN-side Routers
• This is the most common 4-port bridge configuration. 2 WAN egress routers / 1 or 2 subnets /
1 appliance
• 2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)
Considerations for In-Path Deployments
• Do you have a physical appliance or a virtual appliance?
• A virtual appliance has no fail-to-wire, so you would need a redundant network path to maintain
connectivity if the appliance fails.
• If your LAN destination is behind a router or L3 switch, you need to add a LAN-side route (a
LAN next-hop).
• If the appliance is on a VLAN trunk, then you need to configure VLANs on the Silver Peak so
that the appliance can tag traffic with the appropriate VLAN tag.
Out-of-Path (Router/Server Mode)
Single WAN-side Router
• This deployment redirects traffic from a single router (or L3 switch) to a single subnet on the
Silver Peak appliance.
• When using two Silver Peaks at the same site, this is also the most common deployment for high
availability (redundancy) and load balancing.
Dual WAN-side Routers
This deployment redirects traffic from two routers to two interfaces on a single Silver Peak appliance.
This is also known as Dual-Homed Router Mode.
• 2 WAN egress routers / 2 subnets / 1 appliance
• 2 separate service providers or WAN services (MPLS, IPsec VPN, MetroEthernet, etc.)
Considerations for Out-of-Path Deployments
• Does your router support VRRP, WCCP, or PBR?
• Are you planning to use host routes on the server/end station?
• In the rare case when you need to send inbound WAN traffic to a router other than the WAN
next-hop router, use LAN-side routes.
Examining the Need for Traffic Redirection
Whenever you place an appliance out-of-path, you must redirect traffic from the client to the appliance.
There are three methods for redirecting outbound packets from the client to the appliance (known as
LAN-side redirection, or outbound redirection):
• PBR (Policy-Based Routing) — configured on the router. No other special configuration
required on the appliance. This is also known as FBR (Filter-Based Forwarding).
If you want to deploy two Silver Peaks at the site, for redundancy or load balancing, then you
also need to use VRRP (Virtual Router Redundancy Protocol).
• WCCP (Web Cache Communication Protocol) — configured on both the router and the Silver
Peak appliance. You can also use WCCP for redundancy and load balancing.
• Host routing — the server/end station has a default or subnet-based static route that points to
the Silver Peak appliance as its next hop. Host routing is the preferred method when a virtual
appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).
To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between
the appliance and a router, or the appliance and another redundant Silver Peak.
How you plan to optimize traffic also affects whether or not you also need inbound redirection from the
WAN router (known as WAN-side redirection):
• If you use subnet sharing (which relies on advertising local subnets between Silver Peak
appliances) or route policies (which specify destination IP addresses), then you only need
LAN-side redirection.
• If, instead, you rely on TCP-based or IP-based auto-optimization (which relies on initial
handshaking outside a tunnel), then you must also set up inbound and outbound redirection on
the WAN router.
• For TCP flows to be optimized, both directions must travel through the same client and server
appliances. If the TCP flows are asymmetric, you need to configure flow redirection among
local appliances.
A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:
• If you enable Auto Tunnel, then the initial TCP-based or IP-based handshaking creates the
tunnel. That means that the appropriate LAN-side and WAN-side redirection must be in place.
• You can let the Initial Configuration Wizard create the tunnel to the remote appliance.
• You can create a tunnel manually on the Configuration - Tunnels page.
For more detailed information about when and where to set up traffic redirection, see
“Determining the Need for Traffic Redirection” in Chapter 4, “Route Policy.”
High availability — as configured with VRRP and WCCP — is covered separately, and in depth,
in the Silver Peak NX Series Appliances Network Deployment Guide.
For detailed configuration information, see the Silver Peak Network Deployment Guide.
How to Adjust the Basic Deployments
When you choose a deployment, only the appropriate options are accessible.
Option
Description
Bonding
• When using an NX appliance with four 1Gbps Ethernet ports, you can bond like
pairs into a single 2Gbps port with one IP address. For example, wan0 plus wan1
bond to form bwan0. This increases throughput on a very high-end appliance
and/or provides interface-level redundancy.
• For bonding on a virtual appliance, you would need to configure the host instead of the
appliance. For example, on a VMware ESXi host, you would configure NIC teaming
to get the equivalent of etherchannel bonding.
• Whether you use a physical or a virtual appliance, etherchannel must also be
configured on the directly connected switch/router.
For more information, see “Configuring Gigabit Etherchannel Bonding” on page 5.
Use mgmt0 for datapath traffic (server mode)
On virtual appliances, you can optimize traffic and manage the appliance using a single
interface — mgmt0.
10G ports
Choose this when you want to enable 10Gbps ports on a physical appliance that also
has 1Gbps non-management ports.
Propagate Link Down
Forces the WAN interface to go down when the corresponding LAN interface goes
down, or vice versa.
4-port single bridge
This is a corner case. Here, four ports form a single bridge with a single WAN next-hop.
This is in contrast to having dual WAN routers with two separate bridges.
Note: Changing the deployment mode requires a reboot.
Configuring Gigabit Etherchannel Bonding
When using a four-port Silver Peak appliance, you can bond pairs of Ethernet ports into a single port with
one IP address. This feature provides the capability to carry 2 Gbps in and out of an NX Series appliance
when both ports are in service.
When you configure bonding, the following is true:
• lan0 plus lan1 bond to form blan0, which uses the lan0 IP address.
• wan0 plus wan1 bond to form bwan0, which uses the wan0 IP address.
• The appliances use flow-based load balancing across the links.
• This configuration provides failover in case one link goes down.
• You can view the statistics on the Monitoring - Interfaces page. If you’re using bonding, you’ll
see statistics for blan0 and bwan0, as well as for the interfaces that comprise them (lan0, lan1,
wan0, and wan1).
• If a WCCP or VRRP deployment already exists, then you must reconfigure the deployment on
the bonding interface. In other words, if you previously configured on wan0, then after bonding
you must reconfigure on bwan0.
• Rollback to non-bonding mode returns the intact, non-bonded configuration.
• Enabling/disabling bonding requires an appliance reboot.
To configure etherchannel bonding
To enable bonding, you need to configure both the appliance and the router for bonding.
1. Access the Configuration - Deployment page. The three available bonding modes are:
    a. Out-of-path (Router/Server mode) with a single WAN-side router
    b. Out-of-path (Router/Server mode) with dual WAN-side routers
    c. In-path (Bridge mode) with dual WAN-side routers
2. Complete the various fields and click Apply.
3. When prompted, reboot the appliance.
4. Now, configure the Cisco router. Following is an example of the commands, where angle brackets
indicate variables:
! select the switch ports that connect to the bonded appliance ports
config t
interface range <g1/0/6-7>
! mode on builds a static bundle, with no LACP or PAgP negotiation
channel-group <1> mode on
! leave configuration mode before running the verification commands
end
show etherchannel
show interface port-channel <1>
Configuring Next-Hops
Use the Configuration > Routes page to configure next-hops for management, LAN, and WAN
interfaces.
Management Next-Hops
• Management routes specify the default gateways and local IP subnets for the management
interfaces.
• In a Dual-Homed Router Mode configuration, you may need to add a static management route for
flow redirection between appliances paired for redundancy at the same site.
• The management routes table shows the configured static routes and any dynamically created routes.
If you use DHCP, then the appliance automatically creates appropriate dynamic routes. A user
cannot delete or add dynamic routes.
WAN Next-Hops
• WAN next-hops provide next-hop addresses for optimized traffic.
• In an in-line deployment (bridge mode), the wan0 interface displays as bvi0, for bridge virtual
interface.
• When two WAN next-hops are configured Active/Active in 4-port bridge mode:
    • lan0 ingress traffic is routed to the wan0 next-hop.
    • lan1 ingress traffic is routed to the wan1 next-hop.
• When two WAN next-hops are configured Active/Active in Dual-Homed Router Mode:
    • wan0 ingress traffic is routed to the wan0 next-hop.
    • lan0 ingress traffic is routed to the lan0 next-hop.
LAN Next-Hops
• LAN routes provide next-hop addresses for traffic going to LAN-side networks that are not directly
connected to an in-line (bridge mode) appliance.
• You can create redundant (backup) LAN routes by specifying another next-hop with a larger metric
value.
For example, to specify 1.1.1.2 as a backup next-hop for 1.1.1.1, the table would contain:
    • default 1.1.1.1 10
    • default 1.1.1.2 20
• Selecting Inter-VLAN Routing enables the appliance to route packets over another VLAN when
the originally specified VLAN is unavailable.
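The backup behaviour described above, worked through as an added Python example (not Silver Peak code): it parses rows in the destination / next-hop / metric layout shown and picks the next hop to use. The longest-prefix-then-lowest-metric order, the `reachable` set and the 10.20.0.0/16 rows are assumptions made for illustration.

```python
import ipaddress

# Constructed LAN route table in the "destination next-hop metric" layout
# of the example above; the 10.20.0.0/16 rows are invented for illustration.
ROUTE_TABLE = """\
default      1.1.1.1   10
default      1.1.1.2   20
10.20.0.0/16 1.1.1.3   10
10.20.0.0/16 1.1.1.1   30
"""


def parse_routes(text):
    """Parse 'destination next-hop metric' rows into (network, next_hop, metric)."""
    routes = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        dest, hop, metric = fields
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, ipaddress.ip_address(hop), int(metric)))
    return routes


def select_next_hop(routes, destination, reachable):
    """Return the next hop for `destination`, or None if no usable route exists.

    Assumed selection order (not taken from the appliance's implementation):
    most specific matching prefix first, then lowest metric, skipping any
    next hop that is not in the `reachable` set.
    """
    dst = ipaddress.ip_address(destination)
    up = {ipaddress.ip_address(h) for h in reachable}
    candidates = [r for r in routes if dst in r[0] and r[1] in up]
    if not candidates:
        return None
    _net, hop, _metric = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return str(hop)


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    # Primary up: the metric-10 default wins. Primary down: the metric-20 backup takes over.
    print(select_next_hop(table, "192.0.2.9", {"1.1.1.1", "1.1.1.2"}))
    print(select_next_hop(table, "192.0.2.9", {"1.1.1.2"}))
```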
Modifying Interface Configuration
Use this page if you want to change interface parameters such as:
• whether an interface is admin up or down
• mgmt1 IP address
• whether or not an IP address is static, or dynamically assigned with DHCP
• speed and duplex
• MTU (Maximum Transmission Unit) size
• MAC address
WARNING DHCP (Dynamic Host Configuration Protocol) can dynamically assign a new IP
address to the appliance. This may result in traffic loss because previously configured tunnel
endpoints would now be incorrect. If you elect to use DHCP, allocate the appliance’s IP
address manually in the DHCP server. This prevents the possibility of lost traffic due to the
DHCP server dynamically changing the IP address.
Overall, Silver Peak recommends statically assigning IP addresses.
Taking a Quick Look at the System Page
Odds are, you won’t need to make any changes to this page.
Before deciding whether or not to use the Auto Tunnel feature, refer to “Letting the Auto-Tunnel Feature
Do the Work for You” on page 16.
[Figure: System page. One group of settings carries the callout “For virtual appliances only.”]
Adding SSL Certificates and Keys for Deduplication
By supporting the use of SSL certificates and keys, Silver Peak provides deduplication for Secure Socket
Layer (SSL) encrypted WAN traffic:
• Silver Peak decrypts SSL data using the configured certificates and keys, optimizes the data, and
transmits data over an IPSec tunnel. The peer Silver Peak appliance uses configured SSL certificates
to re-encrypt data before transmitting.
• Peers that exchange and optimize SSL traffic must use the same certificate and key.
• Use this page to directly load the certificate and key into this appliance.
    • You can add either a PFX certificate (generally, for Microsoft servers) or a PEM certificate.
    • The default is PEM when PFX Certificate File is deselected.
    • If the key file has an encrypted key, enter the passphrase needed to decrypt it.
• Silver Peak supports X509 Privacy Enhanced Mail (PEM), Personal Information Exchange (PFX),
and RSA key 1024-bit and 2048-bit certificate formats.
• Silver Peak appliances support:
    • Protocol versions: SSLv3, SSLv3.3, TLS1.0, TLS1.1, TLS1.2
    • Cipher algorithms: AES128, AES256, RC4, 3DES
    • Digests: MD5, SHA1
Before installing the certificates, you must do the following:
1. Configure the tunnels bilaterally for IPSec mode.
To do so, access the Configuration > Tunnels page, select the tunnel, and for Mode, select ipsec.
2. Verify that TCP acceleration and SSL acceleration are enabled.
To do so, access the Configuration > Optimization Policy page, and review the Set Actions.
CHAPTER 2
Creating Tunnels
The appliance only optimizes traffic that the Route Policy directs to a tunnel. This chapter characterizes
tunnels and their management.
The discussion of creating tunnels for high availability with VRRP and WCCP is beyond the scope of
this document. For those specifics, see the Silver Peak Appliances Network Deployment Guide.
In This Chapter
• Overview
• Letting the Auto-Tunnel Feature Do the Work for You
• Manually Creating a Traffic-Carrying Tunnel
• Tunnel Compatibility Mode
• Jumbo Frames and MTU Interworking
Overview
To optimize traffic, Silver Peak appliances send traffic to one another via tunnels. A tunnel connects a
pair of appliances.
• At each appliance, a tunnel is terminated/originated at a data-plane L3 (Layer 3) interface. An L3
interface is an interface that has an IP address assigned to it.
• A data-plane interface is an interface that carries user data, as opposed to management data. So
mgmt0 is not a data-plane interface. On a dual-home router-mode (DHRM) appliance, for
example, wan0 and lan0 are data-plane L3 interfaces. On a bridge-mode appliance, lan0 and wan0
are not L3 interfaces, but bvi0 is. VLANs are also data-plane L3 interfaces.
• IP addresses of a tunnel's endpoints determine the source and destination IP addresses that go into
the tunnel packets. These IP addresses, in turn, determine how tunnel packets are routed from one
appliance to the other.
• By default, the route map’s default (last) entry has the SET action, [auto optimized]:
    • When subnet sharing is enabled (that is, Use shared subnet information is selected), then the
    first packet sent triggers a lookup in the subnet table and assigns the tunnel and IP address.
    Because appliances communicate to learn about each other's subnets, a tunnel must exist before
    subnet sharing can proceed.
    • When subnet sharing is disabled (that is, Use shared subnet information is not selected) or
    subnet sharing is enabled but no subnet is found in the subnet table, then the initial TCP-based
    or IP-based handshaking triggers tunnel creation (which you can then save) and determines the
    path. However, this requires the appropriate outbound and inbound redirection to already be in
    place.
For more information about when to set up redirection, see Chapter 4, “Route Policy.”
• You can create a tunnel in any one of three ways:
    • If you enable Auto Tunnel (on the Configuration - System page) on both appliances, then the
    initial TCP-based or IP-based handshaking creates the tunnel. This requires the appropriate
    outbound and inbound redirection to be in place.
    • If the auto-tunnel feature is disabled, then you must do one of the following. Either:
        • You can let the Initial Configuration Wizard manually create the tunnel to the remote
        appliance.
        • You can create a tunnel manually on the Configuration - Tunnels page.
How Policies Affect Tunnel Traffic
The Route Policy’s MATCH criteria and SET actions determine if a flow is directed to a tunnel. If so:
• The appliance encapsulates the flow’s packets, according to the tunnel configuration.
The default is UDP. The other options are GRE or IPsec.
• The tunnel may be shaped to a specified maximum bandwidth to avoid overrunning downstream
bottlenecks.
    • Maximum bandwidth is configured on the Configuration - Tunnels page.
    • The QoS Policy assigns a traffic class. Traffic classes are defined in the Shaper.
    • The QoS Policy honors or changes the DSCP markings to request appropriate per-packet
    treatment by the network.
• The Optimization Policy applies optimization, compression, and acceleration techniques to
enhance application performance.
Tunnel Characteristics
Each Silver Peak tunnel:
• Is bidirectional (or consists of a pair of unidirectional tunnels). The tunnel does not become
operational until connectivity is established in both directions.
• Is specified by a source IP address and destination IP address, owned by the two terminating Silver
Peak appliances.
• Can have the terminating appliances automatically negotiate for maximum bandwidth. Or, you can
set it manually.
• By default, uses the User Datagram Protocol (UDP) to interconnect Silver Peak appliances.
• Runs a keepalive protocol so that a tunnel failure can be detected rapidly and appropriate recovery
actions initiated.
Parallel Tunnels
Silver Peak appliances that have multiple data-plane L3 interfaces can support parallel tunnels. As a
result, tunnels with different source endpoints can reside on the same appliance.
Parallel tunnels are useful for providing redundancy and for load balancing. The deployments that can
be used for this are:
• Standard 4-port bridge
• Dual-homed router mode (DHRM)
• Appliances with VLANs
To take advantage of parallel tunnels you must:
1. Configure “standard” 4-port bridge or DHRM (or VLANs).
2. Manually create parallel tunnels from the Appliance Manager.
3. Manually create route policies that use the parallel tunnels.
For information about deploying in standard 4-port bridge and DHRM modes, see the Silver Peak
Appliances Network Deployment Guide.
Letting the Auto-Tunnel Feature Do the Work for You
If you want the auto-tunnel feature to automatically build tunnels for you, it must be enabled for each
appliance involved.
This feature is useful when setting up a basic Proof of Concept.
It is not recommended if you:
• Have multiple IP addresses per appliance
• Would be creating an excess of unnecessary tunnels, based on having a large volume of
appliances
• Need to configure parallel tunnels
• Want a non-standard or more complex tunnel configuration — for example, configuring for
IPsec or for FEC (Forward Error Correction).
To verify the state of the auto-tunnel feature
1. From the Configuration menu, select System. The Configuration - System page appears.
2. Make sure that Auto Tunnel is selected on this appliance, and on its peer.
When bilateral traffic begins to flow, the Appliance Manager constructs the tunnel and begins
optimizing traffic.
Note: This feature requires that any necessary outbound and inbound redirection is already
configured. For more information, see Chapter 4, “Route Policy.”
Manually Creating a Traffic-Carrying Tunnel
If this is the first tunnel on a physical appliance, Silver Peak recommends that you put the local and
remote appliances in System Bypass until you’ve created the tunnel(s) and tuned the policies — Route,
QoS, and Optimization — for the local and remote appliances. Then, when you’re done, take the
appliances out of System Bypass.
This serves a number of purposes:
• It keeps things “quiet” until you’re done, specifically because tunnels default to Admin Up.
• It tests Fail To Wire.
This step is recommended, but not required.
You won’t be able to put a virtual appliance into System Bypass mode.
To put the appliance in System Bypass when creating the first tunnel
1. From the Configuration menu, select System. The Configuration - System page appears.
2. Before creating the first tunnel, select System Bypass and click Apply.
3. Repeat for the appliance at the remote end.
To create a traffic-carrying tunnel
Access the Configuration > Tunnels page, click Add Tunnel, and make your selections.
Use this page to view, add, and delete tunnels.
• To create a tunnel, click Add Tunnel and edit within the new row.
• You cannot edit a Local IP or Remote IP on an existing tunnel.
Definitions (alphabetically)
Field
Definition/Content
Admin State
Allows you to admin Up (or admin Down) a tunnel.
Auto Discover MTU
Enabled
Allows the tunnel MTU to be discovered automatically. When selected, this
overrides the MTU setting.
Auto Max BW Enabled
Allows the appliances to negotiate the maximum tunnel bandwidth based upon the
lower of the two system bandwidths of the two appliances.
For more information about this feature, see “Tunnel Auto BW” on page 93.
FEC (Forward Error Correction)
Reconstructs lost packets (as reported by the remote appliance). The options are
disable, enable, and auto.
• When set to enable, FEC reconstructs lost tunnel packets at the destination
appliance. FEC achieves this by injecting redundant (called parity) packets in the
tunnel traffic. The specified FEC ratio determines the number of parity packets
relative to data packets (for example, at 1:5 ratio, a parity packet is added for
every 5 data packets).
• When set to auto, it adjusts dynamically based on network conditions, with the
upper limit being capped by the FEC Ratio value you choose.
FEC Ratio
Ratio of parity packets relative to data packets (for example, at 1:5 ratio, a parity
packet is added for every 5 data packets). The selectable values include disable,
auto, 1:2, 1:5, 1:10, and 1:20. A FEC Ratio of 1:2 is very aggressive and should only
be utilized with great care in networks with extremely high loss (10% or greater).
Local IP
A local address on the appliance
Max BW Kbps
Maximum bandwidth for this tunnel, in kilobits per second. This must be equal to or
less than the upstream bandwidth of your WAN connection.
Min BW Kbps
Minimum bandwidth for this tunnel, in kilobits per second.
For more information about prudently setting bandwidths, see Chapter 5,
“Bandwidth Management & QoS Policy.”
Mode
Indicates whether the tunnel protocol is udp, gre, or ipsec. The default is udp.
If you select ipsec, the page prompts you for any other required information.
MTU (700..9000) Bytes
Maximum Transmission Unit. This is the maximum tunnel packet size, including its
payload and Layer-3 header. By default, MTU is automatically discovered because
Auto Discover MTU is enabled. When setting this value manually, set it to the
largest value that won't result in tunnel packets being fragmented by networking
equipment in the WAN.
Name
A unique string identifying this tunnel
Remote IP
IP address for the remote appliance
Status
Indications are as follows:
• Down = The tunnel is down. This can be because the tunnel administrative
setting is down, or the tunnel can't communicate with the appliance at the other
end. Possible causes are:
  • Lack of end-to-end connectivity / routability (test with iperf)
  • Intermediate firewall is dropping the packets (open the firewall)
  • Intermediate QoS policy (be packets are being starved. Change control packet DSCP marking)
  • Mismatched tunnel mode (udp / gre / ipsec)
  • IPsec is misconfigured: (1) enabled on one side (see show int tunnel configured), or (2) mismatched pre-shared key
• Down - In progress = The tunnel is down. Meanwhile, the appliance is
exchanging control information with the appliance at the other end, trying to bring
up the tunnel.
• Down - Misconfigured = The two appliances are configured with the same
System ID. (see show system)
• Up - Active = The tunnel is up and active. Traffic destined for this tunnel will be
forwarded to the remote appliance.
• Up - Active - Idle = The tunnel is up and active but hasn't had recent activity in
the past five minutes, and has slowed the rate of issuing keep-alive packets.
• Up - Reduced Functionality = The tunnel is up and active, but the two endpoint
appliances are running mismatched software releases that give no performance
benefit.
• UNKNOWN = The tunnel status is unknown. This can be because the appliance
is unable to retrieve the current tunnel status. Try again later.
The modifier, – idle, can be added to any tunnel state (for example, up – active – idle). Idle means that there has been no traffic in either direction on the tunnel for
five minutes, and that as a result, the periodic sending of keepalives has been
reduced to once a minute.
Uptime
How long since the tunnel came up
Manually Creating a Traffic-Carrying Tunnel
Advanced Tunnel Options
Type
Field
Definition/Content
General
IPSec Pre-shared Key
A shared, secret string of Unicode characters that is used for
authentication of an IPSec connection between two parties. If you
select Default, the appliance makes the key; if you select Custom
(recommended), the user specifies the key.
IPSec Anti-replay window
IP security (IPsec) authentication provides anti-replay protection
against an attacker duplicating encrypted packets by assigning a
unique sequence number to each encrypted packet. The decryptor
keeps track of which packets it has seen on the basis of these
numbers. The default window size is 64 packets. Increase this value
for networks with a lot of jitter (out-of-order packets).
UDP destination port
Tunnel traffic will be transmitted in a UDP protocol packet using this
destination port address. Only valid when the tunnel mode is set to
UDP.
UDP flows
Number of flows over which to spread tunnel traffic.
Coalescing Enabled
Whether or not to coalesce smaller packets into larger packets.
Default = ON. Packet coalescing is particularly beneficial for web
applications, VoIP, and interactive applications, like Citrix.
Coalescing Wait (ms)
Determines how long the appliance should hold packets while
attempting to coalesce smaller packets into larger packets.
Default = 0.
Reorder Wait (0..500 ms)
Maximum time the appliance holds an out-of-order packet when
attempting to reorder. The 100ms default value should be adequate
for most situations. FEC may introduce out-of-order packets if the
reorder wait time is not set high enough.
Retry Count
Number of failed keep-alive messages that are allowed before the
appliance brings the tunnel down. Keep-alive packets are sent once
per second. Default = 30.
DSCP
DSCP value for the tunnel control packets
Packet
Tunnel Health
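The sequence-number window described under IPSec Anti-replay window above can be modelled in a few lines. The Python below is an added illustration, not Silver Peak code: it follows the generic sliding-window check used by IPsec receivers, and the class name, function names and arrival order are constructed for the example.

```python
"""Sliding-window anti-replay check (illustrative model, not appliance code)."""


class AntiReplayWindow:
    def __init__(self, size=64):          # 64 packets is the default named on this page
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.highest = 0                   # highest sequence number accepted so far
        self.bitmap = 0                    # bit i set => sequence (highest - i) was seen

    def check_and_update(self, seq):
        """Classify one received sequence number and record it if accepted."""
        if seq < 1:
            return "too_old"               # sequence numbers start at 1
        if seq > self.highest:             # packet advances the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # everything previously tracked falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"               # left of the window: cannot be checked, dropped
        if self.bitmap & (1 << offset):
            return "replay"                # already seen inside the window
        self.bitmap |= 1 << offset         # late but new: accept and mark as seen
        return "accept"


def constructed_arrivals():
    """Constructed arrival order for sequence numbers 1..300 (sample data)."""
    order = [s for s in range(1, 301) if s not in (101, 150)]
    order.insert(order.index(180) + 1, 150)   # reordered: arrives 30 packets late
    order.insert(order.index(200) + 1, 101)   # heavy jitter: arrives ~100 packets late
    order.insert(order.index(260) + 1, 250)   # second copy of a packet already received
    return order


def replay_stats(arrivals, window_size):
    """Run the arrivals through a window and count each verdict."""
    window = AntiReplayWindow(window_size)
    counts = {"accept": 0, "replay": 0, "too_old": 0}
    for seq in arrivals:
        counts[window.check_and_update(seq)] += 1
    return counts


if __name__ == "__main__":
    for size in (64, 128):
        print(size, replay_stats(constructed_arrivals(), size))
```

With the 64-packet window the duplicate is rejected, but so is the legitimate packet that jitter delayed by about 100 positions; widening the window to 128 recovers the delayed packet and still rejects the duplicate.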
Tunnel Compatibility Mode
Tunnel Compatibility Mode enables two nodes with mismatched software versions to keep the tunnel up
and offer some basic services.
Because some optimizations are disabled as a result, the tunnel Status flags this as reduced functionality.
Preserved Functionalities
• Tunnel encapsulation (including IPsec, if applicable)
• QoS shaping and marking
• Forward Error Correction [FEC]
• Packet Order Correction [POC]
• packet coalescing
• statistics gathering
• network path behavior
Disabled Optimizations
• Network Memory
• Payload Compression
• TCP Acceleration
• CIFS Acceleration
• SSL Acceleration
• SRDF Acceleration
Check the Release Notes to verify software version compatibility.
Jumbo Frames and MTU Interworking
Silver Peak provides support for MTUs (Maximum Transmission Units) up to 9000 bytes. Because of
pps (packets per second) limits on the LAN-side, using 9000-byte MTUs can lead to significant
performance improvements in LAN-side throughput for applications such as storage replication.
More importantly, the appliances support interworking. You can configure 9000-byte MTUs on storage
arrays even if the replication protocol is running over a WAN with standard (1500-byte) MTUs. This is
important because not all service providers allow for jumbo frames on the WAN.
Efficient MTU interworking scenarios include the following:
Local Interface MTU (bytes) [Configuration > Interfaces] | Tunnel MTU (bytes) [Configuration > Tunnels] | Remote Interface MTU (bytes) [Configuration > Interfaces]
1500 | 1500 | 1500
9000 | 9000 | 9000
9000 | 1500 | 9000
1500 | 9000 | 1500
9000 | 1500 | 1500
What you need to know
CAUTION Across all network devices, you must configure all interfaces on the same subnet to
have the same MTU.
1 For the Interface MTU, you must configure each pair of lan and wan interfaces on the appliance to
have the same MTU value. For example, you’d configure both lan0 and wan0 to have a value of 9000
MTU. These are accessible via Configuration > Interfaces.
2 To configure the tunnel MTU, access the Configuration - Tunnels page.
3 If either end host has an MTU of 9000 and the tunnel MTU is 1500, then you need to disable the
Adjust MSS to Tunnel MTU feature on both appliances. This prevents appliances from lowering
higher MSS values negotiated by end stations to match the lower MTU of the tunnel.
4 To disable this feature, go to the Optimization Policy, and in the TCP Accel Details column, click the
icon to open the Advanced TCP Options.
Deselect this option
For more information, see “TCP Acceleration” on page 106, and check with Silver Peak
Support, if necessary.
CHAPTER 3
Building Policy Maps
This chapter describes how MATCH criteria and SET actions, respectively, filter packets and process
flows.
It also describes how to create Access Control Lists (ACLs), user-defined applications, and application
groups as reusable components in MATCH criteria.
In This Chapter
• What Happens to an Outbound Packet
• Understanding MATCH Criteria
• How Policies and ACLs Filter Traffic
• Managing Applications and Application Groups
What Happens to an Outbound Packet
MATCH criteria and SET Actions are the building blocks of policy maps. Maps use prioritized entries,
known as rules, to sort traffic.
The appliance pairs MATCH criteria with SET Actions to filter outbound packets into flows and then
process them appropriately.
• MATCH criteria define flows in policy maps, Access Control Lists (ACL), and user-defined
applications. Wherever they are, MATCH criteria all have the same possible components.
• SET Actions determine how the flow is processed. The possible actions are specific to the type of
policy. For ACLs, the possible actions are Permit and Deny.
How the Policies are Related
The Appliance Manager has separate policies for routing, optimization, and QoS (Quality of Service)
functions. You can create multiple versions (maps) for each policy, but only the active map is applied.
By default, each of the three policies has one active map, map1. However, there is no relationship
between map names across different policies.
The Route Policy does the first screening and determines whether an individual flow is ultimately:
• directed to a tunnel, shaped, and optimized
• processed as shaped, pass-through (unoptimized) traffic
• processed as unshaped, pass-through (unoptimized) traffic
• continued to the next applicable Route Policy entry if a tunnel goes down, or
• dropped.
When a flow is not directed to a tunnel, then
• the Optimization Policy is not applied, and
• the QoS Policy processes pass-through shaped and unshaped traffic for DSCP markings, and
only pass-through shaped traffic for traffic class assignment.
Default SET Actions
Within a policy, the appliance searches the Priorities in ascending order. When it finds a match for the
outbound packet, it executes the associated SET action(s). If no entries match, it applies the policy’s
default entry.
Each map has one default entry. It’s always the last entry, with a Priority of 65535.
Following are the SET actions available for each policy. The default value is highlighted in blue:
Policy | Parameters for SET actions | Options | For more information, see...
Route | Tunnel | [a specific tunnel]; Auto optimized; Pass-through shaped; Pass-through unshaped; Drop | Chapter 4, “Route Policy”
Route | Tunnel Down Action | Pass-through shaped; Pass-through unshaped; Drop; Continue | Chapter 4, “Route Policy”
QoS | Traffic Class | Default is Traffic Class 1. Traffic classes are defined in the Shaper. | Chapter 5, “Bandwidth Management & QoS Policy”
QoS | LAN QoS | trust-lan (plus other DSCP markings) | Chapter 5, “Bandwidth Management & QoS Policy”
QoS | WAN QoS | trust-lan (plus other DSCP markings) | Chapter 5, “Bandwidth Management & QoS Policy”
Optimization | Network Memory | Default = Balanced | Chapter 6, “Optimization Policy”
Optimization | IP Header Compression | Default = ON | Chapter 6, “Optimization Policy”
Optimization | Payload Compression | Default = ON | Chapter 6, “Optimization Policy”
Optimization | TCP Acceleration | Default = ON | Chapter 6, “Optimization Policy”
Optimization | Protocol Acceleration (a) | Defaults = CIFS, SSL | Chapter 6, “Optimization Policy”
a. SRDF and Citrix optimizations are also available. By default, they’re not enabled because you need to configure the
most appropriate port for your circumstances.
• The Route map automatically optimizes all IP flows — TCP and non-TCP.
• The QoS map places all traffic in Traffic Class #1 and trusts the existing DSCP markings.
• The Optimization map applies all optimizations to tunnelized flows — Network Memory, IP
header compression, payload compression, TCP acceleration, and protocol-specific
accelerations (CIFS and SSL).
Understanding MATCH Criteria
The rest of this section describes the basic building blocks of filtering traffic into flows:
• Configuring MATCH Criteria in a Map or Policy
• Specifying Protocols in MATCH Criteria
Configuring MATCH Criteria in a Map or Policy
MATCH criteria are universal across all maps — Route, QoS, and Optimization.
If you expect to use the same MATCH criteria in different maps, you can create an ACL (Access Control
List), which is a named, reusable set of MATCH criteria.
MATCH criteria are based on the 5-tuple, and also provide some additional criteria:
• A 5-tuple refers to a set of five different values that comprise a Transmission Control
Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number,
destination IP address/port number, and the protocol in use.
• Specifying an application by name is a shorter way of representing a protocol paired with source
and/or destination port(s).
• MATCH criteria also let you filter on an outbound flow’s DSCP markings and VLAN tags.
MATCH criteria are organized in an ordered table with prioritized entries. A packet “scans” the entries,
starting with the lowest number (which is the highest priority).
As soon as the outbound packet finds an entry it matches, the scan stops and the SET action associated
with the entry is performed.
Therefore, best practice is to prioritize entries from most restrictive matches to the least restrictive.
Entries are assigned Priority in intervals of 10 (ten), making it
easy to insert another entry later.
To reorder a Priority, edit the number.
The Protocol you select determines whether these two fields are necessary and accessible.
For more information, see “Specifying Protocols in MATCH Criteria” on page 29.
An Access Control List (ACL) is a reusable set of MATCH criteria.
For more information, see “Using ACLs to Summarize Match Criteria” on page 30.
Specifying Protocols in MATCH Criteria
The Protocol you specify determines whether the Application or Source:Destination Ports are accessible
as MATCH criteria. When the column is greyed out, its contents are unavailable.
• If you select IP from the Protocol field, then you must select an Application.
The Application drop-down list classifies applications as Built-in, User-Defined, or user-defined
Application Groups. You can also use the default, any.
The Appliance Manager filters for the application’s source or destination port.
  • To create a user-defined application, see “Defining User-Defined Applications” on page 40.
  • To create an application group, see “Creating and Using Application Groups” on page 42.
• If you select TCP or UDP from the Protocol field, then you must specify a Source Port and a
Destination Port.
Src:Dst Port | Means to match on...
0:0 | any source port and any destination port
0:100 | any source port and only destination port 100
100:0 | only source port 100 and any destination port
100:100 | only source port 100 and only destination port 100
This last case (100:100) is not OR. The only way to match on 100 for either
source or destination port is to use two different MATCH entries (0:100,
100:0).
• If you select any other protocol (see list below), then the Application and Source:Destination Port
fields are unavailable.
ah, egp, eigrp, encap, esp, etherip, fc, gre, icmp, idpr, idpr-cmtp, idrp, igmp, igp, ip-comp,
ip-mobility, ipip, ipip4, ipx-in-ip, irtp, iso-ip, iso-tp4, l2tp, mhrp, ospf, pim, rdp, rsvp,
sctp, tlsp, vrrp, 1-255
Using ACLs to Summarize Match Criteria
If you want to reuse the same MATCH criteria across multiple maps, you can create an Access Control
List (also called an Access List). An ACL is a set of one or more prioritized rules.
Look here to see if any maps are using this ACL. However, it won’t tell you whether or not those
maps are active. For that information, check the specific policy’s page.
ACL’s name
ACL rules
Silver Peak ACLs have the following characteristics:
• Rules process sequentially, based on their priority number. A low number has a higher priority.
• You can reorder a rule by changing its priority.
• Each access control rule is composed of two parts:
  • The first part is the filter, as specified by the MATCH criteria. The rule only applies to a packet
  if all the filter criteria match.
  • The second part specifies the action — either Permit or Deny.
    • Deny prevents further processing of the flow by that ACL, specifically. The appliance then
    goes to the next entry in the policy — Route, QoS, or Optimization. For an explanatory
    diagram, see “Scenario #3 — Traffic matches ACL with Deny” on page 32.
    • Permit allows the matching traffic flow to proceed on to the policy entry’s associated SET
    action(s). The default is Permit.
For more information, see “How Policies and ACLs Filter Traffic” on page 31.
• When creating ACL rules, list the Deny statements first. Also, it’s best to prioritize less restrictive
rules ahead of more restrictive rules.
• You can modify ACLs (and policies) without deactivating the policy. Changes don’t affect existing
flows, only new ones.
Note You can see a list of existing flows by going to the Monitoring menu and selecting
Current Flows.
• To delete an ACL, you must first remove it from any associated map(s).
How Policies and ACLs Filter Traffic
The following three scenarios illustrate how policies and ACLs interact to isolate flows:
• Scenario #1 — Policy with no ACLs in MATCH Criteria
• Scenario #2 — Traffic matches ACL with Permit
• Scenario #3 — Traffic matches ACL with Deny
It’s important to remember that ACLs are only applied when called out for use in a policy’s MATCH
criteria.
Scenario #1 — Policy with no ACLs in MATCH Criteria
Here, the traffic doesn’t fit the MATCH criteria of the first two entries, but it
does match the third (Priority = 30). The policy applies the SET Actions for
entry 30.
Scenario #2 — Traffic matches ACL with Permit
a The traffic comes to entry 30 in the policy, where ACL-1 defines the MATCH criteria.
ACL-1 has three rules.
b The traffic doesn’t match ACL Rule 10, but it does match ACL Rule 20.
c ACL Rule 20 has a Permit action, so the appliance applies the SET actions for Policy entry 30.
Scenario #3 — Traffic matches ACL with Deny
a The traffic arrives at entry 30 in the policy, where ACL-2 is the MATCH criteria.
ACL-2 has three rules.
b The traffic doesn’t match ACL Rule 10, but it does match ACL Rule 20.
c ACL Rule 20 has a Deny action, so it prevents further processing of that ACL. Traffic looks for
a match with the next policy entry.
d No other user-configured policy entries fit, so the Default entry processes the traffic.
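The scenarios above, modelled as an added Python example (not Silver Peak code; the tunnel name tunnel-to-dc, the addresses and the ACL contents are constructed). It walks a Route map in ascending priority, treats an ACL Deny as "this entry does not match" so the flow falls through to later entries, and applies the 0 = any port rule from the Src:Dst Port table.

```python
"""First-match evaluation of a policy map whose entries may reference ACLs (illustrative model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_PRIORITY = 65535  # every map ends with one default entry at this priority


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Match:
    protocol: str = "ip"          # "ip" matches any IP protocol
    src_net: str = "0.0.0.0/0"    # 0.0.0.0/0 allows any address
    dst_net: str = "0.0.0.0/0"
    src_port: int = 0             # 0 means any port
    dst_port: int = 0

    def matches(self, flow):
        # Every criterion must match (AND), so 100:100 needs both ports to be 100.
        return (
            self.protocol in ("ip", flow.protocol)
            and ip_address(flow.src_ip) in ip_network(self.src_net)
            and ip_address(flow.dst_ip) in ip_network(self.dst_net)
            and self.src_port in (0, flow.src_port)
            and self.dst_port in (0, flow.dst_port)
        )


def acl_permits(rules, flow):
    """rules: (priority, Match, 'permit' | 'deny'). The first matching rule decides."""
    for _priority, match, action in sorted(rules, key=lambda r: r[0]):
        if match.matches(flow):
            return action == "permit"   # Deny ends this ACL; later rules are never consulted
    return False                         # no rule matched: the ACL does not select the flow


def evaluate(policy, acls, flow):
    """policy: (priority, Match or ACL name, SET action). Returns (priority, SET action)."""
    for priority, criteria, set_action in sorted(policy, key=lambda e: e[0]):
        if isinstance(criteria, str):
            hit = acl_permits(acls[criteria], flow)
        else:
            hit = criteria.matches(flow)
        if hit:
            return priority, set_action
    raise ValueError("policy map has no default entry")


def either_port(protocol, port):
    """Matching a port as source OR destination takes two entries (0:port and port:0)."""
    return [Match(protocol=protocol, dst_port=port), Match(protocol=protocol, src_port=port)]


# Constructed ACLs: identical except for the action on rule 20.
ACLS = {
    "ACL-1": [(10, Match(protocol="udp"), "permit"),
              (20, Match(protocol="tcp", dst_port=445), "permit"),
              (30, Match(protocol="tcp", dst_port=22), "permit")],
    "ACL-2": [(10, Match(protocol="udp"), "permit"),
              (20, Match(protocol="tcp", dst_port=445), "deny"),
              (30, Match(protocol="tcp"), "permit")],   # never reached for port 445
}


def route_map(acl_name):
    """Constructed Route map: two plain entries, one ACL entry, then the default entry."""
    return [
        (10, Match(protocol="tcp", dst_port=80), "pass-through shaped"),
        (20, Match(protocol="tcp", src_net="10.1.0.0/16", dst_port=3389), "drop"),
        (30, acl_name, "tunnel-to-dc"),                  # hypothetical tunnel name
        (DEFAULT_PRIORITY, Match(), "auto optimized"),
    ]


if __name__ == "__main__":
    smb = Flow("tcp", "10.2.3.4", 51515, "192.168.50.10", 445)
    print("Scenario #2:", evaluate(route_map("ACL-1"), ACLS, smb))
    print("Scenario #3:", evaluate(route_map("ACL-2"), ACLS, smb))
```

As in Scenario #3, an ACL Deny in this model is not a drop: the denied flow still reaches the default entry (auto optimized here), so blocking it takes a policy entry whose SET action is Drop.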
Managing Applications and Application Groups
The Appliance Manager provides you with many ways to define and organize the applications you use.
These include the following:
• Built-in Applications
• Defining User-Defined Applications
• Creating and Using Application Groups
Built-in Applications
Silver Peak appliances have over 120 built-in applications. For the latest information regarding default
port numbers, see http://www.iana.org/assignments/port-numbers.
When you create MATCH criteria in policies or ACLs, you have access to these applications via a
drop-down list.
Name | TCP Port Number(s) | UDP Port Number(s) | Description and Inclusions
3par | 5781–5783, 5785 | 5781–5783, 5785 | 3PAR
aol | 5191–5193 | -- | America Online [AOL]
aol_im | 4443, 5190 | -- | AOL/ICQ Instant Messenger; AOL/ICQ Image Transfer
aspera | 33001 | 33001 | Aspera
avamar | 7778, 27000, 28001–28002, 29000 | -- | EMC Avamar [override ms_zone 29000]
backweb | -- | 370 | Backweb is a generic, background downloading tool that software vendors can incorporate into their product to download data (for example, product updates) to the user's PC.
bit_torrent | 6881–6999 | -- | BitTorrent
bluearc | 32963 | -- | HDS BlueArc
celerra | 5085, 8888 | -- | EMC Celerra Replicator; 8888 replication; 5085 session management
centera | 3218, 3682 | 3218 | EMC Centera; 3218 data; 3682 management
cifs_smb | 139, 445 | -- | Microsoft’s Common Internet File System/Server Message Block protocol
cisco_skinny | 2000 | 2000 | Cisco Skinny (SCCP) Control (override MeterFlow DPI failure)
citrix | 1494, 2512–2513, 2598 | 1604 | Citrix; Citrix - ICA WinFrame Server; TCP 1494 is MeterFlow matched; UDP 1604 is MeterFlow matched
commvault | 8400–8403 | 8400–8403 | CommVault
cuseeme | 7648–7649 | 7648–7652, 24032 | Cu-SeeMe Videoconferencing
cvs | 2401 | -- | CVS [Concurrent Versions System]
datadomain | 2051, 4126 | 4126 | EMC Data Domain
ddm | 446–447 | 446–447 | Distributed Data Management (DB)
ddm_ssl | 448 | 448 | DDM over SSL
dns | 53 | 53 | Domain Name Services; Domain Name Service (DNS) over TCP (RFC 793)
doom | 666 | -- | DOOM Game - Id Software
doubletake | 1100, 1106, 6320, 6325 | 1100, 1105, 6320 | NSI Double-Take; 1100 old data; 6320 new data
echo | 7 | 7 | Echo Protocol (RFC 863)
edonkey | 4661–4662 | 4665 | eDonkey2000 Server
fcip | 3225–3228 | -- | FCIP [FCIP iana port 3225 only]
filenet | 32768–32771 | 32768–32771 | FileNet TMS Transfer Management System; FileNet RPC Remote Procedure Call; FileNet NCH Network Clearinghouse; FileNet RMI Remote Method Invocation
ftp | 20–21 | -- | File Transfer Protocol - Control Port (RFC 959); File Transfer Protocol - Data Port (RFC 959)
ftps | 989–990 | -- | Secure FTP Data Port (FTP Data Port over SSL); Secure FTP Control Port (FTP Control Port over SSL)
gnutella | 6346–6347 | 6346–6347 | Gnutella Server; Gnutella Router
h_323 | 1720 | 1718–1719 | H.323 Videoconferencing Call Signaling & Control
hadoop | 8020–8021, 9000–9001, 50010, 50020, 50030, 50060, 50070, 50075, 50090, 50100, 50105, 50470, 500475 | -- | Hadoop ports for http web mgmt and IPC communication among servers
hostname | 101 | -- | NIC Internet Hostname Server Protocol (RFC 953)
http | 80, 591, 8008, 8080 | -- | WWW Hypertext Transfer Protocol (HTTP - RFC 1945, 2068, 2069, 2109, 2145); HTTP Alternate (see Port 80 for HTTP)
https | 443 | -- | Secure HTTP (HTTP over SSL)
ibm_db2 | 523, 3700-3701 | -- | IBM DB2 Administration Server; IBM-DB2 Connection Service; IBM-DB2 Interrupt Connection Service
ifcp | 3420 | 3420 | iFCP (Internet Fibre Channel Protocol)
imap | 143, 220 | -- | Internet Message Access Protocol (IMAP); 143 IMAP2 and IMAP4; 220 IMAP3; Internet Message Access Protocol (IMAP) (v2 - RFC 1064, v4 RFC 1730); Internet Message Access Protocol (IMAP) (v3 - RFC 1203)
imap4s | 585, 993 | -- | Secure IMAPv4 (IMAPv4 over SSL); 585 secure IMAP (IMAP4-SSL); 993 IMAP4 over SSL (IMAPS)
ipsec | -- | -- | A collection of IP security measures that comprise an optional tunneling protocol for IPv6; IP protocol AH and ESP
irc | 194 | 194 | Internet Relay Chat Protocol (RFC 1459)
irc_ssl | 994 | 994 | Secure IRC Chat (IRC Chat over SSL)
isakmp | -- | 500 | Internet Security Association and Key Management Protocol (ISAKMP)
iscsi | 860, 3260 | 860, 3260 | 860 iSCSI system port; 3260 used for iSCSI connections
isns | 3205 | 3205 | internet Storage Name Service (associated with iSCSI)
ivisit | -- | 9943, 9945, 56768 | iVisit - Internet Video CHAT
kazaa | 1214 | 1214 | Kazaa-Morpheus-Grokster P2P File Sharing; Kazaa P2P File Sharing - File Download
kerberos | -- | 88 | Kerberos
l2tp | -- | 1701 | Layer 2 Tunneling Protocol
ldap | 389 | 389 | Lightweight Directory Access Protocol (LDAP over TCP - RFC 1777)
ldaps | 636 | 636 | Secure LDAP (LDAP over SSL)
lotus_cc_mail | 3264 | 3264 | Lotus cc:Mail
lotus_notes | 1352 | 1352 | Lotus NOTES
matip | 350–351 | -- | MATIP (RFC 2351)
ms_exchange | 135 | -- | Microsoft Exchange Server (detected from ms_rpc)
ms_media | 1755 | -- | Microsoft Media Player; Microsoft Media Streaming Payload
ms_messenger | 1863, 6891–6901 | 1863, 6901, 7001 | MSN Messenger; MSN Messenger File Transfer; MSN Messenger Voice
ms_odbc | -- | -- | Microsoft Open DataBase Connectivity (detected from Oracle)
ms_ole | -- | -- | Microsoft Object Linking and Embedding (detected from Oracle)
ms_rpc | 135 | -- | Microsoft Remote Procedure Call
ms_sql | 1433–1434 | -- | 1433 Microsoft SQL Server; 1434 Microsoft SQL Monitor
ms_terminal_services | 3389 | -- | Microsoft Terminal Services; Microsoft Terminal Server
ms_zone | 6073, 28800–28999, 29001–29100, 47624 | -- | MSN Zone; MSN Zone DirectX 7.0 Control; MSN Zone DirectX 8.0 Control; 29000 overridden by avamar
nameserver | -- | 42 | Name Server
ndmp | 10000 | 10000 | Network Data Management Protocol (used by SnapVault and others)
netbios | 137 | 137 | Network Basic Input/Output System; NetBIOS-over-TCP/UDP - Datagram Service (RFC 1001, 1002); NetBIOS-over-TCP/UDP - Name Service, WINS (RFC 1001, 1002); NetBIOS-over-TCP/UDP - Session Service (RFC 1001, 1002)
nfs | 2049 | 2049 | Sun Network File System
nntp | 119 | -- | Network News Transfer Protocol (NNTP - RFC 977)
nntps | 563 | -- | Secure NNTP (NNTP over SSL) or TLS [Transport Layer Security]
novell | 524 | 524 | Novell NCP [Netware Core Protocol]
ntp | -- | 123 | Network Time synchronization Protocol -- protocol providing time across a network with precise clocks; implemented over TCP and UDP
openwindows | 2000 | 2000 | Open Windows
oracle | 1521, 1525–1527, 1529, 1571, 1575, 1600, 1610, 1620, 1754, 1808–1809, 2481–2484 | 2481–2484 | Oracle Co-Author Database; Oracle Enterprise Manager; Oracle Names Database; Oracle Remote Database; Oracle Server; Oracle TNS Server; Oracle VP
pcanywhere | 5631 | 5632 | pcANYWHERE; pcANYWHERE - Data
pcmail | 158 | -- | PCMail; PCMail Server (RFC 1056)
pcoip | 4172, 50002 | 4172, 50002 | PCoIP (PC-over-IP — VMware)
peoplesoft | -- | -- | PeopleSoft enterprise application software [detected from Oracle]
pop | 109-110 | 110 | Post Office Protocol; Post Office Protocol - Version 2 (RFC 937); Post Office Protocol - Version 3 (RFC 1725)
pop3s | 995 | 995 | Secure POP3 Mail (POP3 Mail over SSL)
pptp | 1723 | -- | Microsoft Point-to-Point Tunneling Protocol (PPTP)
printer | 515 | -- | Printer Spooler
printer_pdl | 9100 | 9100 | Printer PDL (Page Description Language)
quake | 26000 | 26000 | Quake; Quake-II
recoverpoint | 5020, 5040 | 5020, 5040 | EMC Recover Point
rlogin | 513 | -- | BSD RLOGIN (remote login a la telnet)
routing | 179, 201 | -- | 179 BGP (Border Gateway Protocol); 201 RTMP (Routing Table Messaging Protocol); includes IP protocols for: EGP (Exterior Gateway Protocol), OSPF (Open Shortest Path First), IGP (Interior Gateway Protocol), IGRP (Interior Gateway Routing Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol)
rtcp | -- | 5005 | Real Time Transport Control Protocol
rtsp | 554, 8554 | -- | Real Time Stream Control Protocol (RTSP - RFC 2326)
sap | 3200, 330–3388, 3390–3399, 3600–3681, 3683–3699 | -- | Service Advertising Protocol (a NetWare protocol); SAP R/3 [3682 overridden by centera]
sgcp | -- | 440 | Simple Gateway Control Protocol
sgmp | 153, 160 | 153, 160 | Signaling Gateway Monitoring Protocol
shell | 514 | -- | RCMD, RSH (Remote execution; like exec, but automatic)
silverpeak_comm | 4164 | 4164 | Silver Peak Communication Protocol [Redirection cluster (should never be seen in current flows); added for completeness]
silverpeak_gms | 3011–3020 | -- | Silver Peak GMS (Global Management System)
silverpeak_internal | 4321 | -- | Reconcile (valid for 3.X; gone with 4.X)
silverpeak_iperf | 5001 | 5001 | Silver Peak iperf
silverpeak_peer | -- | 4163 | UDP tunnels (should never see in current flows); added for completeness
silverpeak_tcpperf | 2153–2154 | -- | Silver Peak tcpperf (default tcpperf server ports)
sip | -- | 5060 | Session Initiated Protocol, or Session Initiation Protocol, an application-layer control protocol; a signaling protocol for Internet Telephony
sip_tls | 5061 | -- | SIP over Transport Layer Security
smtp | 25 | -- | Simple Mail Transfer Protocol (SMTP - RFC 821)
smtps | 465 | -- | Secure SMTP (SMTP over SSL)
snapmirror | 10565–10569 | -- | NetApp SnapMirror; async uses 10566; sync and semi-sync use 10565–10569
snmp | 161-162 | 161-162 | Simple Network Management Protocol (RFC 1902, 1905); Simple Network Management Protocol - Traps (RFC 1902, 1905)
sql | 118, 150, 156 | 118, 150 | SQL (Structured Query Language); all iana; 118 SQL Services; 150 Oracle SQL*NET; 156 SQL Service
srdf | 1748 | -- | EMC SRDF; override Oracle (iana 1748 for Oracle)
ssh | 22 | -- | SSH (Secure Shell) Remote Login Protocol
sshell | 614 | -- | Secure shell (shell over SSL)
sun_rpc | 111, 2049 | 111, 2049 | Sun Remote Procedure Call (RFC 1831)
sybase | 1498, 2638 | -- | Sybase SQL Anywhere (v6.0); Sybase SQL Anywhere (v5.x & older)
syslog | -- | 514 | Syslog
t_120 | 1503 | -- | T.120 Whiteboarding
tacacs | 49, 65 | -- | Login Host Protocol (TACACS); TACACS - Default Server Port (RFC 1492)
telnet | 23 | -- | Telnet (RFC 854)
telnets | 992 | -- | Secure TELNET (TELNET over SSL)
tftp | -- | 69 | Small, simple FTP used primarily in booting diskless systems
timbuktu | 407, 1417–1420 | 407, 1419 | Timbuktu
time | 37 | 37 | Time Protocol (RFC 868)
uucp | 540 | -- | UUCP (Unix-to-Unix copy protocol) over TCP; UUCP Path Service (RFC 915)
vnc | 5500, 5800, 5900 | -- | VNC; match on 1 VNC display only (ignore 5801/5901 ...); iana for 5900; 5500 for server-initiated connection; 5800 for Java VNC viewer on web browser
vplex | 11000 | | EMC VPLEX
vvr | 4145, 8199, 8989 | 4145 | Veritas Volume Replicator (VVR iana port 4145)
xwindows | 6000–6063 | -- | X Window (x11) System
yahoo_games | 11999 | -- | Yahoo Games
yahoo_im | 5000–5001, 5050, 5100–5101 | 5000–5010, 5055 | Yahoo Instant Messenger; Yahoo Instant Messenger file transfer; Yahoo Instant Messenger voice; Yahoo Instant Messenger webcam
To view the list of built-in applications
In the menu bar, click Configuration > Application > Built-in to access the Configuration - Built-in
Application page.
Link to a helpful document that opens in a separate browser tab.
Defining User-Defined Applications
You can also define custom applications, by associating an application name with a protocol and a port
number. For more granularity in the definitions, the standard MATCH criteria parameters are available:
• priority
• protocol
• source IP address, subnet, and port(s)
• destination IP address, subnet, and port(s)
• DSCP
• VLAN
User-defined applications (UDA) are available in the Match Criteria when configuring any of the traffic
maps (Route, Optimization, QoS), Access [Control] Lists (ACLs), or application groups.
Tip Notice that custom applications look like ACLs, but without the SET Action
(Permit/Deny).
Important Considerations for Statistical Reports
• When creating a custom application on one appliance, you must create the same application on each
corresponding device so that there is reporting symmetry. Doing so ensures that if an application has
a name on one appliance, it isn’t listed as an unassigned application on another, paired appliance.
• When it comes to flow and application statistics reports, user-defined applications are always
checked before built-in applications.
• Ports are unique. If a port or a range includes a built-in port, then the custom application is the one
that lays claim to it.
• If two distinctly named user-defined applications have a port number in common, then report results
will be skewed, depending on the priority assigned to the custom applications. A port is only counted
once.
To create a user-defined application
In the menu bar, click Configuration > Application > User-Defined to access the Configuration - User-Defined Applications page.
• Each application consists of at least one rule.
• You can create an application that uses the same port with tcp and with udp. In that case, use
the option, tcp/udp.
• If you select tcp, udp, or tcp/udp, then you can access the Port field. If you don’t select one of
those three specific protocols, then the Port field(s) are unavailable.
• A warning displays if you reach the maximum number of rules, ports, or addresses allowed.
• If a UDA is in use, deleting it deletes all the dependent entries. A warning message appears
before deletion.
• Multiple UDAs can have the same name. Whenever that name is referenced, the software
sequentially matches against each UDA definition having that name. So, dependent entries are
only deleted when you delete the last definition of that UDA.
• You’ll only be able to rename an application if it’s not used in a policy or ACL.
• Source IP / Destination IP:
  • An IP address can specify a subnet - for example: 10.10.10.0/24.
  • An IP address can specify a range - for example: 10.10.10.20-30.
  • To allow any IP address, use 0.0.0.0/0.
• Ports are available only for the protocols tcp, udp, and tcp/udp.
  • Specify either a single port or a range of ports - for example: 1234-1250.
  • To allow any port, use 0.
Creating and Using Application Groups
If your ACLs or policy maps contain MATCH conditions that involve multiple applications, you can
simplify the MATCH criteria with application groups.
For example, an application group, secure, might include SSH, HTTPS, and SFTP.
Application groups have the following properties:
• Any built-in or user-defined application can belong to multiple groups.
• An application group cannot contain an application group.
• You can modify the contents of an application group even when it’s used by an ACL or policy
map. But you can’t rename it if it’s being used.
• If an application group is in use, deleting it deletes all the dependent entries. A warning message
appears before deletion.
When creating an application group on one appliance, you must create the same application group on
each corresponding device so that there is reporting symmetry. Doing so ensures that if an application
group has a name on one appliance, it isn’t listed as an unassigned application on another, paired appliance.
To create an Application Group
1 In the menu bar, click Configuration > Application > Groups to access the Configuration - Application Groups page.
2 After you click Add Groups, you can name the group and select from a list of filterable applications.
  • The Group Name cannot be empty or have more than 64 characters.
  • Group names are not case-sensitive.
  • A group can be empty or contain up to 128 applications.
CHAPTER 4
Route Policy
This chapter describes the Route Policy.
Because MATCH criteria work the same way across all policies, the discussions focus on the SET actions
that are specific to the Route policy. Where applicable, they also provide context relative to the
Optimization and QoS policies.
Because the default is to auto-optimize all traffic, the Route Policy only requires rules for flows that are
to be:
• sent pass-through (shaped or unshaped)
• dropped
• configured for a specific high-availability deployment
• routed based on application, VLAN, DSCP, or ACL (Access Control List)
Because you must ensure that the appliance intercepts the packets from inbound and outbound flows, this
chapter also examines how to appropriately redirect traffic when you deploy the appliance out-of-path
(Router Mode).
In This Chapter
• Choose an Optimization Strategy for the Traffic Path
• How to Use Subnet Sharing in Common Deployments
• How TCP-based Auto-Optimization Works
• How IP-based Auto-Optimization Works
• Determining the Need for Traffic Redirection
• Where the Route Policy Can Direct Flows
• Route Policy Page Organization
Choose an Optimization Strategy for the Traffic Path
The Route Policy specifies where to direct flows.
By default, the Route Policy auto-optimizes all IP traffic, automatically directing flows to the appropriate
tunnel. Auto-optimization strategies reduce the need to create explicit route map entries for
optimization.
The three strategies that auto-optimization uses are subnet sharing, TCP-based auto-opt, and IP-based
auto-opt. By default, all three are enabled.
• Subnet sharing is the appliance’s first choice for auto-optimization. When subnet sharing is disabled,
the appliance defaults to using TCP-based auto-opt and IP-based auto-opt.
• When might you choose to disable subnet sharing? If your network has numerous non-local
LAN-side routers, you would need to manually enter each one into the appliance’s subnet table.
With TCP-based or IP-based auto-opt, this is unnecessary; however, you would need to configure
inbound redirection using either Policy-Based Routing (PBR), Filter-Based Forwarding (FBF), or
Web Cache Communication Protocol (WCCP).
For a discussion of when you need inbound and outbound redirection, see “Determining the
Need for Traffic Redirection”.
• Auto-optimization uses different mechanisms for TCP versus non-TCP traffic. Because both
mechanisms ultimately require an exchange of packets between two appliances, unidirectional IP
traffic will not trigger auto-optimization.
• You can, if you choose, modify the default entry’s SET action of auto-optimized.
The Route Policy, then, only requires entries for flows that are to be:
• sent pass-through (shaped or unshaped)
• dropped
• configured for a specific high-availability deployment
• routed based on application, VLAN, DSCP, or ACL (Access Control List)
Note IMPORTANT — A tunnel must exist before subnet sharing can proceed.
Create tunnels in one of three ways:
• If you enable auto-tunnel (on the Configuration - System page), then the initial TCP-based or
IP-based handshaking creates the tunnel. This requires the appropriate outbound and inbound
redirection to be in place.
• You can let the Initial Configuration Wizard create the tunnel to the remote appliance.
• You can create a tunnel manually on the Configuration - Tunnels page.
The next few sections discuss each of the auto-optimization mechanisms.
How to Use Subnet Sharing in Common Deployments
This section introduces you to the components of the subnet table and illustrates how to use subnet
sharing in the following deployments:
• Data Replication and Backup Deployment
• Hub and Branch Offices Deployment
• VRRP (Master/Backup) with Subnet Sharing
• VRRP (Master/Master) with Subnet Sharing
How is subnet sharing implemented?
Each appliance builds a subnet table from entries added automatically by the system or manually by
a user. When two appliances are connected by a tunnel, they exchange this information ("learn" it)
and use it to route traffic to each other.
When would you need to use a Route Policy?
Subnet sharing takes care of optimizing IP traffic based on the destination IP address alone.
Use a Route Policy (or when using the Global Management System (GMS), use and apply a Route
Policy template) for flows that are to be:
• sent pass-through (shaped or unshaped)
• dropped
• configured for a specific high-availability deployment
• routed based on application, ports, VLAN, DSCP, or ACL (Access Control List)
What are the components of the subnet table?
This section introduces the components of Appliance Manager’s Configuration - Subnets page.
The following are global tags, which apply at a system level:
• Use shared subnet information enables subnet sharing on the appliance.
If deselected, the subnet table is not used or available for auto-optimization.
• Automatically include local subnets adds the local subnet(s) of the appliance's interfaces to the
subnet table. A local subnet is a subnet that includes one of the appliance IP addresses.
If deselected, the system doesn't create entries for the appliance's local subnets. If these subnets
aren't listed, they cannot be shared with peer appliances for auto-optimization.
• Metric for automatically added subnets indicates the priority (0 to 100) of a given subnet. The
default priority is 50.
These fields apply to individual subnets (column name, followed by its definition/content):
Subnet/Mask: Specifies the actual subnet to be shared/advertised so it can be learned by a peer appliance.
Metric: Value must be between 0 and 100. When an appliance finds that more than one peer appliance is
advertising the longest matching subnet, it chooses the peer that advertises the subnet with the
lowest metric value — that is, lower metrics have priority.
Is Local: Specifies if the subnet is local to this site.
The appliance sets this parameter for automatically added subnets because those subnets are
directly attached to an appliance interface, and therefore are most likely local to the appliance.
Also, you can select the parameter when manually adding a subnet:
• Select this option for a manually added subnet if all the IP addresses in the subnet are known to
be local.
• Deselect this option if the subnet is so large (for example, 0.0.0.0/0) that it may include IP
addresses that are not local to this appliance.
If a subnet is too wide, and it’s marked local, then the stats will count any pass-through packets
with an IP address within that range as WAN-to-LAN.
Advertise to Peers: Selecting this shares the subnet information with peers. Peers then learn it.
To add a subnet to the table without divulging it to peers yet, deselect this option.
Type [of subnet]:
• Auto (added by system): Automatically added subnets of interfaces on this appliance
• Added by user: Manually added/configured subnets for this appliance
• Learned from peer: Subnets added as a result of exchanging information with peer
appliances
Learned from Peer: Identifies the peer appliance that advertised this subnet information.
Data Replication and Backup Deployment
An excellent opportunity for using subnet sharing is with data protection (replication and backup)
deployments, where storage personnel seek to optimize their replication and backup workloads and
improve RPO (Recovery Point Objective). Just put the Silver Peak appliance in the same subnet, and
either add a static route or change the default gateway to be the Silver Peak appliance. This, in fact,
eliminates the requirement for WAN-side redirection on the routers, saving storage personnel the need
to coordinate with network engineers.
Figure 4-1
To configure the subnets
Configure the subnet table at Replication Site 1, followed by the subnet table at Replication Site 2.
1. From the menu, access Configuration > Subnets. The empty Configuration - Subnets page appears.
2. Do the following:
a. Select Use shared subnet information.
b. Select Automatically include local subnets.
c. Click Apply. The appliance automatically adds its subnet and will share the information with its
peers.
3. Now, configure Replication Site 2’s appliance.
From the menu, access Configuration > Subnets. The Configuration - Subnets page appears and
displays the subnet learned from its peer at the other site.
4. Do the following:
a. Select Use shared subnet information.
b. Select Automatically include local subnets.
c. Click Apply. The appliance automatically adds its own subnet and shares the information with
its peers.
5. To verify that the information has been shared, return to Replication Site 1’s subnet table and
view the results.
The process is now complete.
Traffic originating from a replication site is sent to the Silver Peak appliance, which is the default
gateway. Once traffic reaches the appliance, it uses the subnet table information to route traffic into the
correct tunnel, thereby overcoming the need for inbound (WAN-side) redirects on the router.
Hub and Branch Offices Deployment
In this example, the branches can only access the Internet via the Hub appliance. We direct and optimize
Internet traffic between the branch offices and the hub site.
Figure 4-2
This example assumes the following facts before configuring the subnet tables:
• The tunnels already exist between hub and branches, and also between branches.
• All out-of-path traffic is redirected using VRRP (Virtual Router Redundancy Protocol), WCCP
(Web Cache Communication Protocol), or PBR (Policy-Based Routing).
To configure the subnets
First, configure the subnet table on the Hub appliance, then configure the subnet table on branch-2, and
finally configure the subnet table on branch-1.
1. From the menu, access Configuration > Subnets. The empty Configuration - Subnets page appears.
2. Do the following:
a. Select Use shared subnet information.
b. The subnet 10.1.166.0/24 is not in the same subnet as the Hub appliance. Therefore, you must
manually add it to the appliance’s subnet table.
• Select Is Local, to indicate that the subnet is local to this site.
• Select Advertise to Peers.
c. Click Apply.
Now, configure the appliance, branch-2.
3. From the menu, access branch-2’s Configuration - Subnets page. The Configuration - Subnets page
appears.
Notice that Hub’s shared information appears as an entry.
4. Do the following:
a. Select Use shared subnet information.
b. Select Automatically include local subnets. This ensures that the appliance automatically learns
its own subnet, 10.1.155.0/24.
c. Click Apply. The subnet table updates.
Next, configure the appliance, branch-1.
5. From the menu, access branch-1’s Configuration - Subnets page. The Configuration - Subnets page
appears.
Notice that branch-1 has already learned subnets from the configurations performed on Hub and
branch-2.
Do the following:
a. Select Use shared subnet information.
b. Select Automatically include local subnets. This ensures that the appliance automatically learns
its own subnets, 10.1.237.0/24 and 10.10.237.0/24.
c. Click Apply. The subnet table updates.
Because of VLAN 10 (see diagram), the appliance is able to learn this subnet automatically.
You can refer to Hub’s subnet table to verify that all the appropriate entries are there.
Next, separately test the connections and use branch-2’s Monitoring - Current Flows page to verify
that traffic from client A, 10.1.155.85, in Branch Office 2, is being optimized correctly as it flows:
• to client B, 10.1.237.85, in Branch Office 1, and
• to client C, 10.1.166.85, in the Main Office.
6. To verify communication between the branches, access branch-2. From the Monitoring menu, select
Current Flows. One by one, the results were as follows:
• from client A, 10.1.155.85, in Branch Office 2, to client B, 10.1.237.85, in Branch Office 1
The tunnel from branch-2 to branch-1 is 2-branch-1, and its traffic is being optimized successfully.
• from client A, 10.1.155.85, in Branch Office 2, to client C, 10.1.166.85, in the Main Office
The tunnel from branch-2 to Hub is 2-hub, and its traffic is being optimized successfully.
• from client A, 10.1.155.85, in Branch Office 2, to client D, 128.242.109.85, in the Internet
Client D has no configured or advertised subnet(s). This host lives in the internet.
An ALERT is visible when traffic is not being optimized successfully.
The traffic has been sent through pass-through, that is, unoptimized:
• branch-2 subnet sharing failed because there is no subnet entry match for client D.
• Without a known subnet, the Silver Peak software determines the correct tunnel by using
other optimization strategies, such as TCP-based auto-opt and IP-based auto-opt. These
failed because of the lack of WAN-side redirection at the Hub site for traffic intended for
client D.
The end result is that the traffic goes pass-through.
7. To overcome these issues and to successfully optimize internet traffic, create a “wild card”
(0.0.0.0/0) entry on Hub’s subnet table, and give it the highest value metric so that it’s accessed last.
Since subnet 0.0.0.0/0 may include IP addresses that are not local, deselect the “Is Local” option.
Note Exercise caution before configuring a wild card (0.0.0.0/0) subnet entry on the hub.
This will cause the branches to steer traffic that is destined to unknown (that is, not in the
subnet tables) subnets to the hub. Also, if you add a new network to a site, make sure to add
that subnet to the appropriate appliance as a local subnet.
8. Go to branch-2’s subnet table, and notice that it has learned the subnet.
If the Internet subnet is not among the previous entries, it will always go to Hub.
9. Go to branch-2’s Monitoring - Current Flows table to see that traffic from A to D is now being
optimized between branch-2 and Hub.
If 128.242.109.0/24 is in the Internet, then branch-2’s internet access is now via Hub.
This assumes that the firewall translates the internal IP address to a public address.
Now the bidirectional view ... Traffic is flowing in both directions.
The process is now complete.
This demonstrates how subnet sharing can be used to auto-optimize internet traffic to and from a
branch office, where the branch office’s only access to the internet is via the hub appliance.
VRRP (Master/Backup) with Subnet Sharing
In this example, Site A deploys two appliances out-of-path (Router mode), and Site B deploys a single
appliance in-line (Bridge mode).
The peered appliances at Site A use the Virtual Router Redundancy Protocol (VRRP) to create and share
a common IP address, called the Virtual IP (VIP) address (not shown here). Configuring for high
availability assigns one appliance a higher priority than the other, thereby making it the master appliance,
and the other, the backup.
Figure 4-3
Before configuring the subnet tables:
• The tunnels must already exist.
• For each appliance in Site A, configure VRRP by using the Configuration > VRRP menu. Be
sure to give your Master appliance the greater Priority value (for example, 130 for the Master,
and 128 for the Backup).
• Configure Site A’s WAN router to send traffic to the VRRP IP address.
To configure the subnets
First, configure Site A’s Master appliance (vrrp2), and then the Backup appliance (vrrp1).
1. From the menu, access Configuration > Subnets. The empty Configuration - Subnets page appears.
2. Do the following:
a. Select Use shared subnet information.
b. The subnets 10.1.166.0/24 and 10.1.167.0/24 are not in the same subnet as the appliance.
Therefore, you must manually add them to the appliance’s subnet table.
• Since this is the Master appliance, change the Metric to a smaller number to give its subnets
precedence. Here, we’ve changed it from the default, 50, to 10. (Lower number = higher priority.)
• Select Is Local, to indicate that the subnet is local to this site.
• Select Advertise to Peers.
c. Click Apply.
Now, configure Site A’s Backup appliance, vrrp1.
3. From the menu, access vrrp1’s Configuration - Subnets page. The empty Configuration - Subnets
page appears.
4. Do the following:
a. Select Use shared subnet information.
b. The subnets 10.1.166.0/24 and 10.1.167.0/24 are not in the same subnet as vrrp1. Therefore,
you must manually add them to the appliance’s subnet table.
• Since this is the Backup appliance, accept the default Metric value of 50. Since you changed
vrrp2’s Metric to 10, vrrp2 has priority. With subnet metrics, the lower the number, the
higher the priority.
• Select Is Local, to indicate that the subnet is local to this site.
• Select Advertise to Peers.
c. Click Apply. The table updates.
Now, we’ll configure Site B’s appliance.
5. From the menu, access Site B’s appliance’s Configuration - Subnets page. The empty Configuration
- Subnets page appears.
6. Do the following:
a. Select Use shared subnet information.
b. Select Automatically include local subnets. This assures that the appliance, 10.1.155.3,
automatically adds the subnet (10.1.155.0/24) that’s local to its interface.
c. Because it’s not in the same subnet as the appliance, you must manually add 10.10.155.0/24 to
the appliance’s subnet table.
• Select Is Local, to indicate that the subnet is local to this site.
• Select Advertise to Peers.
d. Click Apply.
Site B’s subnet table now also includes those subnets advertised by the peers in Site A.
If you now examine the subnet tables for vrrp2 and vrrp1, you’ll see that both have learned
Site B’s subnets.
7. To verify that traffic is flowing from Site B to the Master appliance, vrrp2, at Site A, go to Site B’s
menus and access Monitoring > Current Flows.
This shows that the tunnel carrying traffic is the one that goes to vrrp2.
8. In the event that the Master appliance goes down, the first thing to verify is whether the Backup,
vrrp1, has successfully become the Master appliance.
In vrrp1’s user interface, access the Configuration - VRRP page and verify the state.
When the original Master goes down, its learned entries disappear from Site B’s subnet table.
9. View Site B’s Monitoring - Current Flows page to verify that the traffic is now flowing from host
10.1.155.85 to 10.1.166.85 through tunnel, 2-vrrp1.
The process is now complete. This demonstrates how VRRP subnet sharing can be used in
auto-optimization mode to correctly steer traffic to the Master appliance.
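The peer selection rule from the subnet table definitions (longest matching subnet first, then lowest metric) explains both the Hub wild card entry and the VRRP Master/Backup failover. The following Python model is an added example, not Silver Peak code: the tables reuse the subnets and metrics from the examples above, while the wild card metric of 100, the address 10.1.200.7, and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LearnedSubnet:
    subnet: ipaddress.IPv4Network
    metric: int   # 0 to 100; lower metrics have priority
    peer: str     # peer appliance that advertised the subnet


def learned(cidr, metric, peer):
    """Build one learned subnet-table entry, enforcing the metric range."""
    if not 0 <= metric <= 100:
        raise ValueError(f"metric {metric} is outside 0..100")
    return LearnedSubnet(ipaddress.IPv4Network(cidr), metric, peer)


def select_peer(table, dst_ip):
    """Pick the entry for dst_ip: longest matching subnet, then lowest metric.

    Returns None when no learned subnet contains the address, the case in
    which subnet sharing cannot place the flow in a tunnel.
    """
    dst = ipaddress.IPv4Address(dst_ip)
    matches = [e for e in table if dst in e.subnet]
    if not matches:
        return None
    longest = max(e.subnet.prefixlen for e in matches)
    return min((e for e in matches if e.subnet.prefixlen == longest),
               key=lambda e: e.metric)


def caught_by_wildcard(table, dst_ips):
    """Map each destination that only matches 0.0.0.0/0 to the peer it is steered to."""
    steered = {}
    for ip in dst_ips:
        chosen = select_peer(table, ip)
        if chosen is not None and chosen.subnet.prefixlen == 0:
            steered[ip] = chosen.peer
    return steered


def without_peer(table, peer):
    """A peer's learned entries disappear from the table when that peer goes down."""
    return [e for e in table if e.peer != peer]


# branch-2's learned entries in the hub-and-branch example (50 is the default metric).
BRANCH2_LEARNED = [
    learned("10.1.166.0/24", 50, "Hub"),
    learned("10.1.237.0/24", 50, "branch-1"),
    learned("10.10.237.0/24", 50, "branch-1"),
]
# The same table after Hub advertises the wild card (metric 100 is constructed).
BRANCH2_WITH_WILDCARD = BRANCH2_LEARNED + [learned("0.0.0.0/0", 100, "Hub")]

# Site B's learned entries in the VRRP Master/Backup example.
SITE_B_LEARNED = [
    learned("10.1.166.0/24", 10, "vrrp2"),
    learned("10.1.167.0/24", 10, "vrrp2"),
    learned("10.1.166.0/24", 50, "vrrp1"),
    learned("10.1.167.0/24", 50, "vrrp1"),
]

if __name__ == "__main__":
    # Client D has no subnet entry until the wild card is advertised.
    print(select_peer(BRANCH2_LEARNED, "128.242.109.85"))
    print(select_peer(BRANCH2_WITH_WILDCARD, "128.242.109.85").peer)
    # Audit: which destinations reach Hub only because of the wild card?
    # 10.1.200.7 stands for a new network that nobody has added as a local subnet.
    print(caught_by_wildcard(BRANCH2_WITH_WILDCARD,
                             ["10.1.237.85", "128.242.109.85", "10.1.200.7"]))
    # VRRP: the Master wins on metric, and the Backup takes over when it is gone.
    print(select_peer(SITE_B_LEARNED, "10.1.166.85").peer)
    print(select_peer(without_peer(SITE_B_LEARNED, "vrrp2"), "10.1.166.85").peer)
```

Running `caught_by_wildcard` over observed destinations after adding a 0.0.0.0/0 entry lists the flows that are steered to the hub only because nothing more specific was advertised, which is the situation the Note above warns about.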
VRRP (Master/Master) with Subnet Sharing
For Active/Active style deployments, we need to configure two VRRP groups/instances.
• Each VRRP group/instance will look similar to the one in the Active-Backup setup (shown in
Figure 4-3).
• Only one VRRP group/instance is active on each appliance (shown in Figure 4-4).
• In this deployment, Silver Peak recommends that you set up flow redirection between
appliances. This helps avoid traffic not being optimized due to asymmetry.
Figure 4-4
All of the above deployments demonstrate how subnet sharing effectively helps users achieve their goals
for that specific topology and use case.
Some of the examples, like VRRP, show how to integrate subnet sharing with other features. Subnet
sharing is not limited to these deployments. You can apply it to other deployments, based on
requirements and topology.
How TCP-based Auto-Optimization Works
In the context of TCP traffic, auto-optimization begins with the sending of TCP control packets that—in
the process of handshaking—determine which tunnel to use as they open the connection.
Basic TCP handshaking consists of three ordered steps:
1. The client sends a SYN packet to the server, as “hello”.
2. The server receives the SYN packet and acknowledges it by sending a SYN/ACK packet.
3. The client receives the SYN/ACK packet. The connection is established. The client then sends an
ACK packet, along with the data, known as a TCP flow.
During this process, the appliances interact with the control packets to set up auto-optimization.
Handshaking for TCP Auto-Optimization in In-Line Deployments
Beginning at the top and progressing to the bottom, this diagram summarizes the sequence of activities
during handshaking in in-line deployments.
Handshaking for TCP Auto-Optimization in Out-of-Path Deployments
Beginning at the top and progressing to the bottom, this diagram summarizes the sequence of activities
during handshaking in out-of-path deployments.
Note The appliance tries to override asymmetric route policy settings. It emulates Auto-opt
behavior by using the same tunnel for the returning SYN+ACK as it did for the original SYN
packet.
Enabled by default (in the Optimization Policy, under TCP Accelerations Details), this feature
needs to be disabled if the asymmetric route policy setting is necessary to correctly route packets.
In such a case, other features like flow redirection might need to be employed to ensure TCP
optimization of the flow.
How IP-based Auto-Optimization Works
IP-based (non-TCP) auto-optimization requires that at least 12 packets are transmitted in each direction
to auto-optimize the flow.
Therefore, unidirectional non-TCP traffic will not trigger auto-optimization.
Determining the Need for Traffic Redirection
To optimize traffic, the appliance must intercept both the inbound and outbound packets for the flow.
Therefore, whenever you place an appliance out-of-path, you must redirect traffic from the client to the
appliance.
There are three methods for redirecting outbound packets from the client to the appliance (known as
LAN-side redirection, or outbound redirection):
• PBR (Policy-Based Routing) — configured on the router. No other special configuration
required on the appliance. This is also known as FBF (Filter-Based Forwarding).
If you want to deploy two Silver Peaks at the site, for redundancy or load balancing, then you
also need to use VRRP (Virtual Router Redundancy Protocol).
• WCCP (Web Cache Communication Protocol) — configured on both the router and the Silver
Peak appliance. You can also use WCCP for redundancy and load balancing.
• Host routing — the server/end station has a default or subnet-based static route that points to
the Silver Peak appliance as its next hop. Host routing is the preferred method when a virtual
appliance is using a single interface, mgmt0, for datapath traffic (also known as Server Mode).
To ensure end-to-end connectivity in case of appliance failure, consider using VRRP between
the appliance and a router, or the appliance and another redundant Silver Peak.
How you plan to optimize traffic affects whether or not you also need inbound redirection from the
WAN router (also known as WAN-side redirection):
• If you enable subnet sharing (which relies on advertising local subnets between Silver Peak
appliances) or route policies (which specify destination IP addresses), then you only need
outbound redirection.
• If, instead, you default to TCP-based or IP-based auto-optimization (which relies on initial
handshaking outside a tunnel), then you must set up inbound and outbound redirection on the
WAN router.
• Additionally, for TCP flows to be optimized, both directions must travel through the same client
and server appliances. If the TCP flows are asymmetric — as could occur in a high-availability
deployment — you need to configure clusters for flow redirection among local appliances.
For more about flow redirection, see Chapter 7, “Using Flow Redirection to Address
TCP Asymmetry.”
A tunnel must exist before auto-optimization can proceed. There are three options for tunnel creation:
• If you enable auto-tunnel on the Configuration - System page, then TCP-based or IP-based
handshaking creates the tunnel. That requires outbound and inbound redirection to be in place.
• You can let the Initial Configuration Wizard create the tunnel to the remote appliance.
• You can create a tunnel manually on the Configuration - Tunnels page.
The following diagrams show where redirection is required and which methods you can use:
• when subnet sharing is enabled
• when using TCP-based or IP-based auto-optimization (that is, subnet sharing is not enabled)
• when directed to a specific tunnel by the Route Policy
When using subnet sharing
• Enable subnet sharing on both the local and remote appliances.
• For outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF), WCCP, or
host routing.
• Host routing only requires configuration on the client — not on the router or appliance.
Figure 4-5
When defaulting to TCP-based or IP-based auto-optimization
• Initial handshaking between appliances happens outside the tunnel, requiring inbound redirection
for packet routing.
• For inbound and outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF)
or WCCP.
Figure 4-6
When specifying a tunnel
• For outbound redirection to the out-of-path appliance (B), choose from PBR (or FBF), WCCP, or
host routing.
• With host routing, the outbound redirection is configured on the client, as opposed to on the router
and/or appliance.
• Host routing only requires configuration on the client — not on the router or appliance.
Figure 4-7
Where the Route Policy Can Direct Flows
The Route Policy’s SET actions determine:
• where the appliance directs the traffic, and
• how traffic is managed if a tunnel is down.
These actions correlate with what you choose for the options in Tunnel and Tunnel Down Action. The
following diagrams illustrate the consequences for each:
• Flow directed to a tunnel
• Flow designated as auto-optimized
• Flow designated as shaped pass-through traffic
• Flow designated as unshaped pass-through traffic
• Flow dropped
• Continue option used in Tunnel Down Action
Flow directed to a tunnel
The most important thing to remember is that the only way to optimize traffic is to direct flows to
tunnels, either by specifying the tunnel or selecting auto-optimization.
This diagram shows how the appliance processes a flow assigned to a tunnel by the Route Policy. The
QoS and Optimization policies are shown only in the interest of providing a broader context for interested
users.
1. First, the Route Policy checks traffic incoming from the LAN against the MATCH criteria in its
prioritized entries. Entries 10 and 20 don’t match the traffic, but Entry 30 does.
2. The policy applies the entry’s SET actions to the identified flow. In this case, it directs the flow to
Tunnel A. Once traffic matches an entry, no subsequent entries are examined.
3. Before the flow reaches Tunnel A, the QoS Policy checks against its entries and
• applies the DSCP marking specified for LAN QoS, and
• assigns the flow to a traffic class. (Traffic classes are defined in and processed by the Shaper.)
4. The appliance passes the flow to the Optimization Policy.
Only flows directed to tunnels are subject to the Optimization Policy.
5. The appliance queues the flow into Traffic Class #1 in the Shaper.
6. After shaping, the QoS Policy applies the DSCP markings for the WAN QoS.
7. The appliance queues the optimized flow into Tunnel A as it exits the physical WAN interface.
Flow designated as auto-optimized
When a Route Policy entry has a SET action of auto optimized — as is the case with the default entry —
the appliance uses one of three strategies — subnet sharing, TCP-based auto-opt, or IP-based (non-TCP)
auto-opt — to direct a flow to the appropriate tunnel.
Once the appliance determines the appropriate tunnel, it processes the flow in the same way as a flow
directed to a specific tunnel.
Flow designated as shaped pass-through traffic
Flows tagged by the Route Policy as shaped, pass-through traffic follow this path:
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entry 40 matches the traffic and tells the appliance to process the flow as shaped, pass-through traffic.
2. The QoS Policy checks against its entries and
   • ignores the DSCP marking specified for LAN QoS, and
   • assigns the flow to a traffic class.
3. After shaping, the QoS Policy applies the DSCP markings for the WAN QoS.
4. The appliance queues the flow to exit the physical WAN interface.
Flow designated as unshaped pass-through traffic
Flows marked by the Route Policy as unshaped, pass-through traffic follow this path:
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. The first three entries don’t match the traffic, but Entry 40 does.
2. In this case, the flow is to be processed as unshaped, pass-through traffic.
3. The QoS Policy only applies the DSCP marking specified for WAN QoS.
4. The appliance queues the flow to exit the physical WAN interface.
Flow dropped
Flows that have a SET action of drop follow this path:
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entries 10 and 20 don’t match the traffic, but Entry 30 does.
2. With a SET action of drop, the appliance stops all processing on the flow.
Continue option used in Tunnel Down Action
The Continue option in the Tunnel Down Action field enables the appliance to read ensuing entries in the
Route Policy in the event that the tunnel used in a previous entry goes down.
Flows that have a Tunnel Down SET action of Continue follow this path:
(We’ve simplified this last diagram, skipping over the sequenced application of Optimization and QoS
Policies. To refresh your memory, see “Flow directed to a tunnel” on page 76.)
1. First, the Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entries 10 and 20 don’t match the traffic, but Entry 30 does.
2. The policy applies the entry’s SET actions to the identified flow. In this case, it sends the flow to Tunnel A. Once any traffic matches an entry, no subsequent entries are examined.
3. If Tunnel A goes down, the Route Policy refers back to the policy entry’s Tunnel Down Action. The action prescribed is to continue to the next applicable MATCH criteria, which is Entry 50, putting all traffic into Tunnel B.
This configuration provides redundancy for high availability environments:
• If Tunnel A is subsequently restored, the Route Policy directs new flows matching Entry 30 to Tunnel A.
• Flows that were continued from Entry 30 to Entry 50 (and Tunnel B) persist until complete.
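
The first-match and Continue behaviour described in this chapter can be modelled in a few lines, which is handy for checking where a flow lands when a tunnel fails. This is an added example, not Silver Peak code: the MATCH criteria, the addresses, the rule number 65535 for the default entry, the default Tunnel Down Action and the per-flow cache are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# SET actions that do not name a specific tunnel (terms taken from the guide).
NON_TUNNEL_ACTIONS = {"auto optimized", "pass-through", "pass-through-unshaped", "drop"}


@dataclass
class Entry:
    priority: int                      # lower number is examined first
    match: Callable[[dict], bool]      # MATCH criteria
    action: str                        # SET action: a tunnel name or a non-tunnel action
    tunnel_down: str = "pass-through"  # Tunnel Down Action (this default is an assumption)


class RoutePolicy:
    def __init__(self, entries: List[Entry]):
        self.entries = sorted(entries, key=lambda e: e.priority)
        self.tunnels_up: Set[str] = set()
        self.flows: Dict[str, Tuple[int, str]] = {}   # flow id -> (entry, decision)

    def evaluate(self, pkt: dict) -> Tuple[int, str]:
        """First match wins; only 'continue' lets evaluation move past a matched entry."""
        for e in self.entries:
            if not e.match(pkt):
                continue
            if e.action in NON_TUNNEL_ACTIONS or e.action in self.tunnels_up:
                return e.priority, e.action
            if e.tunnel_down == "continue":
                continue                       # tunnel is down: keep reading later entries
            return e.priority, e.tunnel_down   # tunnel is down: apply the fallback action
        raise LookupError("no entry matched; a policy should end with a default rule")

    def forward(self, flow_id: str, pkt: dict) -> Tuple[int, str]:
        """Established flows keep their decision; only new flows are evaluated."""
        if flow_id not in self.flows:
            self.flows[flow_id] = self.evaluate(pkt)
        return self.flows[flow_id]


def in_net(cidr: str) -> Callable[[dict], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt["dst"]) in net


def build_policy() -> RoutePolicy:
    # Constructed policy that mirrors the Entry 30 / Entry 50 walk-through.
    return RoutePolicy([
        Entry(10, lambda p: p["dport"] == 23, "drop"),
        Entry(20, in_net("192.0.2.0/24"), "pass-through-unshaped"),
        Entry(30, in_net("10.20.0.0/16"), "Tunnel A", tunnel_down="continue"),
        Entry(50, in_net("10.0.0.0/8"), "Tunnel B", tunnel_down="drop"),
        Entry(65535, lambda p: True, "auto optimized"),   # default rule, always last
    ])


def failover_demo():
    policy = build_policy()
    pkt = {"dst": "10.20.5.9", "dport": 443}
    policy.tunnels_up = {"Tunnel B"}               # Tunnel A is down
    first = policy.forward("flow-1", pkt)          # continued from Entry 30 to Entry 50
    policy.tunnels_up = {"Tunnel A", "Tunnel B"}   # Tunnel A is restored
    kept = policy.forward("flow-1", pkt)           # existing flow persists on Tunnel B
    new = policy.forward("flow-2", pkt)            # new flow matches Entry 30 again
    return first, kept, new


if __name__ == "__main__":
    for label, decision in zip(("first", "kept", "new"), failover_demo()):
        print(label, decision)
```

Changing Entry 30's `tunnel_down` from `continue` to another action shows how the same outage would instead pass the flow through or drop it.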
Route Policy Page Organization
The Route Policy page allows you to:
• add, delete, activate, and rename maps
• add, edit, and delete rules
The following shows the SET actions:
• To switch to another route map, select from the drop-down menu and click Activate. Any change governs all new flows.
• The following options are available when configuring the Tunnel:
  • auto optimized
  • the name of any tunnel from the Configuration - Tunnels page
  • pass-through [shaped]
  • pass-through-unshaped, and
  • drop
• Tunnel Down Action has the following options:
  • pass-through [shaped]
  • pass-through-unshaped
  • drop, and
  • continue
• The last column is only accessible if the Tunnel entry is a specific tunnel.
• The default rule is always last.
CHAPTER 5
Bandwidth Management & QoS Policy
This chapter describes the QoS Policy’s SET actions and how the Shaper defines and manages the traffic
classes assigned in the QoS Policy.
It also explains how to configure traffic classes in the Shaper for optimized and pass-through traffic,
along with providing best practices guidelines for effectively managing bandwidth.
In This Chapter
• Overview
• What Path a Flow Follows for Shaping
• Defining Traffic Classes and Limits with the Shaper
• QoS Policy Page Organization and Management
• Handling and Marking Packets
Overview
When the network gets congested or you start to run out of bandwidth, your QoS policy determines how
to allocate the available resources.
In a well-designed network, QoS helps manage every potential bottleneck point. It’s important to
implement QoS in the WAN acceleration appliance for the following reasons:
• It can offload the router.
• It’s the only element that collects real-time metrics — such as packet loss and delay — for pre-optimization and post-optimization views of the traffic.
In the event that demand exceeds available bandwidth, QoS gives preferential treatment to selected
flows, while slowing down or delaying others.
The QoS Policy assigns each flow to a queue that’s associated with a traffic class, for processing and
transmission across the WAN:
• The configuration of the traffic classes determines how likely packets are to get WAN bandwidth at any point in time.
• Traffic Class definitions are part of the Shaper configuration.
• The appliance’s WAN interface supports 10 traffic classes.
• Traffic class definitions and QoS Policy settings apply to both optimized and pass-through shaped traffic. By default, both share the same limit for maximum bandwidth. However, you can set a lower maximum bandwidth for pass-through traffic than for optimized traffic.
A QoS policy asks:
• How do you want to use traffic classes to prioritize and shape your traffic?
• How should the DSCP markings be treated? Trust the incoming LAN or re-mark for the WAN?
• Do you want to use DSCP markings to prioritize traffic downstream?
The default QoS Policy honors incoming DSCP tags. It also prepopulates the QoS policy table with rules
to send traffic to predefined traffic classes (2 - real-time, 3 - interactive, 4 - best-effort) and sends the
remaining flows to Traffic Class 1 - default. For the majority of users, the need to adjust this will be a
“corner case”.
What Path a Flow Follows for Shaping
The QoS Policy’s SET actions determine two things:
• what traffic class a shaped flow — whether optimized or pass-through — is assigned
• how to handle DSCP markings for all flows leaving the appliance’s WAN interface, whether the marking is for over-the-WAN or for the LAN on the remote side.
The following diagrams illustrate the consequences for each:
• Flow sent to a tunnel
• Flow sent as pass-through shaped traffic
• Flow sent as unshaped pass-through traffic
Flow sent to a tunnel
This diagram shows how the appliance applies QoS to a flow that’s been directed to a tunnel.
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria. Entries 10 and 20 don’t match the traffic, but Entry 30 does.
2. The policy applies the entry’s SET actions to the identified flow. In this case, it directs the flow to Tunnel C. Once any traffic matches an entry, no subsequent entries are examined.
3. Before the flow reaches Tunnel C, the QoS Policy checks against its entries and
   • applies the DSCP marking specified for LAN QoS, and
   • assigns the flow to a traffic class. Here, the application, ssh, matches to the pre-defined application group, interactive, so the appliance assigns the flow to Traffic Class 3.
   • passes the flow to the Optimization Policy for optimizations, accelerations, and compressions. The Optimization Policy only applies to tunnelized traffic.
4. After optimization, the flow queues to Traffic Class 3 for shaping.
5. QoS Policy applies the DSCP markings for the WAN QoS.
6. The optimized flow exits the WAN interface.
If the Route Policy’s Set Action is auto-optimized and the local appliance initiates either TCP-based or
IP-based handshaking, then the remote appliance determines which tunnel to use, based on information
it receives in the first packets from the local appliance.
Also, auto-optimization relies on deploying the appliance such that it intercepts outbound and inbound
flows. For an out-of-path (Router Mode) appliance, this requires traffic redirection.
For more information about auto-optimization, see Chapter 4, “Route Policy.”
Handling of DSCP markings is further explained in “Applying DSCP Markings to Optimized
Traffic” on page 95.
Flow sent as pass-through shaped traffic
Flows tagged by the Route Policy as pass-through shaped traffic follow this path:
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria in its prioritized entries. Entry 20 matches and designates the flow for pass-through shaped traffic.
2. The QoS Policy checks against its entries and
   • ignores the DSCP marking specified for LAN QoS (because packets are not encapsulated), and
   • because the flow matched no earlier entries, assigns the flow to the default, Traffic Class 1. Note that the same traffic classes process both optimized and pass-through shaped traffic. Unless you configure pass-through shaped traffic to have a lower maximum bandwidth, the Shaper processes both types of traffic by the same criteria.
3. After optimization, the flow queues to Traffic Class 1 for shaping.
4. The QoS Policy applies the DSCP markings for the WAN QoS.
5. The flow exits the WAN interface.
Note: The user interface uses the term pass-through to refer to pass-through shaped. We use the latter term here for clarity.
Handling of DSCP markings is further explained in “Applying DSCP Markings to Shaped and
Unshaped Pass-through Traffic” on page 98.
Flow sent as unshaped pass-through traffic
Flows marked by the Route Policy as unshaped, pass-through traffic follow this path:
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria. The flow matches on Entry 20.
2. The policy applies the entry’s SET actions to the identified flow. In this case, the flow is to be processed as unshaped, pass-through traffic.
3. Because the traffic is set to pass-through unshaped, it is not encapsulated. The QoS Policy checks against its entries and only applies the DSCP marking specified for WAN QoS.
4. The flow exits the WAN interface.
Handling of DSCP markings is further explained in “Applying DSCP Markings to Shaped and
Unshaped Pass-through Traffic” on page 98.
Best Practices for Bandwidth Management
Congestion is unlikely on either of the LAN segments to which the Silver Peak device connects directly,
since these are typically operating at 100Mbps or 1000Mbps.
In a typical deployment, congestion is most likely to arise at the near-end WAN interface.
With wise bandwidth management and QoS, the Silver Peak appliance can guarantee shaping and
prioritization for all traffic. For smooth network operation, it’s wisest to consider your overall bandwidth
allocation in advance and then to revisit it each time you add, edit, or remove a tunnel.
Summary of Bandwidth Assessment and Management Tasks
The following table summarizes the tasks when configuring multiple tunnels for an appliance and/or
more than one traffic class per entity.
| # | Task | Notes | For detailed instructions, see... |
|---|------|-------|-----------------------------------|
| 1 | Configure the maximum system bandwidth, based on the bandwidth of the WAN link. | Because of where network congestion typically occurs, you want to ensure that the appliance doesn’t deliver more than the WAN can manage. | “Configuring Max WAN Bandwidth” on page 91. |
| 2 | Configure traffic classes in the Shaper. | The same traffic classes manage optimized (tunnel) traffic and pass-through shaped traffic. You can configure up to 10 traffic classes for the physical WAN interface. | “Traffic Class Configuration” on page 90. |
| 3 | Configure the tunnel minimum bandwidth | This is a consideration when using Dynamic Rate Control. | “Dynamic Rate Control” on page 93. |
| 4 | Let the appliance negotiate tunnel maximum bandwidth(s) | When Auto BW is active (as it is by default), the appliance negotiates maximum bandwidth for each tunnel. | “Tunnel Auto BW” on page 93. |
| 5 | Configure your QoS Policy | Here you assign flows to the traffic classes you defined in the shaper. | “QoS Policy Page Organization and Management” on page 94. “Handling and Marking Packets” on page 95. |
| 6 | Review your configuration | Make sure that you haven’t over- or undersubscribed the link. | |
Defining Traffic Classes and Limits with the Shaper
The Shaper is a simplified way of globally configuring QoS (Quality of Service) on the appliances:
• The QoS Policy assigns each packet to a traffic class.
• Traffic Class definitions are part of the Shaper configuration.
• The Shaper defines ten traffic classes, four of which are prescriptively named: real-time, interactive, default, and best effort.
• It shapes outbound traffic by allocating bandwidth as a percentage of the system bandwidth.
• The Shaper's parameters apply to the WAN interface.
• The system applies these QoS settings globally after compressing (deduplicating) all the outbound tunnelized and pass-through-shaped traffic, shaping it as it exits to the WAN.
This section discusses the following:
• Traffic Class Configuration
• Configuring Max WAN Bandwidth
• Configuring Max Bandwidth for Pass-through Shaped Traffic
• Role of Tunnel Configuration Values and Features
Traffic Class Configuration
The Configuration - Shaper page looks like this:
• Priority determines the order in which to allocate each class’s Minimum Bandwidth — 1 being the highest priority, and 10 being the lowest priority. Here, Traffic Class 2 has the highest priority. This becomes critical when you oversubscribe.
• Each traffic class is guaranteed this percentage of bandwidth, allocated by Priority. Configure the %, and the Kbps is calculated for you.
• After minimums are satisfied, excess bandwidth is distributed among traffic classes in proportion to their weights.
• You can limit a traffic class to a maximum percentage of bandwidth.
• Packets are dropped if they have been in the system longer than the configured max wait times.
What happens if you change the Minimum Bandwidth values?
• If all minimums are equal to 0%, then Excess Weighting alone determines bandwidth allocation and no traffic class has priority. (Referred to as pure weights.)
  Tip: When you set a traffic class Minimum Bandwidth to zero, you are explicitly not guaranteeing any bandwidth for that class.
• If the sum of the percentages for the queues in use exceeds 100%, then low-priority traffic classes might not receive their guaranteed bandwidth (starvation).
• If all minimums are equal to 100%, then Priorities alone determine bandwidth allocation. For example, Priority 2 only gets bandwidth if Priority 1 is completely satisfied. (Referred to as pure priorities.)
How is Excess Weighting calculated and applied?
• Excess Weighting is a ratio of the weight of one traffic class divided by the sum of the weights of the active traffic classes. So, if all three traffic classes were active in the example above, Traffic Class 2 would get 1000/(100 + 1000 + 1000) = 1000/2100 = 48% of the excess bandwidth.
• If all Minimum Bandwidth values were set to 0 (zero), then ratios would allocate all bandwidth.
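
The two-pass allocation described above (minimums by priority, then excess by weight among active classes, subject to each class's maximum) is written out below as a simplified model. This is an added example, not the appliance's scheduler: the priorities, minimums, link speed and demands are constructed, and only the weights 100/1000/1000 come from the calculation in the text.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TrafficClass:
    name: str
    priority: int           # 1 is served first when minimums are handed out
    min_pct: float          # Minimum Bandwidth, as a percentage of system bandwidth
    weight: int             # Excess Weighting
    max_pct: float = 100.0  # upper limit, as a percentage of system bandwidth


def excess_share(weights: Dict[str, int], name: str) -> float:
    """Weight of one class divided by the sum of the weights of the active classes."""
    return weights[name] / sum(weights.values())


def allocate(link_kbps: float, classes: List[TrafficClass],
             demand: Dict[str, float]) -> Dict[str, float]:
    """Return the kbps granted to each class for one interval (simplified model)."""
    # A class never receives more than it asks for or more than its maximum.
    cap = {c.name: min(demand.get(c.name, 0.0), link_kbps * c.max_pct / 100)
           for c in classes}
    grant = {c.name: 0.0 for c in classes}
    remaining = float(link_kbps)

    # Pass 1: minimums, strictly in priority order. When the minimums add up to
    # more than 100%, the low-priority classes are the ones left short.
    for c in sorted(classes, key=lambda c: c.priority):
        g = min(link_kbps * c.min_pct / 100, cap[c.name], remaining)
        grant[c.name] = g
        remaining -= g

    # Pass 2: excess, in proportion to weight among classes that still want more.
    # Repeat so bandwidth refused by a capped class is offered to the others.
    for _ in range(len(classes) + 1):
        hungry = [c for c in classes if cap[c.name] - grant[c.name] > 1e-9]
        total_weight = sum(c.weight for c in hungry)
        if remaining <= 1e-9 or total_weight == 0:
            break
        pool = remaining
        for c in hungry:
            extra = min(pool * c.weight / total_weight, cap[c.name] - grant[c.name])
            grant[c.name] += extra
            remaining -= extra
    return grant


# Constructed sample: weights as in the guide's calculation, the rest made up.
SAMPLE = [
    TrafficClass("default", priority=3, min_pct=30, weight=100),
    TrafficClass("real-time", priority=1, min_pct=30, weight=1000),
    TrafficClass("interactive", priority=2, min_pct=20, weight=1000),
]

if __name__ == "__main__":
    busy = {c.name: 10_000 for c in SAMPLE}
    for name, kbps in allocate(10_000, SAMPLE, busy).items():
        print(f"{name:12s} {kbps:8.1f} kbps")
```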
Configuring Max WAN Bandwidth
When you configure the Max WAN Bandwidth, you need to consider two things:
• the speed of the appliance WAN interface
• the speeds of the edge router’s WAN links
If you set the Max WAN Bandwidth too low, you may underutilize your links. If you set it too high
(oversubscribe), you may overrun the appliance WAN link, or cause congestion and drops on the router.
You can enter this value on either the Configuration - Deployment page or the Configuration - Shaper
page.
Best Practices
• Total the speeds of the WAN links on the WAN router, and configure that as the Max WAN Bandwidth.
• Ideally, set it to your SLA (Service-Level Agreement) value, or less.
• Make sure the appliance has enough bandwidth on its WAN interface to fill a “pipe” that size.
• When using a single appliance with dual WAN routers (two WAN next-hops), use these rules of thumb:
  • If the ISPs are configured Active/Active, then use the sum of the two routers’ WAN bandwidths.
  • If the ISPs are configured Active/Standby, then use the larger of the two routers’ WAN bandwidths.
Configuring Max Bandwidth for Pass-through Shaped Traffic
By default, the values are the same for Max WAN Bandwidth (for tunnelized traffic) and the Max
Bandwidth for pass-through shaped traffic.
However, you can cap the maximum amount of bandwidth allocated to pass-through shaped traffic by
configuring the upper limit at the bottom of the Configuration - Shaper page.
It’s important to note that this is not the same as configuring a percentage of Max WAN BW. This
calculation is done after exiting the Shaper, so until that point, all shaped packets have queued through
the traffic classes as they arrived. As a result, pass-through packets in a higher priority traffic class have
a better chance of getting through in the event that the max is exceeded, or if congestion occurs.
Role of Tunnel Configuration Values and Features
Some tunnel configuration parameters directly affect bandwidth management.
Even though it appears on the Configuration - Tunnels page, as opposed to the Configuration - Shaper
page, the Shaper uses the Tunnel Max BW value as it services queues.
• The Shaper uses this as the upper limit on the traffic going to this tunnel. Auto Max BW is recommended.
• Not used by the Shaper for calculations, but rather by Dynamic Rate Control (DRC).
After the Max Bandwidth has been met for a given tunnel, the Shaper won’t schedule any more packets
for transmission in that tunnel until more bandwidth is available. Since the clock is still ticking for any
packets still in a queue for that tunnel, the traffic class Max Wait Time could be exceeded for those packets
before bandwidth is available.
Tunnel Auto BW
Each model of appliance has a specific maximum system bandwidth. That is, the amount of bandwidth
it can support for optimized traffic at the WAN interface.
By default, all tunnels are set to automatically negotiate tunnel bandwidth to the lowest common value.
The following illustrations show this negotiation from the perspective of an NX-8500 with multiple
tunnels. The maximum values assume that all options are enabled.
After negotiating bandwidth for all four tunnels, 119 Mbps (1000 minus 881) are left over for shaped
pass-through traffic.
Dynamic Rate Control
Auto BW can only negotiate the link between two appliances — A and Hub, and B and Hub. So, here
it can negotiate the link down to 100 Mbps. However, if A and B both transmit at 100 Mbps, the hub will
be overrun.
Enabling Dynamic Rate Control on the Hub allows it to control the tunnel traffic by lowering each remote
appliance’s Tunnel Max Bandwidth. The smallest possible value for A or B is that appliance’s Tunnel Min
Bandwidth.
By default, a tunnel’s Minimum Bandwidth is set to 32 kbps.
DRC is disabled by default and can only be configured in the command line interface.
QoS Policy Page Organization and Management
The QoS Policy page allows you to:
• add, delete, activate, and rename maps
• add, edit, and delete rules
The following shows the SET actions for the appliance.
• To switch to another route map, select from the drop-down menu and click Activate. Any change governs all new flows.
• The QoS Policy doesn’t apply DSCP markings for LAN QoS if the flows are pass-through shaped or unshaped.
The QoS Policy comes with five default QoS rules.
• Four of the 10 possible traffic classes are predefined in the Shaper configuration.
• It pairs a couple of predefined application groups in the MATCH criteria with predefined traffic classes in the SET actions.
• It pairs a couple of DSCP settings in the MATCH criteria with predefined traffic classes in the SET actions.
• All rules, except 65535, are editable.
Handling and Marking Packets
All flows that are not explicitly dropped by the Route Policy are subject to DSCP marking by the QoS
Policy. DSCP markings specify end-to-end QoS policies throughout a network.
As with all policies, the appliance searches sequentially through the policy for the first MATCH criteria
that applies. If no entries match, then ultimately the default entry applies. For the QoS Policy, the default
DSCP values for LAN QoS and WAN QoS are trust-lan.
The appliance encapsulates optimized traffic. This process adds an IP outer header to packets for travel
across the WAN. However, because pass-through traffic doesn’t receive this additional header, its
handling is different. The following two sections provide illustrated examples:
• Applying DSCP Markings to Optimized Traffic
• Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic
• Definitions of DSCP Markings
Applying DSCP Markings to Optimized Traffic
This section illustrates and explains how the appliance applies the QoS Policy to optimized traffic in the
following scenarios:
• LAN and WAN set to trust-lan
• LAN setting changed, WAN is trust-lan
• LAN is trust-lan, WAN setting changed
• LAN setting changed, WAN setting changed
LAN and WAN set to trust-lan
1. The source appliance receives the packet from the LAN with a DSCP marking of be (best effort).
2. Based on MATCH criteria, the QoS Policy applies the LAN QoS setting of trust-lan, leaving the LAN DSCP markings as be (best effort). As the packet is encapsulated, this is now part of the IP inner header.
3. Since the WAN QoS is trust-lan, the appliance also sets the WAN QoS bits to be in the encapsulating IP outer header.
4. When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to be.
LAN setting changed, WAN is trust-lan
1. The source appliance receives the packet from the LAN. It has a DSCP marking of be (best effort).
2. Based on MATCH criteria, the QoS Policy changes the LAN QoS setting to ef (express forwarding). As the packet is encapsulated, this is now part of the IP inner header.
3. Since the policy’s WAN QoS is trust-lan, the appliance refers back to the original DSCP markings and sets the WAN QoS bits to be in the encapsulating IP outer header.
4. When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to ef.
LAN is trust-lan, WAN setting changed
1. The source appliance receives the packet from the LAN.
2. Based on MATCH criteria, the QoS Policy applies the LAN QoS setting of trust-lan, leaving the LAN DSCP markings as be (best effort). As the packet is encapsulated, this is now part of the IP inner header.
3. Since the policy’s WAN QoS action is cs5 (class selector 5), the appliance sets the bits to cs5 in the encapsulating IP outer header.
4. When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to be.
LAN setting changed, WAN setting changed
1. The source appliance receives the packet from the LAN. It has a DSCP marking of be (best effort).
2. Based on MATCH criteria, the QoS Policy changes the LAN QoS setting to ef. As the packet is encapsulated, this is now part of the IP inner header.
3. Since the policy’s WAN QoS action is cs5, the appliance sets the bits to cs5 in the encapsulating IP outer header.
4. When the packet reaches the destination appliance, the appliance de-encapsulates the packet, and the packet traverses the LAN with the DSCP markings set to ef.
Applying DSCP Markings to Shaped and Unshaped Pass-through Traffic
The appliance applies the QoS Policy’s DSCP markings to all pass-through flows — whether shaped or
unshaped — in the same way:
• If there is a match, the appliance applies the WAN QoS setting to the packet (in the IP ToS/DSCP field).
• If there is a LAN QoS setting in the policy match, it is ignored.
• If there is a trust-lan setting in the policy match, it is ignored.
To summarize, all pass-through traffic is trust-lan unless it’s modified by the WAN QoS setting. When
that’s the case, the packet retains the modified QoS setting as it travels through the WAN to the
destination appliance.
The following three examples illustrate how the QoS Policy’s LAN QoS and WAN QoS settings affect
a matched flow’s DSCP markings:
• LAN and WAN set to trust-lan
• LAN setting changed, WAN is trust-lan
• LAN is trust-lan, WAN setting changed
LAN and WAN set to trust-lan
1. Because it’s pass-through traffic, the appliance ignores the LAN QoS setting.
2. Since the WAN QoS is trust-lan, the appliance sets the WAN QoS bits to be (best effort).
3. When the packet reaches the destination appliance, it retains the be setting as the LAN receives it.
LAN setting changed, WAN is trust-lan
1. Because it’s pass-through traffic, the appliance ignores the new LAN QoS setting.
2. Since the WAN QoS is trust-lan, the appliance sets the WAN QoS bits to be (best effort).
3. When the packet reaches the destination appliance, it retains the be setting as the LAN receives it.
LAN is trust-lan, WAN setting changed
1. Because it’s pass-through traffic, the appliance ignores the LAN QoS setting.
2. The appliance sets the WAN QoS bits to cs5.
3. When the packet reaches the destination appliance, it retains the cs5 setting as the LAN receives it.
LAN setting changed, WAN setting changed
1. Because it’s pass-through traffic, the appliance ignores the LAN QoS setting.
2. The appliance sets the WAN QoS bits to cs5.
3. When the packet reaches the destination appliance, it retains the cs5 setting as the LAN receives it.
Definitions of DSCP Markings
Following is a list of definitions for the available Differentiated Services Code Point (DSCP) markings,
which use a 6-bit value to indicate Per-Hop Behavior (PHB):
| DSCP Marking | Per-Hop Behavior Group | Codepoint | Number |
|--------------|------------------------|-----------|--------|
| be | Best Effort | 000000 | DSCP 0 |
| af11 | Assured Forwarding 11 | 001010 | DSCP 10 |
| af12 | Assured Forwarding 12 | 001100 | DSCP 12 |
| af13 | Assured Forwarding 13 | 001110 | DSCP 14 |
| af21 | Assured Forwarding 21 | 010010 | DSCP 18 |
| af22 | Assured Forwarding 22 | 010100 | DSCP 20 |
| af23 | Assured Forwarding 23 | 010110 | DSCP 22 |
| af31 | Assured Forwarding 31 | 011010 | DSCP 26 |
| af32 | Assured Forwarding 32 | 011100 | DSCP 28 |
| af33 | Assured Forwarding 33 | 011110 | DSCP 30 |
| af41 | Assured Forwarding 41 | 100010 | DSCP 34 |
| af42 | Assured Forwarding 42 | 100100 | DSCP 36 |
| af43 | Assured Forwarding 43 | 100110 | DSCP 38 |
| cs1 | Class Selector 1 (precedence 1) | 001000 | CS1 |
| cs2 | Class Selector 2 (precedence 2) | 010000 | CS2 |
| cs3 | Class Selector 3 (precedence 3) | 011000 | CS3 |
| cs4 | Class Selector 4 (precedence 4) | 100000 | CS4 |
| cs5 | Class Selector 5 (precedence 5) | 101000 | CS5 |
| cs6 | Class Selector 6 (precedence 6) | 110000 | CS6 |
| cs7 | Class Selector 7 (precedence 7) | 111000 | CS7 |
| ef | Expedited Forwarding | 101110 | DSCP 46 |
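
The marking rules for optimized and pass-through traffic, together with the codepoint table, can be checked with a short model that also reads the marking back out of an IPv4 header, which helps when comparing a WAN-side capture with the policy. This is an added example, not Silver Peak code: the function names and the sample header bytes are constructed for the illustration.

```python
from typing import Dict, Optional

TRUST_LAN = "trust-lan"


def build_dscp_table() -> Dict[str, int]:
    """Rebuild the guide's table from the bit layout of the codepoints."""
    table = {"be": 0b000000, "ef": 0b101110}
    for n in range(1, 8):
        table[f"cs{n}"] = n << 3                      # class selector: top three bits
    for cls in range(1, 5):
        for drop in range(1, 4):
            table[f"af{cls}{drop}"] = (cls << 3) | (drop << 1)
    return table


DSCP = build_dscp_table()
NAME = {value: name for name, value in DSCP.items()}


def tos_byte(marking: str) -> int:
    """The DSCP occupies the upper six bits of the IPv4 ToS/DS byte."""
    return DSCP[marking] << 2


def marking_in_header(ipv4_header: bytes) -> str:
    """Read the DSCP marking from the second byte of a raw IPv4 header."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    codepoint = ipv4_header[1] >> 2
    return NAME.get(codepoint, f"dscp{codepoint}")


def apply_qos(traffic: str, incoming: str, lan_qos: str, wan_qos: str) -> Dict[str, Optional[str]]:
    """Markings on the inner header, on the WAN, and on arrival at the remote LAN."""
    if incoming not in DSCP:
        raise ValueError(f"unknown marking: {incoming}")
    for setting in (lan_qos, wan_qos):
        if setting != TRUST_LAN and setting not in DSCP:
            raise ValueError(f"unknown QoS setting: {setting}")
    wan = incoming if wan_qos == TRUST_LAN else wan_qos
    if traffic == "optimized":
        # Encapsulated: LAN QoS marks the inner header, WAN QoS the outer header.
        # trust-lan on the WAN side refers back to the original marking.
        inner = incoming if lan_qos == TRUST_LAN else lan_qos
        return {"inner": inner, "wan": wan, "remote_lan": inner}
    if traffic == "pass-through":
        # Shaped or unshaped: no outer header, so the LAN QoS setting is ignored
        # and the packet keeps whatever the WAN QoS setting leaves on it.
        return {"inner": None, "wan": wan, "remote_lan": wan}
    raise ValueError(f"unknown traffic type: {traffic}")


# Constructed 20-byte IPv4 header with ToS 0xa0 (checksum left at zero).
SAMPLE_HEADER = bytes.fromhex("45a000540000400040010000" "0a000001" "0a000002")

if __name__ == "__main__":
    print(marking_in_header(SAMPLE_HEADER))
    print(apply_qos("optimized", "be", "ef", "cs5"))
    print(apply_qos("pass-through", "be", "ef", "cs5"))
```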
CHAPTER 6
Optimization Policy
This chapter describes how the appliance optimizes tunnelized traffic — improving the performance of
applications across the WAN.
In This Chapter
• Introduction
• When the Appliance Can Apply the Optimization Policy
• Optimization Policy Page Organization
• The following shows the Optimization Policy’s SET actions.
Introduction
The Optimization Policy applies various compression and acceleration techniques to improve the
performance of applications across the WAN.
Note: If a flow is not directed to a tunnel, it’s not subject to the Optimization Policy.
The Optimization Policy’s SET actions include:
• Network Memory
• IP Header Compression and Payload Compression
• TCP Acceleration
• Protocol Acceleration

• For the CIFS and SSL protocols, the Optimization map automatically includes entries that pair protocol-specific accelerations with their default ports.
• To preserve data integrity, it’s critical that SRDF optimization be applied only to SRDF traffic. Therefore, the user must manually create an entry to specify the chosen port.
• When using Citrix, pick the port(s) based on the Citrix version you’re using.
• Changing these settings can affect service! Consult with Tech Support before editing the default values.
Network Memory
All Silver Peak appliances are equipped with Network Memory™ technology. Network Memory
inspects all inbound and outbound WAN traffic in real-time and stores a single local instance on each
appliance.
Before sending information across the WAN, appliances use Network Memory to compare real-time
traffic streams to the stored patterns. If a match exists, a short reference pointer is sent to the remote
Silver Peak appliance, instructing it to deliver the traffic pattern from its local instance. Repetitive data
is never sent across the WAN.
If content is modified, the Silver Peak appliance detects the change at the byte level and updates the
network’s “memory”. Only the modifications are sent across the WAN. At the destination, Silver Peak
appliances combine these with the original content.
Benefit scenarios
The following scenarios exemplify the benefits of Network Memory.
File Server: Even when the file is not identical to the version that was previously downloaded,
significant performance improvements are realized by transporting only the incremental changes across
the WAN.
Web: If a web application is generating dynamic pages (for example, using HTTP), only delta
information is transferred. For example, a SharePoint table with many rows updates by just transmitting
the delta for the row, rather than the whole page.
Video streaming and Video On Demand: If several employees in an office choose to watch the same
video (for example, a distance learning module or a taped CEO address), Network Memory eliminates
the need to send multiple copies across the WAN. This has the same advantage whether they’re watching
the video simultaneously, or at different times.
Software patch distribution and upgrades: If employees in an office need to download the same
software patch, Network Memory eliminates the need to send multiple copies across the WAN.
Remote backups: Once the first backup is completed, future “full” backups are effectively reduced to
“incremental backups” as far as WAN traffic is concerned.
Available Settings
You can configure Network Memory on a per-flow (or per-application, or per-ACL) basis.
There are four available Network Memory settings:
Maximize Reduction
Optimizes for maximum data reduction at the potential cost of
slightly lower throughput and/or some increase in latency. It is
appropriate for bulk data transfers such as file transfers and FTP,
where bandwidth savings are the primary concern.
Minimize Latency
Ensures that Network Memory processing adds no latency. This
may come at the cost of lower data reduction. This is appropriate for
extremely latency-sensitive interactive or transactional traffic. It's
also appropriate when the primary objective is to fully utilize the
WAN pipe to increase the LAN-side throughput, as opposed to
conserving WAN bandwidth.
Balanced
This is the default setting. It dynamically balances latency and data
reduction objectives and is the best choice for most traffic types.
Disabled
Turns off Network Memory.
IP Header Compression and Payload Compression
Compression reduces the bandwidth consumed by traffic traversing the WAN. Payload compression
uses algorithms to identify relatively short byte sequences that are repeated frequently over time. These
sequences are then replaced with shorter segments of code to reduce the size of transmitted data. Simple
algorithms can find repeated bytes within a single packet; more sophisticated algorithms can find
duplication across packets and even across flows.
IP header compression provides additional bandwidth gains by reducing packet header information
using specialized compression algorithms.
Silver Peak appliances include state of the art, cross-flow data compression and header compression as
part of a broader Local Instance Networking solution. Information gleaned from the compression of one
flow can be applied to other flows.
Payload compression is used along with Network Memory to provide compression on “first pass” data.
TCP Acceleration
TCP acceleration uses techniques such as selective acknowledgement, window scaling, and maximum
segment size adjustment to compensate for poor performance on high latency links.
This feature has a set of advanced options with default values.
CAUTION: Because changing these settings can affect service, Silver Peak recommends that
you do not modify these without direction from Customer Support.
Following is a brief description of each item.
Adjust MSS to Tunnel MTU
Limits the TCP MSS (Maximum Segment Size) advertised by the
end hosts in the SYN segment to a value derived from the Tunnel
MTU (Maximum Transmission Unit). That is,
Tunnel MSS = Tunnel MTU – Tunnel Packet Overhead.
This feature is enabled by default so that the maximum value of
the end host MSS is always coupled to the Tunnel MSS. If the end
host MSS is smaller than the tunnel MSS, then the former is used
instead.
A use case for disabling this feature is when the end host uses
Jumbo frames.
Preserve Packet Boundaries
Preserves the packet boundaries end to end. If this feature is
disabled, then the appliances in the path could coalesce
consecutive packets of a flow to utilize bandwidth more
efficiently.
It is enabled by default so applications that require the matching
packet boundaries don’t fail.
Enable Silver Peak TCP SYN Option Exchange
Controls whether or not Silver Peak forwards its proprietary TCP
SYN option on the LAN side. Enabled by default, this feature
detects if there are more than two Silver Peak appliances in the
flow’s data path and optimizes accordingly.
It needs to be disabled if there is a LAN–side firewall or a
third-party appliance that would drop a SYN packet when it sees
an unfamiliar TCP option.
Route Policy Override
Tries to override asymmetric route policy settings. It emulates
Auto-opt behavior by using the same tunnel for the returning
SYN+ACK as it did for the original SYN packet.
Enabled by default, this feature needs to be disabled if the
asymmetric route policy setting is necessary to correctly route
packets. In such a case, other features like flow redirection might
need to be employed to ensure TCP optimization of the flow.
Auto Reset Flows
NOTE: Whether this feature is enabled or not, the default
behavior when a tunnel goes Down is to automatically reset the
flows.
If enabled, it resets all TCP flows that are not accelerated but
should be (based on policy and on internal criteria like Tunnel Up
event).
The internal criteria can also include:
• Resetting all TCP accelerated flows on a Tunnel Down event.
• Resetting all unaccelerated TCP flows that are associated
  with a normally operating Tunnel, where:
  - TCP acceleration is enabled
  - SYN packet was not seen (so this flow was either part of
    WCCP redirection, or it already existed when the
    appliance was inserted in the data path).
WAN Window Scale (1...14)
This is the WAN–side TCP Window scale factor that Silver Peak
uses internally for its WAN–side traffic. This is independent of the
WAN–side factor advertised by the end hosts.
Slow LAN Defense (0...12, 0=off)
Resets all flows that are consuming a disproportionate amount of
buffer and have a very slow throughput on the LAN side. These
flows affect the performance of all other flows, so a few slower
end hosts or a lossy LAN can keep every flow from seeing a
throughput improvement through TCP acceleration. By default, it is
enabled and the number relates indirectly to the amount of time
the system waits before resetting such slow flows.
WAN Congestion Control
Selects the internal Congestion Control parameter.
• Optimized: This is the default setting. This mode offers
  optimized performance in almost all scenarios.
• Standard: In some unique cases it may be necessary to
  downgrade to Standard performance to better interoperate with
  other flows on the WAN link.
• Aggressive: Provides aggressive performance and should be
  used with caution. Recommended mostly for Data Replication
  scenarios.
Per-Flow Buffer Settings
(Max LAN to WAN Buffer and Max WAN to LAN Buffer)
This setting clamps the maximum buffer space that can be
allocated to a flow, in each direction.
Protocol Acceleration
Protocol-specific acceleration techniques can help minimize latency and improve application response
times. The Optimization Map provides configurable protocol acceleration explicitly for CIFS, SRDF,
SSL, and Citrix:
• Each Optimization Map includes the default SSL and CIFS ports as “built-in” entries. You can
  edit or delete these entries.
• CIFS acceleration includes read-aheads, write-behinds, and metadata caching. This reduces the
  impact of latency on data transfers that use this protocol. CIFS is enabled for ports 139 and 445.
• When you install SSL certificates into Appliance Manager, you’re able to securely decrypt the
  traffic, optimize it, and re-encrypt the deduped traffic. SSL is enabled for port 443.
• Because SRDF doesn’t use a reserved port, SRDF optimization is disabled by default. If SRDF
  optimization were run on non-SRDF traffic, it would corrupt the data. So, be sure that the port
  you associate with this optimization is actually running SRDF traffic.
• The version of Citrix used determines which port(s) to use for Citrix optimization. For a list of
  Citrix ports, you can check the Configuration - Built-in Applications page.
In a network environment, it’s possible that not all appliances have the same protocol-specific
optimization configurations. Hence, the side that initiates the flow determines the protocol-specific
optimization.
• The initiator is known as the client, and the other as the server.
• Current Flows > Details on the receiving (server) side will indicate if the remote peer has
  overridden the policy.
When the Appliance Can Apply the Optimization Policy
This diagram shows how the appliance processes a flow assigned to a tunnel.
1. The Route Policy checks traffic incoming from the LAN against the MATCH criteria. Entries 10 and
   20 don’t match the traffic, but Entry 30 does.
2. The policy applies the entry’s SET actions to the identified flow. In this case, it directs the flow to
   Tunnel C. Once any traffic matches an entry, no subsequent entries are examined.
3. Before the flow reaches Tunnel C, the QoS Policy checks against its entries and
   • applies the DSCP marking specified for LAN QoS, and
   • assigns the flow to a traffic class. Here, the application, ssh, matches to the pre-defined
     application group, interactive, so the appliance assigns the flow to Traffic Class 3.
   • passes the flow to the Optimization Policy for optimizations, accelerations, and compressions.
     The Optimization Policy only applies to tunnelized traffic.
4. After optimization, the flow queues to Traffic Class 3 for shaping.
5. QoS Policy applies the DSCP markings for the WAN QoS.
6. The optimized flow exits the WAN interface.
Optimization Policy Page Organization
The Optimization Policy applies to any flow that the Route Policy will place into a tunnel.
This page allows you to:
• add, delete, activate, and rename maps
• add, edit, and delete rules
The following shows the Optimization Policy’s SET actions.
To switch to another optimization map, select from the drop-down
menu and click Activate. Any change governs all new flows.
If traffic doesn’t match any user-configured entries,
then the default entry applies all optimizations to all
flows that the Route Policy is directing to a tunnel.
Here, VoIP is a user-created application group that includes h_323 and
cisco_skinny.
Those details aren’t apparent on this screen, but you could see them by
selecting Configuration > Application > Groups from the main menu
bar.
Notice that for the application group, VoIP, Network Memory is disabled.
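An added Python model (not Appliance Manager code) of the first-match evaluation this chapter describes: the Route, QoS and Optimization maps are walked in priority order, and a helper flags entries that an earlier entry makes unreachable. The entry numbers, Tunnel C, Traffic Class 3 and the group memberships come from the text; the subnets, the catch-all priority, the default traffic class and the other settings on the VoIP entry are constructed.

```python
import ipaddress

# Group membership from the page: ssh is in "interactive"; VoIP holds h_323 and cisco_skinny.
APP_GROUPS = {"interactive": {"ssh"}, "VoIP": {"h_323", "cisco_skinny"}}
DEFAULT = 65535  # constructed priority for a map's catch-all entry

ALL_ON = {"network_memory": "balanced", "ip_header_compression": True,
          "payload_compression": True, "tcp_acceleration": True}

# Constructed maps. An empty match dict matches every flow.
ROUTE_MAP = [
    {"priority": 10, "match": {"dst": "10.1.0.0/16"}, "set": {"tunnel": "A"}},
    {"priority": 20, "match": {"dst": "10.2.0.0/16"}, "set": {"tunnel": "B"}},
    {"priority": 30, "match": {"dst": "10.3.0.0/16"}, "set": {"tunnel": "C"}},
]
QOS_MAP = [
    {"priority": 10, "match": {"app_group": "interactive"}, "set": {"traffic_class": 3}},
    {"priority": DEFAULT, "match": {}, "set": {"traffic_class": 1}},
]
OPT_MAP = [
    {"priority": 10, "match": {"app_group": "VoIP"},
     "set": dict(ALL_ON, network_memory="disabled")},
    {"priority": DEFAULT, "match": {}, "set": ALL_ON},
]


def matches(match, flow):
    if "app_group" in match and flow["app"] not in APP_GROUPS[match["app_group"]]:
        return False
    if "dst" in match:
        if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(match["dst"]):
            return False
    return True


def first_match(entries, flow):
    """Return the lowest-priority-number entry that matches; later entries are not examined."""
    for entry in sorted(entries, key=lambda e: e["priority"]):
        if matches(entry["match"], flow):
            return entry
    return None


def process(flow):
    """Route Policy, then QoS Policy, then Optimization Policy for tunnelized flows only."""
    route = first_match(ROUTE_MAP, flow)
    tunnel = route["set"]["tunnel"] if route else None
    result = {"route_entry": route["priority"] if route else None,
              "tunnel": tunnel,
              "traffic_class": first_match(QOS_MAP, flow)["set"]["traffic_class"],
              "optimization": None}
    if tunnel is not None:
        result["optimization"] = first_match(OPT_MAP, flow)["set"]
    return result


def covers(broad, narrow):
    """True if every flow matching `narrow` would also match `broad`."""
    for key, value in broad.items():
        if key not in narrow:
            return False
        if key == "app_group" and not APP_GROUPS[narrow[key]] <= APP_GROUPS[value]:
            return False
        if key == "dst" and not ipaddress.ip_network(narrow[key]).subnet_of(
                ipaddress.ip_network(value)):
            return False
    return True


def shadowed(entries):
    """Priorities of entries that can never match because an earlier entry covers them."""
    ordered = sorted(entries, key=lambda e: e["priority"])
    return [later["priority"] for i, later in enumerate(ordered)
            if any(covers(earlier["match"], later["match"]) for earlier in ordered[:i])]
```

Running `shadowed()` over a map before activating it catches the ordering mistake where a broad entry sits above the specific one it was meant to follow.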
CHAPTER 7
Using Flow Redirection to Address TCP Asymmetry
This chapter describes how Flow Redirection allows Silver Peak appliances to optimize asymmetrically
routed flows by redirecting packets between appliances.
The flow redirection feature is implemented solely in software, and is available in both bridge and router
modes.
In This Chapter
• Introduction
• Configuring Flow Redirection
• Flow Reporting
Introduction
A network is asymmetric when a client request and its server response don’t use the same path through
the network. This asymmetric network configuration is common for:
• Financial institutions, which virtualize geographically separate data centers for load balancing
  and redundancy.
• Businesses that have multiple ISP paths across a customer network.
Asymmetrical Networks and Flows
The following diagram shows a sample asymmetric network. In this example, each server appliance sees
only one direction of the traffic flow.
1. The client initiates traffic to the server and sends it through SP1.
2. The traffic traverses the server appliance, SP2.
3. The server receives traffic from SP2 but returns it via SP3.
4. SP3 only sees the traffic returning to the client.
5. The client receives the return traffic from SP3.
For TCP flows to be optimized, both directions must travel through the same client and server appliances.
Removing Asymmetry with Flow Redirection
Flow redirection removes the asymmetry locally by merging the traffic of an asymmetric flow into a
single appliance. An appliance that handles both directions of traffic for a flow can then optimize the flow
properly. Specifically, this sets the stage for TCP acceleration and CIFS acceleration.
With flow redirection, the appliance that receives the first packet — that is, the TCP SYN packet — owns
the flow and eventually receives all of that flow’s traffic. To be able to redirect, appliances are configured
into clusters, whereby they communicate with each other and keep track of flows. Any given appliance
can own multiple flows and redirect others, depending on whether or not the appliance received the initial
TCP SYN packet.
The client request — in the form of an initiating SYN packet — may be received from the WAN side or
the LAN side. This results in two possible scenarios for evading asymmetry:
• Redirection for WAN-initiated Traffic
• Avoiding Asymmetry in LAN-initiated Traffic
The assumption is that flow redirection happens across a LAN environment. Redirection across a WAN
is not supported.
Redirection for WAN-initiated Traffic
In this scenario, the WAN initiates the flow. All traffic returned from the server is redirected to the
appliance that first received traffic from the WAN.
Avoiding Asymmetry in LAN-initiated Traffic
In this scenario, the LAN initiates the flow.
The default behavior is that all traffic returned from the WAN is always returned to the appliance that
first received the traffic from the LAN, regardless of the route policy at the remote appliance.
Configuring Flow Redirection
If you have one path from the client to the server and a different path from the server to the client, you
need to enable flow redirection and configure the appliances to communicate with each other.
Flow redirection moves packet traffic between appliances that belong to a cluster:
• A cluster may contain just one appliance (in which no redirection occurs), or several appliances
  (in which redirection may occur between different pairs).
• All the appliances in a cluster are equal peers.
• You can have up to 32 peers in a cluster.
• The Silver Peak Communication Protocol (SPCP) formalizes the peer-to-peer communications
  in an appliance cluster. SPCP is both a discovery and control protocol. By default, SPCP uses
  mgmt1 to communicate between appliances.
• This must be a Layer 2 connection. In other words, you want a switch — not a router — between
  any two peers.
For each peer appliance in a cluster, the process of configuring flow redirection uses three of the
Appliance Manager’s pages:
• The [Configuration] Interfaces page, for configuring the mgmt1 IP address.
• The [Configuration] Routes page, for configuring the necessary static route(s).
• The [Configuration] Flow Redirection page, for enabling flow redirection, selecting the
  management interface, and identifying the peers in the cluster.
Note: IMPORTANT — When configuring for flow redirection, the mgmt1 interfaces need to be
in a separate subnet from the mgmt0 interfaces.
Tip: Typically, you’ll use the mgmt1 interface. However, when the LAN–side is greater than
1 Gbps and your Silver Peak appliance has a 10-Gbps interface, then you may consider using a
10-Gbps interface (tlan0 or twan0) for flow redirection.
Following is the complete example:
• Example #1: Simple Cluster with Two Physically Connected Peers
  Because of their physical proximity, a crossover cable connects two peers’ mgmt1 interfaces.
Example #1: Simple Cluster with Two Physically Connected Peers
When you want to cluster two appliances that are in the same subnet (with Layer 2 connectivity), and
they’re located in the same room, you can physically cable the two mgmt1 interfaces together, in lieu of
setting up an IP static route.
Instead of physically cabling the appliances, you also have the option of connecting the mgmt1 interfaces
via the local area network.
Note: IMPORTANT — When configuring for flow redirection, the mgmt1 interfaces need to be
in a separate subnet from the mgmt0 interfaces.
To configure this scenario
1. Using a crossover cable, physically connect one appliance’s mgmt1 port to the other appliance’s
   mgmt1 port.
2. From SP1’s Configuration menu, select Interfaces. The Configuration - Interfaces page appears.
   The mgmt1 interface shipped with a default IP address, to make initial configuration easy. You
   don’t need this any longer, so we’ll reconfigure it to use as a cluster interface for flow
   redirection.
   a. Change mgmt1’s IP address to be 10.10.10.1/24.
   b. Click Apply.
   To complete the appliance’s configuration, you’ll enable flow redirection and specify the other
   peer in the cluster.
3. From the Configuration menu, select Flow Redirection. The Configuration - Flow Redirection page
   appears.
   In the Settings area:
   a. Click Enable.
   b. Verify that the default Interface is mgmt1.
   c. Click Apply and click Save Changes.
4. In the Peers area, click Add. The Add Peer area appears.
   a. Enter the mgmt1 IP address for the appliance, SP2. Here, it’s 10.10.10.2.
   b. Click Apply. The Peers table appears, displaying SP2’s mgmt1 interface IP address.
   When you click Enable and Apply, it enables all the peers that are associated with this
   appliance. To verify, manually refresh the screen and then view State in the table below.
   • State is either Unreachable or OK
   • Flow Redirection is either Disabled or Enabled
5. Click Save Changes.
Now, repeat the entire procedure for the other appliance. When that’s complete, both cluster interfaces
are able to communicate with each other and the State changes to OK.
Flow Reporting
For flow redirection, the appliance handles flow reporting as follows:
• The reporting mechanism of locally owned flows is unchanged.
• When a peer redirects a flow, it does no per-flow reporting. Rather, that traffic’s statistics are
  maintained by the owner of the flow, that is, the peer appliance to which the flow is redirected.
• On the Monitoring - Current Flows page, a flow’s Detail link has a field named Flow Redirected
  From, which displays which peer appliance IP is redirecting the flow to this appliance. This field
  only has an entry if the appliance owns the flow.
  For more information, see “Viewing Current Flows” on page 152.
• The Monitoring - Flow Redirection page lists the mgmt1 IP address for each peer in the cluster. It
  also displays statistics for the control packet, number of current flows redirected to/from the
  appliance, and a cumulative tally of the packets and bytes redirected to/from peers.
  For more information, see “Viewing Flow Redirection Statistics” on page 173.
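The ownership and reporting rules of this chapter, as an added Python model that is not Silver Peak code: the peer that receives the TCP SYN owns the flow, other peers redirect to it, and only the owner keeps per-flow statistics. A shared dictionary stands in for the state that SPCP exchanges; the peer names follow the chapter's diagram, while all addresses, ports and packet sizes are constructed.

```python
import ipaddress

MAX_PEERS = 32  # page: up to 32 peers in a cluster


def flow_key(pkt):
    """Direction-independent key so both halves of a connection map to one flow."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


class Peer:
    def __init__(self, name, mgmt0, mgmt1):
        self.name = name
        self.mgmt0 = ipaddress.ip_interface(mgmt0)
        self.mgmt1 = ipaddress.ip_interface(mgmt1)
        self.owned = {}                                   # per-flow stats, kept by the owner only
        self.redirected_out = {"packets": 0, "bytes": 0}  # cumulative tally, no per-flow detail


class Cluster:
    def __init__(self, peers):
        if len(peers) > MAX_PEERS:
            raise ValueError("a cluster holds at most 32 peers")
        for p in peers:
            for q in peers:
                # page: mgmt1 interfaces must be in a separate subnet from mgmt0 interfaces
                if p.mgmt1.network.overlaps(q.mgmt0.network):
                    raise ValueError(f"{p.name} mgmt1 shares a subnet with {q.name} mgmt0")
        self.peers = peers
        self.owner = {}  # flow key -> owning Peer

    def receive(self, peer, pkt):
        """Deliver one packet to `peer`; return (handling_peer_name, action)."""
        key = flow_key(pkt)
        owner = self.owner.get(key)
        if owner is None:
            if pkt["flags"] != "SYN":
                return peer.name, "no-owner"  # SYN never seen, so no peer owns the flow
            owner = self.owner[key] = peer
            owner.owned[key] = {"packets": 0, "bytes": 0, "redirected_from": set()}
        stats = owner.owned[key]
        stats["packets"] += 1
        stats["bytes"] += pkt["len"]
        if owner is peer:
            return owner.name, "owned"
        peer.redirected_out["packets"] += 1
        peer.redirected_out["bytes"] += pkt["len"]
        stats["redirected_from"].add(str(peer.mgmt1.ip))  # "Flow Redirected From" on the owner
        return owner.name, "redirected"


def demo():
    """WAN-initiated flow: SYN reaches SP2, the server's replies are routed to SP3."""
    sp2 = Peer("SP2", "192.168.1.2/24", "10.10.10.2/24")
    sp3 = Peer("SP3", "192.168.1.3/24", "10.10.10.3/24")
    cluster = Cluster([sp2, sp3])
    client, server = ("172.16.0.10", 50000), ("172.20.0.5", 445)

    def pkt(a, b, flags, length):
        return {"src": a[0], "sport": a[1], "dst": b[0], "dport": b[1],
                "flags": flags, "len": length}

    trace = [
        cluster.receive(sp2, pkt(client, server, "SYN", 60)),
        cluster.receive(sp3, pkt(server, client, "SYN+ACK", 60)),
        cluster.receive(sp2, pkt(client, server, "ACK", 52)),
        cluster.receive(sp3, pkt(server, client, "ACK", 1500)),
    ]
    return trace, sp2, sp3
```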
CHAPTER 8
Configuring and Managing VLANs
This chapter discusses issues related to insertion of a Silver Peak appliance on an 802.1q VLAN trunk,
explains why this is necessary, and provides a configuration example.
In This Chapter
• Why configure VLAN interfaces on a Silver Peak appliance?
• Behavior without VLAN Configuration
• Behavior with VLAN Interfaces Configured
Why configure VLAN interfaces on a Silver Peak appliance?
It may be desirable to deploy a Silver Peak appliance into a network that’s using 802.1q tagging.
An appliance can be inserted in-line between a LAN router/switch and a WAN edge router to bridge an
existing VLAN trunk.
In an out-of-path (Router mode) deployment, you can choose to have a trunk between the router and the
Silver Peak appliance to preserve traffic segregation (as in an ISP), or to provide a redirect IP address in
a VLAN’s domain so as to redirect VLAN tagged traffic.
An appliance deployed with no VLAN configuration can “see” all VLAN tags, and make route-policy
decisions accordingly. It can also bridge pass-through traffic, keeping VLAN tags intact. However,
without configuration, the appliance has no way of tagging the packets it generates, or tagging
decapsulated packets received from the remote-side appliance. Since neighboring routers may drop
untagged traffic if a native VLAN is not configured, this creates issues for both directions of traffic.
The Issues
Outbound LAN-to-WAN Traffic
To optimize traffic, the appliance uses GRE, UDP, or IPSec encapsulation to create a packet that uses IP
addresses configured on the appliance. By default, these IP addresses are configured on the bvi0 or wan0
interfaces, and those interfaces reside in the native, or untagged, space. These packets will leave the
appliance without an 802.1q tag in the outbound L2W direction.
Inbound WAN-to-LAN Traffic
When inbound tunnel packets are received from the remote appliance in the W2L direction, the inner
packet has no VLAN information about the local side. The appliance would normally transmit the packet
to the LAN side, untagged. If the inner packet is destined for a subnet residing on a particular VLAN, a
method of tagging the packet is required. The appliance determines how to tag the packet based upon
routing — using either the subnet IPs of the local VLANs we’ve configured, or ip datapath routes.
The Solutions
To address these issues, you can create Layer 3 VLAN interfaces on the Configuration - Deployment page
by specifying IP addresses and VLAN tags, which in turn create underlying logical interfaces (for
example, lan0.100, wan0.200) capable of tagging packets.
[Figure: In-Path and Out-of-Path excerpts showing logical interfaces, also known as tunnel endpoints]
Tagging Outbound LAN-to-WAN Traffic
Tunnels may be built off of any logical interface on the appliance.
A tunnel built off of a VLAN interface transmits its encapsulated tunnel traffic toward the default WAN
next-hop IP configured for the VLAN interface. This traffic is sent on the VLAN interface’s logical
WAN interface (for example, wan0.100). Consequently, the traffic is tagged with the tag associated with
the VLAN interface (for example, 100).
Therefore, to set VLAN tags in tunnel packets outbound for the WAN, create a tunnel using the VLAN
IP address as an endpoint.
Tagging Inbound WAN-to-LAN Traffic
Inbound tunnel packets received from the remote appliance are encapsulated with a GRE/UDP or IPSec
header, and contain no L2 information. Once decapsulated, the LAN-bound traffic needs to be directed
to the proper VLAN. This can only be accomplished on the Silver Peak appliance through the use of L3
routing.
The appliance may deliver the untagged packets on a native VLAN to an L3 router on the LAN-side (or
even WAN-side), if that router is then capable of tagging the packet appropriately and routing between
the VLANs.
However, you can create a local L3 interface that resides within a VLAN’s subnet. If this local interface
is used to route packets, the underlying logical interface on the LAN side (for example, lan0.100) can tag
the packet with the proper VLAN tag.
Subnet and default gateway datapath routes pointing at a LAN next-hop residing in an appliance’s local
VLAN subnet may also be used to tag traffic.
Behavior without VLAN Configuration
This section discusses the following:
• How an outbound packet is processed on the untagged native VLAN
• Delivering Inbound Packets to the LAN: No VLAN Interfaces
Tunnel packets outbound for the WAN are by default untagged, and no VLAN information is propagated
across the WAN.
• When the appliance is inserted in-line, it can see all the VLAN tags and packets and match policy
  map criteria based upon VLAN tags, without any VLAN configuration on the appliance.
• When the appliance receives tagged traffic for which it has no VLAN interface, and it optimizes that
  traffic, then the tag is stripped off when the L2 header information is removed.
• If the tagged packets are sent pass-through, then the entire original L2 header (with the VLAN tag)
  is preserved.
• When the appliance is inserted out-of-path and no VLAN interfaces are configured, it doesn’t see
  packets associated with the VLANs because they are not even redirected to the appliance.
How an outbound packet is processed on the untagged native VLAN
By default, optimized traffic leaves the appliance without any VLAN tags.
For every packet entering the appliance for optimization on its way to the WAN:
a. The appliance strips away the existing L2 header.
b. The appliance then applies a new L2 header, designating the appliance as the Source MAC.
Untagged outbound LAN packet to untagged tunnel
Neither the outbound LAN packet nor the tunnel’s endpoint has a VLAN tag.
Tagged outbound LAN packet to untagged tunnel
This is the most common deployment.
The outbound LAN packet has a VLAN tag but the tunnel’s endpoint does not.
Delivering Inbound Packets to the LAN: No VLAN Interfaces
For packets arriving from the WAN, the LAN route table is what determines where a packet goes.
• After discarding the arriving packet’s L2 and tunnel headers, the appliance does a LAN route table
  lookup, based solely on the Destination Host IP address.
• Based on the destination’s subnet, the appliance determines where to send the packet.
• Because no VLAN interfaces are configured on the appliance, the packet can only go on the
  untagged VLAN.
• The following two conditions must be met for this packet to reach its final destination:
  a. The switch/router on the LAN side of the appliance supports untagged (native) VLAN, and
  b. The switch/router can route the packet to the destination VLAN.
Behavior with VLAN Interfaces Configured
This section discusses the following:
• Multiple Logical Interfaces
• How an outbound packet is processed for a tagged tunnel
• Delivering Inbound Packets to the LAN: VLAN Interfaces Configured
• Cisco VLAN Example with Multiple Interfaces
Multiple Logical Interfaces
On the Configuration - Deployments page, you can add VLAN interfaces to the Silver Peak
appliance by clicking +VLAN. Here are two separate excerpts from that page — one in Bridge mode
(in-line) and one in Router mode (out-of-path).
[Figure: In-Path and Out-of-Path excerpts showing logical interfaces, also known as tunnel endpoints]
Note: If you try to configure something that’s incorrect or not supported, a message appears
in a red banner at the bottom of the page, telling you what you need to do.
Any of these logical interfaces can be a tunnel endpoint.
• If a tunnel endpoint has a VLAN tag, then outbound packets directed to that tunnel receive that
  VLAN tag.
• If a tunnel endpoint has no tag, then outbound packets remain untagged after processing.
  This is the default behavior.
Once VLANs are configured on the appliance, tunnels built off of a VLAN interface are tagged
using the VLAN ID associated with the VLAN interface — so all outgoing optimized traffic will
have the L2 tag.
How an outbound packet is processed for a tagged tunnel
The following actions happen to every packet entering the appliance for optimization on its way to the
WAN:
a. The appliance strips away the existing L2 header.
b. The appliance applies a new L2 header, designating the appliance as the Source MAC.
c. The encapsulated tunnel packet uses the tunnel endpoint’s VLAN ID to tag the outgoing packet.
Tagged outbound packet to tagged tunnel
Both the outbound LAN packet and the tunnel endpoint have a VLAN tag.
Delivering Inbound Packets to the LAN: VLAN Interfaces Configured
For packets arriving from the WAN, the LAN route table is what determines where a packet goes.
• After discarding the arriving packet’s L2 and tunnel headers, the appliance does a LAN route
  table lookup, based solely on the Destination Host IP address.
• Based on the destination’s subnet, the appliance determines which VLAN tag to use.
• The appliance must have an interface configured for each such VLAN.
Cisco VLAN Example with Multiple Interfaces
The example below shows the configurations for the appliance and a Cisco router.
To install the Silver Peak on a VLAN trunk
1. Access the Configuration - Deployment page:
   a. For the untagged native VLAN, enter an IP address in the WAN router’s native VLAN subnet.
   b. Specify the Next Hop, and leave the VLAN field blank.
2. To add a VLAN interface, click +VLAN and complete the Appliance IP, Mask, VLAN, and Next Hop
   fields.
   Note: The VLAN IP must be a host IP and not a subnet IP address.
3. To verify that each Next-hop IP address is reachable, do the following:
   a. Check Monitoring > Routes, for State = Reachable.
   b. Check the Alarms page.
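The tagging rules of this chapter, as an added Python model that is not the appliance's code: the tag for a decapsulated WAN-to-LAN packet comes from a route lookup on the destination IP, the tag for outbound tunnel packets comes from the interface used as the tunnel endpoint, and a VLAN IP that is a subnet address is rejected. All addresses, VLAN IDs and routes are constructed, because the example's own values appear only in the missing figure.

```python
import ipaddress


class Interface:
    """A Layer 3 interface from the Deployment page; vlan=None is the untagged native VLAN."""

    def __init__(self, address, vlan=None):
        self.addr = ipaddress.ip_interface(address)
        self.vlan = vlan
        net = self.addr.network
        if net.prefixlen < 31 and self.addr.ip == net.network_address:
            raise ValueError(f"{address}: must be a host IP, not the subnet IP")


def _longest(candidates):
    """Pick the (network, value) pair with the longest prefix, or None if there is none."""
    return max(candidates, key=lambda c: c[0].prefixlen, default=None)


def owning_interface(ip, interfaces):
    """The local interface whose subnet contains `ip`, or None."""
    ip = ipaddress.ip_address(ip)
    hit = _longest([(i.addr.network, i) for i in interfaces if ip in i.addr.network])
    return hit[1] if hit else None


def lan_tag(dest, interfaces, routes):
    """802.1q tag for a decapsulated WAN-to-LAN packet, or None for untagged.

    A destination inside a local VLAN subnet takes that VLAN's tag. Otherwise the
    longest matching datapath route decides, through the VLAN its next hop sits in.
    """
    iface = owning_interface(dest, interfaces)
    if iface is None:
        dest_ip = ipaddress.ip_address(dest)
        nets = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]
        hit = _longest([(n, nh) for n, nh in nets if dest_ip in n])
        iface = owning_interface(hit[1], interfaces) if hit else None
    return iface.vlan if iface else None


def tunnel_tag(endpoint_ip, interfaces):
    """Tag on outbound tunnel packets: the VLAN of the interface used as the local endpoint."""
    for i in interfaces:
        if i.addr.ip == ipaddress.ip_address(endpoint_ip):
            return i.vlan
    raise ValueError(f"{endpoint_ip} is not a local interface address")


# Constructed sample configuration: native VLAN plus VLANs 100 and 200.
INTERFACES = [Interface("10.0.0.2/24"),
              Interface("10.0.100.2/24", 100),
              Interface("10.0.200.2/24", 200)]
ROUTES = [("0.0.0.0/0", "10.0.0.1"), ("172.16.0.0/16", "10.0.100.1")]
```

With only the native interface configured, `lan_tag()` returns `None` for every destination, which is the untagged behavior described under "Behavior without VLAN Configuration".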
CHAPTER 9
Monitoring Traffic
This chapter describes the various tools available for monitoring performance, and reviewing traffic and
application statistics.
In This Chapter
• Overview
• About Viewing Statistics
• Application View
• Network View
• Viewing Charts
• Viewing Application Statistics
• Viewing Realtime Charts
• Viewing Current Flows
• Viewing QoS Statistics
• Viewing Tunnel Statistics
• Viewing Flow Redirection Statistics
• Viewing NetFlow Statistics
• Viewing Interface Statistics
• Viewing Bridge Mode Statistics
• Viewing Next-hop Reachability
Overview
The Application View tab and Network View tab provide charted summaries of performance. Both tabs
display the 10 Top Flows — a subset of the Monitoring menu’s Current Flows.
Additionally, the Monitoring menu provides a variety of reports:
• Viewing Charts
  These charts feature pan and zoom capability for bandwidth, reduction, packets per second, flow counts, latency, loss, and out-of-order packets. You can review data from the last 30 days.
• Viewing Application Statistics
  These summarize each application by percentage of total LAN traffic, reduction percent, and inbound and outbound bytes.
• Viewing Current Flows
  You can view a listing of existing connections, based on selectable filter criteria. Additionally, you can customize which data columns display and view a flow’s details.
• Viewing Realtime Charts
  You can select a filter and a metric to plot any of six types of realtime stats, and you can plot more than one chart at a time. The charts update every 3 seconds.
• Viewing QoS Statistics
  You can view the total number of bytes and packets transmitted and received, based on traffic class and/or WAN QoS [DSCP markings].
  QoS statistics display the data accumulated since the last reboot. You can also non-destructively clear the counters to zero and view the delta values.
• Viewing Tunnel Statistics
  Tunnel statistics specify the number of bytes and/or packets received, processed, and transmitted by a tunnel in both the outbound (LAN-to-WAN) and inbound (WAN-to-LAN) directions. They tally control packets, as well as accelerated versus non-accelerated traffic flow, round-trip latency, and packet loss before and after forward error correction.
  Tunnel statistics display the data accumulated since the last reboot. You can also non-destructively clear the counters to zero and view the delta values.
• Viewing Flow Redirection Statistics
  This shows the statistics collected, specific to the process when you allow two (or more) appliances to exchange flow ownership information and then redirect packets to the owner.
• Viewing NetFlow Statistics
  This displays how many NetFlow statistics the appliance exported to the collector(s). Stats are defined in terms of number of flows, and number of datagrams (packets) required to export those flows.
• Viewing Interface Statistics
  Interface statistics display generic performance data for the actual physical LAN, WAN, and management interfaces (primary and secondary).
  Interface statistics display the data accumulated since the last reboot. You can also non-destructively clear the counters to zero and view the delta values.
• Viewing Bridge Mode Statistics
  This summarizes the data traffic traversing all the LAN and WAN interfaces, in a redundant bridge mode deployment.
• Viewing Next-hop Reachability
  This page displays the state of each management, WAN, and LAN next-hop.
Before discussing individual reports, the next section describes the basics of viewing reports.
About Viewing Statistics
This section discusses methods for viewing additional details about report charts and graphs. It includes:
• Understanding Traffic Direction
• Viewing Counters Since Last Reboot
• Clearing Counters Non-Destructively
• Exporting Statistical Data
Understanding Traffic Direction
In Appliance Manager, statistics and reports either reference the direction of the flow or the point(s) where the data is collected:
• LAN-to-WAN refers to traffic exiting the LAN, destined for the WAN. This flow is also referred to as outbound traffic.
• WAN-to-LAN refers to traffic coming from the WAN, destined for the LAN. This flow is also referred to as inbound traffic.
Tip Here’s a helpful mnemonic for remembering the difference:
- Rx is “Receive fRom”, so LAN Rx is “receive from LAN”
- Tx is “Transmit To”, so LAN Tx is “transmit to LAN”
Viewing Counters Since Last Reboot
By default, the statistics that display in the following reports have accumulated since the last reboot:
Applications, Tunnel QoS, Tunnels, Flow Redirection, NetFlow, and Interfaces.
To verify this, note that the Actual Stats button is selected.
Clearing Counters Non-Destructively
To non-destructively set the counters to zero, click Delta Stats. To update the statistics, you can manually refresh the page whenever you want. Or, you can select one of the intervals in the same menu.
To zero out counters non-destructively, select Delta Stats.
Select the table’s display units: Bytes, MBytes, Pkts, or KPkts
If you set the Refresh menu to manually, click the browser’s refresh icon as needed for a cumulative update.
To restore the values since the last reboot, click Actual Stats.
Exporting Statistical Data
For some statistics, Appliance Manager provides a Download Data or Export button for downloading the data as a .csv (comma-separated values) file. In summary:
Type of Report | Download Data / Export / Table View
(Dynamic) Charts | ✓
Applications | ✓
Realtime Charts | no Export options
Current Flows | ✓
QoS [Tunnel] | no Export options
Tunnels | no Export options
Flow Redirection | no Export options
NetFlow | no Export options
Interfaces | no Export options
Bridges | no Export options
IP Routes | no Export options
Application View
The Traffic option profiles the same data, but color-codes it by traffic type.
Links to Current Flows [in Monitoring]. For more information, see “Viewing Current Flows”.
For each direction of traffic — inbound and outbound — the overlapping bars are paired to show the full volume of traffic and the reduced, optimized size of the same traffic.
[Figure labels: LAN, WAN, [Inbound LAN] – [Inbound WAN], [Outbound LAN] – [Outbound WAN], Inbound LAN, Outbound LAN]
Network View
When you log in, this page opens by default.
Links to Current Flows [in Monitoring]. For more information, see “Viewing Current Flows”.
For each direction of traffic — inbound and outbound — the overlapping bars are paired to show the full volume of traffic and the reduced, optimized size of the same traffic.
[Figure labels: LAN, WAN, [Inbound LAN] – [Inbound WAN], [Outbound LAN] – [Outbound WAN], Inbound LAN, Outbound LAN]
Viewing Charts
Charts feature spark lines, as well as selectable (and modifiable) time ranges for any data collected in the
last 30 days.
Dynamic charts exist for the following:
• Bandwidth
• Reduction
• Packets per Second
• Flow Counts
• Latency
• Loss
• Out-of-Order Packets
Charts consist of filters, a main chart display, and a time selection area.
1 FILTER SELECTION
2 CHART DISPLAY — Legend / X-axis / Y-axis
  • Click color to select/deselect parameter
  • To zoom in... click, drag, and release. The chart updates to show the new range.
  • The Y-axis height is calibrated to the maximum Y value in the selected range.
  • The Y-axis calibration may change if you hide a parameter (LAN, WAN, or Ratio) that has higher values than the remaining parameters.
  • You cannot manually zoom to change the Y-axis.
3 TIME SELECTION
  To change the time frame, you can also
  • drag the slider to change its position
  • change the slider’s size — click and drag an edge
  Spark lines showing the activity
  When you select, one endpoint is always NOW.
  Displays the slider’s range. You can also set it.
Bandwidth
The Bandwidth chart answers the following questions:
• How much has the bandwidth been optimized?
• At what rate was the data sent and/or received in each time interval?
Reduction
The Reduction chart answers the following questions:
• How much data is traveling in real-time?
• How much data was sent and received for each minute in the current hour, the last 60 minutes, or three days ago?
• What is the ratio of LAN to WAN (or WAN to LAN) traffic at any point in time?
Packets per Second
The Packets per second chart answers the following questions:
• What is the distribution of data in packets?
• At what rate was the data sent and received in each time interval?
• What is the ratio of LAN to WAN traffic at any point in time?
Flow Counts
The Flow Counts chart answers the following questions:
• How much of my traffic is TCP-based?
• How much of my TCP traffic is accelerated?
Since CIFS acceleration is a subset of TCP acceleration, that data is incorporated generically in the accelerated TCP flow data.
Latency
The Latency chart answers the following questions:
• How long does it take my data to get to the other end of the Silver Peak tunnel?
• What were the peak, average, and minimum time intervals?
Loss
The Loss dynamic chart summarizes, by tunnel, the number of packets lost before and after enabling Forward Error Correction (FEC). It answers the following questions:
• How many errors were there before and after turning on Forward Error Correction?
• For any given minute, what was the percent loss?
Out-of-Order Packets
The Out of Order Packets chart summarizes, by tunnel, the number of packets lost before and after enabling Packet Order Correction (POC).
It answers the following questions:
• How many errors were there before and after turning on Packet Order Correction?
• For any given minute, what was the percentage of out-of-order packets?
Viewing Application Statistics
The Applications page provides table and pie chart views of applications. It answers the following questions:
• What percentage of total LAN traffic does each application comprise?
• What is the data reduction in each direction?
• When comparing outbound and inbound traffic, how are the application distributions different?
• What is the ratio of LAN-to-WAN or WAN-to-LAN traffic for any given application?
Table View
Display up to 1000 applications
Total LAN = Inbound LAN + Outbound LAN
[Figure labels: LAN, WAN, [Inbound LAN] – [Inbound WAN], [Outbound LAN] – [Outbound WAN], Inbound LAN, Outbound LAN]
For each direction of traffic — inbound and outbound — the overlapping bars are paired to show the full volume of traffic and the reduced, optimized size of the same traffic.
Pie View
The pie view displays the Top 10 applications.
What’s the difference between other and unassigned in the Applications stats pie chart?
• The pie chart shows the top ten applications and, possibly, other.
• unassigned means the sum of traffic (bytes) for which the appliance could not determine the application.
• other means the sum of traffic other than the top nine.
• If you don’t have more than ten applications, you won’t see other.
Viewing Realtime Charts
• For each realtime chart, specify a filter and a metric.
  Type of Stats | Filters
  Tunnel Stats | Tunnel
  Aggregate Tunnel Stats | Traffic Type [Optimized, All]
  DSCP Stats | Traffic Type [Optimized, All]; DSCP [1 – 64]
  Traffic Class Stats | Traffic Type [Optimized, All]; Traffic Class [1 – 10]
  Flow Stats | Traffic Type [Optimized, All]; Flow Type [TCP Acc, TCP Not Acc, Non-TCP]
  Application Stats | Traffic Type [Optimized, All]; Application
• You can view multiple realtime charts simultaneously.
• Realtime charts refresh every 3 seconds.
• Although the plotted data doesn’t persist when you leave the page (or refresh the browser), the charts do. They begin plotting anew when you return to the page.
The Filter determines the available Metrics.
Creates the chart
Click to delete
Viewing Current Flows
The Current Flows page retrieves a list of existing connections. The maximum visible number depends on which browser you use.
• The page displays a default set of columns, along with individual links to flow details and to any alerts.
• You can display additional columns from a customization list.
This section discusses the following topics:
• How Current Flows Are Organized
• Customizing Which Columns Display
• Current Flow Details
• Resetting Flows to Improve Performance
How Current Flows Are Organized
Click to select the filter. Active filters are highlighted.
How many entries shown out of total possible
Enter specific addresses and/or use zeroes (in the octet) as wildcards. The page lists flows that have either endpoint.
Details used by Silver Peak Support for troubleshooting
Click Alert to view its content
When selected, Appliance Manager still registers the alert but changes the status based on user input. That status, OPTIMIZED*, is also a link that returns to the original Diagnose Flow Alert dialogue.
The following filters are available:
Parameter or Action | Definition
Flow Categories | The number after each option specifies how many flows fit the criteria: • All – all flows • Optimized – optimized flows • Optimized* – these flows originally had a Status of Alert, and the user chose to no longer receive Alerts of the same type • Pass-through – includes shaped and unshaped traffic • Alert – notifies the user of any issue that might be inhibiting optimization, and offers a possible solution
Bytes Transferred | Choose from Total or Last 5 minutes.
Flow Started | Choose from Anytime or Last 5 minutes.
IP1 (2) / Port1 (2) | The IP address of an endpoint(s) that you want to use as a filter: • Entering a specific endpoint returns flows that have that endpoint. • Entering 0 in any IP address’s octet position acts as a wild card for that position. 0 in the Port field is also a wild card. • The two IP address (and port) fields are independent of each other. In other words, you can filter on two separate endpoints.
Application | Select which standard or user-defined application (or application group) to use as a filter criteria. The default value is All.
Traffic | Select the type of traffic connections you want to retrieve: • All – all optimized and pass-through traffic. • Policy Drop – traffic with a Set Action of Drop in the Route Policy • Optimized Traffic – the sum of all optimized traffic. That is, all tunnelized traffic. • Pass-through Shaped – all unoptimized, shaped traffic. • Pass-through Unshaped – all unoptimized, unshaped traffic. • [a named Tunnel] – that specific tunnel’s optimized traffic.
Protocol | Select from the list. The default value is All.
VLAN Id | Enter only the integer value for the VLAN Id.
Max Flows | The upper limit depends on what browser you’re using.
Reset Flows | Resetting the flow kills it and restarts it. It is service-affecting.
Reclassify Flows | Reclassifying the flow is not service-affecting. If a policy change makes a flow stale or inconsistent, then reclassifying makes a best-effort attempt to conform the flow to the change. If the flow can’t be successfully “diverted” to this new policy, then an Alert asks if you want to Reset.
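The IP1/Port1 and IP2/Port2 filter rules above can be reproduced offline against exported flow records; the following is an added example, not Silver Peak code. The CSV header spelling, the sample rows (constructed), and the rule that two active filters must match different endpoints of the same flow are assumptions.

```python
import csv
import io


def parse_filter(ip, port=0):
    """Turn the IP and Port filter fields into ([o1, o2, o3, o4], port)."""
    octets = [int(part) for part in ip.split(".")]
    port = int(port)
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IP filter: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("bad port filter: %r" % port)
    return octets, port


def endpoint_matches(flt, ip, port):
    """True if one flow endpoint satisfies the filter; a 0 matches anything."""
    want_octets, want_port = flt
    have_octets = [int(part) for part in ip.split(".")]
    octets_ok = all(w == 0 or w == h for w, h in zip(want_octets, have_octets))
    return octets_ok and (want_port == 0 or want_port == int(port))


def flow_matches(flow, flt1, flt2=None):
    """Apply one or two endpoint filters to a flow record."""
    a = (flow["IP1"], flow["PORT1"])
    b = (flow["IP2"], flow["PORT2"])
    if flt2 is None:
        # A single filter lists flows that have that endpoint on either side.
        return endpoint_matches(flt1, *a) or endpoint_matches(flt1, *b)
    # Assumption: with both filters set, each must match a different endpoint.
    return (endpoint_matches(flt1, *a) and endpoint_matches(flt2, *b)) or (
        endpoint_matches(flt1, *b) and endpoint_matches(flt2, *a)
    )


def select(rows, flt1, flt2=None):
    """Return the indexes of the rows that pass the filter(s)."""
    return [i for i, row in enumerate(rows) if flow_matches(row, flt1, flt2)]


# Constructed sample; column names follow the default column list on this page.
EXPORT = """\
IP1,PORT1,IP2,PORT2,Application
10.1.1.20,51514,192.168.5.10,445,cifs_smb
10.1.2.33,40022,192.168.5.10,443,https
10.9.8.5,50000,172.16.0.9,22,ssh
192.168.5.10,445,10.1.1.21,51999,cifs_smb
"""

FLOWS = list(csv.DictReader(io.StringIO(EXPORT)))

if __name__ == "__main__":
    # Exact endpoint: found whether it is IP1 or IP2 of the flow.
    print(select(FLOWS, parse_filter("192.168.5.10", 445)))
    # Wildcard octets: any 10.1.x.x endpoint, any port.
    print(select(FLOWS, parse_filter("10.1.0.0")))
    # Because 0 is the wildcard, a literal zero octet cannot be expressed:
    # the filter 10.0.0.5 also returns the flow from 10.9.8.5.
    print(select(FLOWS, parse_filter("10.0.0.5")))
    # Two independent endpoint filters on the same flow.
    print(select(FLOWS, parse_filter("10.1.0.0"), parse_filter("192.168.5.10", 445)))
```

When hunting for a single host whose address contains a zero octet, narrow the wildcard result by a second pass on the exported data, since the filter alone over-matches.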
Customizing Which Columns Display
Following are some customization guidelines:
• The default set of columns includes the following: Select, Status, Protocol, Application, Inbound Reduction %, Outbound Tunnel, IP1, Inbound Bytes, Detail, PORT1, Outbound Bytes, IP2, Outbound Reduction %, PORT2, Up Time
• You can customize by adding the following additional columns: Outbound Rx Bytes, Outbound Tx Bytes, Outbound Ratio, Inbound Tx Bytes, Inbound Rx Bytes, Inbound Ratio, Inbound Tunnel, Configured Outbound Tunnel, Flow Redirected From, LAN–side VLAN, Traffic Class, LAN DSCP, WAN DSCP
• Customizations persist across sessions and across users. For a given appliance, all users see the same columns.
• When you Export the data, all default and possible custom columns are included in the .csv file.
• Customize and Export functions are accessible to all users.
To customize the screen display
1. To access the Customize Current Flows Table, click Customize.
2. Select additional columns, and click OK. The columns append to the right side of the table.
Current Flow Details
Silver Peak Support uses the Flow Detail page for troubleshooting.
Clicking the icon in the Details column displays a detailed flow report.
Most of the information on the Flow Detail page is beyond what is included in the Current Flows table.
Field | Definition
Route
Map Name | The name of the Route Policy.
Priority in Map | The number of the entry in the Route Policy that the flow matches.
Configured Tx Action | The SET action configured in the Route Policy’s Tunnel field.
Tx Action | How the traffic is actually being transmitted. Usually, this is a tunnel name.
Rx Action | By what path or method the appliance is receiving this flow’s traffic.
Tx Reason | Any error associated with packet transmission to the WAN.
Application | Name of the application to which that flow’s traffic belongs.
Protocol | The flow’s protocol.
Using Stale Map Entry | Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.
Flow Direction | Whether the flow is Inbound or Outbound.
Flow Redirected From | The IP address of the appliance that’s redirecting this flow to this appliance.
Auto-opt Status | Whether it matched a specific Route Policy or was Auto Routed.
Auto-opt Transit Node (1, 2, 3, 4) | The IP addresses of the hops between this appliance and the other end of the connection.
LAN-side VLAN | Specifies the VLAN tag (1 – 4095) or None.
Optimization
Map Name | The name of the Optimization Policy.
Priority in Map | The number of the entry in the Optimization Policy that the flow matches.
TCP Acceleration Configured | Whether or not TCP acceleration is configured in the Optimization Policy.
TCP Acceleration Status | Whether TCP is accelerated [Yes] or not [No].
TCP Acceleration Info | The reason that a TCP flow is not accelerated. For a list of error codes, see “Error Reasons for TCP Acceleration Failure”.
TCP Asymmetric | When the answer is YES, the Silver Peak appliance is able to intercept connection establishment in only one direction. As a result, this flow is not accelerated. When this happens, it indicates that there is asymmetric routing in the network.
Proxy Remote Acceleration | Which side is accelerating the flow
CIFS Acceleration Configured | Whether or not CIFS acceleration is configured in the Optimization Policy [Yes/No]
CIFS Acceleration Status | Whether CIFS is accelerated [Yes] or not [No].
CIFS Acceleration Info | The reason that a CIFS flow is not accelerated. For a list of error codes, see “Error Reasons for CIFS Acceleration Failure”.
CIFS Server Side | [Yes/No] If Yes, then this is the server side and the appliance is not accelerating (only the client side accelerates).
CIFS SMB Signed | Specifies whether or not the CIFS traffic is SMB-signed by the server: • Yes means it was signed. If that’s the case, then the appliance was unable to accelerate any CIFS traffic. • No means it wasn’t signed. If that’s the case, then server requirements did not preclude CIFS acceleration. • Overridden means that SMB signing is ON and the appliance overrode it.
SRDF Acceleration Configured | Whether or not SRDF acceleration is configured in the Optimization Policy [Yes/No]
SRDF Acceleration Status | Whether SRDF is accelerated [Yes] or not [No].
SSL Acceleration Configured | Whether or not SSL acceleration is configured in the Optimization Policy [Yes/No]
SSL Acceleration Status | If a certificate has been appropriately installed via the GMS, then SSL traffic can be deduplicated. Whether SSL is accelerated [Yes] or not [No].
SSL Acceleration Reason | The reason that an SSL flow is not accelerated. For a list of error codes, see “Error Reasons for SSL Acceleration Failure”.
Citrix Acceleration Configured | Whether or not Citrix cgp (gateway) or ica protocol acceleration is configured in the Optimization Policy [Yes/No]
Citrix Acceleration Status | Whether Citrix is accelerated [Yes] or not [No].
Citrix Acceleration Reason | The reason that a Citrix flow is not accelerated.
Network Memory | There are four Network Memory settings: • Maximize Reduction — optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency. It is appropriate for bulk data transfers such as file transfers and FTP where bandwidth savings are the primary concern. • Minimize Latency — ensures that no latency is added by Network Memory processing. This may come at the cost of lower data reduction. It is appropriate for extremely latency-sensitive interactive or transactional traffic. It is also appropriate if WAN bandwidth saving is not a primary objective, and instead it is desirable to fully utilize the WAN pipe to increase LAN–side throughput. • Balanced — This is the default setting. It dynamically balances latency and data reduction objectives and is the best choice for most traffic types. • Disabled — No Network Memory is performed.
Payload Compression | Whether or not payload compression is turned on.
Using Stale Map Entry | Whether or not the flow is using a Route Policy entry that has been edited or deleted since the flow began.
Stats Information
Outbound Ratio | For the outbound traffic, a ratio of the Outbound LAN bytes divided by the Outbound WAN bytes. When this ratio is less than 1.0, it’s attributable to a fixed overhead (for WAN transmission) being applied to traffic that either is not compressible or consists of few packets.
Inbound Ratio | For the inbound traffic, a ratio of the Inbound WAN bytes divided by the Inbound LAN bytes.
Outbound LAN | Total number of bytes received from the LAN [outbound traffic]
Outbound WAN | Total number of bytes sent to the WAN [outbound traffic]
Inbound LAN | Total number of bytes sent to the LAN [inbound traffic]
Inbound WAN | Total number of bytes received from the WAN [inbound traffic]
Flow Up Time | The length of time that there has been a connection between the endpoints.
Flow ID | A unique number that the appliance assigns to the flow.
TCP Flow Context | Silver Peak uses this for debugging purposes.
Is Flow Queued for Reset | Whether the flow is waiting to be reset (after user input) or not.
QoS Information
Map Name | The name of the QoS Policy.
Priority in Map | The number of the entry in the QoS Policy that the flow matches.
Traffic Class | The number of the traffic class assigned by the QoS to the flow, based on the MATCH conditions satisfied:
LAN DSCP | The LAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.
WAN DSCP | The WAN DSCP marking that the QoS policy assigned to the flow, based on the MATCH conditions satisfied.
Using Stale Map Entry | Whether or not the flow is using a policy entry that has been edited or deleted since the flow began.
Error Reasons for TCP Acceleration Failure
When there is an acceleration failure, the appliance generates an Alert link that you can access from the
Current Flows page. The Alert details the reason and the possible resolution.
Following is a list of possible errors, along with a brief description.
Error Reason | Description
asymmetric flow | Appliance did not receive a SYN-ACK. RESOLUTION: Most likely reason is asymmetric routing.
client advertised zero MSS | Flow is not accelerated because an endpoint did not send the TCP MSS option. RESOLUTION: Sometimes older operating systems (like Windows 95) do not send the TCP MSS option. You will have to upgrade the operating system software on the endpoints.
connection reset by peer | During setup, this TCP flow's endpoint(s) reset the connection. RESOLUTION: This is a transient condition. If it persists, take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.
connection to be deleted | Flow is not accelerated due to an internal error. RESOLUTION: Contact Silver Peak Support for further help.
disabled in Optimization Map | TCP Acceleration disabled in the Optimization Map. RESOLUTION: If you want this flow to be TCP accelerated, enable it in the optimization map.
disabled to allow debug | Flow is not accelerated because it has been disabled by tunbug debug console. RESOLUTION: Contact Silver Peak Support for further help.
first packet not a SYN | Appliance did not see the TCP SYN for this flow and therefore could not accelerate it. RESOLUTION: This could be due to various reasons: 1. The flow is already established before the appliance sees the first packet for the flow. If so, then resetting the flow will fix the problem. 2. WCCP or PBR is not set up correctly to redirect outbound traffic to the appliance. Check the WCCP or PBR configuration on the router. 3. You have routing issues, so the appliance is not seeing some of the traffic (for example, some packets come to the appliance while others go through another router). If so, you must review and fix your routing. 4. If you are in a cluster of Silver Peak appliances, you may have received a flow redirection timeout. If so, you must investigate why it takes so long for the Silver Peak appliance clusters to communicate with each other.
IP briefly blacklisted | Appliance did not receive a TCP SYN-ACK from remote end within 5 seconds and allowed the flow to proceed unaccelerated. Consequently, the destination IP address has been blacklisted for one minute. RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options. To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses: • If you don't see a TCP SYN from the client, it is due to firewall or routing issues. • If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.
keep alive failure | Appliance did not receive a TCP SYN-ACK from the remote end within 5 seconds and allowed the flow to proceed unaccelerated. RESOLUTION: Wait for a minute and then reset the flow. If the problem reappears, the two most likely reasons are: 1) The remote server is slow in responding to TCP connection requests, or 2) a firewall is dropping packets containing Silver Peak TCP options. To check for either of these causes, perform a tcpdump on the server, with the filter set to these IP addresses: • If you don't see a TCP SYN from the client, it is due to firewall or routing issues. • If you notice that SYN-ACK was sent by the server after 5 seconds, it is due to a slow server.
no remote appliance detected | Appliance did not receive Silver Peak TCP option in the inbound direction. RESOLUTION: This could be due to various reasons: 1. WCCP or PBR is not configured properly on the peer appliance. 2. Silver Peak routing policy not configured properly on the peer appliance. 3. Peer appliance is out of resources. 4. Routing is not configured properly on the router.
out of TCP memory | Appliance is out of resources for accelerating TCP flows. RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.
remote appliance dropped out of accel | Flow is not accelerated because Silver Peak flag is not set in TCP header or there was a mismatch in internal settings. RESOLUTION: Contact Silver Peak Support for further help.
retransmission timeout | Flow is not accelerated due to TCP protocol timeouts. RESOLUTION: This is a transient condition. You can reset the flow and then verify that it gets accelerated. If it does not, then take a tcpdump for this flow from both the client and server machines and contact Silver Peak Support.
Route Map set to drop packets | Flow is not accelerated because the route policy is set to drop packets. RESOLUTION: Fix the Set Action in the route policy entry.
Route Map set to pass-through | Flow is not accelerated because the route policy is set to send packets pass-through. RESOLUTION: Fix the Set Action in the route policy entry.
software version mismatch | Flow is not accelerated due to software version mismatch between two appliances. RESOLUTION: Upgrade software on one or both appliances to the same version of software.
stale flow | Flow is not accelerated due to an internal error. Before the previous flow could terminate cleanly, a new flow began with the same parameters. RESOLUTION: Contact Silver Peak Support for further help.
SYN packet fragmented | Flow is not accelerated for unknown reasons. Please contact Silver Peak Support for further help. RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.
system flow limit reached | Appliance has reached its limit for the total number of flows that can be accelerated. RESOLUTION: Contact Silver Peak about upgrading to an appliance with higher flow capacity.
tandem SP appliance involved | Appliance saw Silver Peak TCP option in the outbound direction. This implies that another Silver Peak appliance precedes this one and is responsible for accelerating this flow. RESOLUTION: Check the flow acceleration status on an upstream appliance.
TCP auto-optimization failed | Automatic optimization logic failed to accelerate this flow. These are handled for each auto-opt subcode below: • TCP auto-optimization failed - NOSPS: Auto-optimization failed because the peer appliance is not participating in automatic TCP acceleration. This can be due to various reasons: 1. Peer appliance is configured to not participate in optimization. 2. WCCP or PBR is not configured properly on the peer side. 3. Routing is not configured properly to send traffic to the peer appliance. • TCP auto-optimization failed - NOTUNNEL: Auto-optimization failed because there is no tunnel between this appliance and its peer, for two possible reasons: 1) Auto-tunnel is disabled. If so, manually create a tunnel. 2) Auto-tunnel is enabled, but needs time to finish creating the tunnel. If so, wait ~30 seconds for tunnel completion, and then reset this flow. • TCP auto-optimization failed - INVALID_OPT: This is generally due to an internal error. Contact Silver Peak Support for further help. • TCP auto-optimization failed - MISC: Contact Silver Peak Support for further help. • TCP auto-optimization failed - TUNNELDOWN: Automatic optimization failed because the tunnel between this appliance and its peer is down.
TCP state mismatch | Flow is not accelerated due to an internal error. This flow will be automatically reset soon. RESOLUTION: This is a transient condition. You can wait for this flow to reset, or you can reset it manually now.
terminated by user | Flow has been reset by the user or automatically reset by the system. RESOLUTION: This is a transient condition. The flow is in the process of being reset.
tunnel down | Flow is not accelerated because the tunnel is down. RESOLUTION: Investigate why the tunnel is down.
unknown cause | Flow is not accelerated for unknown reasons. RESOLUTION: Contact Silver Peak Support for further help. You may want to reset the connection to see if the problem resolves.
Error Reasons for CIFS Acceleration Failure
When there is an acceleration failure, the appliance generates an Alert link that you can access from the
Current Flows page. The Alert details the reason and the possible resolution.
Following is a list of CIFS reason codes. They use the following format:
• No [reason] — The connection is not accelerated, and the “reason string” explains why not.
• Yes [reason] — The connection is partially accelerated, and the “reason string” explains why the
connection is not fully accelerated.
• Yes — The connection is fully accelerated.
Yes/No | Reason Text | Description
No | CIFS optimization is disabled in the Optimization Policy | CIFS is disabled in the optmap.
No | SMB signing is required by the server | SMB signing is enforced by the server, and this requirement precludes optimization.
No | SMB version 2 is enforced by the client | SMB version 2 protocol is enforced by the client, and this requirement precludes optimization.
No | The flow limit for CIFS optimization has been exceeded | Maximum flow limit reached for CIFS optimized flows.
Yes | Sub-optimal read-write optimization Non standard server | Sub-optimal read/write optimization due to non-standard server. For example, Windows XP cannot process more than 10 simultaneous outstanding requests.
Yes | Metadata optimization disabled NTNOTIFY failure | Metadata optimization is disabled due to change notification failure.
Yes | Metadata optimization disabled - OPEN failure | Metadata optimization is disabled because proxy cannot open the root share. To resolve, check the root share permissions.
Yes | Metadata optimization disabled Unsupported Dialect | Endpoints are using an unsupported CIFS dialect. To resolve, upgrade the CIFS client/server.
Yes | Metadata optimization disabled Unsupported Server | Unsupported CIFS server, like UNIX/Samba. To resolve, switch to standard servers like Windows/NetApp.
Yes | Metadata optimization disabled Unsupported Client | Unsupported CIFS client, like UNIX/smbclient. To resolve, switch to standard clients like Windows/Mac.
Error Reasons for SSL Acceleration Failure
When there is an acceleration failure, the appliance generates an Alert link that you can access from the
Current Flows page. The Alert details the reason and the possible resolution.
Note To deduplicate SSL (Secure Socket Layer) traffic, appliances must have a valid SSL
certificate and key. For information about installing SSL certificates and keys, see “Adding SSL
Certificates and Keys for Deduplication” on page 11.
Following is a list of the reasons you may receive a failure message for SSL acceleration.
Error Reason | Description
error processing certificate | Failure in processing certificate. Please check the certificate/key.
error processing client hello1 | Failed to create client hello, protocol error, invalid SSL packet, or internal error
error processing client hello2 | Unsupported client SSL protocol version or options
error processing client hello3 | Invalid random number in SSLv2 client hello, protocol error, invalid SSL packet, or internal error
error processing SAN certificate | Error while processing SAN certificate
error processing server hello | Error while processing server hello
extension parse error | TLS extension parse error, due to unknown TLS extensions
invalid certificate | SSL certificate is invalid
invalid client cipher | Client negotiated unsupported cipher algorithm
invalid client proto version | Client negotiated unsupported SSL version.
invalid handshake condition | Received invalid SSL packet or unsupported SSLv2 session resume request during handshake
invalid key | SSL private key is invalid
invalid server cipher | Server negotiated unsupported cipher algorithm
invalid server proto version | Server negotiated unsupported SSL version
memory flow control | The appliance SSL memory is full and cannot accelerate additional flows.
miscellaneous error | Generic proxy layer internal error
missing active session | Active session not found, cannot accelerate the SSL session.
missing certificate | A matching SSL certificate was not found.
missing key | A matching SSL key was not found.
missing pending session | Pending session not found, possible failure in client hello.
missing resume session | Do not have a session to resume in session cache.
missing SAN certificate | Did not find a matching SAN certificate.
no ipsec on tunnel | IPsec is not configured on the tunnel and IPsec on tunnel must be configured.
possibly no certs installed | Possibly no SSL certificate installed. Check the GMS.
server-side advertised no dedup | Peer appliance SSL did not optimize the flow.
ssl max flows limit | Exceeded maximum SSL optimized flows limit.
unsupported client cipher | Received unsupported cipher suite in SSLv2 client hello message.
unsupported compress method | Unsupported compression method negotiated.
unsupported extension | Unsupported TLS extension negotiated.
unsupported server cipher | Received unsupported cipher suite in SSLv2 server hello message.
unsupported server protocol | Unsupported SSL protocol: SSLv2 server hello message not supported.
Resetting Flows to Improve Performance
In the list of Alerts, you can look for the flows that aren’t being accelerated, but could be. Generally, this
means flows that use TCP protocol and are not TCP-accelerated:
• This includes tunnelized TCP traffic that is not TCP-accelerated. TCP connections are not
accelerated if they already exist when the tunnel comes up or when the appliance reboots.
• Pass-through connections are neither tunnelized nor accelerated if they already exist when a
new tunnel is added and/or when an ACL is added or edited.
Unaccelerated TCP flows can be reset to allow them to reconnect at a later time. It is assumed that the
connection end-points will re-establish the flows. When these flows are reconnected, the appliance
recognizes them as new and accelerates them. Note that the time it takes to reset a flow may vary,
depending on the traffic activity.
CAUTION Resetting a flow interrupts service for that flow. The appliance cannot restore the
connection on its own; it relies on the end points to re-establish the flow. Use it only if service
interruption can be tolerated for a given flow.
Tip For information about configuring the appliance to automatically reset TCP flows, see the
Advanced TCP Options in “TCP Acceleration” on page 106.
Viewing QoS Statistics
The QoS page summarizes optimized traffic on the basis of traffic class and/or WAN DSCP markings.
To view the QoS Statistics report
From the Monitoring menu, select QoS.
• Choose the type of traffic. The default is All Traffic.
• Choose all traffic classes, or any one from 1 through 10. The default is All.
• Choose all DSCP markings or just one. The default is All.
The QoS Statistics on Traffic Class area displays the following information:
Field | Definition
LAN Rx Bytes | Number of bytes received from the LAN
LAN Rx Pkts | Number of packets received from the LAN
LAN Tx Bytes | Number of bytes sent to the LAN
LAN Tx Pkts | Number of packets sent to the LAN
Lan Rx Dropped Pkts | Number of packets received from the LAN that were dropped
The QoS Statistics on DSCP area displays the following information:
Field | Definition
WAN Tx Bytes | Number of bytes sent to the WAN
WAN Tx Pkts | Number of packets sent to the WAN
WAN Rx Bytes | Number of bytes received from the WAN
WAN Rx Pkts | Number of packets received from the WAN
Viewing Tunnel Statistics
The Tunnels page summarizes the overall inbound and outbound traffic statistics for the tunnels since the
last reboot. The Tunnels table condenses the total LAN and WAN counters.
When you select a tunnel from the table, the Appliance Manager provides the following detailed report:
Name | Description
LAN/WAN Statistics
• Specifies the number of bytes and packets received, processed, and transmitted by a
Silver Peak tunnel in both the outbound (LAN-to-WAN) and inbound (WAN-to-LAN)
directions.
• Statistics are separated for inbound and outbound traffic.
Flows/Latency/Packet Correction Statistics
• Specifies packets by TCP flow versus non-TCP flow. Packets in a TCP flow are further
sorted by whether or not they’re accelerated.
• Displays round trip latency time in milliseconds (minimum, maximum, and average).
• Displays how many received packets were lost before and after Forward Error Correction
(FEC).
• Displays how many received packets were out-of-order before and after Packet Order
Correction (POC).
• Statistics represent combined, bi-directional data.
The default display unit is Bytes. If you want, you can choose MBytes,
Pkts [packets], or KPkts instead. If you select a specific tunnel and then
change the units, the page refreshes to display the table only.
When you choose manually, click the browser’s
Refresh icon to view up-to-the-minute data.
[Figure: Tunnels page. Callouts: For detail, click a tunnel name; OUTBOUND traffic (Transmit LAN to WAN); How long the tunnel has been up; INBOUND traffic (Receive WAN to LAN). Column labels: LAN Rx - WAN Tx, LAN Rx, WAN Rx - LAN Tx, WAN Rx.]
The Appliance Manager reports all realtime tunnel statistics as raw data.
To view a specific tunnel’s detailed statistics
Click the tunnel’s Name. Typically, the following displays:
The Appliance Manager organizes an individual tunnel’s statistics into two parts:
• LAN/WAN Statistics
• Flows / Latency / Packet Correction Statistics
LAN/WAN Statistics
The LAN/WAN Statistics summarize realtime data directly related to the Silver Peak tunnel’s processing.
These statistics answer the following questions:
• For any given tunnel, how many bytes (or packets) did the tunnel receive and subsequently transmit?
• Which tunnels have processed the most traffic? The least traffic?
• What error types and quantities were encountered for traffic inbound from the WAN?
• What error types and quantities were encountered for traffic inbound from the LAN?
The LAN/WAN Statistics area displays the following information:
Section | Field | Definition
LAN Rx (outbound traffic) | Rx Bytes | Number of bytes received from the LAN.
LAN Rx (outbound traffic) | Rx Pkts | Number of packets received from the LAN.
WAN Tx (outbound traffic) | Tx Bytes | Number of bytes sent to the WAN.
WAN Tx (outbound traffic) | Tx Pkts | Number of packets sent to the WAN.
LAN Tx (inbound traffic) | Tx Bytes | Number of bytes sent to the LAN.
LAN Tx (inbound traffic) | Tx Pkts | Number of packets sent to the LAN.
WAN Rx (inbound traffic) | Rx Bytes | Number of bytes received from the WAN.
WAN Rx (inbound traffic) | Rx Pkts | Number of packets received from the WAN.
Flows / Latency / Packet Correction Statistics
The Flows / Latency / Packet Correction Statistics area includes other general statistics. It answers the
questions:
• How many of the traffic flows are based on TCP and how many are not?
• How much of the TCP flow was accelerated?
• What is the minimum, average, and peak latency in milliseconds?
• How many packets were lost before Forward Error Correction (FEC), and how many were lost after?
• How many out-of-order packets were there before and after Packet Order Correction?
The TCP Flow / Latency / Packet Loss Statistics area displays the following statistics:
Section | Field | Definition
Traffic Flows | Non-TCP Flows | Number of flows that are not TCP-based.
Traffic Flows | TCP Flows | Number of flows that are TCP-based.
Traffic Flows | TCP Accel Flows | Number of TCP flows that are accelerated. Since CIFS acceleration is a subset of TCP acceleration, they are included herein.
Traffic Flows | TCP Non-Accel Flow | Number of TCP flows that are not accelerated.
Round Trip Latency | Average | Length of the average round trip latency, in milliseconds.
Round Trip Latency | Maximum | Length of the peak round trip latency, in milliseconds.
Round Trip Latency | Minimum | Length of the shortest round trip latency, in milliseconds.
Rx Packet Correction | Pre FEC Loss | Number of packets lost before Forward Error Correction (FEC).
Rx Packet Correction | Post FEC Loss | Number of packets lost after Forward Error Correction (FEC).
Rx Packet Correction | Pre POC Out-of-Order | Number of out-of-order packets before Packet Order Correction (POC).
Rx Packet Correction | Post POC Out-of-Order | Number of out-of-order packets after Packet Order Correction (POC).
Fine-tuning Packet Correction
Enabling Forward Error Correction (FEC) in the tunnel configuration can sometimes result in the creation
of additional Out-of-Order Packets (OOP).
To view the performance after enabling FEC, do either of the following:
• Access the Monitoring > Tunnels page and review the Delta Stats for Pre POC Out-of-Order and Post
POC Out-of-Order.
• Access the Monitoring > Charts page, select the tunnel from Traffic, and review its Out-of-Order
chart.
Adjust if necessary, as follows:
1 If out-of-order packets exist, then you’ll need to try another Reorder Wait time for the tunnel in
question.
2 Go to Configuration > Tunnels, and in the row of the tunnel in question, click Advanced Tunnel.
3 At first, set the Reorder Wait time to 10ms, and save the configuration.
4 Return to the stats page(s) to see if the out-of-order packets have been eliminated.
5 If there are still out-of-order packets, then go back to the tunnel configuration and increase the
Reorder Wait time.
6 Repeat Steps 5 and 6 until there are no more out-of-order packets.
Viewing Flow Redirection Statistics
The Flow Redirection page displays the number of control packets sent and received between this
appliance and the other peer(s) in the cluster, as well as how much traffic was redirected to and from the
other peer(s).
It answers the following questions:
• What are the mgmt1 IP addresses of the other peers in this cluster?
• How many control packets were exchanged between this appliance and each of its peers?
• How many redirected flows does this appliance currently own?
• How many flows is this appliance currently redirecting to peers?
• In total, how many packets/bytes have been redirected to/from any given peer?
A Sampling of Results
• For each mgmt1 IP address in the cluster, the Stats area summarizes the control packets that
keep open the connection to a peer appliance.
• When you choose manually, click the browser’s Refresh icon to view up-to-the-minute data.
• This appliance owns all the Flows Redirected From.
• The Flows columns list current flows only.
• These numbers are cumulative for all redirected flows, whether they’re active or terminated.
The Flow Redirection page displays the following statistics:
Section | Field | Definition
Stats | Peer IP | The mgmt1 IP address of a peer appliance in the same cluster as this appliance.
Stats | Hello | Control packets used to keep open the TCP connection between two peers’ mgmt1 cluster interfaces.
Stats | Redirection | Requests to redirect flows
Stats | Tx Msgs | The number of messages transmitted.
Stats | Tx Bytes | The size of the transmitted messages, in bytes.
Stats | Rx Msgs | The number of messages received.
Stats | Rx Bytes | The size of the received messages, in bytes.
Flows Redirected From | Peer | The mgmt1 IP address of a peer appliance in the same cluster as this appliance.
Flows Redirected From | Flows | The number of current flows redirected from the peer to this appliance.
Flows Redirected From | Pkts | To date, the total number of packets redirected from the peer to this appliance.
Flows Redirected From | Bytes | To date, the total number of bytes redirected from the peer to this appliance.
Flows Redirected To | Peer | The mgmt1 IP address of a peer appliance in the same cluster as this appliance.
Flows Redirected To | Flows | The number of current flows redirected to the peer by this appliance.
Flows Redirected To | Pkts | To date, the total number of packets redirected to the peer by this appliance.
Flows Redirected To | Bytes | To date, the total number of bytes redirected to the peer by this appliance.
Across all other reported statistics, only the owner of a flow reports a flow’s traffic statistics.
Viewing NetFlow Statistics
The NetFlow page displays how many records were exported to the NetFlow collectors.
It answers the following questions:
• How many flows were required to export the records to NetFlow?
• How many packets were required to export these flows?
A Sampling of Results
Viewing Interface Statistics
The Interfaces page displays generic performance data for the actual physical LAN, WAN, and
management interfaces (primary and secondary). It answers the following questions:
• How many bytes or packets is the appliance transmitting or receiving?
• How many errors exist?
• What types of errors exist?
To view the Interface Statistics
From the Monitoring menu, select Interfaces. The page displays the actual statistics accumulated for
wan0, lan0, mgmt0, and mgmt1 since the appliance’s last reboot.
• If Refresh is set to manually, use the browser’s refresh to view up-to-the minute data.
• blan0 and bwan0 are visible when gigabit etherchannel bonding is configured.
For more information, see “Configuring Gigabit Etherchannel Bonding” on page 5.
• When the appliance is in Bridge mode, there are lan0 interface statistics. When the appliance is in
Router mode, there are not.
[Figure: Interfaces page. Callouts: Management connection to LAN; Management connection to PC.]
The Interfaces page displays the following statistics:
Network Receive Statistics
Field | Definition
Rx Bytes | Number of bytes received inbound from the WAN side
Rx Pkts | Number of packets received inbound from the WAN side, including all packets that were either discarded, contained errors, arrived too quickly for the hardware to receive, or were frame or mcast packets.
Rx Discard Pkts | Number of input packets selected to be discarded even though no errors are found.
Rx Error Pkts | Number of input packets that contained errors.
Rx Overrun Pkts | Number of times the receiver hardware was unable to hand a received packet to a hardware buffer because the rate exceeded the receiver's ability to handle the data.
Rx MCast Pkts | Number of multicast packets received.
Rx Frame Pkts | Number of packets received incorrectly having a CRC error and a non-integer number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.
Network Transmit Statistics
Field | Definition
Tx Bytes | Number of bytes transmitted outbound toward the WAN side
Tx Pkts | Number of packets transmitted outbound toward the WAN side, including all packets that were either discarded, contained errors, were overrun, had collisions, or were dropped because the interface detection link is lost.
Tx Discard Pkts | Number of output packets selected to be discarded even though no errors are found.
Tx Error Pkts | Number of outbound packets that could not be transmitted because of errors.
Tx Overrun Pkts | Number of times the transmitter hardware was unable to hand a transmitted packet to a hardware buffer because the rate exceeded the transmitter's ability to handle the data.
Tx Carrier Pkts | Number of packets dropped because the interface detection link is lost.
Tx Collision Pkts | Number of output collisions detected on this interface.
Viewing Bridge Mode Statistics
The Bridges page displays data traffic traversing all the LAN and WAN interfaces when the appliance is
deployed in-line.
It answers the following questions:
• Is the appliance receiving/sending on all interfaces?
• Is the link up?
Sampling of Results
[Figure: Bridges page. Callouts: Ingress for pass-through traffic; Egress for pass-through traffic.]
Viewing Next-hop Reachability
To access the Next-hop Reachability page, select Monitoring > Routes.
This page displays the state of each management, WAN, and LAN next-hop.
Sampling of Results
The Next-hop Reachability page displays the following statistics:
Field | Definition
Next-hop IP | IP address of the router to which the Silver Peak appliance sends datapath traffic
Interface | The logical port associated with the Next-hop IP
Source | Direction of the next-hop router, relative to the appliance
State | There are four possible states: Initializing; Reachable; Unreachable; Test disabled [when appliance is in Bypass mode]
Uptime | How long the next-hop router has been reachable
WAN Configured Role | Whether the next-hop router is Active or Backup. When Active, it’s delivering tunnelized packets.
WAN Current Role | Actual WAN role. The options are Active, Backup, Down, and N/A [not applicable].
CHAPTER 10
Administration Tasks
This chapter describes various administration-related tasks.
In This Chapter
• Setting the Date and Time
• Adding Domain Name Servers
• Configuring SNMP
• Configuring Flow Exports for Netflow
• Pre-Positioning Data for Enhanced Acceleration Benefits
• Managing User Accounts
• Configuring Banners
• Configuring Authentication, RADIUS, and TACACS+
• Configuring Settings for Web Protocols and Web Users
• Understanding the Events Log
• Viewing a Log of All Alarms
• Viewing the Audit Log
• Managing Debug Files
• Support
Setting the Date and Time
Configure the appliance's date and time to reference a time you specify manually, or an NTP (Network
Time Protocol) server you subsequently designate.
1 From the Time Zone list, select the appliance's geographical location.
2 Select Manual and enter the Date [YYYY/MM/DD] and Time [HH:MM:SS] (based on a 24-hour
clock).
3 Click Apply.
4 If you want to enable reference to an NTP server, now select NTP Time Synchronization.
5 Click Add.
6 Enter the IP address of the server, and select the version of NTP protocol to use.
7 Click Apply.
When you list more than one NTP server, the Appliance Manager selects the servers in the order listed,
always defaulting to the available server uppermost on the list.
Data Collection
• Silver Peak's GMS (Global Management System) collects and puts all stats in its own database in
Coordinated Universal Time (UTC).
• When a user views stats, the appliance (or GMS server) returning the stats always presents the
information relative to its own time zone.
Adding Domain Name Servers
A Domain Name Server (DNS) keeps a table of the IP addresses associated with domain names. It
allows you to reference locations by domain name, such as mycompany.com, instead of using the routable
IP address.
• You can configure up to three name servers.
• Under Domain Names, add the network domains to which your appliances belong.
Configuring SNMP
This section describes the following about Simple Network Management Protocol (SNMP):
• Loading SNMP MIBs
• Configuring SNMP Settings
Loading SNMP MIBs
From Silver Peak’s website, you can download the Standard and the Silver Peak proprietary MIB
(Management Information Base) files, for loading into whatever MIB browser you’re using:
• You can choose to install the Standard MIBs, the Silver Peak proprietary MIBs, or both.
• The Standard list and the Silver Peak file list share the same first three files. These are
highlighted in green below.
• Because there are dependencies, you must load the files in a list in a specific sequence.
• If you choose to load both the Standard and the Silver Peak MIBs, load either list completely
and then append the non-common files from the remaining list.
List of Silver Peak MIBs
Load these files in the following order:
1 SNMPv2-SMI.txt
2 SNMPv2-TC.txt
3 SNMPv2-CONF.txt
4 SILVERPEAK-SMI.txt
5 SILVERPEAK-TC.txt
6 SILVERPEAK-PRODUCTS-MIB.txt
7 SILVERPEAK-MGMT-MIB.txt
List of Standard MIBs
Load these files in the following order:
1 SNMPv2-SMI.txt
2 SNMPv2-TC.txt
3 SNMPv2-CONF.txt
4 RFC1155-SMI.txt
5 RFC1213-MIB.txt
6 SNMPv2-MIB.txt
7 SNMP-FRAMEWORK-MIB.txt
8 SNMP-MPD-MIB.txt
9 SNMP-TARGET-MIB.txt
10 SNMP-NOTIFICATION-MIB.txt
11 SNMP-USER-BASED-SM-MIB.txt
12 SNMP-VIEW-BASED-ACM-MIB.txt
Configuring SNMP Settings
Use this page to configure the appliance's SNMP agent, the trap receiver(s), and how to forward
appliance alarms as SNMP traps to the receivers.
• The Silver Peak appliance supports the Management Information Base (MIB) II, as described in
RFC 1213, for cold start traps and warm start traps, as well as Silver Peak proprietary MIBs.
• The appliance issues an SNMP trap during reset--that is, when loading a new image, recovering from
a crash, or rebooting.
• The appliance sends a trap every time an alarm is raised or cleared. Traps contain additional
information about the alarm, including severity, sequence number, a text-based description of the
alarm, and the time the alarm was created. For additional information, see
SILVERPEAK-MGMT-MIB.TXT in the MIBS directory.
For SNMP v1 and SNMP v2c, you need only configure the following:
Field | Description
Enable SNMP | Allows the SNMP application to poll this Silver Peak appliance.
Enable SNMP Traps | Allows the SNMP agent (in the appliance) to send traps to the receiver(s).
Read-Only Community | The SNMP application needs to present this text string (secret) in order to poll this appliance's SNMP agent. The default value is public, but you can change it.
Default Trap Community | The trap receiver needs to receive this string in order to accept the traps being sent to it. The default value is public, but you can change it.
For additional security when the SNMP application polls the appliance, you can select Enable Admin
User for SNMP v3, instead of using v1 or v2c. This provides a way to authenticate without using clear
text:
• To configure SNMP v3 admin privileges, you must be logged in as admin in Appliance Manager.
• For SNMP v3, authentication between the user and the server acting as the SNMP agent is bilateral
and required. You can use either the MD5 or SHA-1 hash algorithm.
• Using DES or AES-128 to encrypt for privacy is optional. If you don't specify a password, the
appliance uses the default privacy algorithm (AES-128) and the same password you specified for
authentication.
You can configure up to 3 trap receivers:
Field | Description
Host | IP address where you want the traps sent
Community | The trap receiver needs to receive a specific string in order to accept the traps being sent to it. By default, this field is blank because it uses the Default Trap Community string, which has the value, public. If the trap receiver you're adding has a different Community string, enter the community string that's configured on the trap receiver.
Version | Select either v1 (RFC 1157) or v2c (RFC 1901) standards. For both, authentication is based on a community string that represents an unencrypted password.
Enabled | When selected, enables this specific trap receiver.
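The checks below are an added example, not code from Silver Peak or from this guide: a Python audit of the SNMP choices described above (default public community strings, clear-text v1/v2c communities, MD5 or DES under SNMP v3, a reused privacy password). The dict layout, key names, and severity labels are assumptions made for the example and are not an export format documented on this page.

```python
DEFAULT_COMMUNITY = "public"  # default for both community fields, per the guide
MAX_TRAP_RECEIVERS = 3        # the guide allows up to 3 trap receivers


def audit_snmp(cfg):
    """Return (severity, message) findings for one appliance's SNMP settings.

    `cfg` is a hypothetical dict keyed after the page's field labels; the
    severity labels are this example's own ranking, not the vendor's.
    """
    findings = []
    v3 = cfg.get("v3_admin", {})

    if cfg.get("enable_snmp"):
        if cfg.get("read_only_community", DEFAULT_COMMUNITY) == DEFAULT_COMMUNITY:
            findings.append(("high", "Read-Only Community is the default 'public'"))
        if not v3.get("enabled"):
            findings.append(("medium", "SNMP v3 admin user is off; polling "
                                       "authenticates with a clear-text community"))

    if v3.get("enabled"):
        if v3.get("auth_type", "").upper() == "MD5":
            findings.append(("medium", "v3 authentication uses MD5; prefer SHA-1"))
        if v3.get("priv_type", "AES-128").upper() == "DES":
            findings.append(("medium", "v3 privacy uses DES; prefer AES-128"))
        if not v3.get("priv_password"):
            findings.append(("low", "no privacy password; the authentication "
                                    "password is reused for privacy"))

    receivers = cfg.get("trap_receivers", [])
    if len(receivers) > MAX_TRAP_RECEIVERS:
        findings.append(("info", f"{len(receivers)} trap receivers listed; "
                                 f"the appliance accepts {MAX_TRAP_RECEIVERS}"))

    if cfg.get("enable_snmp_traps"):
        default_trap = cfg.get("default_trap_community") or DEFAULT_COMMUNITY
        for rcv in receivers:
            if not rcv.get("enabled"):
                continue
            # A blank Community field falls back to the Default Trap Community.
            effective = rcv.get("community") or default_trap
            if effective == DEFAULT_COMMUNITY:
                findings.append(("high", f"trap receiver {rcv['host']} uses the "
                                         "default community 'public'"))
            # v1 and v2c both carry the community as an unencrypted password.
            findings.append(("info", f"trap receiver {rcv['host']} ({rcv['version']}) "
                                     "sends its community unencrypted"))
    return findings


# Constructed sample configuration (documentation addresses, made-up strings).
SAMPLE_CONFIG = {
    "enable_snmp": True,
    "enable_snmp_traps": True,
    "read_only_community": "public",
    "default_trap_community": "s3c-traps",
    "v3_admin": {"enabled": True, "auth_type": "MD5",
                 "priv_type": "AES-128", "priv_password": ""},
    "trap_receivers": [
        {"host": "192.0.2.10", "community": "", "version": "v2c", "enabled": True},
        {"host": "192.0.2.11", "community": "public", "version": "v1", "enabled": True},
        {"host": "192.0.2.12", "community": "public", "version": "v1", "enabled": False},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```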
Configuring Flow Exports for Netflow
You can configure your appliance to export statistical data to NetFlow collectors. The appliance exports
flows against two virtual interfaces -- sp_lan and sp_wan -- that accumulate the total of LAN-side and
WAN-side traffic, regardless of physical interface.
• These interfaces appear in SNMP and are therefore "discoverable" by NetFlow collectors.
• Flow Exporting Enabled allows the appliance to export the data to collectors (and makes the
configuration fields accessible).
• The Collector's IP Address is the IP address of the device to which you're exporting the NetFlow
statistics. The default Collector Port is 2055.
• In Traffic Type, you can select as many of the traffic types as you wish. The default is Outbound
WAN.
Pre-Positioning Data for Enhanced Acceleration Benefits
The Appliance Manager allows you to pre-position data into Network Memory so that users can get the
benefits of second-pass performance without having to wait for Network Memory to populate.
In this scenario, the file server at the data center is the
FTP client, with multiple directories under /dir/home.
With the Administration - Pre-position page, you can enable FTP server capability on each branch’s
NX appliance:
• After enabling pre-positioning, administrators can FTP files or directories to the appliances which
will, in turn, “warm” Network Memory.
Subsequently, any user who requests data that was pre-positioned will immediately enjoy the
acceleration benefits of the stored local instances.
• Make sure that the relevant tunnels are admin-ed up before FTP transfer.
• An Administrator can set up a script process for pre-positioning jobs that need to run automatically.
There is no down side to leaving this feature enabled by default.
To configure a branch or remote appliance to pre-position data
1 From the Administration menu, select Pre-position.
a Select the Server Enable check box. This enables the appliance to act as an FTP server.
b To exempt the FTP client from needing to use an existing account on the appliance, select
Anonymous Access Enable.
c Enter the maximum number of clients that may access the appliance simultaneously. The
default value is 5. The range is 1 to 10.
2 Click Apply.
3 Click Save Changes.
Managing User Accounts
The Silver Peak appliance’s built-in user database supports user names, groups, and passwords.
Use this page to create, edit, and delete users.

• The Active Sessions table lists who is logged in to the appliance, and from where.
• The User Accounts table lists all users known to this appliance, whether or not their accounts are
  enabled.
• The system user names are admin and monitor.
  • They CANNOT be deleted.
  • You can only disable monitor.
  • You can, however, change each one's password.
• A user has either admin or monitor privileges:
  • admin capability allows the user to view and modify.
  • monitor capability allows the user to view only.
Suggested Guidelines for Creating Passwords
• Passwords should be a minimum of 8 characters.
• There should be at least one lower case letter and one upper case letter.
• There should be at least one digit.
• There should be at least one special character.
• Consecutive letters in the password should not form words found in the dictionary.
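The five guidelines above can be expressed as an audit check. This is an added example, not part of the Silver Peak guide or the appliance's own code; the word list is a small constructed sample, and the four-letter minimum for a dictionary hit and the treatment of any non-alphanumeric character as "special" are assumptions.

```python
import re

# Constructed sample word list (assumption); a real audit would load a full dictionary.
SAMPLE_WORDS = frozenset(
    {"password", "silver", "peak", "admin", "monitor", "network", "welcome"}
)
MIN_WORD_LEN = 4  # assumption: ignore shorter matches such as "an" or "to"


def dictionary_hits(password, words=SAMPLE_WORDS, min_len=MIN_WORD_LEN):
    """Return dictionary words formed by consecutive letters in the password."""
    hits = set()
    # Only unbroken runs of letters can form a word; digits and symbols split runs.
    for run in re.findall(r"[A-Za-z]+", password):
        low = run.lower()
        for start in range(len(low)):
            for end in range(start + min_len, len(low) + 1):
                if low[start:end] in words:
                    hits.add(low[start:end])
    return sorted(hits)


def check_password(password, words=SAMPLE_WORDS):
    """Return the guidelines the password fails (empty list = passes all five)."""
    failures = []
    if len(password) < 8:
        failures.append("length")
    if not re.search(r"[a-z]", password):
        failures.append("lowercase")
    if not re.search(r"[A-Z]", password):
        failures.append("uppercase")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("special")
    if dictionary_hits(password, words):
        failures.append("dictionary")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["Silver1!", "tR7#kq9Lw!", "abc"]:
        print(candidate, check_password(candidate) or "ok")
```

Note that "Silver1!" satisfies the length and character-class guidelines and fails only the dictionary guideline, which is why that rule needs its own check.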
Configuring Banners
You can configure two different types of banners:

• The Login Message appears on the Login page, before the login prompt.
• The Message of the Day appears on the Network View page after a successful login.
  Mouse over the icon to reveal it.
You can configure either, neither, or both.
Configuring Authentication, RADIUS, and TACACS+
Silver Peak appliances support user authentication and authorization as a condition of providing access
rights.

• Authentication is the process of validating that the end user, or a device, is who or what they claim
  to be.
• Authorization is the action of determining what a user is allowed to do. Generally, authentication
  precedes authorization.
• Map order refers to the order in which the authentication databases are queried.
• The configuration specified for authentication and authorization applies globally to all users
  accessing that appliance.
• If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs
  them out and returns them to the login page. You can change that value, as well as the maximum
  number of sessions, on the Administration - Session Management page.
Authentication and Authorization
To provide authentication and authorization services, Silver Peak appliances:

• support a built-in, local database
• can be linked to a RADIUS (Remote Authentication Dial-In User Service) server
• can be linked to a TACACS+ (Terminal Access Controller Access-Control System Plus) server.
Both RADIUS and TACACS+ are client-server protocols.
Appliance-based User Database
• The local, built-in user database supports user names, groups, and passwords.
• The two user groups are admin and monitor. You must associate each user name with one or the
  other. Neither group can be modified or deleted.
• The monitor group supports reading and monitoring of all data, in addition to performing all actions.
  This is equivalent to the Command Line Interface's (CLI) enable mode privileges.
• The admin group supports full privileges, along with permission to add, modify, and delete. This is
  equivalent to the Command Line Interface's (CLI) configuration mode privileges.
RADIUS

• RADIUS uses UDP as its transport.
• With RADIUS, the authentication and authorization functions are coupled together.
• RADIUS authentication requests must be accompanied by a shared secret. The shared secret must
  be the same as defined in the RADIUS setup. Please see your RADIUS documentation for details.
• Important: Configure your RADIUS server's priv levels within the following ranges:
  • admin = 7 - 15
  • monitor = 1 - 6
TACACS+

• TACACS+ uses TCP as its transport.
• TACACS+ provides separated authentication, authorization, and accounting services.
• Transactions between the TACACS+ client and TACACS+ servers are also authenticated through
  the use of a shared secret. Please see your TACACS+ documentation for details.
• Important: Configure your TACACS+ server's roles to be admin and monitor.
What Silver Peak recommends
• Use either RADIUS or TACACS+, but not both.
• For Authentication Order, configure the following:
  • First = Local
  • Second = either RADIUS or TACACS+. If not using either, then None.
  • Third = None
• When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as
  follows:
  • Map Order = Remote First
  • Default User = admin
Configuring Settings for Web Protocols and Web Users
Use the Administration - Web page to configure the web protocol settings and web user settings.
You can configure the following:
• whether to enable HTTP, HTTPS, or both protocols
• how long you can go without using the Appliance Manager before it times out and you’re
  forced to log on again
• the maximum number of simultaneous user sessions allowed on an appliance
Configuring Log Settings
Use the Administration - Log-Settings page to configure local and remote logging parameters.
Each requires that you specify the minimum severity level of event to log.

• Set up local logging in the Log Configuration section.
• Set up remote logging by using the Log Facilities Configuration and Remote Log Receivers sections.
Minimum Severity Levels
In decreasing order of severity, the levels are as follows.
Level: Definition
EMERGENCY: The system is unusable.
ALERT: Includes all alarms the appliance generates: CRITICAL, MAJOR, MINOR, and WARNING
CRITICAL: A critical event
ERROR: An error. This is a non-urgent failure.
WARNING: A warning condition. Indicates an error will occur if action is not taken.
NOTICE: A normal, but significant, condition. No immediate action required.
INFORMATIONAL: Informational. Used by Silver Peak for debugging.
DEBUG: Used by Silver Peak for debugging
NONE: If you select NONE, then no events are logged.

• The bolded part of the name is what displays in Silver Peak's logs.
• If you select NOTICE (the default), then the log records any event with a severity of NOTICE,
  WARNING, ERROR, CRITICAL, ALERT, and EMERGENCY.
• These are purely related to event logging levels, not alarm severities, even though some naming
  conventions overlap. Events and alarms have different sources. Alarms, once they clear, list as the
  ALERT level in the Event Log.
Configuring Remote Logging

• You can configure the appliance to forward all events, at and above a specified severity, to a remote
  syslog server.
• A syslog server is independently configured for the minimum severity level that it will accept.
  Without reconfiguring, it may not accept as low a severity level as you are forwarding to it.
• In the Log Facilities Configuration section, assign each message/event type (System / Audit / Flow)
  to a syslog facility level (local0 to local7).
  Both of these remote receivers have a local1 facility, so they’ll each receive System log events.
  The only difference is that 172.20.2.106 accepts events with a lower severity than 10.10.20.41
  does.
  You can use a different facility for each log, or you can select the same facility for all the logs.
• For each remote syslog server that you add to receive the events, specify the receiver's IP address,
  along with the messages' minimum severity level and facility level.
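The interaction between the log-type-to-facility assignment and each receiver's facility and minimum severity can be modeled as follows. This is an added example, not Silver Peak code: the Audit and Flow facility assignments and both receivers' severity thresholds are assumptions (the guide states only that both receivers use local1 and that 172.20.2.106 accepts a lower severity), and the PRI value uses the standard syslog formula of facility times 8 plus severity.

```python
from dataclasses import dataclass

# Severity names in the guide's decreasing order map to syslog codes 0..7.
SEVERITY = {name: code for code, name in enumerate([
    "EMERGENCY", "ALERT", "CRITICAL", "ERROR",
    "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG",
])}
NONE = "NONE"  # selecting NONE means no events are logged

# Standard syslog facility codes: local0..local7 are 16..23.
FACILITY = {f"local{i}": 16 + i for i in range(8)}


@dataclass(frozen=True)
class Receiver:
    address: str
    min_severity: str
    facility: str


def passes(event_severity, min_severity):
    """True if the event is at or above the configured minimum severity."""
    if min_severity == NONE:
        return False
    return SEVERITY[event_severity] <= SEVERITY[min_severity]


def pri(facility, severity):
    """Syslog PRI value carried at the start of each forwarded message."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def route(log_type, severity, facility_map, receivers):
    """Return (receiver address, PRI) for every receiver that gets this event."""
    facility = facility_map[log_type]
    return [
        (r.address, pri(facility, severity))
        for r in receivers
        if r.facility == facility and passes(severity, r.min_severity)
    ]


def silent_log_types(facility_map, receivers):
    """Log types whose facility no active receiver listens on (never forwarded)."""
    listened = {r.facility for r in receivers if r.min_severity != NONE}
    return sorted(t for t, f in facility_map.items() if f not in listened)


# Constructed configuration. System = local1 matches the guide's example;
# the Audit and Flow facilities and both thresholds are assumed values.
FACILITY_MAP = {"System": "local1", "Audit": "local0", "Flow": "local2"}
RECEIVERS = [
    Receiver("172.20.2.106", "INFORMATIONAL", "local1"),
    Receiver("10.10.20.41", "ERROR", "local1"),
]

if __name__ == "__main__":
    print(route("System", "WARNING", FACILITY_MAP, RECEIVERS))
    print(route("System", "CRITICAL", FACILITY_MAP, RECEIVERS))
    print("never forwarded:", silent_log_types(FACILITY_MAP, RECEIVERS))
```

With this constructed configuration, Audit events never leave the appliance because no receiver is assigned their facility, which is the gap `silent_log_types` is meant to surface.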
Understanding the Events Log
The event log, which you access by selecting Administration > Logging > Event Log Viewer, contains
timestamped messages for all system-level activity. It’s a locally saved, read-only log:
Configure the generic log settings on the Administration - Log Settings page. This includes specifying:
• the minimum severity level logged
• whether time intervals or log size determine when a new log begins
• the maximum number of log files to keep, including the current log
• to what other remote servers to send logged events
For more information, see “Setting the Date and Time” on page 182.
Viewing a Log of All Alarms
The Administration - Alarm Log Viewer page displays all alarms—current and historical. It contains
timestamped messages each time an alarm is raised or cleared. It is a locally saved read-only log.
To access the alarm log, select Administration > Logging > Alarm Log Viewer.
Configure the generic log settings on the Administration - Log Settings page. This includes specifying:
• the minimum severity level logged
• whether time intervals or log size determine when a new log begins
• the maximum number of log files to keep, including the current log
• to what other remote servers to send logged events
For more information, see “Setting the Date and Time” on page 182.
Viewing the Audit Log
The Administration - Audit Log Viewer page lists all configuration changes (create, modify, delete) and
all system actions such as login/logout made by any users (Command Line Interface [CLI], Appliance
Manager, and/or Global Management System [GMS]).
[Figure callouts: fields of an audit log entry]
• username@IP (/gms of GMS user)
• create / modify / delete / action
• SYSTEM / INTERFACE / ALARM / CONFIG-DB
• Appliance Hostname
• succeeded / failed / requested
• Additional parameters (context dependent)
To access this page, select Administration > Logging > View Audit Log.
This log is only available to users with the Admin privilege level.
Managing Debug Files
This section describes how to manage the system files – log files, debug dump files, stat reports, and
tcpdump results. It also describes how to archive them by saving them to an SCP (Secure Copy) or FTP
(File Transfer Protocol) Server.

• Types of Debug Files
• Saving Files to a Remote Server
• Deleting Log Files
Types of Debug Files
The appliance automatically creates and stores a number of non-configuration data files as a result of
normal events, traffic monitoring, system crashes, and testing.
• The Appliance Manager’s Administration - Debug Files page lists these files and provides a way
  for you to save them to another location for storage or additional handling.
• With the exception of the [Log] files, you cannot view these files on the Appliance Manager.
• To free up memory in the appliance, you can delete the files.
Specifically, these five file types are as follows:
Log:
  The raw event log data, viewable on the Administration - Event Log Viewer page.
  This includes historical alarms, not current ones. To access this page, select
  Administration > Logging > Event Log Viewer.
  By default, a new file begins when the file reaches 50 MB. However, you can change
  the rotation criteria on the Administration - Log Settings page. To access this
  page, select Administration > Logging > Log Settings.
Debug Dump:
  Created as a result of any system failure.
  Can also be created on demand by clicking the Generate button next to the System
  & Debug Information File field.
  Transfer these files to Silver Peak’s Customer Support for evaluation.
Snapshot:
  Created as a result of any system failure.
  Contains the same information as Debug Dump, and then includes additional
  information needed by the engineering team.
  Transfer these files to Silver Peak’s Customer Support for evaluation.
TCP Dump Result:
  User-named data file generated by running tcpdump using the Command Line Interface
  (CLI).
  Transfer these files to Silver Peak’s Customer Support for evaluation.
Show Tech:
  Can also be created on demand by clicking the Generate button next to the Tech
  Support File field.
  Transfer these files to Silver Peak’s Customer Support for evaluation.
[Figure callouts: Administration - Debug Files page]
• Shows the data disk space used and available, in bytes and as a percentage.
• To save a file to the local disk or an SCP or FTP remote server, click on the filename itself.
• To manually generate the Debug Dump file.
• To generate the Show Tech file.
Log:
  As a new log file is created, the earlier files increment. For example, the file
  messages will eventually be renamed messages.3.gz.
Debug Dump:
  The file name format is
  tunbug-[Hostname][YYYYMMDD-HHMMSS].tgz
Snapshot:
  The file name format is
  [Hostname]-[sysd|statsd|soapd|snmpd|...][YYYYMMDD-HHMMSS].tar.gz
TCP Dump Result:
  User-named file generated by running tcpdump in the Command Line Interface (CLI).
Show Tech:
  Generated when you execute the Tech Support File. The file name format is
  [Hostname]-[YYYYMMDD-HHMMSS].txt.gz
Saving Files to a Remote Server
The Appliance Manager lets you copy non-configuration files from the appliance to a remote server.
When you click to select the method, you can only edit the required fields.
Click to return to the main Administration - Debug Files page
The fields and options have the following definitions:
Field or Option: Definition/Content
File Name: (A read-only field) The name of the file you’ve chosen to save.
Save to Server with:
  • Local File: For saving the software image file to your local PC.
  • SCP (Secure Copy): For saving the software image file to a remote Secure Copy server.
  • FTP (File Transfer Protocol): For saving the software image file to a remote File Transfer
    Protocol (FTP) server.
Remote Server Address: Use either the server IP address or the server name (if it’s mapped to a
  local host table or a DNS server).
Remote User Name: The name of the user that the server expects
Remote Password: The password of the user that the server expects
Remote Full Path / Remote Relative Path: The type of path requested depends on which method you
  choose:
  • If using the SCP server, enter the full path to the server.
  • (Optional) If using the FTP server, enter the relative path to the server.
Destination File Name: (Optional) If you want to rename the file, you can do so here.
Status: If the read-only value is Ready, you may proceed with transferring the file to a
  remote server.
Last Save Status: The status at the end of the previous save operation.
Transfer Start Time: What time the file transfer began
Transfer End Time: What time the file transfer ended
To save a log file to an SCP Server
1. Go to the Administration - Debug Files page.
2. In the File Management area, click the type of log you want to save: Log, Debug Dump, Snapshot,
   Stat Report, or TCP Dump Result.
3. In the table, click on the file name of the file you want to save.
   The Administration - Debug Files - Save File page appears.
4. Click SCP (Secure Copy).
5. Enter the data necessary to save the file to the SCP server.
   Here, we’ll use the example of saving the file, alerts, to the following location:
   scp <UserName>@170.2.2.65:/home/<UserName>/work/logs/alerts
   a. For the Remote Server Address field, enter either:
      • the server IP address, as in 170.2.2.65, or
      • the server name, if it’s mapped to a local host table or a DNS server
   b. Enter the Remote User Name and Remote Password for the Secure Copy (SCP) server.
   c. For the Remote Full Path field, enter the full path.
      A full pathname includes the drive (if required), starting or root directory, all attached
      subdirectories and ends with the file or object name. Begin the path with a forward slash (/).
   d. If you want to rename the file, enter the new file name in the Destination File Name field. If you
      leave the field blank, the Appliance Manager saves the file with its existing file name.
6. Click Save. The Appliance Manager displays the progress.
To save a log file to an FTP Server
1. Go to the Administration - Debug Files page.
2. In the File Management area, click the type of log you want to save: Log, Debug Dump, Snapshot,
   Stat Report, or TCP Dump Result.
3. In the table, click on the file name of the file you want to save. The Administration - File System Save File page appears.
4. Click FTP (File Transfer Protocol).
5. Enter the data necessary to save the file to the FTP server.
   Here, we’ll use the example of saving the file, alerts, to Andrew’s directories on an FTP server. In
   the process, we’ll rename the file to alerts_SP41-NX-8600.
   For FTP, no slash is necessary before or after the directory name.
   a. For the Remote Server Address field, enter either:
      • the server IP address, as in 170.2.2.65, or
      • the server name, if it’s mapped to a local host table or a DNS server
   b. Enter the Remote User Name and Remote Password for the FTP server.
   c. For the Remote Relative Path field, enter the relative path.
      A relative path is a path relative to the current working directory. Its first character can be
      anything but the pathname separator (here, a forward slash).
      For example, if the ftp login directory is /home/<UserName>/, then the relative path would
      begin at the next subdirectory, as in, work/logs. It is not necessary to begin or end the relative
      path with a forward slash (/).
   d. If you want to rename the file, enter the new file name in the Destination File Name field. If you
      leave the field blank, the Appliance Manager saves the file with its existing file name.
6. Click Save. The Appliance Manager displays the progress.
Deleting Log Files
All log files are removed the same way.
Click the unchecked box(es) to select the file(s) you want to delete, then click Remove Selected. The
Appliance Manager deletes the files from the appliance.
The appliance name and the Debug Dump file’s creation date are encoded in the file name. This folder
may contain different types of dump files, such as tunbug, statsdata, and sysdump. The
appliance creates some at regular intervals; others are user-initiated.
Support
The Administration - Support page lists the appliance-specific information you need when calling
Technical Support. It also tells you how to contact Support via web, e-mail, and phone.
CHAPTER 11
System Maintenance
This chapter describes how to perform various system maintenance tasks.
Note Although Disk Management is part of the Maintenance menu, the topic is covered in the
Silver Peak Field Replaceable Unit Guide.
In This Chapter

• Viewing System Information
• Upgrading the Appliance Manager Software
• Backing Up and Restoring the Appliance Configuration File
• Testing Network Connectivity
• Erasing Network Memory
• Restarting the Appliance
Viewing System Information
The Maintenance - System Information page displays system information specific to this appliance.
The Maintenance - System Information page summarizes the following information:
Field: Definition/Content
Hostname: The name assigned to the appliance when using the initial configuration wizard. To
  edit it later, you can use the Command Line Interface (CLI) and the hostname
  command. The hostname is limited to a maximum of 24 characters.
Appliance ID: A network-wide unique number between 1 and 65534, assigned automatically
  during initial configuration.
Model: The appliance’s model number. For example, NX-7600 or NX-5600.
System Status: The options are Normal and Bypass.
  • When the status is Normal, traffic goes through tunnels, as configured.
  • Bypass refers to hardware bypass. If there is a major problem with the appliance
    hardware, software, or power, all traffic goes through the appliance without any
    processing. Additionally, you can manually put the appliance into Bypass as an
    aid to troubleshooting.
Uptime: The time elapsed since the last reboot. For example, 3d 3h 28m 28s means
  “3 days, 3 hours, 28 minutes, and 28 seconds”.
Date/Time: The local date and time at the appliance’s location, specified by time zone.
Release: The currently running software version of the Appliance Manager.
Serial Number: The serial number of the appliance hardware.
Mode: Whether the appliance is configured for Bridge (in-line) or Router (out-of-path)
  mode.
Appliance IP: The IP address of this Silver Peak appliance
Disk Encryption: Yes means that Network Memory is encrypted; No means that it’s not. Selecting
  either enforces the choice from that moment until you change it, in which case you’d
  have some network memory encrypted and some not. Although we don’t
  recommend that you do this, the Appliance Manager manages both seamlessly.
Auto Tunnel: Whether or not the appliance is configured to create tunnels if there is network
  connectivity and active flows.
  The default is no.
Current Network Memory Media Type: This field only displays for virtual appliances.
Upgrading the Appliance Manager Software
This section consists of the following topics:

• Overview
• Installing a New Software Image into a Partition
• Installing the Software Image
• Switching to the Other Boot Partition
Overview
The Appliance Manager provides multiple options for managing appliance software. You can:
• Store two software images on the appliance
• Select which software version to run from the installed images
• Set up to switch to the other partition at the next reboot
• Install a software image from a local file, URL, Secure Copy (SCP) server, or File Transfer
  Protocol (FTP) server into the appliance’s inactive partition
• Choose to reboot and begin running a newly installed software image either immediately, or at
  the next reboot
When appliances within a network are operating at different software release levels, the higher numbered
software release determines interoperability. For more information, see “Tunnel Compatibility Mode”
on page 21, and check the Release Notes to verify software version compatibility.
[Figure callouts: Maintenance - Software Upgrade page]
• Reboots from the partition that has yes in the Next Boot column. For details, see “Switching to the
  Other Boot Partition” on page 215.
• When you select a file source, only the appropriate fields display.
• To execute the Install Options choice you made with the radio buttons.
• This section displays the download progress and results.
• Choose what, if anything, you want the Appliance Manager to do after installing the new software
  image into the inactive partition.
Note Software upgrade files end with .img or .zip.
Installing a New Software Image into a Partition
When you install a new software image, the Appliance Manager automatically downloads it into the
inactive partition. Depending on the option you choose, you can install the software image and:
• Store it there indefinitely
• Specify it as the image to use at the next reboot
• Reboot immediately to begin running the newly installed software.
Some physical appliance models (NX) enter a hardware bypass state when rebooting. This allows traffic
to pass, but without the benefits of compression, acceleration, or Network Memory™.
Virtual appliances, and the remaining physical appliances, do not process or pass traffic while rebooting.
Therefore, Silver Peak suggests that you perform upgrades when traffic volume is lower, preferably after
hours.
Tip Best practices recommend that before upgrading (or switching to the other partition), you
preserve a copy of the running configuration file by saving it to a server. For this, use the
Maintenance - Backup/Restore page.
Tip Best practices also recommend scheduling a maintenance window to best accommodate the
appliance reboot when installing an image.
CAUTION The database schema may change with software image upgrades. Because the
database is in the same partition as its associated software version, going “backwards” is not an
issue. However, be aware that configuration changes made since you last ran the earlier version
will be lost. To verify the feasibility, consult first with Silver Peak Customer Support.
Installing the Software Image
You can install the software image from any of four locations: your computer hard drive, a URL, an SCP
server, or an FTP server.

To install the software image
1. On the Maintenance - Software Upgrade page, select one of the following from the Install Options:
   • Install – to install the image into the inactive partition
   • Install and set next boot partition – to install the image into the inactive partition and designate
     it as the partition to be used during the next boot
   • Install and Reboot – to install the image into the inactive partition, switch to that partition, and
     then reboot to begin running it immediately. While the Silver Peak appliance reboots, it goes
     into the hardware bypass state, allowing all traffic to pass through the appliance without
     intervention. Once the reboot is complete, the appliance comes out of the hardware bypass state
     and requires you to log in again.
2. Select the software image’s location. Choices include Local File, URL, SCP (Secure Copy), and FTP
   (File Transfer Protocol).
   Your selection determines what fields display in the Install Image area:
   • For Local File, browse the hard drive to locate the file.
   • For URL, enter the image file’s URL after http://, ending with the filename.
   • For SCP (Secure Copy), enter the data necessary to download the file from the SCP server.
     In this example, we’ll download the file, image-6.2.5.0_51902.img from the location,
     scp <UserName>@10.10.10.11:/home/<UserName>/SWimages/image-6.2.5.0_51902.img.
     The full pathname includes the drive (if required), starting or root directory, and all relevant
     subdirectories.
   • For FTP (File Transfer Protocol), enter the data necessary to download the file from the FTP
     server.
     The relative path is a path relative to the current working directory. For example, if the ftp login
     directory is /home/<UserName>/, then the relative path would begin at the next subdirectory,
     as in, /SWimages.
3. Click Install. The browser reports your progress during download and installation.
Switching to the Other Boot Partition
You can specify that you want to switch to the other, inactive partition for the next reboot:

• To select the partition now, for a later reboot, click Switch Boot Partition. The inactive image’s Next
  Boot value changes from no to yes.
• To select the partition now and reboot immediately, click Reboot.
In this example, the user clicked Switch Boot Partition. As a result,
Partition 1, which is not currently active, has yes in the Next Boot column.
Backing Up and Restoring the Appliance Configuration File
This section consists of the following topics:

• Viewing the Appliance Configuration File
• Saving the Appliance Configuration File
• Restoring the Appliance Configuration File
To protect the Appliance Manager database against loss or corruption, you can store a backup of the
configuration database file, either locally on the appliance or on a local hard drive, an SCP (Secure Copy)
server, or an FTP (File Transfer Protocol) server.
You can also restore or load a configuration database file from a local disk, SCP server, FTP server, or
web-based location (URL).
[Figure callouts: Maintenance - Backup/Restore page]
• Lists all the appliance’s configuration files. To view the contents of a configuration file, click
  its name and a separate window opens.
• For managing the running configuration file, that is, an active file with unsaved changes.
• For copying a saved configuration file (active or inactive) to/from an external location.
Viewing the Appliance Configuration File
[Figure callouts: viewing a configuration file]
• Indicates unsaved changes in the configuration file.
• To view, click the file name. The contents open in a separate window.
• The content display does not change after you open the file.
• Browser’s menu...
IMPORTANT: You can only save this text file to your computer’s local hard disk.
To apply this configuration to another appliance, you must first open an SSH shell to the target
appliance and then copy and paste these configuration commands into the shell.
Saving the Appliance Configuration File
The Appliance Manager supports saving a configuration file to three external destinations — a local disk,
an SCP server, or an FTP server.

To save the configuration file to an external location
1. On the Maintenance - Backup/Restore page, click [Save Configuration] and select the file you want
   to back up.
2. Select the backup file’s destination. Choices include Local File, SCP (Secure Copy), and FTP (File
   Transfer Protocol).
   Your selection determines what fields display below the chosen file.
   • For Local File, click Save.
     Your browser determines the file’s default destination.
   • For SCP (Secure Copy), enter the data necessary to save the file to the SCP server.
     In this example, we’ll save the file, initial, to the location,
     scp <UserName>@180.6.7.243:/home/<UserName>/work/image/initial
     Initial slashes (/) are required for the full path. End slashes are not.
     You can save the file to a new filename.
     The full pathname includes the drive (if required), starting or root directory, and all relevant
     subdirectories.
   • For FTP (File Transfer Protocol), enter the data necessary to save the file to the FTP server.
     No slash is necessary before the directory name.
     You can save with either the existing, or a new, destination file name.
     A relative path is a path relative to the current working directory. For example, if the ftp login
     directory is /home/<UserName>/, then the relative path would begin at the next subdirectory,
     as in, work/image/. The end slash isn’t required, but is accepted.
3. Click Save. The Appliance Manager displays the progress.
Restoring the Appliance Configuration File
The Appliance Manager supports restoring a configuration file from four sources external to the
appliance.

To restore the configuration file from an external location
1. On the Maintenance - Backup/Restore page, click [Load Configuration] and select the file you want
   to restore to the appliance.
2. Select the backup file’s destination. Choices include Local File, URL, SCP (Secure Copy), and FTP
   (File Transfer Protocol).
   Your selection determines what fields display below the chosen file.
   • For Local File, browse the hard drive to locate the file.
     If you want the file you’re downloading to the appliance to have a new name, enter it here.
   • For URL, enter the image file’s URL after http://, ending with the filename.
   • For SCP (Secure Copy), enter the data necessary to download the file from the SCP server to
     the appliance.
     Here, we’ll use the example of renaming and restoring the file, testfile, from the following
     location:
     scp <UserName>@180.6.7.243:/home/<UserName>/work/configfiles/testfile
     Initial slashes (/) are required for the full path. End slashes are not.
     You can rename the file when you retrieve it.
     The full pathname includes the drive (if required), starting or root directory, and all relevant
     subdirectories.
   • For FTP (File Transfer Protocol), enter the data necessary to restore the file from the FTP server.
     Here, we’ll use the example of loading the file, testfile, from Roger’s directory on an FTP
     server. In the process, we’ll rename it to newfilename.
     No slash is necessary before the directory name.
     You can rename the file when you retrieve it.
     A relative path is a path relative to the current working directory. It begins without a forward
     slash.
     For example, if the ftp login directory is /home/<UserName>/, then the relative path would
     begin at the next subdirectory, as in, work/configfiles/. The end slash isn’t required, but is
     accepted.
3. Click Load. The Appliance Manager displays the progress.
Testing Network Connectivity
The Appliance Manager enables you to test network connectivity, using three commands: ping,
traceroute, and tcpdump.

• There can only be one connectivity test session per appliance at any time, regardless of which command you’re using.
• Click Stop to terminate a test.
• If you log in to an appliance while a testing session is in progress, only the Abort button is accessible. Otherwise, that button is not visible.

To run a Network Connectivity test
1  From the Maintenance menu, select ping/traceroute/tcpdump.
   The Maintenance - ping/traceroute/tcpdump page appears.
   • The ping and traceroute tests provide an IP/Hostname field.
   • The tcpdump test displays a File Name field instead, and automatically enters a name in the format, tcpdump_<hostname>. After running a tcpdump test, you can locate the captured results on the Administration - Debug Files page, via the TCP Dump Result link. You can download the resulting file to your PC for viewing and analyzing via Wireshark® or Ethereal®.
   When a test begins, Start changes to Stop. Use as needed.
   After a test has begun, this area displays its status and start/end times.
   To view the arguments that the selected command can take
   Abort allows a user with admin privileges to terminate another user’s connectivity test session. It’s available whenever there’s a session in progress.
2  Complete the fields as follows:
   a  From the Type field, click to select the test you want.
   b  If the IP / Hostname field is present, enter the IP address or hostname of the destination device.
      If the File Name field displays, its field is populated by a default name.
   c  In the Option field, enter the command option you want. For example, for ping, you could enter -c 3 to stop after sending three ECHO_REQUEST packets. For available arguments, click Help.
   Options for each command are listed after these steps.
3  Click Start. The Network Connectivity Result area displays intermediate results every few seconds.
   To stop the test and see the complete results, click Stop. For example:
   ping
   traceroute
   tcpdump
   The Option field populates with -n by default. This flag results in tcpdump not trying to resolve IP addresses, so that the process doesn’t try to perform a DNS lookup on every new IP address it encounters.
   Access this file on the Administration - Debug Files page, under the TCP Dump Result link.
Using ping
Use the ping command to send Internet Control Message Protocol (ICMP) echo requests to a specified
host.
By default, the ping command uses the mgmt0 interface. If you want to ping out of datapath interfaces,
use the -I option with the local appliance IP address. For example:
ping -I <local appliance IP> — sends the ping out a datapath interface
The following ping options are supported:
Option
Explanation
-A
Adaptive ping. Interpacket interval adapts to round-trip time, so that effectively no more than one
(or more, if preload is set) unanswered probe is present in the network. Minimal interval is 200 msec
if not super-user. On networks with low rtt this mode is essentially equivalent to flood mode.
-b
Allow pinging a broadcast address.
-B
Do not allow ping to change source address of probes. The address is bound to one selected when
ping starts.
-c
count: Stop after sending count ECHO_REQUEST packets. With deadline option, ping waits for
count ECHO_REPLY packets, until the timeout expires.
-d
Set the SO_DEBUG option on the socket being used. Essentially, this socket option is not used by
the Linux kernel.
-F
flow label: Allocate and set 20 bit flow label on echo request packets. (Only ping6). If value is zero,
kernel allocates random flow label.
-i
interval: Wait interval seconds between sending each packet. The default is to wait for one second
between each packet normally, or not to wait in flood mode. Only super-user may set interval to
values less than 0.2 seconds.
-I
interface address: Set source address to specified interface address. Argument may be numeric IP
address or name of device. When pinging IPv6 link-local address this option is required.
-l
preload: If preload is specified, ping sends that many packets not waiting for reply. Only the
super-user may select preload more than 3.
-L
Suppress loopback of multicast packets. This flag only applies if the ping destination is a multicast
address.
-M
MTU discovery hint: Select Path MTU Discovery strategy. hint may be either do (prohibit
fragmentation, even local one), want (do PMTU discovery, fragment locally when packet size is
large), or dont (do not set DF flag).
-n
Numeric output only. No attempt will be made to lookup symbolic names for host addresses.
-p
pattern: You may specify up to 16 “pad” bytes to fill out the packet you send. This is useful for
diagnosing data-dependent problems in a network. For example, -p ff will cause the sent packet to
be filled with all ones.
-Q
tos: Set Quality of Service -related bits in ICMP datagrams. tos can be either decimal or hex number.
Traditionally (RFC1349), these have been interpreted as: 0 for reserved (currently being redefined
as congestion control), 1-4 for Type of Service and 5-7 for Precedence.
Possible settings for Type of Service are: minimal cost: 0x02, reliability: 0x04, throughput: 0x08,
low delay: 0x10.
Multiple TOS bits should not be set simultaneously.
Possible settings for special Precedence range from priority (0x20) to net control (0xe0). You must
be root (CAP_NET_ADMIN capability) to use Critical or higher precedence value. You cannot set
bit 0x01 (reserved) unless ECN has been enabled in the kernel.
In RFC2474, these fields have been redefined as 8-bit Differentiated Services (DS), consisting of:
bits 0-1 of separate data (ECN will be used, here), and bits 2-7 of Differentiated Services Codepoint
(DSCP).
-q
Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
-R
Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and
displays the route buffer on returned packets. Note that the IP header is only large enough for nine
such routes. Many hosts ignore or discard this option.
-r
Bypass the normal routing tables and send directly to a host on an attached interface. If the host is
not on a directly attached network, an error is returned. This option can be used to ping a local host
through an interface that has no route through it provided the option -I is also used.
-s
packetsize: Specifies the number of data bytes to be sent. The default is 56, which translates into 64
ICMP data bytes when combined with the 8 bytes of ICMP header data.
-S
sndbuf: Set socket sndbuf. If not specified, it is selected to buffer not more than one packet.
-t ttl
Set the IP Time to Live.
-T
timestamp option: Set special IP timestamp options. timestamp option may be either tsonly (only
timestamps), tsandaddr (timestamps and addresses) or tsprespec host1 [host2 [host3 [host4]]]
(timestamp prespecified hops).
-U
Print full user-to-user latency (the old behavior). Normally ping prints network round trip time,
which can be different, for example due to DNS failures.
-v
Verbose output.
-V
Show version and exit.
-w
deadline: Specify a timeout, in seconds, before ping exits regardless of how many packets have
been sent or received. In this case ping does not stop after count packets are sent; it waits either for
the deadline to expire, until count probes are answered, or for some error notification from the network.
When you click the Help button, the following displays in the Network Connectivity Result area.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
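The -Q description gives two readings of the same byte (RFC1349 precedence and Type of Service bits, RFC2474 DSCP and ECN) plus three rules on what may be set. The following Python code is an added example, not part of the guide or of ping; it vets a value before it is typed into the Option field. The function names are illustrative, and the precedence names other than priority, Critical and net control are taken from RFC 791.

```python
"""Vet a candidate value for ping -Q using the rules in the -Q description."""

# Type of Service bits (RFC1349 view), values as listed in the -Q description.
TOS_BITS = {0x02: "minimal cost", 0x04: "reliability",
            0x08: "throughput", 0x10: "low delay"}
# Precedence names indexed by the top three bits (names from RFC 791).
PRECEDENCE = ["routine", "priority", "immediate", "flash", "flash override",
              "critical", "internetwork control", "net control"]
CRITICAL = 5  # 0xa0 >> 5: first precedence that needs root (CAP_NET_ADMIN)


def parse_tos(text):
    """Accept the value as a decimal or hex string, as -Q does."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 0xFF:
        raise ValueError("TOS must fit in one byte: %r" % text)
    return value


def vet_tos(text, is_root=False, ecn_enabled=False):
    """Decode the byte both ways and list every rule the value breaks."""
    value = parse_tos(text)
    prec = value >> 5                      # bits 5-7
    tos = value & 0x1E                     # bits 1-4
    set_bits = [name for bit, name in TOS_BITS.items() if tos & bit]

    problems = []
    if len(set_bits) > 1:
        problems.append("multiple TOS bits set: " + ", ".join(set_bits))
    if prec >= CRITICAL and not is_root:
        problems.append("precedence %s needs root (CAP_NET_ADMIN)"
                        % PRECEDENCE[prec])
    if value & 0x01 and not ecn_enabled:
        problems.append("reserved bit 0x01 set without ECN enabled")

    return {
        "value": value,
        "rfc1349": {"precedence": PRECEDENCE[prec], "tos": set_bits},
        "rfc2474": {"dscp": value >> 2, "ecn": value & 0x03},
        "problems": problems,
    }


if __name__ == "__main__":
    # 0x10 is plain "low delay"; 0xb8 is DSCP 46, which the RFC1349 rules
    # read as Critical precedence with two TOS bits; 0x21 sets the reserved bit.
    for candidate in ("0x10", "0xb8", "0x21"):
        print(candidate, vet_tos(candidate))
```

A value chosen from a DSCP table can therefore break the RFC1349 rules quoted above even though it is a normal DSCP marking, which is worth knowing before a test fails with a permission error.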
Using traceroute
Use the traceroute command to trace the route that packets take to a destination.
The following traceroute options are supported:
Option
Explanation
-d
Enable socket level debugging.
-f
Set the initial time-to-live used in the first outgoing probe packet.
-F
Set the “don’t fragment” bit.
-g
Specify a loose source route gateway (8 maximum).
-i
Specify a network interface to obtain the source IP address for outgoing probe packets. This is
normally only useful on a multi-homed host. (See the -s flag for another way to do this.)
-I
Use ICMP ECHO instead of UDP datagrams.
-m
Set the max time-to-live (max number of hops) used in outgoing probe packets. The default is 30
hops (the same default used for TCP connections).
-n
Print hop addresses numerically rather than symbolically and numerically (saves a nameserver
address-to-name lookup for each gateway found on the path).
-p
Set the base UDP port number used in probes (default is 33434). Traceroute hopes that nothing is
listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP
PORT_UNREACHABLE message will be returned to terminate the route tracing). If something is
listening on a port in the default range, this option can be used to pick an unused port range.
-q
nqueries
-r
Bypass the normal routing tables and send directly to a host on an attached network. If the host is
not on a directly-attached network, an error is returned. This option can be used to ping a local host
through an interface that has no route through it (for example, after the interface was dropped by
routed (8C)).
-s
Use the following IP address (which usually is given as an IP number, not a hostname) as the source
address in outgoing probe packets. On multi-homed hosts (those with more than one IP address),
this option can be used to force the source address to be something other than the IP address of the
interface the probe packet is sent on. If the IP address is not one of this machine’s interface
addresses, an error is returned and nothing is sent. (See the -i flag for another way to do this.)
-t
Set the type-of-service in probe packets to the following value (default zero). The value must be a
decimal integer in the range 0 to 255. This option can be used to see if different types-of-service
result in different paths. (If you are not running 4.4bsd, this may be academic since the normal
network services like telnet and ftp don’t let you control the TOS). Not all values of TOS are legal
or meaningful - see the IP spec for definitions. Useful values are probably “-t 16” (low delay) and
“-t 8” (high throughput). If TOS value is changed by intermediate routers, (TOS=<value>!) will be
printed once: value is the decimal value of the changed TOS byte.
-v
Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs
are listed.
-w
Set the time (in seconds) to wait for a response to a probe (default 5 sec.).
-x
Toggle ip checksums. Normally, this prevents traceroute from calculating ip checksums. In some
cases, the operating system can overwrite parts of the outgoing packet but not recalculate the
checksum (so in some cases the default is to not calculate checksums and using -x causes them to
be calculated). Note that checksums are usually required for the last hop when using ICMP ECHO
probes (-I). So they are always calculated when using ICMP.
-z
Set the time (in milliseconds) to pause between probes (default 0). Some systems such as Solaris and
routers such as Ciscos rate limit icmp messages. A good value to use with this is 500 (e.g. 1/2
second).
Using tcpdump
Use the tcpdump command to display packets on a network.
For example, to capture 100 packets on the wan0 interface, use the command, -n -i wan0 -c 100.
The following tcpdump options are supported:
Option
Explanation
-A
Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
-c
Exit after receiving count packets.
-C
Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and,
if so, close the current savefile and open a new one. Savefiles after the first savefile will have the
name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The
units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-d
Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd
Dump packet-matching code as a C program fragment.
-ddd
Dump packet-matching code as decimal numbers (preceded with a count).
-D
Print the list of the network interfaces available on the system and on which tcpdump can capture
packets. For each network interface, a number and an interface name, possibly followed by a text
description of the interface, is printed. The interface name or the number can be supplied to the -i
flag to specify an interface on which to capture.
This can be useful on systems that don’t have a command to list them (e.g., Windows systems, or
UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems,
where the interface name is a somewhat complex string.
The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks
the pcap_findalldevs() function.
-e
Print the link-level header on each dump line.
-E
Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain
Security Parameter Index value spi. This combination may be repeated with comma or newline
separation.
Note that setting the secret for IPv4 ESP packets is supported at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is
des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography
enabled.
secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.
The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes,
and the use of this option with a true ‘secret’ key is discouraged. By presenting IPsec secret key onto
command line you make it visible to others, via ps(1) and other occasions.
In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided
file in. The file is opened upon receiving the first ESP packet, so any special permissions that
tcpdump may have been given should already have been given up.
-f
Print ‘foreign’ IPv4 addresses numerically rather than symbolically (this option is intended to get
around serious brain damage in Sun’s NIS server - usually it hangs forever translating non-local
internet numbers).
The test for ‘foreign’ IPv4 addresses is done using the IPv4 address and netmask of the interface on
which capture is being done. If that address or netmask are not available either because the interface
on which capture is being done has no address or netmask or because the capture is being done on
the Linux “any” interface, which can capture on more than one interface, this option will not work
correctly.
-F
Use file as input for the filter expression. An additional expression given on the command line is
ignored.
-i
Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest
numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest
match.
On Linux systems with 2.2 or later kernels, an interface argument of “any” can be used to capture
packets from all interfaces. Note that captures on the “any” device will not be done in promiscuous
mode.
If the -D flag is supported, an interface number as printed by that flag can be used as the interface
argument.
-l
Make stdout line buffered. Useful if you want to see the data while capturing it. For example,
tcpdump -l | tee dat or tcpdump -l > dat & tail -f dat
-L
List the known data link types for the interface and exit.
-m
Load SMI MIB module definitions from file module. This option can be used several times to load
several MIB modules into tcpdump.
-M
Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5
option (RFC 2385), if present.
-n
Don’t convert host addresses to names. This can be used to avoid DNS lookups.
-nn
Don’t convert protocol and port numbers etc. to names either.
-N
Don’t print domain name qualification of host names. For example, if you give this flag then
tcpdump will print nic instead of nic.ddn.mil.
-O
Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the
optimizer.
-p
Don’t put the interface into promiscuous mode. Note that the interface might be in promiscuous
mode for some other reason; hence, -p cannot be used as an abbreviation for ‘ether host
{local-hw-addr} or ether broadcast’.
-q
Quick output. Print less protocol information so output lines are shorter.
-R
Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829). If specified,
tcpdump will not print replay prevention field. Since there is no protocol version field in ESP/AH
specification, tcpdump cannot deduce the version of ESP/AH protocol.
-r
Read packets from file (which was created with the -w option). Standard input is used if file is “-”.
-S
Print absolute, rather than relative, TCP sequence numbers.
-s
Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS’s NIT, the
minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol
information from name server and NFS packets. Packets truncated because of a limited snapshot are
indicated in the output with [|proto], where proto is the name of the protocol level at which the
truncation has occurred.
Note that taking larger snapshots both increases the amount of time it takes to process packets and,
effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should
limit snaplen to the smallest number that will capture the protocol information you’re interested in.
Setting snaplen to 0 means use the required length to catch whole packets.
-t
Don’t print a timestamp on each dump line.
-tt
Print an unformatted timestamp on each dump line.
-ttt
Print a delta (in micro-seconds) between current and previous line on each dump line.
-tttt
Print a timestamp in default format preceded by date on each dump line.
-T
Force packets selected by “expression” to be interpreted as the specified type. Currently known types
are:
aodv   Ad-hoc On-demand Distance Vector protocol
cnfp   Cisco NetFlow protocol
rpc    Remote Procedure Call
rtp    Real-Time Applications protocol
rtcp   Real-Time Applications control protocol
snmp   Simple Network Management Protocol
tftp   Trivial File Transfer Protocol
vat    Visual Audio Tool
wb     distributed White Board
-u
Print undecoded NFS handles.
-U
Make output saved via the -w option “packet-buffered”; that is, as each packet is saved, it will be
written to the output file, rather than being written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks
the pcap_dump_flush() function.
-v
When parsing and printing, produce (slightly more) verbose output. For example, the time to live,
identification, total length and options in an IP packet are printed. Also enables additional packet
integrity checks such as verifying the IP and ICMP header checksum.
When writing to a file with the -w option, report, every 10 seconds, the number of packets captured.
-vv
Even more verbose output. For example, additional fields are printed from NFS reply packets, and
SMB packets are fully decoded.
-vvv
Even more verbose output. For example, telnet SB... SE options are printed in full. With -X Telnet
options are printed in hex as well.
-w
Write the raw packets to file rather than parsing and printing them out. They can later be printed with
the -r option. Standard output is used if file is “-”.
-W
Used in conjunction with the -C option, this will limit the number of files created to the specified
number, and begin overwriting files from the beginning, thus creating a ‘rotating’ buffer. In
addition, it will name the files with enough leading 0s to support the maximum number of files,
allowing them to sort correctly.
-x
Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen
bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g.
Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the
required padding.
-xx
Print each packet, including its link level header, in hex.
-X
Print each packet (minus its link level header) in hex and ASCII. This is very handy for analyzing
new protocols.
-XX
Print each packet, including its link level header, in hex and ASCII.
-y
Set the data link type to use while capturing packets to datalinktype.
-Z
Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.
This behavior can also be enabled by default at compile time.
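The -E description warns that a secret given on the command line is visible through ps(1), and -M takes its shared secret as an argument in the same way. The following Python code is an added example, not part of the guide or of tcpdump: it reads NUL-separated /proc/<pid>/cmdline data and reports tcpdump processes that carry an inline -E or -M secret, redacting the secret in the report. The sample command lines, the key file path and all function names are constructed for illustration.

```python
"""Report tcpdump processes whose argv exposes an ESP (-E) or TCP-MD5 (-M) secret."""
import os
import re

# tcpdump short options that consume an argument (from the option table above).
TAKES_ARG = set("cCEFimMrsTwWyZ")
# One -E entry has the form: spi@ipaddr algo:secret
ESP_ENTRY = re.compile(
    r"^\s*(?P<spi>[^@\s]+)@(?P<addr>\S+)\s+(?P<algo>[^:\s]+):(?P<secret>.+?)\s*$")


def split_cmdline(raw):
    """/proc/<pid>/cmdline is NUL-separated, so argv boundaries survive."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def option_values(argv):
    """Yield (flag, value) for short options that take an argument,
    handling clustered (-nE value) and attached (-Evalue) forms."""
    i = 1
    while i < len(argv):
        word = argv[i]
        i += 1
        if word == "--":
            return
        if len(word) < 2 or not word.startswith("-") or word.startswith("--"):
            continue  # filter-expression word or long option
        for pos, flag in enumerate(word[1:], start=1):
            if flag not in TAKES_ARG:
                continue
            if word[pos + 1:]:
                yield flag, word[pos + 1:]
            elif i < len(argv):
                yield flag, argv[i]
                i += 1
            break


def findings_for(pid, argv):
    """Return one finding per exposed secret; the secret itself is never echoed."""
    if not argv or os.path.basename(argv[0]) != "tcpdump":
        return []
    out = []
    for flag, value in option_values(argv):
        if flag == "M":
            out.append({"pid": pid, "flag": "-M", "shown": "<redacted>"})
        elif flag == "E" and not value.startswith("file "):
            # "file name" syntax keeps the key out of argv; anything else is inline.
            for entry in re.split(r"[,\n]", value):
                m = ESP_ENTRY.match(entry)
                if m:
                    shown = f"{m['spi']}@{m['addr']} {m['algo']}:<redacted>"
                    out.append({"pid": pid, "flag": "-E", "shown": shown})
    return out


def scan(cmdlines):
    """cmdlines maps pid -> raw bytes as read from /proc/<pid>/cmdline."""
    results = []
    for pid, raw in sorted(cmdlines.items()):
        results.extend(findings_for(pid, split_cmdline(raw)))
    return results


def read_proc():
    """Collect command lines from a live Linux /proc."""
    found = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/cmdline", "rb") as fh:
                    found[int(name)] = fh.read()
            except OSError:
                continue  # process exited or access denied
    return found


def cmdline(*argv):
    """Build a constructed /proc-style command line for the samples below."""
    return b"\0".join(a.encode() for a in argv) + b"\0"


# Constructed sample data; addresses, keys and the key file path are made up.
SAMPLE = {
    101: cmdline("/usr/sbin/tcpdump", "-n", "-i", "wan0", "-c", "100"),
    102: cmdline("tcpdump", "-nE",
                 "0x1000@192.0.2.10 3des-cbc:0x0123456789abcdef", "esp"),
    103: cmdline("tcpdump", "-i", "wan0", "-E", "file /etc/esp.keys"),
    104: cmdline("tcpdump", "-n", "-M", "s3cr3t-constructed", "tcp", "port", "179"),
    105: cmdline("ping", "-c", "3", "-M", "do", "198.51.100.7"),
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

On a Linux host, scan(read_proc()) runs the same check against live processes; the -E "file name" form in sample 103 is the one the check accepts.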
To retrieve tcpdump results
1  From the Administration menu, select Debug Files. The Administration - Debug Files page appears.
2  In the File Management area, click TCP Dump Result. Any saved tcpdump files display.
3  To access the tcpdump file, click on its name link. The Administration - Debug Files - Save File page appears.
4  Select whether you want to save the file to your PC, an SCP server, or an FTP server, and click Save.
5  Complete the fields for the method you’ve chosen.
Erasing Network Memory
The Maintenance - Erase Network Memory page is useful in lab and evaluation environments, when you
need first-pass numbers to establish a baseline before Network Memory is applied.
You can use this page to clear Network Memory, without having to reboot.
For this to succeed, erase Network Memory from the appliances at each end of the tunnel.
Restarting the Appliance
This section describes the types of reboots available for restarting the appliance, the possible reasons for
choosing a particular method, and the consequences of each.
Some physical appliance models (NX) enter a hardware bypass state when rebooting. This allows traffic
to pass, but without the benefits of compression, acceleration, or Network Memory™.
Virtual appliances, and the remaining physical appliances, do not process or pass traffic while rebooting.
Restart Type: Reboot
What it does: Reboots the appliance gracefully. This is your typical, “vanilla” restart.
You might need to use it if:
• You’re changing the deployment mode and other configuration parameters that require a reboot.

Restart Type: Reboot Clean
What it does: Reboots the appliance and cleans out the Network Memory™.
You might need to use it if:
• You need to restart the appliance with clean Network Memory™ data.

Restart Type: Shutdown
What it does: Shuts down the appliance and turns the power off. To restart, you’ll need to go to the appliance and physically turn the power on with the power switch.
You might need to use it if:
• You’re decommissioning the appliance.
• You need to physically move the appliance to another location.
• You need to recable the appliance for another type of deployment.

To restart the appliance
1  From the Maintenance menu, select Restart System.
2  Click the type of reboot you want. The appliance asks you to confirm your decision.
3  Click Yes. The appliance reboots.
CHAPTER 12
Monitoring Alarms
This chapter describes alarm categories and definitions. It also describes how to view and handle alarm
notifications.
In This Chapter
• Understanding Alarms
• Types of Alarms
Understanding Alarms
This section defines the four alarm severity categories and lists all Silver Peak appliance alarms.
The Alarms - Current Alarms page lists alarm conditions on the appliance. Each entry represents one
current condition that may require human intervention. Because alarms are conditions, they may come
and go without management involvement.
Whereas merely acknowledging most alarms does not clear them, some alarm conditions are set up to
be self-clearing when you acknowledge them. For example, if you remove a hard disk drive, it generates
an alarm; once you’ve replaced it and it has finished rebuilding itself, the alarm clears.
Categories of Alarms
The Appliance Manager categorizes alarms at four preconfigured severity levels: Critical, Major,
Minor, and Warning.
• Critical and Major alarms are both service-affecting. Critical alarms require immediate attention, and reflect conditions that affect an appliance or the loss of a broad category of service.
• Major alarms, while also service-affecting, are less severe than Critical alarms. They reflect conditions which should be addressed in the next 24 hours. An example would be an unexpected traffic class error.
• Minor alarms are not service-affecting, and you can address them at your convenience. An example of a minor alarm would be a user not having changed their account’s default password, or a degraded disk.
• Warnings are also not service-affecting, and warn you of conditions that may become problems over time. For example, a software version mismatch.
Types of Alarms
The appliance can raise alarms based on issues with tunnels, software, equipment, and Threshold
Crossing Alerts (TCAs). The latter are visible on the appliance but managed by the GMS (Global
Management System).
Although Appliance Manager doesn’t display Alarm Type ID (Hex) codes, the data is available for
applications that can do their own filtering, such as SNMP.
Table 12-1 Silver Peak Appliance Alarms

Subsystem | Alarm Type ID (Hex) | Alarm Severity | Alarm Text

Tunnel | 00010003 | CRITICAL | Tunnel keepalive version mismatch
  RESOLUTION: Tunnel peers are running incompatible software versions.
  • Normal during a software upgrade.
  • Run the same or compatible software releases among the tunnel peers.

Tunnel | 00010001 | CRITICAL | Tunnel state is Down
  RESOLUTION: Cannot reach tunnel peer.
  • Check tunnel configuration [Admin state, Source IP/Dest IP, IPsec]
  • Check network connectivity.

Tunnel | 00010009 | CRITICAL | An unexpected GRE packet was detected from tunnel peer.
  RESOLUTION: Check for tunnel encapsulation mismatch.

Tunnel | 00010007 | MAJOR | Duplicate license detected in peer (only applies to virtual appliance)
  RESOLUTION: Install unique license on all virtual appliances. To check and/or change license:
  • In GMS: Initial Configuration page at Configuration > System (Single Appliance)
  • In WebUI: Configuration - System page

Tunnel | 00010000 | MAJOR | Tunnel remote ID is misconfigured
  RESOLUTION: System ID is not unique.
  • Virtual Appliance: Was the same license key used?
  • Physical Appliance: Change System ID in the rare case of a duplicate ID (CLI command: system id < >)

Tunnel | 0001000a | MAJOR | Software version mismatch between peers results in reduced functionality.
  RESOLUTION: Upgrade all connected appliances for full optimization.

Tunnel | 00010005 | MINOR | Tunnel software version mismatch
  RESOLUTION: Tunnels are not running the same release of software. They will function, but with reduced functionality.
  • Normal during an upgrade.
  • Run the same software version to eliminate the alarm and fully optimize.

Software | 00040003 | CRITICAL | The licensing for this virtual appliance has expired. [For VX series only]a
  RESOLUTION: Enter a new license.

Software | 00040004 | CRITICAL | There is no license installed on this virtual appliance. [For VX series only]a
  RESOLUTION: Enter a valid license.

Software | 0004000c | CRITICAL | Invalid virtual appliance license.
  RESOLUTION: Enter a new license key on the <System Page> to proceed.

Software | 0004000a | MAJOR | Virtual appliance license expires on mm/dd/yyy. [15-day warning]
  RESOLUTION: Enter a new license key on the <System Page> to avoid loss of optimization or potential traffic disruption.

Software | 00040005 | MAJOR | A disk self-test has been run on the appliance.
  RESOLUTION: Reboot the appliance. Traffic will not be optimized until this is performed.

Software | 00040002 | MAJOR | Significant change in time of day has occurred, and might compromise statistics. Please contact TAC.
  RESOLUTION: Appliance statistics could be missing for a substantial period of time. Contact Customer Service.

Software | 00040001 | MAJOR | System is low on resources
  RESOLUTION: Contact Customer Service.

Software | 0004000d | MAJOR | Dual wan-next-hop topology is no longer supported.
  RESOLUTION: Create an additional bridge and use previous second WAN next-hop as its WAN next-hop.
  NOTE: Second Silver Peak requires another IP address that is in the same network as the first bridge.

Software | 00040010 | MAJOR | Major inconsistency among tunnel traffic class settings found during upgrade.
  RESOLUTION: New QoS traffic class/Queue configuration has changed from a tunnel-based QoS system to one based on the system/WAN interface. Automatic mapping of existing tunnel traffic class configuration to new QoS Shaper traffic has failed. Check QoS Shaper configuration and adjust Traffic Class settings as necessary.

Software | 00040011 | MAJOR | Tunnel IP header disable setting was discarded during upgrade.
  RESOLUTION: IP Header configuration has moved from tunnel context to the Optimization Policy. Use Optimization Policy to disable IP Header compression.

Software | 0004000b | WARNING | Virtual appliance license expires on mm/dd/yyy. [45-day warning]
  RESOLUTION: Enter a new license key on the <System Page> to avoid loss of optimization or potential traffic disruption.
00040007
WARNING
The SSL certificate is not yet valid.
RESOLUTION: The SSL certificate has a future start date. It will
correct itself when the future date becomes current. Otherwise,
install a certificate that is current.
00040008
WARNING
The SSL certificate has expired.
RESOLUTION: Reinstall a valid SSL certificate that is current.
00040009
WARNING
The NTP server is unreachable.
RESOLUTION: Check the appliance’s NTP server IP and
version configuration:
• Can the appliance reach the NTP server?
• Is UDP port 123 open between the appliance’s mgmt0 IP and
the NTP server?
00040006
WARNING
The SSL private key is invalid.
RESOLUTION: The key is not an RSA standard key that meets
the minimum requirement of 1024 bits. Regenerate a key that
meets this minimum requirement.
0004000e
WARNING
Setting default system next-hop to VLAN next-hop no longer
necessary.
RESOLUTION: No action required. Current system is capable
of using multiple WAN next-hops. It routes tunnel traffic to
tunnel’s source IP interface’s WAN next-hop.
0004000f
WARNING
Minor inconsistency among tunnel traffic class settings found
during upgrade.
RESOLUTION: New QoS traffic class/Queue configuration has
changed from a tunnel-based QoS system to one based on the
system/WAN interface. Automatic mapping of existing tunnel
traffic class configuration to new QoS Shaper traffic has failed.
Check QoS Shaper configuration and adjust Traffic Class
settings as necessary.
00040012
WARNING
A very large range has been configured for a local subnet.
RESOLUTION: Subnet sharing/advertisement module has
detected a network mask of less than 8 bits. Verify your
configured subnets in the Configuration > Subnets page.
Equipment
00030007
CRITICAL
Encryption card hardware failure
RESOLUTION: Contact Customer Service.
00030003
CRITICAL
Fan failure detected
RESOLUTION: Contact Customer Service.
00030024
CRITICAL
Insufficient configured memory size for this virtual appliance
RESOLUTION: Assign more memory to the virtual machine,
and restart the appliance. Traffic will not be optimized until this is
resolved.
00030025
CRITICAL
Insufficient configured processor count for this virtual appliance
RESOLUTION: Assign more processors to the virtual machine,
and restart the appliance. Traffic will not be optimized until this is
resolved.
00030026
CRITICAL
Insufficient configured disk storage for this virtual appliance
RESOLUTION: Assign more storage to the virtual machine,
and restart the appliance. Traffic will not be optimized until this is
resolved.
00030005
CRITICAL
LAN/WAN fail-to-wire card failure
RESOLUTION: Contact Customer Service.
00030021
CRITICAL
NIC interface failure
RESOLUTION: Contact Customer Service.
00030004
CRITICAL
System is in Bypass mode
RESOLUTION: Normal with factory default configuration,
during reboot, and if user has put the appliance in Bypass mode.
Contact Customer Service if the condition persists.
0003001d
MAJOR
Bonding members have different speed/duplex
RESOLUTION: Check interface speed/duplex settings and
negotiated values on wan0/wan1 and lan0/lan1 etherchannel
groups.
0003001c
MAJOR
[Flow redirection] cluster peer is down
RESOLUTION:
• Check flow redirection configuration on all applicable
appliances.
• Check L3/L4 connectivity between the peers.
• Open TCP and UDP ports 4164 between the cluster peer IPs
if they are blocked.
00030017
MAJOR
Disk removed by operator
RESOLUTION: Normal during disk replacement. Insert disk
using UI/GMS. Contact Customer Service if insertion fails.
00030001
MAJOR
Disk is failed
RESOLUTION: Contact Customer Service to replace disk.
00030015
MAJOR
Disk is not in service
RESOLUTION:
• Check to see if the disk is properly seated.
• Contact Customer Service for further assistance.
0003000b
MAJOR
Interface is half duplex
RESOLUTION: Check speed/duplex settings on the
router/switch port.
0003000c
MAJOR
Interface speed is 10 Mbps
RESOLUTION:
• Check speed/duplex settings.
• Use a 100/1000 Mbps port on the router/switch.
00030022
MAJOR
LAN next-hop unreachable [see footnote b]
RESOLUTION: Check appliance configuration:
• LAN–side next-hop IP
• Appliance IP / Mask
• VLAN IP / Mask
• VLAN ID
0003001a
MAJOR
LAN/WAN interface has been shut down due to link propagation
of paired interface
RESOLUTION: Check cables and connectivity. For example, if
lan0 is shut down, check why wan0 is down. Applicable only to
in-line (bridge) mode.
00030018
MAJOR
LAN/WAN interfaces have different admin states
RESOLUTION: Check interface admin configuration for
lan0/wan0 (and lan1/wan1). Applicable only to in-line mode.
00030019
MAJOR
LAN/WAN interfaces have different link carrier states
RESOLUTION: Check interface configured speed settings and
current values (lan0/wan0, lan1/wan1). Applicable only to in-line
mode.
0003000a
MAJOR
Management interface link down
RESOLUTION:
• Check cables.
• Check interface admin status on the router.
00030009
MAJOR
Network interface link down
RESOLUTION: Is the system in Bypass mode?
• Check cables.
• Check interface admin status on the router.
00030020
MAJOR
Power supply not connected, not powered, or failed
RESOLUTION:
• Connect to a power outlet.
• Check power cable connectivity.
00030023
MAJOR
Unexpected system restart
RESOLUTION: Power issues? Was the appliance shut down
ungracefully? Contact Customer Service if the shutdown was
not planned.
00030012
MAJOR
VRRP instance is down
RESOLUTION: Check the interface. Is the link down?
00030014
MAJOR
WAN next-hop router discovered on a LAN port (box is in
backwards)
RESOLUTION:
• Check WAN next-hop IP address.
• Check lan0 and wan0 cabling (in-line mode only).
• If it cannot be resolved, call Customer Service.
00030011
MAJOR
WAN next-hop unreachable [see footnote b]
RESOLUTION:
• Check cables on Silver Peak appliance and router.
• Check IP/mask on Silver Peak appliance and router.
Next-hop should be only a single IP hop away.
• To troubleshoot, use:
show cdp neighbor,
show arp,
and ping -I <appliance IP> <next-hop IP>.
0003001e
MAJOR
WCCP adjacency(ies) down
RESOLUTION: Cannot establish WCCP neighbor:
• Check WCCP configuration on appliance and router.
• Verify reachability.
• Enable debugging on router: debug ip wccp packet
0003001f
MAJOR
WCCP assignment table mismatch
RESOLUTION: Check WCCP mask/hash assignment
configuration on all Silver Peak appliances and ensure that they
match.
00030002
MINOR
Disk is degraded
RESOLUTION: Wait for disk to recover. If it does not recover,
contact Customer Service.
00030016
MINOR
Disk is rebuilding
RESOLUTION: Normal. If rebuilding is unsuccessful, contact
Customer Service.
0003001b
MINOR
Disk SMART threshold exceeded
RESOLUTION: Contact Customer Service to replace disk.
00030008
WARNING
Network interface admin down
RESOLUTION: Check Silver Peak interface configuration.
00030013
WARNING
VRRP state changed from Master to Backup
RESOLUTION: VRRP state has changed from Master to
Backup.
• Check VRRP Master for uptime.
• Check VRRP Master for connectivity.
Threshold Crossing Alerts (TCAs)
00050001
WARNING
The average WAN–side transmit throughput of X Mbps over the
last minute [exceeded, fell below] the threshold of Y Mbps
RESOLUTION: User configured. Check bandwidth reports for
tunnel bandwidth.
00050002
WARNING
The average LAN–side receive throughput of X Mbps over the
last minute [exceeded, fell below] the threshold of Y Mbps
RESOLUTION: User configured. Check bandwidth reports.
00050003
WARNING
The total number of X optimized flows at the end of the last
minute [exceeded, fell below] the threshold of Y
RESOLUTION: User configured. Check flow and real-time
connection reports.
00050004
WARNING
The total number of X flows at the end of the last minute
[exceeded, fell below] the threshold of Y
RESOLUTION: User configured. Check flow and real-time
connection reports.
00050005
WARNING
The file system utilization of X% at the end of the last minute
[exceeded, fell below] the threshold of Y
RESOLUTION: Contact Customer Service.
00050006
WARNING
The peak latency of X during the last minute [exceeded, fell
below] the threshold of Y
RESOLUTION: User configured.
• Check Latency Reports. If latency is too high, check routing
between the appliances and QoS policy on upstream
routers.
• Check tunnel DSCP marking. If latency persists, contact ISP
and Silver Peak support.
00050007
WARNING
The average pre-FEC loss of X% over the last minute
[exceeded, fell below] the threshold of Y%
RESOLUTION: User configured.
• Check Loss Reports.
• Check for loss between Silver Peak appliances (interface
counters on upstream routers).
• Use network bandwidth measurement tools such as iperf to
measure loss.
• Contact ISP (Internet Service Provider).
00050008
WARNING
The average post-FEC loss of X% over the last minute
[exceeded, fell below] the threshold of Y%
RESOLUTION: User configured.
• Check Loss Reports.
• Check for loss between Silver Peak appliances (interface
counters on upstream routers).
• Use network bandwidth measurement tools such as iperf to
measure loss.
• Enable/Adjust Silver Peak Forward Error Correction (FEC).
• Contact ISP (Internet Service Provider).
00050009
WARNING
The average pre-POC out-of-order packets of X% over the last
minute [exceeded, fell below] the threshold of Y%
RESOLUTION: User configured.
• Check Out-of-Order Packets Reports.
Normal in a network with multiple paths and different QoS
queues.
Normal in a dual-homed router or 4-port in-line [bridge]
configuration.
• Contact Customer Service if out-of-order packets are not
100% corrected.
0005000a
WARNING
The average post-POC out-of-order packets of X% over the last
minute [exceeded, fell below] the threshold of Y%
RESOLUTION: User configured.
• Check Out-of-Order Packets Reports.
Normal in a network with multiple paths and different QoS
queues.
Normal in a dual-homed router or 4-port in-line [bridge]
configuration.
• Contact Customer Service if out-of-order packets are not
100% corrected.
0005000b
WARNING
The average tunnel utilization of X% over the last minute
[exceeded, fell below] the threshold of Y%
RESOLUTION: User configured.
Check bandwidth reports for tunnel bandwidth utilization.
0005000c
WARNING
The average tunnel reduction of X% over the last minute
[exceeded, fell below] the threshold of Y%
RESOLUTION: User configured.
• Check bandwidth reports for deduplication.
• Check if the traffic is pre-compressed or encrypted.
0005000d
WARNING
The total number of flows <num-of-flows> is approaching the
capacity of this appliance. Once the capacity is exceeded, new
flows will be <dropped|bypassed>.
RESOLUTION: If this condition persists, a larger appliance will
be necessary to fully optimize all flows.
a. The VX appliances are a family of virtual appliances, comprised of the VX-n000 software, an appropriately paired
hypervisor and server, and a valid software license.
b. If there is either a LAN Next-Hop Unreachable or WAN Next-Hop Unreachable alarm, resolve the alarm(s)
immediately by configuring the gateway(s) to respond to ICMP pings from the Silver Peak appliance IP Address.
Viewing Current Alarms
Most Silver Peak appliance alarms cannot be cleared by the user. Instead, the appliance generally corrects
the alarm condition and clears the alarm by itself.
The alarm summary appears in the banner. You can view current alarms as follows:
To view the Alarms - Current Alarms page, click anywhere in the alarm summary area of the banner. The Alarms - Current Alarms page displays.
[Figure: banner alarm summary and the Alarms - Current Alarms page. Text shown in the figure: "This appliance is in System Bypass. To disable System Bypass: 1. Go to the Configuration - System page 2. Click to deselect System Bypass 3. Click Apply." A callout marks the column for acknowledging alarms.]
The Alarms - Current Alarms page displays the following information:
Field
Definition/Content
Seq No.
The sequential number of the alarm, based on the time the alarm was raised.
Date/Time
The local date and time at the appliance’s location, specified by a 24-hour clock.
Type
The type of alarm:
• Tunnel: A tunnel-based alarm
• TC: A traffic class-based alarm
• EQU: An equipment-based alarm
• SW: A code- or software-based alarm
Severity
The severity of the alarm, listed here in decreasing order of severity:
• Critical: A critical alarm, such as “Tunnel Down”
• Major: A major alarm, such as “Disk out of Service”
• Minor: A minor alarm, such as “Disk Degraded”
• Warning: A warning, such as “Software Process Restart”
• Info: For Silver Peak debugging purposes.
These are purely related to alarm severities, not event logging levels, even though
some of the naming conventions overlap. Events and alarms have different
sources. Alarms, once they clear, list as the ALERT level in the Alarms - Log
Viewer page.
Source
Refers to the particular subsystem or equipment that is causing the alarm. For
example, we can raise the tunnel-based alarm, “Tunnel Down”, where the source
would refer to a particular tunnel.
Description
A brief description of the alarm.
Recommended Action
Describes what action to take and, when appropriate, provides a link to the page
where you need to do it.
Clear
If a checkbox is accessible, a user can clear the alarm.
To clear the alarm, click the Clear box, and click Apply. Once cleared, the row is
removed and the content is viewable in the read-only page, Alarms - Log Viewer.
Ack
Select Yes to acknowledge the alarm; select No to remove acknowledgement.
APPENDIX A
Specifications, Compliance, and
Regulatory Statements
This appendix contains specifications, as well as compliance and regulatory statements.
In This Appendix
• Model Specifications
• Warning Statements
• Compliance Statements
• What Ports the NX and the GMS Use
• Appliance Views
Model Specifications
This section includes general and model-specific specifications for the Silver Peak appliances:
• Model-specific Specifications
• Fiber Specifications
• NX-Series Specifications
Note To verify the most current VXOA host system requirements, refer to the Quick Start
Guides listed in the User Documentation section of http://www.silver-peak.com/Support.
Note To see which hypervisors Silver Peak’s VXOA software currently supports, refer to the
Quick Start Guides listed in the User Documentation section of
http://www.silver-peak.com/Support.
Model-specific Specifications
Specification | NX-1700 [PN 200404] | NX-1700 [PN 200576] | NX-1700 DC [PN 200464]
Capacity: WAN Capacity (All Features) | 4 Mbps | 4 Mbps | 4 Mbps
Capacity: Local Data Store | 1 x 500 GB HDD | 1 x 500 GB HDD | 1 x 500 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 47–63Hz, 90 W / 307 BTU | 90–240VAC 47–63Hz, 46 W / 157 BTU | -31VDC to -72VDC, 86 W / 295 BTU
Power: Power Supplies | Single | Single | Single
Dimensions and Weight: Height | 1.8 in. (45 mm) 1 RU | 1.75 in. (44.4 mm) 1 RU | 1.8 in. (45 mm) 1 RU
Dimensions and Weight: Width | 17.5 in. (445 mm) | 16.9 in. (430 mm) | 17.5 in. (445 mm)
Dimensions and Weight: Depth | 8.2 in. (209 mm) | 10.9 in. (277 mm) | 8.2 in. (209 mm)
Dimensions and Weight: Weight | 8.5 lbs (3.9 kg) | 8.8 lbs (4.0 kg) | 8.5 lbs (3.9 kg)
Specification | NX-2600 [PN 200178] | NX-2610 [PN 200193] | NX-2700 [PN 200401]
Capacity: WAN Capacity (All Features) | 4 Mbps | 8 Mbps | 10 Mbps
Capacity: Local Data Store | 1 x 250 GB HDD | 2 x 250 GB HDD | 2 x 500 GB HDD
Connectivity: LAN/WAN Ethernet | 2 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 50-60Hz, 145 W / 496 BTU | 100–240VAC 50-60Hz, 165 W / 563 BTU | 100–240VAC 47-63Hz, 285 W / 973 BTU
Power: Power Supplies | Single | Single | 1+1 redundant
Dimensions and Weight: Height | 1.7 in. (43.5 mm) 1 RU | 1.7 in. (43.5 mm) 1 RU | 3.5 in. (89 mm) 2 RU
Dimensions and Weight: Width | 16.9 in. (430 mm) | 16.9 in. (430 mm) | 16.9 in. (430 mm)
Dimensions and Weight: Depth | 22.4 in. (569 mm) | 22.4 in. (569 mm) | 26 in. (660 mm)
Dimensions and Weight: Weight | 22.0 lbs (10.0 kg) | 24.2 lbs (11.0 kg) | 40.5 lbs (18.4 kg)
Specification | NX-2700 [PN 200697] | NX-3600 [PN 200348] | NX-3700 [PN 200400]
Capacity: WAN Capacity (All Features) | 10 Mbps | 20 Mbps | 20 Mbps
Capacity: Local Data Store | 2 x 240 GB SSD | 2 x 500 GB HDD | 2 x 500 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 50-60Hz, 94 W / 321 BTU | 100–240VAC 47-63Hz, 250 W / 853 BTU | 100–240VAC 47-63Hz, 305 W / 1041 BTU
Power: Power Supplies | 1+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 1.69 in. (43 mm) 1 RU | 3.5 in. (89 mm) 2 RU | 3.5 in. (89 mm) 2 RU
Dimensions and Weight: Width | 17.1 in. (434 mm) | 17.0 in. (432 mm) | 16.9 in. (430 mm)
Dimensions and Weight: Depth | 26.1 in. (663 mm) | 26.0 in. (661 mm) | 26 in. (660 mm)
Dimensions and Weight: Weight | 24.0 lbs (10.8 kg) | 41.0 lbs (18.6 kg) | 40.5 lbs (18.4 kg)
Specification | NX-3700 [PN 200698] | NX-5600 [PN 200231]
Capacity: WAN Capacity (All Features) | 20 Mbps | 50 Mbps
Capacity: Local Data Store | 2 x 240 GB SSD | 8 x 250 GB HDD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 50-60Hz, 94 W / 321 BTU | 100–240VAC 50-60Hz, 440 W / 1501 BTU
Power: Power Supplies | 1+1 redundant | 2+1 redundant
Dimensions and Weight: Height | 1.69 in. (43 mm) 1 RU | 5.2 in. (132 mm) 3 RU
Dimensions and Weight: Width | 17.1 in. (434 mm) | 17 in. (432 mm)
Dimensions and Weight: Depth | 26.1 in. (663 mm) | 26 in. (659 mm)
Dimensions and Weight: Weight | 24.0 lbs (18.4 kg) | 62 lbs (28.1 kg)
Specification | NX-5700 [PN 200399] | NX-5700 [PN 200699] | NX-6700 [PN 200828]
Capacity: WAN Capacity (All Features) | 50 Mbps | 50 Mbps | 100 Mbps
Capacity: Local Data Store | 8 x 500 GB HDD | 8 x 240 GB SSD | 8 x 240 GB SSD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 47-63Hz, 345 W / 1178 BTU | 100–240VAC 50-60Hz, 126 W / 430 BTU | 100–240VAC 50-60Hz, 126 W / 430 BTU
Power: Power Supplies | 1+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 3.5 in. (89 mm) 2 RU | 1.69 in. (43 mm) 1 RU | 1.69 in. (43 mm) 1 RU
Dimensions and Weight: Width | 16.9 in. (430 mm) | 17.1 in. (434 mm) | 17.1 in. (434 mm)
Dimensions and Weight: Depth | 26 in. (660 mm) | 26.1 in. (663 mm) | 26.1 in. (663 mm)
Dimensions and Weight: Weight | 43 lbs (19.6 kg) | 26.0 lbs (11.8 kg) | 26.0 lbs (11.8 kg)
Specification | NX-7600 [PN 200225] | NX-7700 [PN 200398] | NX-7700 [PN 200702]
Capacity: WAN Capacity (All Features) | 155 Mbps | 200 Mbps | 200 Mbps
Capacity: Local Data Store | 12 x 250 GB HDD | 10 x 500 GB HDD | 8 x 240 GB SSD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 50-60Hz, 580 W / 1979 BTU | 100–240VAC 47-63Hz, 475 W / 1621 BTU | 100–240VAC 50-60Hz, 126 W / 430 BTU
Power: Power Supplies | 2+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 5.2 in. (132 mm) 3 RU | 3.5 in. (89 mm) 2 RU | 1.69 in. (43 mm) 1 RU
Dimensions and Weight: Width | 17 in. (432 mm) | 16.9 in. (430 mm) | 17.1 in. (434 mm)
Dimensions and Weight: Depth | 26 in. (659 mm) | 26 in. (660 mm) | 26.1 in. (663 mm)
Dimensions and Weight: Weight | 68 lbs (30.8 kg) | 44 lbs (20 kg) | 26.0 lbs (11.8 kg)
Specification | NX-8600 [PN 200181] | NX-8700 [PN 200397] | NX-8700 [PN 200767]
Capacity: WAN Capacity (All Features) | 500 Mbps | 622 Mbps | 622 Mbps
Capacity: Local Data Store | 16 x 500 GB HDD | 10 x 500 GB HDD, 4 x 100 GB SSD | 14 x 240 GB SSD
Connectivity: LAN/WAN Ethernet | 4 x 10/100/1000 LAN WAN | 4 x 10/100/1000 LAN WAN; 2 x 10 Gbps fiber LAN WAN | 4 x 10/100/1000 LAN WAN; 2 x 10 Gbps fiber LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 50-60Hz, 650 W / 2218 BTU | 100-240VAC 47–63Hz, 520 W / 1775 BTU | 100–240VAC 50-60Hz, 491 W / 1675 BTU
Power: Power Supplies | 2+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 5.2 in. (132 mm) 3 RU | 3.5 in. (89 mm) 2 RU | 3.4 in. (87 mm) 2 RU
Dimensions and Weight: Width | 17 in. (432 mm) | 16.9 in. (430 mm) | 17.5 in. (444 mm)
Dimensions and Weight: Depth | 26 in. (659 mm) | 26 in. (660 mm) | 29.2 in. (741 mm)
Dimensions and Weight: Weight | 75 lbs (34.0 kg) | 46.5 lbs (21.2 kg) | 47.5 lbs (21.4 kg)
Specification | NX-9610 [PN 200362] | NX-9700 [PN 200396] | NX-9700 [PN 200768]
Capacity: WAN Capacity (All Features) | 1 Gbps | 1 Gbps | 1 Gbps
Capacity: Local Data Store | 16 x 500 GB HDD | 10 x 500 GB HDD, 4 x 100 GB SSD | 14 x 240 GB SSD
Connectivity: LAN/WAN Ethernet | 4 x 1 Gbps fiber LAN WAN; 2 x 10 Gbps fiber LAN WAN | 4 x 1 Gbps fiber LAN WAN; 2 x 10 Gbps fiber LAN WAN | 4 x 1 Gbps fiber LAN WAN; 2 x 10 Gbps fiber LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100–240VAC 50-60Hz, 682 W / 2327 BTU | 100-240VAC 47–63Hz, 600 W / 2048 BTU | 100–240VAC 50-60Hz, 493 W / 1682 BTU
Power: Power Supplies | 2+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 5.2 in. (132 mm) 3 RU | 3.5 in. (89 mm) 2 RU | 3.4 in. (87 mm) 2 RU
Dimensions and Weight: Width | 17 in. (432 mm) | 16.9 in. (430 mm) | 17.5 in. (444 mm)
Dimensions and Weight: Depth | 26 in. (659 mm) | 26 in. (660 mm) | 29.2 in. (741 mm)
Dimensions and Weight: Weight | 75.5 lbs (34.5 kg) | 47 lbs (21.2 kg) | 47.5 lbs (21.4 kg)
Specification | NX-10700 [PN 200519] | NX-10700 [PN 200769] | NX-11700 [PN 200711]
Capacity: WAN Capacity (All Features) | 2.5 Gbps | 2.5 Gbps | 5 Gbps
Capacity: Local Data Store | 2 x 500 GB HDD, 16 x 100 GB SSD | 18 x 100 GB SSD | 18 x 100 GB SSD
Connectivity: LAN/WAN Ethernet | 4 x 10 Gbps fiber LAN WAN | 4 x 10 Gbps fiber LAN WAN | 4 x 10 Gbps fiber LAN WAN
Connectivity: Management | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port | 2 x 10/100/1000; RS-232 serial port
Power: Requirement | 100-240VAC 47–63Hz, 600 W / 2048 BTU | 100–240VAC 50-60Hz, 590 W / 2013 BTU | 100–240VAC 50-60Hz, 590 W / 2013 BTU
Power: Power Supplies | 1+1 redundant | 1+1 redundant | 1+1 redundant
Dimensions and Weight: Height | 3.5 in. (89 mm) 2 RU | 3.4 in. (87 mm) 2 RU | 3.4 in. (87 mm) 2 RU
Dimensions and Weight: Width | 16.9 in. (430 mm) | 17.5 in. (444 mm) | 17.5 in. (444 mm)
Dimensions and Weight: Depth | 26 in. (660 mm) | 29.2 in. (741 mm) | 29.2 in. (741 mm)
Dimensions and Weight: Weight | 46.5 lbs (21.1 kg) | 48.5 lbs (22.0 kg) | 48.5 lbs (22.0 kg)
Fiber Specifications
Interface | 1 Gbps Fiber Interfaces (NX-9610 / NX-9700): lan / wan [see footnote a] | 10 Gbps Fiber Interfaces (NX-8700 / NX-9610 / NX-9700): tlan0 / twan0
Fiber Support | 4 interfaces; LC connectors; Support multi-mode 50μ fiber / 62.5μ fiber | 2 interfaces; LC connectors; Support multi-mode 50μ fiber
Fail-to-Close | NX-9610 — no; NX-9700 — yes | no
a. This can be for lan0/wan0 or lan1/wan1.
NX-10700 / NX-11700: 10 Gbps Fiber Interfaces
tlan0 / twan0 / tlan1 / twan1
• 2 interfaces
• LC connectors
• Support multi-mode 50μ fiber
• Fail-to-close — no
NX-Series Specifications
Environmental
Temperature (Operating): 10°C to 40°C (50°F to 104°F)
Temperature (Storage): -40°C to 65°C (-40°F to 149°F)
Humidity: 8% to 90% relative humidity, non-condensing
Regulatory
EMC: FCC Part 15 Class A, EN 55022 Class A, EN 61000-3-2/3-3, EN 55024
Safety: UL/cUL 60950, EN 60950
Warning Statements
Class 1 Laser Products
• NX-8700
• NX-9600
• NX-9700
• NX-10700
• NX-11700
Maintenance Port Precautions
The serial console is used only for periodic maintenance and is not to be used under normal operation.
General Safety
CAUTION Please note the following:
1. The server will not be used in a home, school or other public area where the general population
would have access to it.
2. The manufacturer specifies that the thumbscrew normally should be tightened with a screwdriver.
Use of a thumbscrew is not considered to compromise the basic principles of safety associated with
the standard.
WARNING
To prevent potential for personal injury, property damage or death, please
observe the following instructions:
• Do not use damaged equipment, including exposed, frayed or damaged power cords. Use only
the approved power cable that is rated for the equipment. The voltage and current rating of the
cable should be greater than the ratings marked on the equipment.
• Plug the power cables into properly grounded electrical outlets.
• Do not use adapter plugs or remove the grounding prong from a cable.
If you must use an extension cable, use a 3-wire cable with properly grounded plugs.
• Observe extension cable and power strip ratings to ensure that the total ampere rating of all
equipment plugged into the extension cable or power strip does not exceed 80 percent of the
ampere ratings limit for the extension cable or power strip.
• When connecting or disconnecting power to hot-swappable power supplies, observe the
following precautions:
  • Install the power supply before connecting the power cable to it.
  • Unplug the power cable before removing a power supply.
  • To disconnect power from the server, disconnect all power cables from all power supplies.
(If you only disconnect one hot-swappable power supply, the system will automatically
switch to a redundant one.)
• The power supplies in the server may produce high voltages and potential energy hazards. By
opening the cover of the server you may be exposed to a risk of electric shock. The components
inside the server housing should only be serviced by a trained service technician.
• Inside the housing, the power supply may have more than one power supply cable. To reduce
the risk of electric shock, a trained service technician may need to disconnect all power supply
cables before servicing the system.
• The server should not be operated with the cover removed.
• Components inside the server housing may become extremely hot during normal operations.
These components include the memory and CPU modules. Allow sufficient time for
components to cool before handling.
• The server should not be operated in environments that can get wet. Protect the server at all
times from liquid intrusion.
• If your server gets wet, turn off the AC power at the circuit breaker before attempting to remove
the power cables from the electrical outlet. Then disconnect power to the equipment and to any
attached devices.
• Avoid obstructing the air vents on the server or pushing objects into the openings. This could
lead to fire or electric shock.
CAUTION
To prevent hardware damage or loss of data, observe the following precautions:
• Follow installation instructions carefully.
• Do not attempt to service the equipment yourself. The server should be serviced by a trained
service technician.
• You should operate this equipment from the type of external power source indicated on the
electrical ratings label.
• Wait 30 seconds after turning off the equipment before removing a component from the system
or disconnecting a peripheral device from the server.
• Always leave at least 4 inches (10.2cm) of physical clearance on all vented sides of the server.
This permits the airflow required for proper ventilation.
• Avoid placing equipment too close together such that it is subject to re-circulated (pre-heated)
air. Avoid placing equipment too close to a server or exhaust vent.
• Ensure that cables are connected to the server without stress and that nothing rests on the cables.
• If the equipment is located in a rack, move it with caution. Ensure that all casters and/or
stabilizers are firmly connected. While moving the equipment, avoid uneven surfaces and
sudden stops.
• Do not place other equipment, monitors, or other devices on top of the server.
• To protect the server from fluctuations in electrical power, use a surge suppressor, line
conditioner or uninterruptible power supply (UPS).
WARNING
BATTERY WARNING: Installing an incompatible battery on the server board may
increase the risk of fire or explosion. Observe the following precautions:
• The battery should only be replaced with a battery that is the same as or equivalent to the factory
installed battery.
• Do not attempt to open or service the battery. Do not dispose of the battery in a fire or with
household waste. Contact the local waste disposal agency for the location of the nearest battery
deposit site.
CAUTION
Please observe the following additional precautions for rack-mounted systems:
• Slide/rail mounted equipment is not to be used as a shelf or a work space.
• Elevated Operating Ambient – If the server is installed in a closed or multi-unit rack assembly,
the operating ambient temperature in the rack environment may be greater than the room
ambient temperature. Therefore, consideration should be given to the maximum operating
temperature specified in the environmental specifications.
• Reduced Air Flow – Installation of the server in a rack should be such that the amount of air
flow required for safe operation is not compromised.
• Mechanical Loading – Mounting of the server in the rack should not create a hazardous
condition from uneven mechanical loading.
• Circuit Overloading – Connection of the equipment to the supply circuit should not create an
overloaded situation. Pay close attention to equipment nameplate ratings.
• Reliable Grounding – Appliances mounted in racks should be grounded properly. If using
power strips to connect the server to the supply circuit, make certain that the power strips are
also grounded properly.
• It is your responsibility to ensure that the rack and the provided rail system are compatible with
each other before installing the server.
• Install the front and side stabilizers prior to installing equipment in a rack. Failure to install
stabilizers may cause a rack to tip over.
• Load racks from the bottom up, loading the heaviest items near the bottom of the rack.
• Do not stand or step on components in the rack.
• Do not use slide-rail-mounted equipment as a shelf or workspace. Do not add weight to the top
of the server.
WARNING
Grounding Instructions for Qualified Electricians Only:
•Grounding techniques may vary. However, a positive connection to a safety (earth) ground is
required.
260
•
Make the ground connection first and disconnect it last to prevent hazards.
•
Never defeat the ground conductor or operate the equipment in the absence of a suitably
installed ground conductor.
•
If the system is installed in a rack, ensure that the system chassis is securely grounded to the
rack cabinet frame. Do not connect power to the system until grounding cables are connected.
PN 200030-001 Rev M
Compliance Statements
This section includes the following required compliance statements:
• FCC Compliance Statement
• ICES-003 statement
• Requirements for Rack-Mount Equipment
• Requirements for Knurled Thumb Screws
FCC Compliance Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This equipment generates,
uses, and can radiate radio frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the user will be
required to correct the interference at his own expense.
ICES-003 statement
The Class A digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe A est conforme á la norme NMB-003 du Canada.
Requirements for Rack-Mount Equipment
Observe the following requirements for all rack-mount equipment:
1. Elevated Operating Ambient Temperature – If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient. Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tma) specified by the manufacturer.
2. Reduced Air Flow – Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
3. Mechanical Loading – Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
4. Circuit Overloading – Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern.
5. Reliable Earthing – Reliable earthing of rack-mounted equipment should be maintained. Particular attention should be given to supply connections other than direct connections to the branch circuit (for example, use of power strips).
Requirements for Knurled Thumb Screws
Thumbscrews should be tightened with a tool after both initial installation and subsequent access to the
panel.
What Ports the NX and the GMS Use
Following are lists of ports that are used by the appliances and by the Global Management System
(GMS). These are the ports used for “listening”.
If you intend to use a port, make sure that it is open in the firewall(s).
List of ports used by the GMS
Following is the list of ports used by the GMS. All are part of the management plane.
It is mandatory for certain ports to be open. Opening other ports is optional (opt.), depending on your
network, applications, and chosen deployment.
| Must open port? | TCP | UDP | Port | Application | Direction relative to the GMS | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| yes | x | | 22 | SSH | bidirectional | SNMP trap receivers |
| yes | x | | 443 | HTTPS | bidirectional | communications between the GMS and a physical or virtual appliance (NX or VX) |
| opt. | x | | 21 | FTP | outgoing | for GMS backup. This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number. |
| opt. | x | | 22 | SCP | outgoing | for GMS backup. This is the default port. If you’ve configured a different port, then you also need to configure the firewall with that port number. |
| opt. | x | | 49 | TACACS+ | outgoing | user authentication and authorization |
| opt. | x | x | 53 | DNS | outgoing | domain name services |
| opt. | x | | 80 | HTTP | outgoing | If the appliance’s web configuration is for HTTP only, then you must open this port. |
| opt. | | x | 123 | NTP | outgoing | synchronizes clocks |
| opt. | | x | 162 | SNMP | outgoing | SNMP trap receivers |
| opt. | | x | 1812 | RADIUS | outgoing | user authentication and authorization |
| opt. | | x | 2055 | Netflow | outgoing | Netflow collector |
List of ports used by the NX
Data Plane
This is for packets that traverse the optimization path. For creating tunnels, at least one of the first three
applications — GRE, IPsec, or UDP — is required.
| Application | Ports and Protocols | Use |
| --- | --- | --- |
| GRE | Protocol 47 | If tunnel mode is GRE |
| IPsec | Protocol ESP 50; UDP port 500 (for IKE key exchange) | If tunnel mode is IPsec |
| UDP | UDP Port 4163 | If tunnel mode is UDP |
| WCCP | UDP Port 2048 | For WCCP redirection |
| Flow redirection | TCP Port 4164 and UDP Port 4164 | If flow redirection is enabled and clustered via routers |
| iperf | TCP Port 5001 and UDP Port 5001 | For testing link integrity outside the tunnel. |
Management Plane
It is mandatory for certain ports to be open. Opening other ports is optional (opt.), depending on your
network, applications, and chosen deployment.
| Must open port? | TCP | UDP | Port | Application | Direction relative to the appliance | Used for ... |
| --- | --- | --- | --- | --- | --- | --- |
| yes | x | | 22 | SSH and SCP | bidirectional | configuration backup; software upgrades |
| yes | x | | 80 | HTTP | bidirectional | communication with NX clients and with GMS |
| yes | x | | 443 | HTTPS | bidirectional | communication with NX clients |
| opt. | x | | 20 [data channel], 21 [control channel] | FTP | bidirectional | configuration backup; software upgrades |
| opt. | x | | 49 | TACACS+ | outgoing | user authentication and authorization |
| opt. | x | x | 53 | DNS | outgoing | domain name services |
| opt. | | x | 123 | NTP | outgoing | synchronizes clocks |
| opt. | | x | 1812 | RADIUS | outgoing | user authentication and authorization |
| opt. | | x | 162 | SNMP | outgoing | SNMP trap receivers |
| opt. | | x | 2055 | Netflow | outgoing | Netflow collector |
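The NX port lists above map directly onto a firewall policy. The following added example (not part of Silver Peak's guide) builds the minimal allow-list for one NX appliance from its tunnel mode and enabled optional services, then audits a constructed set of open ports against it. The names `allow_list`, `audit` and the service keys are hypothetical; the TCP/UDP assignment of management rows follows each protocol's usual transport, and the direction of data-plane rows is an assumption.

```python
"""Build a least-privilege firewall allow-list for one NX appliance from the
port tables in this section, then audit an existing rule set against it."""
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    proto: str            # "tcp", "udp", or an IP protocol ("gre", "esp")
    port: Optional[int]   # None for IP protocols, which have no port numbers
    direction: str        # relative to the appliance
    service: str


# Data plane: at least one tunnel mode is required to create tunnels.
# The guide gives no direction for data-plane rows; "both" is an assumption.
TUNNEL_MODES = {
    "gre": [Rule("gre", None, "both", "GRE, IP protocol 47")],
    "ipsec": [Rule("esp", None, "both", "IPsec ESP, IP protocol 50"),
              Rule("udp", 500, "both", "IKE key exchange")],
    "udp": [Rule("udp", 4163, "both", "UDP tunnel")],
}

# Management-plane rows marked "yes" (must open).
MANDATORY = [
    Rule("tcp", 22, "both", "SSH and SCP"),
    Rule("tcp", 80, "both", "HTTP"),
    Rule("tcp", 443, "both", "HTTPS"),
]

# Rows marked "opt." plus the optional data-plane features. The keys are
# hypothetical short names; TCP/UDP follows each protocol's usual transport.
OPTIONAL = {
    "ftp": [Rule("tcp", 20, "both", "FTP data channel"),
            Rule("tcp", 21, "both", "FTP control channel")],
    "tacacs": [Rule("tcp", 49, "out", "TACACS+")],
    "dns": [Rule("tcp", 53, "out", "DNS"), Rule("udp", 53, "out", "DNS")],
    "ntp": [Rule("udp", 123, "out", "NTP")],
    "snmp": [Rule("udp", 162, "out", "SNMP traps")],
    "radius": [Rule("udp", 1812, "out", "RADIUS")],
    "netflow": [Rule("udp", 2055, "out", "Netflow collector")],
    "wccp": [Rule("udp", 2048, "both", "WCCP redirection")],
    "flow_redirection": [Rule("tcp", 4164, "both", "flow redirection"),
                         Rule("udp", 4164, "both", "flow redirection")],
    "iperf": [Rule("tcp", 5001, "both", "iperf"),
              Rule("udp", 5001, "both", "iperf")],
}


def allow_list(tunnel_mode, services=()):
    """Return the rules this deployment needs: mandatory + tunnel + chosen options."""
    if tunnel_mode not in TUNNEL_MODES:
        raise ValueError(f"unknown tunnel mode: {tunnel_mode!r}")
    unknown = set(services) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")
    rules = list(MANDATORY) + list(TUNNEL_MODES[tunnel_mode])
    for name in sorted(set(services)):
        rules.extend(OPTIONAL[name])
    return rules


def audit(open_ports, tunnel_mode, services=()):
    """Compare the firewall's open (proto, port) pairs with the allow-list.

    "missing" entries break the appliance; "unexpected" entries are exposure
    that this deployment does not need and should be closed or justified.
    """
    wanted = {(r.proto, r.port) for r in allow_list(tunnel_mode, services)}
    have = set(open_ports)

    def order(pair):
        return (pair[0], pair[1] or 0)

    return {"missing": sorted(wanted - have, key=order),
            "unexpected": sorted(have - wanted, key=order)}


# Constructed sample: ports currently open toward an IPsec-mode appliance.
SAMPLE_OPEN = [("tcp", 22), ("tcp", 443), ("esp", None), ("udp", 500),
               ("udp", 53), ("udp", 123), ("tcp", 23), ("udp", 4163)]

if __name__ == "__main__":
    report = audit(SAMPLE_OPEN, "ipsec", services=["dns", "ntp"])
    for kind, pairs in report.items():
        for proto, port in pairs:
            print(f"{kind:10s} {proto}/{port if port is not None else '-'}")
```

In the sample, the leftover UDP 4163 opening (UDP tunnel mode) and TCP 23 are reported as unexpected because the deployment uses IPsec tunnels only.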
Diagrams of TCP/IP Port Use
Figures: two full-page diagrams of TCP/IP port use.
Appliance Views
This section includes each NX appliance model and provides information about its physical
characteristics and layout.
| Model | Part Number | Hard Disks: Qty | Hard Disks: Allow user to replace | Hard Disks: Hot swappable | Power Supplies: Qty | Power Supplies: Allow user to replace | Power Supplies: Hot swappable |
| --- | --- | --- | --- | --- | --- | --- | --- |
| NX-1700 AC | 200404 | 1 | no | -- | 1 | no | -- |
| NX-1700 AC | 200576 | 1 | no | -- | 1 | no | -- |
| NX-1700 DC | 200464 | 1 | no | -- | 1 | no | -- |
| NX-2600 | 200178 | 1 | no | -- | 1 | no | -- |
| NX-2610 | 200193 | 2 | yes | no | 1 | no | -- |
| NX-2700 | 200401 | 2 | yes | yes | 2 | yes | yes |
| NX-2700 | 200697 | 2 | yes | yes | 2 | yes | yes |
| NX-3600 | 200349 | 2 | yes | no | 2 | yes | yes |
| NX-3700 | 200400 | 2 | yes | yes | 2 | yes | yes |
| NX-3700 | 200698 | 2 | yes | yes | 2 | yes | yes |
| NX-5600 | 200231 | 8 | yes | yes | 3 | yes | yes |
| NX-5700 | 200399 | 8 | yes | yes | 2 | yes | yes |
| NX-5700 | 200699 | 8 | yes | yes | 2 | yes | yes |
| NX-6700 | 200828 | 8 | yes | yes | 2 | yes | yes |
| NX-7600 | 200225 | 12 | yes | yes | 3 | yes | yes |
| NX-7700 | 200398 | 10 | yes | yes | 2 | yes | yes |
| NX-7700 | 200702 | 8 | yes | yes | 2 | yes | yes |
| NX-8600 | 200181 | 16 | yes | yes | 3 | yes | yes |
| NX-8700 | 200397 | 14 | yes | yes | 2 | yes | yes |
| NX-8700 | 200767 | 14 | yes | yes | 2 | yes | yes |
| NX-9610 | 200362 | 16 | yes | yes | 3 | yes | yes |
| NX-9700 (a) | 200396 | 14 | yes | yes | 2 | yes | yes |
| NX-9700 | 200768 | 14 | yes | yes | 2 | yes | yes |
| NX-10700 | 200519 | 18 | yes | yes | 2 | yes | yes |
| NX-10700 | 200769 | 18 | yes | yes | 2 | yes | yes |
| NX-11700 | 200711 | 18 | yes | yes | 2 | yes | yes |

a. Two disk configurations — regular and “v”
NX-1700 AC [PN 200404 and PN 200576]
| NX-1700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 1 | 1 |
| User authorized to replace? | no | no |
| Hot swappable? | -- | -- |

There are a couple of different physical chassis for AC current. The functional distinction is only in whether the physical interfaces are on the front panel or the rear panel.

Option #1 – NX-1700 AC with Interfaces on Rear Panel [PN 200404]
Figure: NX-1700 (AC), front view. Callouts: Power switch; Power LED.
When you toggle the Power switch, verify that the Power LED illuminates green.
Figure: NX-1700 (AC), rear view. Callouts: parallel port; power supply LED; network interfaces [lan0 / wan0 / lan1 / wan1]; console [serial port]; VGA port; auxiliary port; management interfaces [mgmt0 / mgmt1].

Option #2 – NX-1700 AC with Interfaces on Front Panel [PN 200576]
Figure: NX-1700 (AC), front view. Callouts: Power LED; management interfaces [mgmt0 / mgmt1]; console [serial port]; auxiliary port; network interfaces [lan0 / wan0 / lan1 / wan1].
Figure: NX-1700 (AC), rear view. Callouts: Power switch; Power plug.
Figure: NX-1700 LED legend for mgmt0 & mgmt1 and for lan0 / wan0 / lan1 / wan1. Link/Activity: blinking = traffic. Speed = solid. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.
NX-1700 DC [PN 200464]
| NX-1700 DC | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 1 | 1 |
| User authorized to replace? | no | no |
| Hot swappable? | -- | -- |

Figure: NX-1700 (DC), front view. Callouts: Power switch; Power LED.
When you toggle the Power switch, verify that the Power LED illuminates green.
Figure: NX-1700 (DC), rear view, with a side view of the DC terminal connector. Callouts: DC terminal connector (DC); parallel port; power supply LED; network interfaces [lan0 / wan0 / lan1 / wan1]; console [serial port]; VGA port; auxiliary port; management interfaces [mgmt0 / mgmt1].
a. Connect one wire from the NX-1700’s 0V terminal to the DC source 0V terminal.
b. Connect the second wire from the NX-1700’s –48V terminal to the DC source –48V terminal.
Figure: NX-1700 LED legend for mgmt0 & mgmt1 and for lan0 / wan0 / lan1 / wan1. Link/Activity: blinking = traffic. Speed = solid. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.
NX-2600 [PN 200178] / NX-2610 [PN 200193]
Figure: NX-2600 and NX-2610, front views. Callouts: Power LED [blue]; mgmt0; Hard Disk Drive activity; System Reset; Alarm Mute; Not used; mgmt1; Power switch.
On the front panel, verify that the Power LED illuminates blue.
Figure: disk layout for the NX-2600 (user replacement NOT authorized) and the NX-2610.
Figure: rear views of the NX-2600 and NX-2610.
Figure: NX-2600 / NX-2610 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps; Auto.
NX-2700 [PN 200401]
| NX-2700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-2700, front view. Callouts: "Illuminates red when a power supply is disconnected or off"; Alarm mute; Power LED [blue = ON]; System reset; Power button [plugging the power cords in automatically powers up the appliance].
Figure: NX-2700, disk layout.
Figure: NX-2700, rear view.
Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.
Figure: NX-2700 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: solid = link, blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.
Figure: NX-2700 LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-2700 [PN 200697]
| NX-2700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: front view and disk layout. Callouts: Power LED [blue = ON]; drive Status and Activity LEDs. Labels: Drive online; Drive failed (4 blinks/sec); Traffic.
Figure: rear view, with LED legend for mgmt0 & mgmt1 (Link and Activity LEDs). Labels: Not connected; Connected at max speed; Connected at lower speed; Traffic.
Figure: LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-3600 [PN 200349]
| NX-3600 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | no | yes |

Figure: NX-3600, front view and disk layout. Callouts: Disk 0; Disk 1.
These two slots house the hard disks you can remove and replace.
Figure: NX-3600, rear view.
Figure: NX-3600 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps; Auto.
NX-3700 [PN 200400]
| NX-3700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-3700, front view. Callouts: "Illuminates red when a power supply is disconnected or off"; Alarm mute; Power LED [blue = ON]; System reset; Power button [plugging the power cords in automatically powers up the appliance].
Figure: NX-3700, disk layout.
Figure: NX-3700, rear view.
Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.
Figure: NX-3700 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: solid = link, blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.
Figure: NX-3700 LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-3700 [PN 200698]
| NX-3700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 2 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: front view and disk layout. Callouts: Power LED [blue = ON]; drive Status and Activity LEDs. Labels: Drive online; Drive failed (4 blinks/sec); Traffic.
Figure: rear view, with LED legend for mgmt0 & mgmt1 (Link and Activity LEDs). Labels: Not connected; Connected at max speed; Connected at lower speed; Traffic.
Figure: LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-5600 [PN 200231]
| NX-5600 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 8 | 3 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-5600, front views. Callouts: Power LED [blue = ON]; Hard Disk Drive activity [Yellow = busy]; System Reset; Alarm Mute; mgmt0; mgmt1; Not used.
Figure: NX-5600, front views.
Figure: NX-5600, rear view.
Figure: NX-5600 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps; Auto.
NX-5700 [PN 200399]
| NX-5700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 8 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-5700, front view. Callouts: "Illuminates red when a power supply is disconnected or off"; Alarm mute; Power LED [blue = ON]; System reset; Power button [plugging the power cords in automatically powers up the appliance].
Figure: NX-5700, disk layout.
Figure: NX-5700, rear view.
Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.
Figure: NX-5700 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: solid = link, blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.
Figure: NX-5700 LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-5700 [PN 200699]
| NX-5700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 8 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: front view and disk layout. Callouts: Power LED [blue = ON]; drive Status and Activity LEDs. Labels: Drive online; Drive failed (4 blinks/sec); Traffic.
Figure: rear view, with LED legend for mgmt0 & mgmt1 (Link and Activity LEDs). Labels: Not connected; Connected at max speed; Connected at lower speed; Traffic.
Figure: LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-6700 [PN 200828]
| NX-6700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 8 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: front view and disk layout. Callouts: Power LED [blue = ON]; drive Status and Activity LEDs. Labels: Drive online; Drive failed (4 blinks/sec); Traffic.
Figure: rear view, with LED legend for mgmt0 & mgmt1 (Link and Activity LEDs). Labels: Not connected; Connected at max speed; Connected at lower speed; Traffic.
Figure: LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-7600 [PN 200225]
| NX-7600 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 12 | 3 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-7600, front views. Callouts: Power LED [blue = ON]; Hard Disk Drive activity [Yellow = busy]; System Reset; Alarm Mute; mgmt0; mgmt1; Not used.
Figure: NX-7600, disk layout.
Figure: NX-7600, rear view.
Figure: NX-7600 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps; Auto.
NX-7700 [PN 200398]
| NX-7700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 10 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-7700, front view. Callouts: "Illuminates red when a power supply is disconnected or off"; Alarm mute; Power LED [blue = ON]; System reset; Power button [plugging the power cords in automatically powers up the appliance].
Figure: NX-7700, disk layout.
Figure: NX-7700, rear view.
Each power cord socket has a corresponding green LED to its left. When a socket receives power, its LED illuminates green.
Figure: NX-7700 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: solid = link, blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.
Figure: NX-7700 LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-7700 [PN 200702]
| NX-7700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 8 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: front view and disk layout. Callouts: Power LED [blue = ON]; drive Status and Activity LEDs. Labels: Drive online; Drive failed (4 blinks/sec); Traffic.
Figure: rear view, with LED legend for mgmt0 & mgmt1 (Link and Activity LEDs). Labels: Not connected; Connected at max speed; Connected at lower speed; Traffic.
Figure: LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.
NX-8600 [PN 200181]
| NX-8600 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 16 | 3 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-8600, front view. Callouts: Power LED [blue = ON]; Hard Disk Drive activity [Yellow = busy]; System Reset; Alarm Mute; mgmt0; mgmt1; Not used.
Figure: NX-8600, disk layout.
Figure: NX-8600, rear view.
Figure: NX-8600 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps; Auto.
NX-8700 [PN 200397]
| NX-8700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 14 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-8700, front view. Callouts: Power supply warning LED [red = 1 PS down or missing]; Alarm mute; Power LED [blue = on]; System reset; Power switch. DISK LEDs: green = disk activity; red = error [no access to drive]; blue = disk on; NO LIGHT = OFF.
The two NX-8700s differ only in the placement of the solid state drives.
Figure: NX-8700, disk layout. Callouts: Solid-state disks; SATA hard disk drives.
Figure: NX-8700v, disk layout. Callouts: Solid-state disks; SATA hard disk drives.
Note that the NX-9700 and NX-8700 appliances contain a mix of SATA hard disk drives and SSDs (solid-state drives).
Figure: NX-8700, rear view. Callouts: Power Supply LEDs (green = power on); copper network interfaces; VGA port; console [serial port]; auxiliary port; 10 Gbps fiber network interfaces; management interfaces.

Management interfaces
Figure: NX-8700 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: solid = link, blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.

Network interfaces
Figure: NX-8700 LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.

10 Gbps fiber interfaces
Figure: NX-8700 LED legend for tlan0 / twan0. All LEDs are green. Link = solid. Activity = blinking.
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-8700 appliance.
• Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.
• These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
NX-8700 [PN 200767]
| NX-8700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 14 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: front view and disk layout. Callouts: Power LED [blue = ON]; drive Status and Activity LEDs. Labels: Drive online; Drive failed (4 blinks/sec); Traffic.
Figure: rear view, with LED legend for mgmt0 & mgmt1 (Link and Activity LEDs). Labels: Not connected; Connected at max speed; Connected at lower speed; Traffic.
Figure: LED legend for the network interfaces (lan0, wan0, lan1, wan1), each with a Link/Activity LED. Link/Activity: solid green = link good, blinking green = traffic. Labels: system bypass mode; Ports 0 + 2 – solid green; Ports 1 + 3 – OFF; slave ports; not in system bypass; Ports 0 + 2 – OFF; Ports 1 + 3 – solid green.

10 Gbps fiber interfaces
Figure: NX-8700 LED legend for tlan0 / twan0. All LEDs are green. Link = solid. Activity = blinking.
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-8700 appliance.
• Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.
• These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
NX-9610 [PN 200362]
| NX-9610 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 16 | 3 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-9610, front views. Callouts: Power LED [blue = ON]; mgmt0; Hard Disk Drive activity [Yellow = busy]; System Reset; Alarm Mute; mgmt1; Not used.
Figure: NX-9610, disk layout.
Figure: NX-9610, rear view. Callouts: 10 Gbps fiber network interfaces; 1 Gbps fiber network interfaces.
Figure: NX-9610 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps; Auto.
NX-9700 [PN 200396]
| NX-9700 | Hard Disks | Power Supplies |
| --- | --- | --- |
| Quantity | 14 | 2 |
| User authorized to replace? | yes | yes |
| Hot swappable? | yes | yes |

Figure: NX-9700, front view. Callouts: Power supply warning LED [red = 1 PS down or missing]; Alarm mute; Power LED [blue = on]; System reset; Power switch. DISK LEDs: green = disk activity; red = error [no access to drive]; blue = disk on; NO LIGHT = OFF.
The two NX-9700s differ only in the placement of the solid state drives.
Figure: NX-9700, disk layout. Callouts: Solid-state disks; SATA hard disk drives.
Note that the NX-9700 appliance contains a mix of SATA hard disk drives and SSDs (solid-state drives).
Figure: NX-9700v, disk layout. Callouts: Solid-state disks; SATA hard disk drives.
Note that the NX-9700 and NX-8700 appliances contain a mix of SATA hard disk drives and SSDs (solid-state drives).
Figure: NX-9700, rear view. Callouts: Power Supply LEDs (green = power on); 1 Gbps fiber network interfaces; VGA port; console [serial port]; 10 Gbps fiber network interfaces; management interfaces; auxiliary port.

Management interfaces
Figure: NX-9700 LED legend for mgmt0 & mgmt1. Speed = solid. Link/Activity: solid = link, blinking = traffic. States shown: Not connected; 10 Mbps; 100 Mbps; 1000 Mbps.

1 Gbps fiber interfaces
Figure: NX-9700 LED legend for lan0 / wan0 / lan1 / wan1. All LEDs are solid.

10 Gbps fiber interfaces
Figure: NX-9700 LED legend for tlan0 / twan0. All LEDs are green. Link = solid. Activity = blinking.
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default SR (Short Reach) modules in the NX-9700 appliance.
• Silver Peak supports different module combinations. For example, you may have an SR (Short Reach) interface for the LAN side and an LR (or long range) for the WAN.
• These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
NX-9700 [PN 200768]
NX-9700
Hard
Disks
Power
Supplies
Quantity
14
2
User authorized to replace?
yes
yes
Hot swappable?
yes
yes
Front View
Disk Layout
Status
Activity
Drive online
Power LED [blue = ON]
Rear View
10 Gbps fiber
network interfaces
Status
Activity
Status
Activity
Drive failed
(4 blinks/sec)
Traffic
1 Gbps fiber
network interfaces
.
mgmt0 & mgmt1
Link
Activity
Not connected
Link
Activity
Connected at max speed
Link
Activity
Connected at lower speed
Link
Activity
Traffic
1 Gbps fiber interfaces
lan0 / wan0 / lan1 / wan1
all LEDs are
solid
PN 200030-001 Rev M
301
Silver Peak Appliance Manager Operator’s Guide
Appliance Views
10 Gbps fiber interfaces
NX-9700
tlan0 / twan0
all LEDs are green
Link = solid
Activity = blinking
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default
SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short
Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the
handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
NX-10700 [PN 200519]
NX-10700 | Hard Disks | Power Supplies
Quantity | 18 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes
Front View
[Figure: front view, with callouts for the power supply warning LED (red = 1 PS down or missing), alarm mute, Power LED (blue = on), system reset, and power switch]
DISK LEDs:
green = disk activity
red = error [no access to drive]
blue = disk on
NO LIGHT = OFF
Disk Layout
Note that the NX-10700 appliance contains a mix of SATA hard disk drives and SSDs (solid-state drives).
[Figure: disk layout, with callouts for the SATA hard disk drives and the solid-state disks]
Rear View
[Figure: rear view, with callouts for the power supply LEDs (green = power on), console (serial port), auxiliary port, 10 Gbps fiber network interfaces, VGA port, and management interfaces]
Management interfaces (NX-10700: mgmt0 & mgmt1)
Speed = solid
Link/Activity: solid = link, blinking = traffic
[Figure: Link/Activity and Speed LED states for Not connected, 10 Mbps, 100 Mbps, and 1000 Mbps]
10 Gbps fiber interfaces (NX-10700: tlan0 / twan0)
all LEDs are green
Link = solid
Activity = blinking
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default
SR (Short Reach) modules in the NX-10700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short
Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the
handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
NX-10700 [PN 200769]
NX-10700 | Hard Disks | Power Supplies
Quantity | 18 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes
Front View
Disk Layout
[Figure: front view and disk layout, with the Power LED (blue = ON) and a Status/Activity LED legend for Drive online, Drive failed (4 blinks/sec), and Traffic]
Rear View
[Figure: rear view, with a callout for the 10 Gbps fiber network interfaces]
mgmt0 & mgmt1
[Figure: Link and Activity LED states for Not connected, Connected at max speed, Connected at lower speed, and Traffic]
10 Gbps fiber interfaces (tlan0 / twan0)
all LEDs are green
Link = solid
Activity = blinking
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default
SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short
Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the
handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
NX-11700 [PN 200711]
NX-11700 | Hard Disks | Power Supplies
Quantity | 18 | 2
User authorized to replace? | yes | yes
Hot swappable? | yes | yes
Front View
Disk Layout
[Figure: front view and disk layout, with the Power LED (blue = ON) and a Status/Activity LED legend for Drive online, Drive failed (4 blinks/sec), and Traffic]
Rear View
[Figure: rear view, with a callout for the 10 Gbps fiber network interfaces]
mgmt0 & mgmt1
[Figure: Link and Activity LED states for Not connected, Connected at max speed, Connected at lower speed, and Traffic]
10 Gbps fiber interfaces (tlan0 / twan0)
all LEDs are green
Link = solid
Activity = blinking
You have the option to separately order LR (Long Range) 10 Gbps Fiber Interfaces to replace the default
SR (Short Reach) modules in the NX-9700 appliance.

Silver Peak supports different module combinations. For example, you may have an SR (Short
Reach) interface for the LAN side and an LR (or long range) for the WAN.

These modules are hot-swappable.
You can distinguish the SR module from the LR module by the number on the label and the color of the
handle.
FTLX8571D3BCL — SR — Short Reach
• Bail (handle) is beige
• Default shipping module
FTLX1471D3BCL — LR — Long Range
• Bail (handle) is blue
• Optional, separate purchase
APPENDIX B
Power Cords & Cable Pinouts
This appendix lists and illustrates power cords, by country, and cable pinouts.
In This Appendix
• Power Cords by Country
• Fiber Connectors
• Cable Pinouts
• Configuring DB-9 Console Access to the Appliance
Power Cords by Country
This section includes country-specific power cord plug and receptacle specifications for the Silver Peak
appliances.
Table 2-1 Power Cord Specifics by Country
COUNTRY | APPROVALS | POWER CORD P/N | RATING | PLUG | RECEPTACLE
Argentina | IRAM | 9000.098 | 10A / 250V | IRM 2073: 1982 Argentina Plug | IEC-60320_C13
Australia | SAA | 8530.098 | 10A / 250V | AS 3112, Australia Plug | IEC-60320_C13
China | CCC | 8590.098 | 10A / 250V | GB2099, China Plug | IEC-60320_C13
Continental Europe | VDE, KEMA, CEVEC, NEMKO, DEMKO, SETI, OVE, SEV | 8500.098 | 10A / 250V | CEE 7/7 Europe Plug “Schuko” CE | IEC-60320_C13
Denmark | DEMKO | 8540.098 | 10A / 250V | SRAF 1962/DB 16/87, Danish Plug | IEC-60320_C13
India / South Africa | SABS, VDE | 8580.098 | 10A / 250V | BS 546, Indian Plug | IEC-60320_C13
Israel | SII | 8560.098 | 10A / 250V | SI32, Israeli Plug | IEC-60320_C13
Italy | IMQ | 8550.098 | 10A / 250V | CEU -23-16m, Italian Plug | IEC-60320_C13
Japan | PSE | 2000.098 | 10A / 125V | JIS 8303, Japanese Plug | IEC-60320_C13
Korea | KETI | 8704.098 | 10A / 250V | KSC 8305, Korean Plug | IEC-60320_C13
North America | UL, CSA | 2500.072 | 10A / 125V | NEMA 5-15P | IEC-60320_C13
Switzerland | SEV | 8520.098 | 10A / 250V | SEV 1011, Swiss Plug | IEC-60320_C13
United Kingdom / Ireland | BSI | 9650.098 | 10A / 250V | BS 1363, U.K. Plug | IEC-60320_C13
[Figures: power cord drawings for Argentina, Australia, China, Continental Europe, Denmark, India & South Africa, Israel, Italy, Japan, Korea, North America, Switzerland, and United Kingdom & Ireland]
Fiber Connectors
Fiber modules accept the following fiber cable:
multimode duplex Fibre Channel optic LC/LC patch cable
Cable Pinouts
Following is the pinout for the console (RS-232 serial) port, which uses a null modem cable.
Configuring DB-9 Console Access to the Appliance
For console port access, the appropriate settings are as follows:
Bits per second: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none
APPENDIX C
Glossary
802.1q encapsulation. Also known as VLAN tagging. An IEEE standard (and process) which allows
multiple bridged networks to transparently share the same physical network link without leakage of
information between networks and, in common usage, the name of the encapsulation protocol used to
implement this mechanism over Ethernet networks.
ACL. Access Control List.
ARP. Address Resolution Protocol. An IP protocol for finding a host’s link layer (hardware) address
when only its Internet Layer or some other Network Layer address is known.
asymmetric routing. When new writes can be made without having to wait for the secondary or remote
storage site to also finish its writes.
asynchronous replication. A type of disk storage replication, where write is considered complete as
soon as local storage acknowledges it. Remote storage is updated, but probably with a small lag.
Performance is greatly increased, but in case of losing a local storage, the remote storage is not
guaranteed to have the current copy of data and most recent data may be lost.
authentication. The process of validating the claimed identity of an end user or a device such as a host,
server, switch, router, etc.
authorization. The act of granting access rights to a user, groups of users, system, or program.
auto discovery. Within the NX Series appliances, the ability of an appliance to discover and register
with the Global Management System (GMS) server when first deployed.
auto-negotiation. The process by which terminating devices automatically negotiate for maximum
bandwidth.
bandwidth. A rate of data transfer, throughput, or bit rate, measured in bits per second.
bit. A binary digit, taking a logical value of either "1" or "0" (also referred to as "true" or "false"
respectively). It is also a unit of measurement, the information capacity of one binary digit.
blan0. When configuring for gigabit etherchannel bonding, lan0 plus lan1 bond to form blan0, which
uses the lan0 IP address.
Bridge mode. In-line deployment of an appliance, placing it between an Ethernet LAN switch and a
WAN edge router.
bwan0. When configuring for gigabit etherchannel bonding, wan0 plus wan1 bond to form the virtual
interface, bwan0, which uses the wan0 IP address.
bypass. Refers to hardware bypass. If there is a major problem with the appliance hardware, software,
or power, all traffic goes through the appliance without any processing. Additionally, you can manually
put the appliance into Bypass as an aid to troubleshooting.
chattiness. A common problem with naively designed application protocols is that they are too
“chatty”. That is, they imply too many “round-trip” cycles.
CIFS. Common Internet File System. CIFS is the remote file system access protocol used by Windows
servers and clients to share files across the network. Some specific capabilities of CIFS include file
access, record locking, read/write privileges, change notification, server name resolution, request
batching, and server authentication.
CIFS acceleration. A set of techniques for mitigating the impacts of latency across the WAN. They
include read-aheads and write-behinds to pipeline CIFS requests and the respective acknowledgements.
This dramatically minimizes roundtrip delays when using CIFS over a WAN.
CLI. See Command Line Interface.
client. An application or system that accesses a remote service on another computer system, known as
a server, by way of a network.
Command Line Interface. A method of configuring the appliance by typing in commands via the local
serial interface or remote SSH session. [Peribit]
CoS. Class of Service (CoS) is a way of managing traffic in a network by grouping similar types of
traffic (for example, e-mail, streaming video, voice, large document file transfer) together and treating
each type as a class with its own level of service priority. Unlike Quality of Service (QoS) traffic
management, Class of Service technologies do not guarantee a level of service in terms of bandwidth and
delivery time; they offer a "best-effort." On the other hand, CoS technology is simpler to manage and
more scalable as a network grows in structure and traffic volume. One can think of CoS as
"coarsely-grained" traffic control and QoS as "finely-grained" traffic control.
crossflow compression. A technique that applies compression across various flows of traffic.
data streaming. The transfer of data at a steady high-speed rate sufficient to support such applications
as high-definition television (HDTV) or the continuous backup copying to a storage medium of the data
flow within a computer. Data streaming requires some combination of bandwidth sufficiency and, for
real-time human perception of the data, the ability to make sure that enough data is being continuously
received without any noticeable time lag.
datagram. An independent, self-contained message sent over the network whose arrival, arrival time,
and content are not guaranteed.
default gateway. A gateway is a router on a computer network, serving as an access point to another
network.
DHCP. Dynamic Host Configuration Protocol. A TCP/IP protocol that enables PCs and workstations to
automatically get temporary or permanent IP addresses (out of a pool) from centrally administered
servers.
DNS. Domain Naming System or Domain Name Server. It serves as the "phone book" for the Internet
by translating human-friendly computer hostnames into IP addresses.
DSCP. Differentiated Services Code Point. A 6-bit value that encodes Per-Hop Behavior (PHB) into
the 8-bit Differentiated Services (DS) field of the IP packet header. The DS field is the same as the TOS
(Type of Service) field.
domain. The main purpose of a domain name is to provide recognizable names to mostly numerically
addressed Internet resources. This abstraction allows any resource (for example, website) to be moved to
a different physical location in the address topology of the network, globally or locally in an intranet, in
effect changing the IP address.
failover. The capability to switch over automatically to a redundant or standby computer server, system,
or network upon the failure or abnormal termination of the previously active server, system, or network.
Failover happens without human intervention and generally without warning, unlike switchover.
FEC. Forward Error Correction. When Adaptive Forward Error Correction (FEC) is enabled, the
appliance introduces a parity packet, which helps detect and correct single-packet loss within a stream of
packets, reducing the need for retransmissions. Silver Peak dynamically adjusts how often this parity
packet is introduced in response to changing link conditions. This maximizes error correction while
minimizing overhead.
flow. In a packet switching network, packet flow or traffic flow is a sequence of packets from a source
computer to a destination, which may be another host, a multicast group, or a broadcast domain. As
packets traverse successive communication links towards their destination, the packets from one flow
(for example, A1, A2, A3) will be intermingled with packets from other flows also traversing the network
to form a multiplexed stream (for example, A1, B7, C9, A2, C10, A3). This represents a form of
statistical multiplexing because the link is shared as required.
FTP. File Transfer Protocol. A network protocol used to exchange and manipulate files over a TCP
computer network, such as the Internet. An FTP client may connect to an FTP server to manipulate files
on that server.
full duplex. Bidirectional, simultaneous two-way communications.
gateway. Also called protocol converters, can operate at any layer of the OSI model. The job of a
gateway is much more complex than that of a router or switch. Typically, a gateway must convert one
protocol stack into another.
GMS. Global Management System.
GRE. Generic Routing Encapsulation. Tunneling protocol developed by Cisco that can encapsulate a
wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco
routers at remote points over an IP internetwork.
GUI. Graphical User Interface.
half duplex. A circuit designed for data transmission in both directions, but not at the same time.
hardware bypass. If there is a major problem with the appliance hardware, software, or power, all
traffic goes through the appliance without any processing. Additionally, you can manually put the
appliance into Bypass as an aid to troubleshooting.
header compression. This technique can provide additional bandwidth gains by reducing packet
header information using specialized compression algorithms.
high availability. For maximizing uptime, deploying NX appliances redundantly in 1+1 or N+1
configurations, with failover and load balancing.
host. In computer networking, a network host, Internet host or host is a computer connected to the
Internet. A network host can host information as well as client and/or server software.
host address. The host address, or more properly the host id portion of an IP address is the portion of
the address used to identify hosts (which can be any device requiring a Network Interface Card, such as a
personal computer or networked printer) on the network.
HTTP. HyperText Transfer Protocol. The protocol web browsers use to communicate with web
servers.
HTTPS. HyperText Transfer Protocol Secure. A combination of the HyperText Transfer Protocol and
a cryptographic protocol, for accessing a secure web server.
ICMP. Internet Control Message Protocol. An internet protocol used by networked computers’
operating systems to manage errors and generate control messages.
Internet. A global network of interconnected computers, enabling users to share information along
multiple channels.
IP. Internet Protocol. Network layer protocol in the TCP/IP stack that enables a connectionless
internetwork service.
IP Address. An Internet Protocol (IP) address is a numerical identification and logical address that is
assigned to devices participating in a computer network utilizing the Internet Protocol for
communication between its nodes.
IPsec. Internet Protocol Security Protocol.
IP VPN. Internet Virtual Private Network.
LAN. Local Area Network.
LAN Rx. Traffic received from the LAN.
LAN Tx. Traffic transmitted to the LAN.
latency. A time delay between the moment something is initiated, and the moment one of its effects
begins or becomes detectable. Network latency is the time it takes for information to go from a sender to
a receiver and back.
load balancing. A technique to spread work between two or more computers, network links, CPUs,
hard drives, or other resources, in order to get optimal resource utilization, maximize throughput, and
minimize response time. Using multiple components with load balancing, instead of a single component,
may increase reliability through redundancy. The balancing service is usually provided by a dedicated
program or hardware device.
lossy. A WAN prone to dropped and out-of-order packets. This is most common on shared networks,
like MPLS and Internet VPNs.
MAPI. Messaging Application Programming Interface. A Microsoft Windows program interface that
enables you to send e-mail from within a Windows application and attach the document you are working
on to the e-mail note. Applications that take advantage of MAPI include word processors, spreadsheets,
and graphics applications.
MIB. Management Information Base. A type of database for managing devices in a communications
network.
Microsoft Exchange. Messaging and groupware software for Windows from Microsoft. The Exchange
server is an Internet-compliant messaging system that runs under Windows systems and can be accessed
by web browsers, the Windows In-box, Exchange client or Outlook. The Exchange server also stores
files for sharing.
MPLS. MultiProtocol Label Switching is an IETF initiative that integrates Layer 2 information into
Layer 3 (IP) packets.
MTU. Maximum Transmission Unit. The largest size packet that a device can transmit on a network.
Network Acceleration. Addresses high WAN latency and TCP chattiness. This is achieved using
standard TCP acceleration techniques, such as adjustable windows and selective acknowledgements.
Network Integrity. Protects traffic from collateral congestion in a shared service provider network by
mitigating the impact of dropped and out-of-order packets.
Network Memory™. Addresses limited bandwidth. This technology uses advanced fingerprinting
algorithms to examine all incoming and outgoing WAN traffic. Network Memory localizes information
and transmits only modifications between locations.
NFS. Network File System. The file sharing protocol in a UNIX network.
OOO. Out-of-Order [packets].
out-of-path. Same as Router mode. In an out-of-path deployment, policy-based routing (PBR), VRRP,
or WCCP redirect the traffic to the Silver Peak appliance for processing.
packet coalescing. When packets are small, packet headers consume substantial bandwidth in
comparison to the amount of end-user data transferred. Packet coalescing combines multiple user packets
traveling between the same two sites into a single coalesced packet. Used in conjunction with header
compression, this amortizes a single header over multiple packets thus decreasing overhead, and
therefore bandwidth requirements. Packet coalescing is particularly beneficial for web applications,
VoIP, and interactive applications, like Citrix.
pass-through traffic. Traffic that is sent to the WAN without being optimized.
payload compression. Uses algorithms to identify relatively short byte sequences that are repeated
frequently over time. These sequences are then replaced with shorter segments of code to reduce the size
of transmitted data. Simple algorithms can find repeated bytes within a single packet; more sophisticated
algorithms can find duplication across packets and even across flows.
PBR. Policy-based routing is a technique used to make routing decisions based on policies set by the
network administrator.
Propagate Link Down. Forces the WAN interface to go down when the corresponding LAN interface
goes down, or vice versa. By default, this option is enabled on the Configuration - System page.
ping. A program used to test whether a particular network destination is online, by sending an Internet
Control Message Protocol (ICMP) echo request and waiting for a response. [Peribit]
POC. Packet Order Correction. To avoid retransmissions that occur when packets arrive out of order,
Silver Peak NX appliances use Packet Order Correction (POC) to resequence packets on the far end of a
WAN link, as needed.
QoS. Quality of Service is the ability to provide different priority to different applications, users, or data
flows, or to guarantee a certain level of performance to a data flow. QoS involves several functions: 1)
classification of packets into traffic classes based on characteristics such as source, destination addresses,
and/or applications and 2) queuing and service mechanisms that are used to apply service policies based
on these classifications, including bandwidth allocation.
RADIUS. Remote Authentication Dial In User Service (RADIUS) is a networking protocol that
provides centralized Authentication, Authorization and Accounting (AAA) management for computers
to connect and use a network service. It is a client/server protocol that uses UDP as transport.
Router mode. Out-of-path deployment, where data traffic is redirected by using policy-based routing
(PBR), Web Cache Coordination Protocol (WCCP), or Virtual Router Redundancy Protocol (VRRP).
RTT. Round-trip time. The time it takes to send a packet to a remote host and receive a response; used
to measure delay on a network at a given time. [Peribit]
SMB. Server Message Block. An application-level network protocol mainly used to provide shared
access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
SMB2. Server Message Block, version 2.
SMTP. Simple Mail Transfer Protocol. A de facto standard for electronic mail (e-mail) transmissions
across the Internet.
SNMP. Simple Network Management Protocol. A standard TCP/IP protocol for network management.
Network administrators use SNMP to monitor network devices, performance, and security, and to
manage configurations and collect statistics.
SSL. Secure Socket Layer. These are cryptographic protocols that provide secure communications for
such things as web browsing, email, and other data transfers over the internet.
subnet. A portion of a network that shares a common address component. On TCP/IP networks,
subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with
IP addresses that start with 100.100.100. would be part of the same subnet. Dividing a network into
subnets is useful for both security and performance reasons. IP networks are divided using a subnet mask.
switch. A network device that filters and forwards frames based on the destination address of each
frame. The switch operates at Layer-2 (data link layer) of the Open System Interconnection (OSI) model.
TACACS+. Terminal Access Controller Access-Control System Plus is a protocol which provides
access control for routers, network access servers and other networked computing devices via one or
more centralized servers. TACACS+ provides separate authentication, authorization and accounting
services. It uses TCP for its transport. Transactions between the TACACS+ client and TACACS+ servers
are also authenticated through the use of a shared secret.
TCP. Transmission Control Protocol. The error-correcting Transport layer (Layer-4) in the TCP/IP
protocol suite. It ensures that all data arrive at the other end accurately and completely intact.
TCP acceleration. A set of techniques for mitigating the impacts of latency across the WAN. They
include adjustable window sizing and selective acknowledgements.
TCP/IP. Transmission Control Protocol/Internet Protocol. A protocol suite for communication between
computers, used as a standard for transmitting data over networks and as the basis for standard Internet
protocols.
Telnet. A terminal emulation protocol used on the Internet and TCP/IP-based networks. A Telnet
program allows a user at a terminal or PC to log in to a remote computer and run a program and execute
other Unix commands.
throughput. The average rate of successful message delivery over a communication channel.
tunneling. Encapsulating one type of network protocol (called the payload protocol) within a different
delivery protocol. Reasons to use tunneling include carrying a payload over an incompatible delivery
network, or to provide a secure path through an untrusted network.
UDP. User Datagram Protocol. Part of the TCP/IP protocol suite, it was created to provide a way for
applications to access the connectionless features of IP. UDP provides for exchange of datagrams without
acknowledgements or guaranteed delivery.
VLAN. Virtual Local Area Network. A means by which LAN users on different physical LAN segments
are afforded priority access privileges across the LAN backbone so that they appear to be on the same
physical segment of an enterprise-level logical LAN.
VLAN tag. See 802.1q encapsulation.
VoIP. Voice-Over-Internet-Protocol. A protocol optimized for the transmission of voice through the
Internet or other packet-switched networks.
VRRP. Virtual Router Redundancy Protocol is a standard redundancy protocol designed to increase the
availability of servicing hosts on the same subnet.
WAN. Wide Area Network.
WAN Rx. Traffic received from the WAN.
WAN Tx. Traffic transmitted to the WAN.
WCCP. Web Cache Communications Protocol. A Cisco-developed content-routing protocol that
provides a mechanism to redirect traffic flows in real-time. It has built-in load balancing, scaling, fault
tolerance, and service-assurance (failsafe) mechanisms.
X.11. An application redirect protocol; a distributed window system that is based on the client/server
model.
Index
Index
Symbols
151
A
Access Control Lists 30–32
application groups in 42
characteristics of 30
how they filter traffic 31–32
modifying an ACL rule 30
Alarm Log Viewer 198
alarms
clearing 240
current
viewing 249–250
list of types and text 241–248
severity levels 240
bandwidth shaping 14
See also Configuration - Tunnels
page
banners
login message 191
Message of the Day 191
blan0
See etherchannel bonding
bridge mode
statistics 136
bwan0
See etherchannel bonding
bypass
See System Bypass
appliance configuration file
See configuration file
C
application groups
creating 42–43
properties of 42
using in MATCH criteria 42
CIFS Acceleration 108
disabled in Tunnel Compatibility
Mode 21
applications
built-in
list of 33–39
viewing 39
statistics 141, 149–150, 151
asymmetric networks or flows
See flow redirection
Audit Log 199
Auto Tunnel 4, 14, 16, 46
auto-optimization 4, 14, 27, 45, 48,
58, 69–71, 72, 74
SET actions diagram 77
TCP, Router mode handshaking 70
B
bandwidth
dynamic chart 145
bandwidth management
auto bandwidth 93
best practices 88
PN 200030-001 Rev M
saving to
a remote server 202
an FTP server 204
an SCP server 203
Show Tech 200, 201
Snapshot 200, 201
TCP Dump Result 200, 201
types of 200
See also logs
for multiple tunnels 88
multiple traffic classes 88
cluster interface 116, 118
configuration file
downloading
fron a local disk 220
saving 218
current flows
customizing which columns display
155
details of 156–159
resetting for improved performance
166
statistics 136, 152–166
unaccelerated TCP 166
See also flows
D
Debug Dump 200, 201
debug files
Debug Dump 200, 201
deleting 205
Log 200, 201
DSCP markings 84, 85, 109
apply to
pass-through traffic 98–100
applying to
optimized traffic 95–97
definitions list 100–101
E
encapsulation 14
encryption
hard disk 209
etherchannel bonding
configuring 6
gigabit, for 4-port devices 5
Events Log 197
F
FEC
See Forward Error Correction
flow counts
statistics 146
TCP and non-TCP 171
See also current flows
flow redirection
asymmetric networks and flows 112
configuration example 115–118
for LAN-initiated traffic 114
for removing asymmetry 112
reporting 119
statistics 136, 173–174
for WAN-initiated traffic 113
Forward Error Correction
dynamic chart 147
325
Silver Peak Appliance Manager Operator’s Guide
statistics 147, 171, 172
in Tunnel Compatibility Mode 21
FTP server capability in appliance 188
O
CIFS Acceleration
See also Optimization policies 108
I
inbound traffic 138, 170
interfaces
manually configuring for DHCP 9
statistics 136, 176–177
Optimization policies 77, 104–110
Configuration page organization
110
default behaviors 27
when the appliance can apply them
110
L
Payload Compression
See also Optimization policies 106
latency
statistics 171
login message banner 191
logs
Alarm Log Viewer 198
Audit Log 199
deleting files 205
Event Log Viewer 197
loss
dynamic chart 147
TCP Acceleration
See also Optimization policies 106
outbound traffic 138, 170
Out-of-Order Packets (OOP)
dynamic chart 148
See Packet Order Correction
P
packet coalescing
in Tunnel Compatibility Mode 21
M
Packet Order Correction
statistics 171
in Tunnel Compatibility Mode 21
MATCH criteria
5-tuple 28
application groups in 42
how they filter traffic 31–32
specifying applications and protocols in 29
Payload Compression 106
disabled 21
Message of the Day 191
MIBs, list of standard and proprietary 184
ping 224, 226–227
POC
See Packet Order Correction
N
power, connecting and verifying 266–304
pre-positioning data 188, 189
NetFlow
statistics 136
network connectivity, testing 223–225
See also ping, traceroute, and tcpdump
Network Memory
available settings 105
benefit scenarios 105
definition 105
disabled in Tunnel Compatibility Mode 21
erasing 236
hard disk encryption 209
pre-positioning data into 188, 189
for TCP flow symmetry 7, 37, 68, 71
out-of-path traffic 4, 14, 16, 46, 72–75
See also Optimization policies
pass-through traffic
applying DSCP markings 98–100
Q
QoS policies 83–101
Configuration page organization 94
default behaviors 27, 84
QoS shaping and marking 21
QoS statistics 136, 167
R
reboot clean 237
rebooting the appliance 237
redirection
Reorder Wait Time 172
restarting the appliance 237
Route policies 45–81
auto optimization ??–71
auto-optimization 69–??
Configuration page organization 81
default behaviors 27
where to direct flows 76–80
S
SET actions 27, 30, 31
in Optimization policies 104, 110
in QoS policies 94
in Route policies 46, 76–80, 81
Shaper 14, 27, 77, 83, 84, 86, 88, 94
defining Traffic Classes and limits with 89–92
Show Tech 200, 201
shutdown 237
Snapshot 200, 201
SNMP
configuring SNMP settings 185
loading SNMP MIBs 184
software management
installing a software image
into a partition 212
options 210–211
switching partitions 215
software version
listed 208
statistics
about viewing 138–140
applications 141, 149–150
bridge mode 136
counters
clearing non-destructively 139
view since reboot 138
current flows 136, 152–166
Delta Stats 139
flow counts 146
flow redirection 136, 173–174
Forward Error Correction 147
interfaces 136, 176–177
NetFlow 136
QoS 136, 167
refreshing 139
tunnel 168–172
subnet sharing 4, 14, 46, 72, 73
how to use in common deployments 47–68
W
web
protocol settings 194
user settings 194
Support, contacting 206
System Bypass 17, 208
system information, displayed 208
T
TCP Acceleration 106
disabled 21
TCP flows
asymmetric
See flow redirection
tcpdump 200, 201, 225
options 230–233
retrieving results 234–235
Technical Support, contacting 206
traceroute 225, 228–229
traffic
direction of flows 138
inbound 138
outbound 138
tunnel
characteristics 15
diagram of directing flows to 76–77
encapsulation 21
manually creating a 17–20
parallel 15
parameters
FEC 21
POC 21
QoS shaping and marking 21
reduced functionality, indicating 21
statistics 168–172
traffic
how Route Policies affect 14
Tunnel Compatibility Mode 21
disabled optimizations 21
preserved functionalities 21
U
uptime, of appliance 208
V
VLANs
in Current Flows Details 157
Silver Peak Systems, Inc.
2860 De La Cruz Boulevard, Suite 100
Santa Clara, CA 95050
1.877.210.7325
+1.408.935.1850
www.silver-peak.com