A Riverbed Steelhead WAN accelerator is deployed when traffic crossing a WAN (e.g. MPLS, Frame Relay) needs to be optimized, which is what is commonly called "WAN acceleration". In a "standard" WAN made up of WAN routers and LAN switches, the Riverbed Steelhead is typically placed inline between the WAN routers and the LAN switches. Following is an illustration.
In some cases, the WAN consists of a site-to-site IPSec VPN tunnel terminated on an ASA/PIX Firewall. In that design the Riverbed Steelhead is placed between the ASA/PIX Firewall and the LAN switches, instead of between routers and switches. Following is an illustration.
Riverbed Steelhead Mechanism
Riverbed Steelhead optimizes the TCP SYN and SYN-ACK transactions between sites in order to achieve WAN optimization. By default, TCP option 76 is carried only in the SYN and SYN-ACK packets of each TCP connection. It is used for autodiscovery.
In addition, Riverbed Steelhead uses TCP option 78, which is carried in every TCP segment of a connection. This is necessary to allow the Steelheads to distinguish full transparency packets.
Note that 76 and 78 are the default option numbers, and that they can be changed through the Steelhead configuration. See the following official Riverbed links for more information (PDF files).
Riverbed Steelhead Technical Overview
Riverbed Steelhead Guide
Because the ASA/PIX Firewall is a security device by default, specific configuration must be in place to permit TCP option 76 and TCP option 78, which the Riverbed Steelhead needs in order to operate, whenever the Steelhead is placed between the ASA/PIX Firewall and the LAN switches.
Following is a sample configuration for ASA/PIX Firewall version 7.0 or above.
! A packet matches only one class per feature type in a policy-map, and both
! original ACLs matched all TCP traffic, so the option 78 class was never applied.
! Both options are therefore allowed in one tcp-map applied through one class.
access-list Riverbed_TCP_Options extended permit tcp any any log
tcp-map Riverbed_TCP_Options_Tmap
 tcp-options range 76 76 allow
 tcp-options range 78 78 allow
class-map Riverbed_TCP_Options_Cmap
 match access-list Riverbed_TCP_Options
policy-map global_policy
 class Riverbed_TCP_Options_Cmap
  set connection advanced-options Riverbed_TCP_Options_Tmap
In many organizations, the Riverbed Steelhead is configured to use TCP option 76 for both autodiscovery and full transparency packets. When this is the case, following is the sample configuration for ASA/PIX Firewall version 7.0 or above.
access-list Riverbed_TCP_Option_76 extended permit tcp any any log
tcp-map Riverbed_TCP_Option_76_Tmap
 tcp-options range 76 76 allow
class-map Riverbed_TCP_Option_76_Cmap
 match access-list Riverbed_TCP_Option_76
policy-map global_policy
 class Riverbed_TCP_Option_76_Cmap
  set connection advanced-options Riverbed_TCP_Option_76_Tmap
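To confirm the firewall really passes the options, compare the TCP options of the same SYN captured on the inside and outside interfaces. The following is an added example, not part of the original FAQ or any Riverbed or Cisco tool: a small TCP option walker run over two constructed SYN headers. The option 76 payload bytes are placeholders, and it is an assumption that a device clearing the option leaves NOP padding in its place.

```python
import struct

# Default option kinds named in this FAQ; both can be changed on the Steelhead.
RIVERBED_KINDS = {76: "autodiscovery", 78: "full transparency"}

def tcp_option_kinds(tcp_header):
    """Return the TCP option kinds present in a raw TCP header, in order."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4        # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, kinds, i = tcp_header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of Option List
            break
        if kind == 1:                              # NOP is a single byte
            i += 1
            continue
        # Every other option is kind, length, value; length covers all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option kind %d" % kind)
        kinds.append(kind)
        i += opts[i + 1]
    return kinds

def riverbed_options(tcp_header, wanted=RIVERBED_KINDS):
    """Map each Steelhead option kind found in the header to its purpose."""
    return {k: wanted[k] for k in tcp_option_kinds(tcp_header) if k in wanted}

def build_syn(options):
    """Build a constructed SYN header (ports and sequence number are samples)."""
    options += b"\x01" * (-len(options) % 4)       # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 445, 1, 0,
                       offset << 4, 0x02, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
# Constructed: SYN as sent by the Steelhead (kind 76, length 10, placeholder data).
INSIDE_SYN = build_syn(MSS + b"\x4c\x0a" + b"\xaa" * 8)
# Constructed: same SYN after a device overwrote the option with NOPs (assumption).
OUTSIDE_SYN = build_syn(MSS + b"\x01" * 10)

if __name__ == "__main__":
    print("inside :", riverbed_options(INSIDE_SYN))
    print("outside:", riverbed_options(OUTSIDE_SYN))
```

If the outside capture shows no option 76 (or 78) while the inside capture does, the tcp-map is not being applied to that traffic.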