Professional Documents
Culture Documents
For the first part of this lab, we will use m0n0wall as the sample package. m0n0wall is a free firewall package that is based on
BSD and it was chosen because of its small foot print in terms of memory and disk size. However, the process involved in the
first part of this lab is applicable to all packages whether it’s m0n0wall or Windows® 2003.
You can find more information on m0n0wall by going here: http://m0n0.ch/wall/ The m0n0wall package used in this lab has been
modified to include an extra NIC for management purpose.
In the second and third portion of the lab, we will look into specific deployment types and how to configure the data flow rules to
redirect the traffic to the package.
• Somewhat familiar with the concept of virtualization and that you have a basic understanding of VMWare Workstation
or VMWare Server;
• You have already upgraded the Steelhead’s memory per the RSP requirement;
Network Topology
This is the topology that we’ll be using for this lab. Note that there is no Network Nightmare in this topology and that it is a
bridged network.
172.30.1.11
P – 172.30.1.50 P – 172.30.1.40
` InP – 172.30.1.51 InP – 172.30.1.41
PC
172.30.1.0/24
Part 1
Using the RSP Package Creator to create the package
Convert the growable VMDK to a pre-allocated VMDK
Creating VMWare images with growable VMDK is a common practice as it doesn’t require the allocation of disk space at the time
of creation. However, the current release of RSP doesn’t support this feature. If you have VMWare images that use growable
VMDK, you’ll need to convert them to pre-allocated VMDK using the vmware-vdiskmanager.
Vmware-vdiskmanager is a tool that comes with VMWare Workstation/Server/ESX. This tool is not available with VMWare
Player.
The author of m0n0wall created the package using a growable VMDK and therefore it needs to be converted to a pre-allocated
VMDK.
Your vmware-vdiskmanager should be in the search path. If that is not the case, specify the absolute path
Running the renaming command will overwrite the original VMDK. This is intentional.
You should see, amongst other files, two files in the directory: m0n0wall.vmdk and m0n0wall-flat.vmdk. The m0n0wall.vmdk file
should be < 1K, and the m0n0wall-flat.vmdk should be approximately 27MB.
You should have already downloaded the RSP image. If not, please download the RSP image now.
Browser upload is the simplest method of the three but there is also a size limitation of 2GB. If your package is > 2GB, you
cannot use this method to upload the package.
If your package is > 2GB, you can place the image on a HTTP server and configure the RSP to download the image instead.
However, you will need to place the image on a HTTP server.
For the purpose of this exercise, we will use pscp (Putty secure copy) as the other two methods are self-explanatory.
Binding the package’s management interface to the primary/aux interface of the Steelhead
Not every package has a management interface, but if it does, you can choose to bind it to either the primary or auxiliary
interface. For m0n0wall, we will bind the management interface to the Steelhead’s primary interface.
End of Part 1
Congratulations! You’ve successfully loaded a package on the RSP! Regardless of the package, these are the necessary steps
to load the package on the RSP. In the next section, we will look at the different deployment types and how to configure specific
features.
Part 2
Accessing and configuring the package
There are two ways to access the packages: through VMWare Infrastructure client or through the console itself.
NB: After logging in, you may see an error message that says you don’t have permission to access this console. This is a
VMWare plug-in issue. If you wait for ~ 30 secs, the message will disappear.
6. You may be asked to install the browser plug-in. If so, install the plug-in and log back into the Steelhead.
7. Click in the black window to open the virtual machine.
Deployment scenarios
RSP supports the following mode of deployments: in-path, out-of-band, virtual in-path, virtual in-path (span port), and virtual in-
path (destination NAT).
In-path/In-band package
Configuring the m0n0wall package
As mentioned previously, m0n0wall is a stateful firewall based on BSD. m0n0wall also has the capability of inducing latency into
the network – similar to the function of Network Nightmare. For the purpose of this exercise, we will configure m0n0wall to
induce 100ms of latency and set the network bandwidth to 512Kbps.
1. Access the m0n0wall package via the console or through the VM Infrastructure client.
2. You should see a screen similar to the following
A note regarding m0nwall’s interfaces: the default m0n0wall package does not include a dedicated management interface.
The m0n0wall VM was modified to include a third interface so that a dedicated interface can be used for management.
m0n0wall uses the LAN interface as its management interface. Therefore, the interface maps as follow:
10. Once the firewall comes back up, enter “2” to assign an IP address to the LAN interface.
11. If you’re using the Branch Steelhead with m0n0wall, use the IP address 172.30.1.42
12. Enter “24” for the number of bits
13. Enter “n” for enabling DHCP on the LAN
14. You can now perform the rest of the configuration through the client’s browser.
15. RDP into a client PC. Launch your browser and navigate to the IP address that you’ve given to m0n0wall.
16. Login as “admin”, password “mono” (alphabet “o” and not zeroes “0”)
17. On the left hand side under “Interfaces (assign), click on “OPT1”.
18. Click on the checkbox for “Enable Optional 1 interface”
19. In the pull-down for “Bridge with”, select “WAN”. Click “Save”
20. On the left hand side under “Interfaces (assign)”, click on WAN. Scroll to the bottom and uncheck the box for “Block
private networks”. Click “Save”
21. On the left hand side under “Firewall”, click on “Rules”
22. Click on “WAN”
23. Click on the “+” sign
24. Make sure the “Interfaces” says “WAN” and change the “Protocol” to “Any”. Click “Save”
25. On the same page, click on “OPT1”
26. Click on the “+” sign
27. Make sure the “Interfaces” says “OPT1” and change the “Protocol” to “Any”. Click “Save”
28. Click on “Apply changes”
29. On the left hand side under “Firewall”, click on “Traffic Shaper”.
30. Check the box “Enable traffic shaper”. Click “Save”
31. On the same page, click on “Pipes”, then click on the “+” sign
32. For “Bandwidth”, enter 512. For “Delay”, enter 50. Click “Save”
33. Click “Apply changes”
34. You should now be in the “Firewall:Traffic shaper:Rules” page. Click on the “+” sign.
35. For “Interface”, choose “OPT1”. For “Protocol”, choose “any”. Click “Save”
36. Click on either one of the “+” sign.
37. For “Interface”, choose “WAN”. For “Protocol”, choose “any”. Click “Save”
38. There should now be two rules in the list. Click “Apply Changes”
39. m0n0wall is now configured to induce 100ms of latency (50ms in each direction).
40. From the client, initiate a ping to the server’s IP (172.30.1.30). What do you see? You should see the latency remains
at LAN speed.
If your Steelhead has a 4 port card, you will see two data flow tables: one for the inpath0_0 and the other for inpath0_1. We will
only be using inpath0_0. However, it’s important to note that in a real life scenario, if you want the package to cover multiple in-
path interfaces, you need to make sure that the package itself is capable of doing so.
Even after adding the package’s VNI to the dataflow, the default behavior is to pass-through the traffic. To start redirecting traffic
to the package, you can do one of two things: change the default IP and non-IP policy to redirect all the traffic to the package; or
create specific data flow rules to redirect the traffic that you’re interested in and bypass all other traffic.
Data flow rules are similar to in-path rules. Data flow governs what traffic should be redirected to the package. For this exercise,
we will change the default IP and non-IP policy to redirect all traffic to the package.
Dataflow rules are VNI specific. This means that if you will need to manually create rules for each VNI depending on the
direction of the traffic.
Configuring Watchdog
When deploying the Steelheads in-path, you have the option of choosing fail-to-wire or fail-to-block. The same concept applies
to RSP packages. For in-path and virtual in-path packages, you can choose either fail-to-wire or fail-to-block if the package fails.
In this section, we will demonstrate the fail-to-wire feature. It is best for each partner to take turns in performing this exercise.
1. Ping the server from the client and ensure the latency is ~ 100ms
2. Navigate to Configure > Branch Services > RSP Packages
3. Under slots, click on 5 or m0n0wall
4. Complete the configuration per the settings below:
a. Watchdog: Bypass on failure
b. Watchdog IP: 172.30.1.42
c. Watchdog Frequency: 1
d. Watchdog Timeout: 3
5. Click on “Update Slot”.
6. Initiate a continuous ping from the client to the server.
7. Access the m0n0all console via the console or VMWare Infrastructure client.
8. Select option “5” to reboot m0n0wall
9. Watch what happens to the latency as the firewall reboots. The latency should decrease from 100ms to LAN speed for
the duration of the reboot.
10. You can also repeat the above exercise for fail-to-block.
End of Part 2
Great! You’ve successfully created and configured you first in-path RSP package! In the next section, things will be slightly
more complex as we introduce virtual in-path, destination NAT, and stream splitting.
Part 3
There are some extra pre-requisites for this part of the lab.
Note that Riverbed do not distribute the Windows® 2008 or Windows® 2003 packages. You will need to create those VM
packages yourself.
Creating VMWare images is beyond the scope of the lab. If you need additional documentation on creating VMWare images,
please refer to VMWare’s website.
172.30.1.43
`
PC1
7. Next to the “repeatCount” field, type in indefinite. Save your changes to the playlist.
8. Click on the play button to restart the publishing point
You should now see the broadcast stream (the stream will loop indefinitely).
10. On the second client PC, initiate the second connection to the broadcast stream
11. RDP to the server and launch Windows Media Services to verify that there are two clients connected and that the
bandwidth consumed is ~ 628Kbps
12. Stop the Windows Media Player on both clients.
1. After powering on the package, login to Windows 2008 via the console of VMWare Infrastructure client. You can use
Ctrl+Alt+Ins to send Ctrl+Alt+Delete to the server.
2. Click on Start > Administrative Tools > Windows Media Services
If you do not see the Windows Media Services, make sure you have downloaded this from Microsoft. The Windows
Media Services does not come standard with Windows® 2008.
1. Click on Configuration > Branch Services > RSP Data Flow > Add a VNI. Select the following:
Interface: 2:Win2K8-NIC
Click Add
2. Click on Win2K8-NIC
3. Under “LAN to WAN rules”, create three rules such that the table looks similar the following:
NB: After configuring the redirect rules, you will not be able to access the Server-side Steelhead via HTTP from the clients.
If you try and access the Server-side Steelhead, the Windows Media Player may pop-up. The reason for this strange
behavior is because second redirect rule forward the traffic to the Windows ® 2008 server. If you need to access the
Server-side Steelhead, you can use HTTPS or create a more specific redirect rule.
4. Under “Destination NAT rule”, check the box “Enable Destination NAT”
5. For “Default Destination NAT Target IP:”, enter the IP address 172.30.1.43 and click “Apply”
Verifying stream splitting is working
1. On the first client PC, click on Start > Run and type in
mms://<server IP or name>/Sample_Broadcast
2. One the second client PC, click on Start > Run and type in
mms://<server IP or name>/Sample_Broadcast
3. RDP to Server and launch Windows Media Services. You should now see the number of connected clients is one and
the bandwidth is ~ 314Kbps.
Note that due to a bug WMS in Windows® 2008, it will show zero clients connected to it even though there may be clients
connected to the server.
Out-of-band package
Configuring the Windows 2003 package
You should have slotted the Windows® 2003 package onto the Branch-side Steelhead. You should now power on the
Windows® 2003 package.
As the underlying virtualization engine is VMWare, it allows customers to download applications from VMWare Marketplace
(http://www.vmware.com/appliances/) and run the pre-built applications on the Steelhead without having to create the VM images
themselves.
Not all deployment scenarios are covered in this document. If you have any questions about the RSP, please contact your
Riverbed Sales Engineer.
Riverbed Technology, Inc. Riverbed Technology Ltd. Riverbed Technology Pte. Ltd. Riverbed Technology K.K.
199 Fremont Street No 1, The Courtyard, Eastern Road 391A Orchard Road #22-06/10 Shiba-Koen Plaza Building 9F
San Francisco, CA 94105 Bracknell, Berkshire RG12 2XB Ngee Ann City Tower A 3-6-9, Shiba, Minato-ku
Tel: (415) 247-8800 United Kingdom Singapore 238873 Tokyo, Japan 105-0014
www.riverbed.com Tel: +44 1344 354910 Tel: +65 6508-7400 Tel: +81 3 5419 1990
© 2009 Riverbed Technology, Inc. All rights reserved. Riverbed Technology, Riverbed, Steelhead and the Riverbed logo are trademarks or registered trademarks of Riverbed
Technology, Inc. Portions of Riverbed’s products are protected under Riverbed patents, as well as patents pending. WP-UT021506