Moderator
darenmatthews
Posts: 13
Registered: 07-19-2010
0

Re: Explain "Multiple Interface Support"


By default, the Interceptor only redirects traffic on the inpath0_0 interface; traffic to all other interfaces is passed through.
 

If an interceptor has multiple in-path interfaces and you see a message similar to the following in your log:
priority 0:C->S: Received PURE SYN pkt on Lan5_0 from 1.2.1.2 for an existing connection. Redirect state INVALID.

 

In the Peer Neighbors page in the web UI, select Enable Multiple Interface Support. This allows the Interceptor to redirect traffic on interfaces in addition to the default inpath0_0.

 

NOTE: Peer Steelheads must be running RiOS versions 5.0.7 or later or 5.5.2 or later.

Golden
jhelmly
Posts: 124
Registered: 02-16-2009
0

Re: Explain "Multiple Interface Support"

Good questions, Al. We are trying to get some answers about how these interfaces are used, since we are preparing to migrate to new WAN edge routers and have configured and brought up the interfaces for the new routers facing the LAN (through the Interceptors). Even though there is no WAN traffic passing through these new routers, we are seeing Interceptor-to-Interceptor and Interceptor-to-Steelhead traffic passing over these new additional interfaces. It appears there is some sort of load sharing involved.
Fry RCSP
gscallan
Posts: 11
Registered: 06-18-2010
0

Re: Explain "Multiple Interface Support"

This was a big reliability problem, as in the Interceptors 1.0 and 1.2 on each Interceptor you could configure only 1 interface for Peer neighbours (for connection to SH), and only 1 interface for Peer Interceptor, so if there was a problem on the interface then the Interceptor would have problems.

In the case of the forwarding, an interface failure on 1 unit of an Interceptor cluster would cause the whole cluster to go into by-pass (to avoid asymmetrical routing)!

In the case of the neighbour peer, this would mean that the Int could no longer redirect traffic to any Steelhead!



This was a BIG surprise we found out only by chance following the sale to a big customer, and it made us a little nervous.



By the way, Int2.0 documentation is still pretty lousy compared to the SteelHead documentation.
Fry
al_roethlisberger
Posts: 6
Registered: 07-31-2009
0

Explain "Multiple Interface Support"

In researching the "Interceptor Appliance Deployment Guide" and "Interceptor Appliance User's Guide" I see that in the "Peer Interceptors" and "Peer Neighbors" configuration that there is an option for: "Enable Multiple Interface Support".

Unfortunately this function is not well explained in either document. Although I can make some assumptions into what may seem an obvious function, I'd feel more comfortable understanding this function/option and how it works when enabled for the peer interceptor(s) and peer steelhead(s).

I'd like to clearly understand:
1) The benefit
2) Any "gotchas" or tradeoffs
3) How it functions technically (from a high level)
4) How it behaves in a failure scenario (the benefit scenario)


Also, in the "Peer Interceptor" configuration window, there is an option for "Additional Addresses" when adding a new peer. I have some questions as I would assume (perhaps incorrectly) that these "Additional Addresses" are only applicable when "Multiple Interface Support" is enabled:

1) Are the "Additional Addresses" the IP addresses of other inpath IP addresses on the new peer Interceptor being added?
2) Can one specify the Primary (mgmt) IP address of a peer Interceptor as an "Additional Addresses" or just an inpath IP address?
3) How do these "Additional Addresses" get utilized, are they only available for use when "Multiple Interface Support" is enabled?
4) If there are several "Additional Addresses", should these be entered separated by a comma, with a space following, or not?


Also seemingly related, questions about "Failover":

1) Does the "Enable Multiple Interface Support" function tie in, conflict, or require enabling "Failover" for serial deployments (which is our architecture) in any way?
2) Also within the "Failover" configuration window, there is a reference to "Other Appliance's Alternate Addresses" much like for the peer configurations noted above. My questions about the "Failover" alternate addresses mirror those for the peers above. Can someone explain any similarities, differences to the peer "Alternate Addresses", and how this functions with "Failover"?
3) If there are several "Other Appliance's Alternate Addresses", should these be entered separated by a comma, with a space following, or not?



Can someone explain, or link to a Riverbed support document that explains these topics clearly?

Thanks,
Al