Dec 8, 2009

Out-of-Band (OOB) Splice


What is the OOB Splice?

An OOB splice is an independent, separate TCP connection, made on the first connection between two peer Steelhead appliances, that is used to transfer version, licensing and other OOB data between the peers. An OOB connection must exist between two peers for connections between these peers to be optimized. If the OOB splice dies, all optimized connections on the peer Steelhead appliances will be terminated.

The OOB connection is a single connection existing between two Steelhead appliances regardless of the direction of flow. So if you open one or more connections in one direction, then initiate a connection from the other direction, there will still be only one connection for the OOB splice. This connection is made on the first connection between two peer Steelhead appliances using their in-path IP addresses and port 7800 by default. The OOB splice is rarely of any concern except in full transparency deployments.

Case Study
In the example below, the Client is trying to establish a connection to Server-1:

Issue 1: After establishing the inner connection, the Client will try to establish an OOB connection to Server-1. It will address it by the IP address that the Steelhead (SFE-1) reported in the probe response (10.2.0.2). Clearly, the connection to this address will fail, since 10.2.x.x addresses are invalid outside of the firewall (FW-2).

Resolution 1: In the above example, there is one combination of address and port (IP:port) we know about: that of the connection's destination, Server-1. The client should be able to connect to Server-1. Therefore, the OOB splice creation code in sport can be changed to create a transparent OOB connection from the Client to Server-1 if the corresponding inner connection is transparent.

How to Configure
There are three options to address the problem of establishing the OOB splice connection mentioned in Issue 1 above. In a default configuration the out-of-band connection uses the IP addresses of the client-side Steelhead and server-side Steelhead. This is known as correct addressing and is our default behavior. This configuration works for the majority of networks but will fail in the network topology described above. The command below is the default setting in a Steelhead appliance's configuration.

in-path peering oobtransparency mode none

In the network topology discussed in Issue 1, the default configuration does not work. There are two oobtransparency modes that may work in establishing the peer connections: destination and full. When destination mode is used, the destination of the OOB connection is the IP and port pair of the first server reached through the Steelhead appliance, which is used to connect to the server-side Steelhead appliance; the source is the client-side Steelhead IP and a port number chosen by the client-side Steelhead appliance. To change to this configuration use the following CLI command:

in-path peering oobtransparency mode destination

In oobtransparency full mode, the source is the IP of the first client and a port pre-configured on the client-side Steelhead appliance (port 708). The destination IP and port are the same as in destination mode, i.e., that of the server. This is the recommended configuration when VLAN transparency is required. To change to this configuration use the following CLI command:

in-path peering oobtransparency mode full

To change the default port used by the client-side Steelhead appliance when oobtransparency mode full is configured, use the following CLI command:

in-path peering oobtransparency port

It is important to note that these oobtransparency options are only used with full transparency. If the first inner-connection to a Steelhead was not transparent, the OOB will always use correct addressing.
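
The addressing rules above can be modelled to see which OOB 4-tuple each mode puts on the wire, which is what a firewall between the peers has to permit. This is an added example, not Riverbed code: the client, client-side Steelhead and Server-1 addresses are constructed, and only 10.2.0.2, port 7800 and port 708 come from the text.

```python
import ipaddress
from dataclasses import dataclass

MODES = ("none", "destination", "full")

@dataclass(frozen=True)
class FirstConnection:
    client_ip: str           # first client seen by the client-side Steelhead
    server: tuple            # (ip, port) of the first server
    csh_inpath_ip: str       # client-side Steelhead in-path IP
    ssh_inpath_ip: str       # server-side Steelhead in-path IP (from the probe response)
    inner_transparent: bool  # was the first inner connection fully transparent?

def oob_tuple(mode, conn, full_port=708, service_port=7800):
    """Return (src_ip, src_port, dst_ip, dst_port) of the OOB splice.
    src_port None means the client-side Steelhead chooses the port."""
    if mode not in MODES:
        raise ValueError(f"unknown oobtransparency mode: {mode}")
    # Correct addressing: the default, and the fallback whenever the
    # first inner connection was not transparent.
    if mode == "none" or not conn.inner_transparent:
        return (conn.csh_inpath_ip, None, conn.ssh_inpath_ip, service_port)
    dst_ip, dst_port = conn.server
    if mode == "destination":
        return (conn.csh_inpath_ip, None, dst_ip, dst_port)
    return (conn.client_ip, full_port, dst_ip, dst_port)  # mode full

def reachable(dst_ip, unroutable_nets):
    """False if dst_ip lies in a network that is invalid from the client side."""
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in ipaddress.ip_network(n) for n in unroutable_nets)

def evaluate(conn, unroutable_nets):
    """Map each mode to (4-tuple, destination reachable?)."""
    result = {}
    for mode in MODES:
        tup = oob_tuple(mode, conn)
        result[mode] = (tup, reachable(tup[2], unroutable_nets))
    return result

# Constructed topology for Issue 1: Server-1 is reachable at 192.0.2.10:80,
# while the server-side Steelhead reports 10.2.0.2 from behind FW-2.
CASE = FirstConnection("10.1.0.10", ("192.0.2.10", 80), "10.1.0.2", "10.2.0.2", True)
UNROUTABLE = ["10.2.0.0/16"]  # 10.2.x.x is invalid outside FW-2

if __name__ == "__main__":
    for mode, (tup, ok) in evaluate(CASE, UNROUTABLE).items():
        print(f"{mode:12} {tup} reachable={ok}")
```

In destination and full mode the OOB splice is indistinguishable by address from client-to-server traffic, so firewall and IDS rules written for the Steelhead in-path IPs and port 7800 will not match it.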