Applies To:
Show VersionsWANJet
- 4.2.10, 4.2.3, 4.2.2, 4.2.1, 4.2.0
3
Installation
WANJet appliance deployment
This chapter provides conceptual guidelines concerning WANJet appliance installation and configuration. The Quick Start Card included in the shipping box with your WANJet appliance provides the initial hardware installation and setup instructions. You can also find the Quick Start Card on the F5 Networks Technical Support web site, http://tech.f5.com.
Types of deployment
Following are the primary ways to deploy a WANJet appliance within a corporate network:
The way you choose to deploy the WANJet appliance depends on your current network topology and requirements.
Inline deployment
Inline deployment is the most common way to deploy WANJet appliances. In this configuration, you place WANJet appliances directly in the path of traffic, or inline, between a WAN router and LAN switch.
You can scale inline deployment from a simple point-to-point configuration to a more complex point-to-multi-point configuration.
Point-to-point configuration
Point-to-point configuration is a simple one-to-one topology where you place WANJet appliances at each end of the WAN between their respective WAN routers and LAN switches.
Each WANJet appliance is configured to search for traffic that matches specified source and destination subnets, and ports. If the local WANJet appliance detects a match, it processes the traffic and sends it through a tunnel to the remote WANJet appliance, which, in turn, reverses the process and delivers the packets exactly as they originally were. If there is no match, the local WANJet appliance acts as a bridge, and passes the packets unaltered to the WAN.
Figure 3.1 shows inline deployment with two WANJet appliances in a point-to-point configuration, connecting a corporate data center and one remote office.
Point-to-multipoint configuration
Point-to-multipoint configuration is more complex and involves three or more WANJet appliances. Figure 3.2 illustrates a point-to-multipoint deployment that consists of five appliances that connect to each other across intranets and the Internet.
As with the point-to-point configuration, the WANJet appliance processes traffic that matches user-specified source and destination subnets and ports, and then delivers the traffic across the WAN through a tunnel to the appropriate WANJet appliance.
One-arm deployment
In certain cases, it is not desirable or even possible to deploy the WANJet appliance inline. For example, in the case of a collapsed backbone where the WAN router and LAN switch are in one physical device, you may not be able to deploy the WANJet appliance inline.
When inline deployment is not an option, you can use one-arm deployment. In this deployment, the WANJet appliance has a single (hence the term one-arm) connection to the WAN router (or LAN switch) and has all relevant traffic redirected to it by the WAN router. Figure 3.3 shows a simple one-arm deployment in a corporation that has two networks. Network 1 includes the servers, and network 2 is where the clients are located.
Figure 3.4 shows the basic topology and traffic flow for a one-arm deployment.
The traffic flow sequence shown in Figure 3.4 is as follows.
For more information on how to configure one-arm deployment, refer to Configuring one-arm topology , located in Chapter 6.
One-arm deployment methods
You deploy the WANJet appliance using a one-arm configuration in a transparent or non-transparent manner. The transparent method is most common, but there may be certain circumstances when the non-transparent method is more appropriate. This decision depends on your network configuration and specific needs.
As the name implies, the transparent method is totally transparent on the network and requires no modification to any client settings (such as the default gateway). However, you must reconfigure the WAN router.
You can configure the WAN router to redirect traffic by using one of the following methods:
Using static routing
Static routing is a non-transparent one-arm deployment most suitable for smaller offices. If using static routing, the WANJet appliance connects to a LAN switch, and the LAN switch connects to all of the clients on the network, as well as to the router. Every client on the LAN uses the WANJet appliance as its default gateway. In this deployment, all client traffic is routed to the WANJet appliance. The WANJet appliance can optimize specific traffic, apply different services to specific traffic, and leave other traffic untouched.
This method is non-transparent because, for this to work, all clients have to be reconfigured to use the WANJet appliance IP address as their default gateway. You can reconfigure the clients by either individually modifying each client's default gateway address or, more typically, by updating the DHCP server to provide the WANJet appliance IP address as the default gateway for all of its DHCP clients. All outbound traffic from any client is then first sent to the WANJet appliance for optimization (or passthrough), and the WANJet appliance, in turn, forwards the traffic to the WAN router.
Static routing supports only one subnet (all clients must be in the same subnet as the WANJet appliance), and there is no redundancy. If the WANJet appliance were to fail, clients would no longer have a way to forward traffic to the WAN, just as if a WAN router failed. In a branch office, where support for multiple subnets and redundancy are not as crucial, this deployment mode may be ideal because its principle benefit is its simplicity. All WAN-bound traffic is automatically sent to the WANJet appliance, which processes it according to defined policies, and sends the traffic on to the WAN. You do not have to reconfigure the WAN router.
In the WANJet appliance Web UI, you set up static routing on the Operational Mode screen by selecting Static Routing as the redirection method.
Using static transparent proxy
If using static transparent proxy, the WANJet appliance connects directly to the router and is transparent to the rest of the LAN clients.
The router (by means of a configured routing rule) directs to the WANJet appliance only traffic that the WANJet appliance is configured to process (optimize or applying specific services). You configure the router not to send passthrough traffic to the WANJet appliance. Otherwise, the WANJet appliance drops the passthrough traffic. In this deployment, the WANJet appliance optimizes traffic according to specified policies and then sends all traffic back to the router.
Using transparent proxy with WCCP v2 protocol
Web Cache Communication Protocol (WCCP) was originally developed by Cisco SystemsÃÂÃÂÃÂî to specify interactions between one or more routers (or Layer 3 switches) and one or more devices, such as a web cache. The purpose of the interaction is to establish and maintain the transparent redirection of selected types of traffic flowing through a group of routers. WCCP v2 supports traffic redirection to other devices, such as the WANJet appliance. For detailed specifications about the WCCP protocol, see http://www.faqs.org/rfcs/rfc3040.html.
The WANJet appliance can use the WCCP protocol to advertise itself to a LAN router as a web cache. Local routers and web caches together form a service group. Routers redirect traffic to the group-member web caches, for example, the local WANJet appliance, in accordance with an algorithm defined for the service group.
The advantage to this deployment method is that it is more tolerant of a failure. If the WANJet appliance fails, the router detects that and handles the traffic properly without sending it back to the WANJet appliance.
If using transparent proxy with WCCP v2 protocol, the WANJet appliance connects to the router directly and is transparent to the LAN clients. You route all LAN traffic to the WANJet appliance just as you do for static transparent proxy.
The difference is that the WANJet appliance communicates with the router using WCCP v2 protocol (the router must support WCCP v2 and you must configure it on the router). In accordance with configured optimization policies, the WANJet appliance determines which traffic to optimize, and which traffic to apply services to. The rest of the traffic is sent back to the router for proper handling.
Using transparent proxy with generic routing encapsulation tunneling
If your network topology uses generic routing encapsulation (GRE), the WANJet appliance may need to process encapsulated traffic within a GRE tunnel. Typically, GRE tunneling connects private IP networks over an Internet connection using two routers (or switches) that support GRE encapsulation.
If you are using GRE tunneling, you can deploy the WANJet appliances using a one-arm configuration so they connect to the routers on both ends of the GRE tunnel. Each router is configured to forward GRE traffic to the WANJet appliance which either optimizes the traffic or sends it through as pass-through traffic.
Figure 3.5 illustrates GRE tunneling and shows how the WANJet appliance optimizes traffic through a TCP tunnel but sends passthrough traffic through the GRE tunnel.
To use this method, on the Operational Mode screen, you select Transparent Proxy as the redirection method and Static as the discovery method on both WANJet appliances. If you are using GRE tunneling, you also need to configure local (source) and remote (destination) GRE IP addresses on both appliances. You set the Local GRE IP (the local end of the GRE tunnel) and Remote GRE IP (the remote end of the GRE tunnel) from the Remote WANJets screen. See Configuring one-arm topology , located in Chapter 6, for more details.
When the WANJet appliance receives a GRE packet and recognizes the local and remote GRE IP addresses included in the header, the appliance processes the original encapsulated packet in accordance with its optimization policies. Traffic that the WANJet appliance can optimize uses the TCP tunnel, and pass-through traffic uses the GRE tunnel.
Firewall guidelines
If the WANJet appliance is placed behind a firewall, you must open certain ports for the WANJet appliance to operate properly. Table 3.1 lists the ports that you must open to allow the traffic to pass through the firewall.
You must also allow the ICMP protocol to pass through the firewall, so that you can ping the WANJet appliance.
Hardware installation
See the WANJetÃÂÃÂÃÂî Appliance Quick Start Card for the WANJet 200, 400, or 500 appliance for instructions on installing WANJet appliances and connecting them to your network. If you have a WANJet 500, refer also to the Platform Guide: WANJetÃÂÃÂÃÂî 500 for additional details on hardware installation.
Site information worksheet
Use the following site information worksheet to capture relevant site data. When you complete the site information sheet, we recommend that you attach a detailed network diagram for each WANJet appliance site.