
Suggested deployment between two firewalled sites


blazarov:
Hello,
I am a network engineer and a customer of mine likes WANOS and is looking for a deployment.
The environment is much more complex than all the examples in the documentation, so I am still wondering what would be a good approach and whether it will work at all.

The objective is to implement WAN optimization between two sites connected by a long fat pipe (300+ Mbps; 20+ ms latency).
Currently the sites run IPSec VPN.

Now my question is on the actual WANOS appliances deployment. The customer requires virtual appliances.

Attaching a sample topology diagram.

Initially I thought I would deploy the two appliances in Tunnel mode, put their WAN directly on the Internet and totally replace the IPSec on the firewalls.
From my quick research it seems WANOS cannot encrypt the traffic, so this is not acceptable - we should still retain the current IPSec and just use the optimization of the WANOS.

Since it will be a virtual appliance, bridge deployment makes little sense to me, because there are too many VLANs on both sides and the VLAN configuration will be very tricky and fragile.
So we're left with router/tunnel mode. Obviously we need to route both directions of the traffic through the appliance - how would you suggest doing that?
Changing the servers' default GW is not acceptable (critical environment), so are we looking at some sort of PBR?

ahenning:
Just checking, 300Mbps and 20ms? That would be a short fat pipe, unless the 20 should be 200+?

PBR sounds like the way to go, with some IP Track SLA type of config for redundancy.

Wanos has IPsec, but if you have the infrastructure already, go with what is working now and just add Wanos for Optimization.

blazarov:
Hi,
My calculations give a bandwidth-delay product for this particular link of > 750KB, so it definitely qualifies as an LFN as per RFC1072 :)
Aside from theory, real life shows the typical undesirable LFN effects, such as poor TCP performance, which is also very dependent on the endpoint OSes, hence the use case for WANOS.

Regarding PBR - what bothers me is the right-hand network. As you can see, all subnets are directly connected to the firewall, which acts as their default GW for the segment. The same firewall terminates the IPSec to the remote site, with no hops in between. In this case I don't see any good PBR implementation, am I missing something?

ahenning:
It depends on the firewall capability. In similar scenarios we use an additional interface on the firewall that Wanos connects to, and the FW PBR is set to redirect traffic from the local subnets (Internal interface) to the Wanos interface. Wanos has the firewall as its default gateway, so the traffic flow looks as follows:

LAN Subnets -> (Internal)-FW  -> Wanos -> FW-(external) -> VPN

What is the max speed per TCP session that you get over the 20ms?
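The redirect flow above (LAN -> FW internal -> Wanos -> FW external -> VPN) written out as policy routing, added here as an example that is not from the thread and not Wanos' own documentation. It assumes a Linux-based firewall using iproute2; the interface names, addresses, subnets and table number are constructed placeholders. The script only emits the commands, so it can be reviewed before anyone applies them, and it includes the check a practitioner wants first: that packets coming back from the Wanos interface are never redirected into the Wanos table again, which would loop traffic between the firewall and the appliance.

```bash
#!/bin/sh
# Added example: iproute2 policy routing that sends LAN<->remote traffic via a Wanos
# appliance hanging off an extra firewall interface. Every value below is a
# constructed placeholder for this example, not a real deployment.
LAN_IF=eth1                 # firewall "Internal" interface (local subnets behind it)
VPN_IF=eth0                 # firewall external interface that terminates the IPsec tunnel
WANOS_IF=eth2               # additional interface dedicated to the Wanos VM
WANOS_IP=10.255.0.2         # Wanos address on that interface; its default gw is 10.255.0.1 (the FW)
LAN_NET=192.168.10.0/24     # local subnet to optimize
REMOTE_NET=192.168.20.0/24  # subnet behind the far-side IPsec peer
TABLE=100                   # routing table whose only route points at Wanos

# Emit (do not run) the commands. Rules are ordered by priority; the first match wins.
wanos_pbr_rules() {
  cat <<EOF
ip route add default via $WANOS_IP dev $WANOS_IF table $TABLE
ip rule add iif $WANOS_IF lookup main priority 999
ip rule add iif $LAN_IF from $LAN_NET to $REMOTE_NET lookup $TABLE priority 1000
ip rule add iif $VPN_IF from $REMOTE_NET to $LAN_NET lookup $TABLE priority 1001
EOF
}

# Loop check: no rule may send packets that arrived on the Wanos interface back into
# the Wanos table. Prints "ok" or "loop".
wanos_pbr_check() {
  if wanos_pbr_rules | grep -q "iif $WANOS_IF.*lookup $TABLE"; then
    echo loop
  else
    echo ok
  fi
}

# Number of policy rules emitted (handy for a quick "did the generator change" check).
wanos_pbr_rule_count() {
  wanos_pbr_rules | grep -c '^ip rule'
}

# Usage: review the output, then a root user may apply it with: wanos_pbr_rules | sh
wanos_pbr_rules
echo "loop check: $(wanos_pbr_check)"
```

The `iif $WANOS_IF` rule at priority 999 is what keeps this from becoming a loop: traffic the appliance hands back to the firewall is routed normally (towards the VPN or the LAN), while only packets entering from the LAN or the VPN side are diverted. Two caveats follow from this layout. First, a stateful firewall now sees each flow twice, on two different interface pairs (LAN->Wanos and Wanos->VPN), so the filter policy must permit both legs. Second, if the appliances encapsulate traffic between their own addresses, the IPsec traffic selectors on both firewalls must also cover the Wanos interface subnets, otherwise the optimized stream is dropped by the VPN policy rather than carried by it.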

blazarov:
Thanks for the suggestion, I imagined a similar approach as well. That would probably work; however, I should verify that it will not break the stateful firewall session mapping in terms of ingress/egress interface for each session.
I just hoped I could get away with something with less overall impact, so I can first test it and introduce it in a phased approach.
IPSec directly on the WANOS suits the overall architecture design better, but since it's purely software on a VM I have no idea whether it will perform well enough in terms of throughput.
Max speed per TCP session varies a lot, depending mostly on the end-host OSes. Usually the worst case is newer (2016) Windows Server versions, where I believe their intelligent TCP stack features are intervening. With careful TCP tuning on the end-hosts, even on Windows Server 2016 I am able to achieve the desired speed in a single session, but there are too many hosts on both sides, not all of them under my control, so OS tuning is not a solution.
All the Linuxes usually perform excellently too.
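The bandwidth-delay arithmetic behind the "> 750KB" figure and the "max speed per TCP session" question, as an added example that is not part of the thread. It generalizes the single calculation above into small shell functions: the BDP for any link, the RFC 1072 long-fat-network rule of thumb (bandwidth*delay well above 10^5 bits), and the per-session throughput ceiling that follows from a receiver's advertised window, which is what limits an untuned host on a 20 ms path. All inputs are constructed; the functions use integer shell arithmetic only.

```bash
#!/bin/sh
# Added example: link sizing checks for a long fat pipe. Integer arithmetic throughout.

# Bandwidth-delay product in bytes: 1 Mbps for 1 ms is 125 bytes, so
# bytes = mbps * rtt_ms * 125 (written this way to avoid large intermediates).
bdp_bytes() {
  mbps=$1; rtt_ms=$2
  echo $(( mbps * rtt_ms * 125 ))
}

# RFC 1072 rule of thumb: a path is a "long fat network" once bandwidth*delay is
# well above 10^5 bits. Prints LFN or not-LFN.
lfn_class() {
  bits=$(( $(bdp_bytes "$1" "$2") * 8 ))
  if [ "$bits" -gt 100000 ]; then echo LFN; else echo not-LFN; fi
}

# Ceiling on one TCP session (Mbps, truncated) when the receiver advertises at most
# window_bytes: at best one full window is delivered per round trip.
max_session_mbps() {
  window_bytes=$1; rtt_ms=$2
  echo $(( window_bytes * 8 * 1000 / rtt_ms / 1000000 ))
}

# Receive window a single session needs to fill the pipe: exactly the BDP.
required_window_bytes() { bdp_bytes "$1" "$2"; }

# Constructed inputs matching the thread: 300 Mbps, 20 ms RTT.
MBPS=300; RTT_MS=20
echo "BDP:                 $(bdp_bytes $MBPS $RTT_MS) bytes ($(lfn_class $MBPS $RTT_MS))"
echo "Window to fill pipe: $(required_window_bytes $MBPS $RTT_MS) bytes"
echo "64 KiB window cap:   $(max_session_mbps 65535 $RTT_MS) Mbps per session"
```

The last line is the number that explains the symptom: a host stuck at a 64 KiB window (no window scaling, or an autotuning stack that never grows the window on this path) cannot exceed roughly 26 Mbps per session on 20 ms, regardless of the 300 Mbps link. An optimizer that terminates TCP locally on each side removes that dependence on every end-host's stack, which is the case for the appliance made in the posts above.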
