Blue Coat Home Page Choose a PacketGuide version  Search Index


What's New?



 Advanced UI Tasks

 Blue Coat Sky Tasks

 PolicyCenter Tasks


 Product Information

High Availability Overview

In a general sense, high availability is a network topology feature that ensures mission critical applications are available 100% of the time. This goal is typically accomplished by having multiple access routers with multiple WAN interfaces. PacketShapers can sit in these redundant router topologies and perform their traffic management responsibilities, without disrupting the existing high availability configuration. PacketShapers integrate in high availability and redundant environments including HSRP (Hot Standby Routing Protocol) and VRRP (Virtual Router Redundancy Protocol).

As part of the high availability solution, PacketShapers can be installed in redundant network paths to provide PacketShaper redundancy in case one of the units fails. This capability is called direct standby. It is described more fully below.

Another part of the solution is access-link monitoring. This feature allows the PacketShaper to automatically adjust Inbound and Outbound partition sizes as WAN links go down and back up. In addition, this feature can help prevent link overload that may occur when a load-balancing scheme is less than perfect. See Access-Link Monitoring.

Direct Standby

The direct standby function allows two PacketShapers to work in a redundant network topology, with each unit connected to a different router, and the two units directly connected to each other. Both units are considered active and each unit can receive and forward traffic. To ensure that both units accumulate the same traffic tree and measurement data, each PacketShaper processes the packets received by the other unit. When a unit directly receives traffic, it will copy that traffic and transmit it to the other unit. The other unit will classify the traffic, just as if it had received it directly, but it will never forward the traffic onward to the LAN. As a result, each unit is ready at any time to take over full PacketShaper responsibility should the other unit go down.

The direct standby feature can operate in a redundant topology that is set up to do load balancing (in other words, traffic flows through both paths) or one that is set up as a backup in case of component failure (traffic flows through one path). When using the direct standby feature in a load-sharing topology, you should set the link speed to the sum of both WAN links. Because each unit receives copied packets from its partner, the PacketShaper must have overall Inbound and Outbound partition sizes that will support that level of extra traffic. On the PacketShaper 12000, the total of Inbound and Outbound traffic must be less than approximately 900 Mbps since the Standby port can handle up to 1 Gbps of traffic. If traffic exceeds 900 Mbps, packets cannot be copied to the partner PacketShaper and direct standby is considered to be disconnected.

Note: You may want to use the access-link monitoring feature (advanced mode) to monitor the routers’ WAN interfaces and avoid oversubscribing the WAN bandwidth.

Additionally, the direct standby feature works well in a topology in which inbound traffic goes through one path and outbound traffic goes through the other. Without the direct connection, PacketWise would classify these flows as asymmetric and would be unable to manage application traffic or take advantage of PacketShaper’s TCP rate control, a technology that smoothes bursty traffic. With the direct connection and the direct standby feature, each PacketShaper is able to see both inbound and outbound traffic and manage the traffic appropriately.

To see diagrams of redundant topologies into which PacketShapers can fit, see Connect PacketShapers into Redundant Topologies. For special notes about using direct standby, see Direct Standby Notes.

Direct Standby Requirements

The direct standby feature has the following requirements and limitations:

  • The following PacketShaper features cannot be used in conjunction with the direct standby feature: Frame Relay, ATM, and watch mode.

  • PacketShaper 12000: The units are directly connected using their Standby ports, or if you have disabled the built-in Standby port, you can connect the units between the OUTSIDE interfaces of the right-most pairs on each installed LEM.

  • PacketShaper 3500, 7500, 10000: The units must be directly connected to the OUTSIDE ports on the upper-most or right-most LEM. In other words, if the PacketShaper has two LEMs, the upper or right LEM must be used for the direct connection. This LEM cannot be configured for Xpress.

  • Both units must be running the same version of PacketWise and have the same plug-ins installed.

  • Both units must have the same configuration limits. For example, both units must be 512-class PacketShaper 3500s. You should not mix units with different capacities since the units will be passing the same traffic and require identical configurations.

  • Both units must have identical hardware configuration: the same PacketShaper model, link speed, installed memory, number of LEMs installed, and type of LEMs (fiber optic vs. copper Ethernet).

  • If there is any difference in the two partner units, the direct standby feature will not function optimally.

  • The two units must have the same touch password for the direct connection to be established.

  • The bypass functionality in the PacketShaper and all LEMs must be disabled in order to use the direct standby feature. See Disable Bypass.

  • Because the bypass functionality has been disabled, PacketShapers should not be powered off when they sit in a redundant configuration — doing so will cause loss of connectivity on that link and all traffic will be routed to the other path.

  • The direct link connection between the two PacketShapers must be equal to or greater in speed than each of the WAN links. This requirement ensures that each unit receives copies from the other unit fast enough to prevent out-of-order packets.

    On the PacketShaper 12000, the total of Inbound and Outbound traffic must be less than approximately 900 Mbps since the Standby port can handle a maximum of 1 Gbps of traffic. If traffic exceeds 900 Mbps, packets cannot be copied to the partner PacketShaper and direct standby is considered to be disconnected.

  • A customer portal IP address should not be configured.

  • The following types of packets are not copied over the direct connection: broadcast/multicast/unicast packets and attack packets.

  • Link state mirroring (described below) is automatically enabled when direct standby is enabled if the redundant management link is connected.

Link State Mirroring

With link state mirroring, PacketWise will bring down the second port of a NIC pair if the first goes down. This feature allows each PacketShaper to sit between a WAN router and a switch without blocking detection of switch outages by the router. Link state mirroring is automatically enabled when direct standby is enabled and the redundant management link is connected. You can enable/disable link state mirroring on the System Variables setup page.

Note: Link state mirroring is not active on the LEM being used for the direct link; this allows you to disconnect the redundant management port without impacting connectivity. However, link state mirroring is disabled when the redundant management link is disconnected.

Access-Link Monitoring

Redundant network configurations typically involve some type of load-balancing or load-sharing scheme that determines how traffic is distributed across the available WAN links. In some configurations, the load-balancing scheme may be unable to enforce distribution of traffic so that each available WAN link is utilized 100%, nor can it ensure that no links will ever be overloaded. In addition, there is always the potential that any given link or router could go down, reducing the total available capacity to the WAN links remaining.

PacketShaper’s access-link monitoring feature allows PacketShaper to deal with this “imperfect” load-balancing issue and has the ability to respond to the occurrence of WAN link failure. When access-link monitoring is enabled, PacketWise can adjust partitions appropriately to prevent overloading any given WAN link and to account for lost available capacity due to router or link failure. Access-link monitoring has two modes: basic and advanced.

When the basic mode is enabled, the PacketShaper polls the configured router(s) every 30 seconds to assess the WAN interface status (link up or link down) of the WAN link interfaces. If a link goes down, PacketWise will automatically adjust the total available capacity by subtracting out the capacity of the down link. As part of this process, it will adjust the access link size and resize Inbound and/or Outbound partitions to reflect the available bandwidth.

When advanced mode is enabled, PacketWise can help prevent the overloading of an interface. The PacketShaper will use SNMP polling to assess the actual throughput of each configured WAN link interface; the configured routers are polled every 30 seconds. When an interface approaches 25% of its configured capacity, PacketWise will begin pacing the traffic sent to the router to prevent overloading any interface. This pacing will also greatly reduce the number of retransmissions. PacketWise begins adjusting the partition sizes early in order to ensure gradual, smooth adjustments, as well as to give you time to modify policies if desired. PacketWise will poll the router frequently, and once there is evidence that the links are out of danger of being overloaded, it will gradually increase the size of the partition(s).

Access-Link Monitoring Requirements

The access-link monitoring feature has the following requirements and limitations:

  • In order to have the ability to adjust partition sizes (a critical part of the access-link monitoring feature), you must enable traffic shaping on your PacketShaper.

  • Although there is no pre-set limit for the number of routers each PacketShaper can monitor, the polling process consumes both CPU and memory resources. For best access-link monitoring performance, make sure that your unit is not already operating at its maximum capacity. For more information, see Configuration Limits for PacketWise 9.2.

MIB Variables Polled by the Access-Link Monitoring Feature

As mentioned previously, the access-link monitoring feature uses SNMP polling to assess the interface status and throughout. The following MIB variables are requested in both basic and advanced mode:

  • sysName — name that identifies the router
  • ifName — name that identifies the interface
  • ifOperStatus — indicates if the given interface is up or down
  • ifSpeed — link speed

In advanced mode, the following additional MIB variables are polled:

  • ifInOctets— number of Inbound bytes of traffic seen on the interface
  • ifOutOctets — number of Outbound bytes of traffic seen on the interface

See Configure a High Availability Topology for details on configuring access-link monitoring.

PacketGuide™ for PacketWise® 9.2