[OT] Help Testing my WAN Accelerator

http://text.broadbandreports.com/forum/r24080743-OT-Help-Testing-my-WAN-Accelerator

 


yaplej @ 10th Apr 05:48AM:
[OT] Help Testing my WAN Accelerator

Hello,

I am trying to find anyone interested in testing, and providing some feedback on an Open Source network accelerator I have been working on. It's pretty basic and currently only compresses the TCP segment data, and then decompresses it leaving the TCP header fields intact so it works with point-to-point, partial meshed, and full meshed WANs. At least it should :)

In my own testing I was moving files over 200MB with CIFS transmitting only 120MB over the WAN. I was also able to stop/start the accelerator software without interrupting any TCP sessions. I just want to know if it works for anyone else, and see if there is an interest in it.

I have set up a portal for the project if anyone is interested in testing the software.

»packetsqueezer.portal.codespaces.com

Thanks.
reply


nosx @ 10th Apr 07:52AM:
Re: [OT] Help Testing my WAN Accelerator

So the problem i have with rolling out any kind of appliance like that is as follows:
If i place it inline or use PBR, and the device fails, i just took down a site with dual wan routers attached to dual mpls l3 vpns with real user traffic. PBR is statically configured, and while i could probably write some hokey TCL script with an EEM trigger to remove the PBR configuration if this box stopped pinging, there is still no guarantee that the redirect service itself didn't just crash or stop, etc.
Is there any chance of getting WCCP (version 2) support so that traffic can be selectively redirected when the service is functioning normally but in a failure scenario traffic could continue through the network unaccelerated?
reply


yaplej @ 10th Apr 02:08PM:
Re: [OT] Help Testing my WAN Accelerator

Thanks for responding. Those were exactly the type of issues I had in mind when writing the software. Some of that is covered in the getting started guide, but I don't have its features listed anywhere yet. I should probably do that.

Using PBR you can select what traffic you want to be redirected to the accelerator host, and with IP SLA you can stop redirecting should the host stop responding totally. The software can also be stopped, started, restarted without interrupting any TCP sessions. At least it worked when I was testing it. It's a fail-safe feature I wrote in case the host or software were to crash.

So if you're routing traffic to the host, and the software crashes then the host just acts like a router so traffic would still flow through it. If the host were to crash your IP SLA should stop redirecting traffic to the host, and traffic would still flow through your router. You could have some packet loss while IP SLA detects the failure.

A WCCPv2 client is on the to-do list, but I probably won't get to it until after I have some more acceleration features implemented. My main focus is to rewrite the module as a multi-threaded service and implement some method to create signatures for common TCP data to be sent in place of the actual data. It will involve saving the TCP segment data field to the host, and creating a signature for it. There is not really a security issue because each signature would just represent a series of 1s and 0s that happen to be transmitted regularly not any actual data.
reply


nosx @ 10th Apr 07:11PM:
Re: [OT] Help Testing my WAN Accelerator

That last bit is also a good point regarding security. An issue i have run into in the past with devices like Cisco WAAS is that due to the nature of secure transactions such as HTTPS, little if any acceleration or data-de-duplication was possible.

Another WCCPv2 concern is performance. WCCP offers multiple methods of forwarding and returning traffic (GRE vs L2). Depending on platform (cisco wise at least) different methods are done in software vs hardware.

PBR also has the added performance hindrance of (in cases) ending up punting every packet to the processor as well. This could have some scalability limitations in the platform. WCCP permits load balancing (inherent) across multiple appliances, so i could stack 2 or 4 or 8 servers running the wan optimization software to keep up with performance demand.

A common design for this type of service is to have one on either end. Is there any plan to integrate a caching engine that will work without the endpoint across the WAN from also needing a partner appliance?

I'm going to reply again with a quick diagram i drew to cover a few scenarios to consider too for corp deployments.
reply


nosx @ 10th Apr 07:34PM:
Re: [OT] Help Testing my WAN Accelerator

Attached Image 1:

The attached diagram is a common WAN architecture for a sample corporation.
Redundant clouds, redundant datacenters (one usually on a corporate campus) and various remote sites.

In this example, we have remote site 1 with WAN accelerators, but remote site 2 has nothing.

Datacenter 1 has wan accelerators for its enterprise wan connection (as that's the only way into the datacenter) for traffic coming to www.intranet.corp.
Datacenter 2 has wan accelerators for its enterprise wan as well, but adds internet facing wan accelerators to cache bandwidth heavy websites like site1.com since campus users don't enter the datacenter via the corp wan, but have a back door connection into the core for speed.

Imagine the different traffic flows from remote sites to the internet, or to the corp intranet websites in the datacenters.

Attached Images 2 and 3:

Traffic could leave the wan accelerator to the red MPLS VPN cloud, and return traffic could come in via the blue MPLS VPN cloud. Asynchronous traffic flow is to be expected.

What is the impact of return traffic not hitting the same wan accelerator appliance? Can we use a dual-attached wan accelerator to both routers and manage to have the return traffic from the appliance sent to the correct router? Hairpinning traffic back to the right router requires either routing table virtualization or some kind of affinity (wccp) to know which sender needs which reply without doing accidental packet duplication or creating some kind of forwarding loop.

I'm really not trying to discourage you, I'm just trying to bring up all the weird scenarios that are going to be encountered deploying a technology like wan optimization in different companies.

Edit: I attached the visio in case anybody wants to doodle with the images for replies and other topologies.

Double edit: how are you marking the tcp segments so that a wan accelerator knows that the session is being accelerated?
What happens in the case where it transits 3 accelerators between src and dst? Does the middle one ignore the stream as the farthest end accelerators are already taking care of it, or do only the first 2 accelerate between each other and a third does nothing?

wan accel di···.vsd.zip 478,107 bytes  

reply


yaplej @ 11th Apr 02:41AM:
Re: [OT] Help Testing my WAN Accelerator

You have a lot of good questions. Let's see if I can answer them all.

PBR allows you to add multiple destinations to the route policy. In my testing only one is used at a time, but by adding two you could have an active/passive setup with two accelerators. When I get around to a WCCPv2 client load balancing will be one of the requirements if that's what you're wondering.

WAN acceleration really requires two devices one at each location on the WAN. One does the optimizing, and the other undoes what the first did so the traffic arrives at the destination in its original form. I have not seen any method around this, and I have not thought of any way to do it on my own either.

So now let's try your examples. I tried to read things a few times, but I apologise if I misread or didn't fully understand what you were trying to say.

Image 1 example.
Your campus site does not have any accelerators so traffic to/from site1.com would not be optimized. There must be an accelerator near the server, and another near the client.

While you could optimize Internet traffic once it arrives inside your WAN the focus of this software is for Internal traffic, applications, and CIFS. Not going to say it would not work it's just not the goal I had in mind.

Image 2 example.
Craziness I say. I don't see how that issue could be addressed by any of the current WAN accelerators either. All the TCP session traffic must be returned to the same accelerator. In this case the return traffic would have to return back through the same path as the initiated traffic. Destination IP load balancing maybe?

Actually that isn't true if you're strictly talking about payload compression, and payload caching the software could probably be written to handle terminating on different accelerators. I don't know if there are any WAN accelerators that currently work in this scenario though. I have not read about all WAN accelerators nor have I read about all deployment scenarios though.

If you're talking about application acceleration such as CIFS object caching, or anything that would manipulate the entire TCP session data stream then this traffic flow would prevent that from working correctly. That much I am sure of.

Image 3 example.
This looks like it builds on the issue presented previously, but tries to address it by having all traffic routed to the same accelerator. Currently the software simply routes traffic back using the host's default route. It could be possible to track what router the traffic originated, and return it to the same, but it currently does not do this.

I do not feel discouraged at all. Honestly it's exciting to have some input about these issues, and try to develop solutions for them.

To mark segments I am using custom TCP options with bits of data that the accelerators use to determine what sessions to accelerate, and when to turn it off should one of them fail. The accelerators save all new sessions to a list. Once the session is in the list it will start adding its ID (currently the IP address on eth0) to the TCP segment as a TCP option unless another ID is already present.

Any accelerators in between the outer most (the "first", and "last") accelerators are ignored. All the logic took me weeks with a white board to figure out. :)
--
sk_buff what?

Open Source Network Accelerators
»trafficsqueezer.sourceforge.net
»packetsqueezer.portal.codespaces.com


reply
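
Added example (not part of the thread and not PacketSqueezer's code): a bounds-checked walk of the TCP options area that appends an accelerator ID option only when no ID is already present, as yaplej describes above. The option kind 253 (one of the experimental kinds reserved by RFC 4727), the 6-byte layout and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_ACCEL      253  /* assumed: RFC 4727 experimental kind, not the project's value */
#define ACCEL_OPT_LEN     6    /* kind + length + 4-byte IPv4 accelerator ID */
#define TCP_MAX_OPT_BYTES 40   /* 60-byte maximum TCP header minus the 20 fixed bytes */

/* Walk the options with bounds checks. Returns 1 and fills *id if an
 * accelerator option is present, 0 if not, -1 if the options are malformed.
 * On a 0 return, *end is the offset where a new option may be written. */
static int walk_options(const uint8_t *opts, size_t len, uint32_t *id, size_t *end)
{
    size_t i = 0;
    while (i < len && opts[i] != TCPOPT_EOL) {
        if (opts[i] == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                /* length byte missing */
        size_t olen = opts[i + 1];
        if (olen < 2 || olen > len - i) return -1;  /* too short, or overruns the header */
        if (opts[i] == TCPOPT_ACCEL && olen == ACCEL_OPT_LEN) {
            *id = ((uint32_t)opts[i + 2] << 24) | ((uint32_t)opts[i + 3] << 16) |
                  ((uint32_t)opts[i + 4] << 8)  |  (uint32_t)opts[i + 5];
            return 1;
        }
        i += olen;
    }
    *end = i;
    return 0;
}

int find_accel_id(const uint8_t *opts, size_t len, uint32_t *id)
{
    size_t end;
    return walk_options(opts, len, id, &end);
}

/* opts must have room for TCP_MAX_OPT_BYTES. Returns 1 if my_id was added,
 * 0 if another accelerator already marked the segment, -1 if the options
 * are malformed or there is no room left. */
int mark_segment(uint8_t *opts, size_t *len, uint32_t my_id)
{
    uint32_t seen;
    size_t end, new_len;
    int r;

    if (*len > TCP_MAX_OPT_BYTES) return -1;
    r = walk_options(opts, *len, &seen, &end);
    if (r != 0) return r < 0 ? -1 : 0;
    new_len = (end + ACCEL_OPT_LEN + 3) & ~(size_t)3;  /* header length counts 32-bit words */
    if (new_len > TCP_MAX_OPT_BYTES) return -1;
    opts[end]     = TCPOPT_ACCEL;
    opts[end + 1] = ACCEL_OPT_LEN;
    opts[end + 2] = (uint8_t)(my_id >> 24);
    opts[end + 3] = (uint8_t)(my_id >> 16);
    opts[end + 4] = (uint8_t)(my_id >> 8);
    opts[end + 5] = (uint8_t)my_id;
    memset(opts + end + ACCEL_OPT_LEN, TCPOPT_NOP, new_len - end - ACCEL_OPT_LEN);
    *len = new_len;
    return 1;  /* the caller still has to fix the data offset and the checksum */
}

int main(void)
{
    /* Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted */
    uint8_t opts[TCP_MAX_OPT_BYTES] = { 2, 4, 0x05, 0xb4, 1, 1, 4, 2 };
    size_t len = 8;
    uint32_t id = 0;
    int first  = mark_segment(opts, &len, 0xC0000201u);  /* 192.0.2.1 */
    int second = mark_segment(opts, &len, 0xC6336402u);  /* 198.51.100.2 */

    find_accel_id(opts, len, &id);
    printf("first=%d second=%d len=%zu id=%08x\n", first, second, len, (unsigned)id);
    return 0;
}
```

Because the option arrives from the network, the walker rejects a zero or overlong length byte instead of trusting it; an accelerator that skips that check can be made to loop or read past the header by a crafted segment.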


yaplej @ 11th Apr 03:18AM:
Re: [OT] Help Testing my WAN Accelerator

I did some additional reading, and WCCPv2 seems to take care of all the issues created by asymmetric flows. At least if all the accelerators are in the same service group. You can check Deploying Cisco Wide Area Application Services page 92. I may have to go buy this book.

So the solution is WCCPv2, and one cluster of accelerators at each location that all the WAN routers redirect traffic to.

When I do write the WCCPv2 client I might be able to do something tricky with the redirected traffic and return it back to the source MAC (the router that redirected it) this would prevent the outbound traffic from being "pinned" to the default router of the accelerator. I would probably just have to save the MAC of the source router for each session that way each session would be returned to the original router that redirected the traffic. If a new MAC were received for that session you could just update it, and start sending back to that new MAC.

Sorry thinking out loud again.

reply


nosx @ 11th Apr 09:32AM:
Re: [OT] Help Testing my WAN Accelerator

I love to hear other people's internal monologues and thought processes =P it's very insightful as to how others think through problems.

Looking back at a previous employer (WAAS heavy implementation) with multirouter sites they definitely used a single cluster of WCCPv2 optimizers hanging off all the routers rather than dedicated per router.

In the case of a single accelerator in the traffic path, i was thinking less about TCP optimization and more about simply caching proxy service. I know you can setup squid today with wccp to just cache large content requested by a site to save on WAN bandwidth.

If possible with WCCP, i would prefer L2 return (rather than GRE return). Also important design decisions regarding hash assignment or mask assignment (negotiated between WCCP client/server). On some gear L2 return is all that's supported in hardware, and you can get pretty deep into the weeds with the cluster-member traffic assignment selection criteria on the routers. Depending on the mask value chosen, you can either limit the number of clustered accelerators supported, or inadvertently assign a large share of the traffic to a single cluster member due to the bitwise and'ing with the particular mask.

The direction i would prefer is a more multipurpose platform. If we had good WCCPv2 support for linux that tied into a wan optimization engine, web cache engine, filtering engine, etc. it would be a powerful single tool to start dropping out on the WAN.

Regarding software distribution: It would be very nice if you could package it as a VMware virtual appliance for people to download on the VMware app site and just drop in and test with. That way there is no compiling or distribution-specific support concerns to slow things down, upgrades could be quick and easy (download the new VM, spin it up and shutdown the old. If it breaks shut down the new and boot the old back up)

Question: Because the squeezer is a kernel module, are there any limitations in regards to memory and processor utilization? For example, if i put it on an 8 core machine, is the actual processing going to be limited to 1 or 2 of those cores? Or can it utilize all the hardware you can throw at it already?

Also, if you need a test box on the interwebs, i have a vmware cluster in an LA datacenter you could spin up a host on for testing and development. Let me know if ur interested.

I'm doodling again in visio, I'll post it if anything interesting comes out of it.
reply
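
Added example (not from the thread or any vendor's code): how the mask value nosx mentions shapes the split of one site's clients across cluster members. It assumes the mask is applied to the source IPv4 address only and that buckets are dealt to members round-robin; the client range and function names are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Buckets a mask can produce: 2^(number of set bits). Assumes < 32 set bits. */
unsigned bucket_count(uint32_t mask)
{
    unsigned bits = 0;
    for (; mask; mask &= mask - 1)
        bits++;
    return 1u << bits;
}

/* Pack the address bits selected by the mask into a dense bucket index. */
unsigned bucket_index(uint32_t ip, uint32_t mask)
{
    unsigned idx = 0, out = 0;
    for (unsigned b = 0; b < 32; b++) {
        if (!(mask & (1u << b)))
            continue;
        if (ip & (1u << b))
            idx |= 1u << out;
        out++;
    }
    return idx;
}

/* Count how many of n_hosts consecutive client addresses each member serves
 * when buckets are dealt round-robin (assumed policy). counts[] must hold
 * n_members entries. Returns the largest per-member count. */
unsigned member_load(uint32_t mask, uint32_t first_ip, unsigned n_hosts,
                     unsigned n_members, unsigned counts[])
{
    unsigned worst = 0;
    for (unsigned m = 0; m < n_members; m++)
        counts[m] = 0;
    for (unsigned i = 0; i < n_hosts; i++) {
        unsigned m = bucket_index(first_ip + i, mask) % n_members;
        if (++counts[m] > worst)
            worst = counts[m];
    }
    return worst;
}

int main(void)
{
    /* Constructed site: 256 clients in 10.20.30.0/24, four cluster members */
    const uint32_t site = 0x0A141E00u;
    const uint32_t masks[] = { 0x0000000Fu, 0x00000F00u, 0x00000001u };
    unsigned counts[4];

    for (unsigned k = 0; k < 3; k++) {
        unsigned worst = member_load(masks[k], site, 256, 4, counts);
        printf("mask 0x%08X: %u buckets, per-member clients %u/%u/%u/%u, worst %u\n",
               (unsigned)masks[k], bucket_count(masks[k]),
               counts[0], counts[1], counts[2], counts[3], worst);
    }
    return 0;
}
```

With these inputs the low-nibble mask spreads the /24 evenly, the mask on bits 8 to 11 sends every client to one member because those bits are constant inside a /24, and the one-bit mask can never use more than two members.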


yaplej @ 11th Apr 01:15PM:
Re: [OT] Help Testing my WAN Accelerator

Single Accelerator.
Oh well I am not going to focus on content caching as squid already does that quite well from what I hear. Squid caching on the same platform would limit resources available for TCP payload caching, and reduce the resources available for its primary job.

I hope to release the software via rBuilder as a CentOS based appliance image, but I have never used rBuilder before so it might take me some time to figure out how to do that. That is once I have something production ready. All testing builds will probably require they be compiled.

Currently it is limited to a single CPU, and to around 800MB of memory. That's why my next focus is to rewrite it all as a multi-threaded service with a small kernel module to hook into netfilter, and redirect the traffic to the userspace service. By moving it to userspace it will have access to highmem, and multi-threading. Not to mention the database access that's required to write the TCP payload caching feature.

Once in userspace I will split the IP packets into work queues that will be processed by a separate thread. All packets for a particular TCP session will be assigned to a single queue to maintain the SEQ order of the session.

reply
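
Added example (not the project's code): one way to pin every packet of a TCP session, in both directions, to the same work queue so that arrival order is preserved per session, as described in the post above. The struct layout, the FNV-1a hash, the queue sizes and the sample packets are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_PER_Q 64

struct segment {               /* the fields the dispatcher needs (constructed layout) */
    uint32_t saddr, daddr;     /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint32_t seq;
};

struct workq { unsigned n; struct segment item[MAX_PER_Q]; };

/* FNV-1a over the low nbytes of v. */
static uint32_t fnv1a(uint32_t h, uint32_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++) {
        h ^= (v >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

/* Order the two endpoints before hashing so A->B and B->A hash the same
 * input and therefore share one queue. */
unsigned queue_for(const struct segment *s, unsigned n_queues)
{
    uint64_t a = ((uint64_t)s->saddr << 16) | s->sport;
    uint64_t b = ((uint64_t)s->daddr << 16) | s->dport;
    uint64_t lo = a < b ? a : b, hi = a < b ? b : a;
    uint32_t h = 2166136261u;

    h = fnv1a(h, (uint32_t)(lo >> 16), 4);
    h = fnv1a(h, (uint32_t)(lo & 0xffffu), 2);
    h = fnv1a(h, (uint32_t)(hi >> 16), 4);
    h = fnv1a(h, (uint32_t)(hi & 0xffffu), 2);
    h ^= h >> 16;              /* fold the high bits in before the modulo */
    return h % n_queues;
}

/* Append segments to their queues in arrival order. Returns the number
 * queued; stops early if a queue is full. */
unsigned dispatch(const struct segment *in, unsigned n, struct workq *q, unsigned n_queues)
{
    unsigned done = 0;
    for (; done < n; done++) {
        struct workq *w = &q[queue_for(&in[done], n_queues)];
        if (w->n == MAX_PER_Q)
            break;
        w->item[w->n++] = in[done];
    }
    return done;
}

int main(void)
{
    /* Constructed arrivals: session A (client port 40000) and B (40001), interleaved */
    const uint32_t A = 0xC000020Au, B = 0xC000020Bu, SRV = 0xC6336405u;
    struct segment in[] = {
        { A, SRV, 40000, 445, 1000 }, { B, SRV, 40001, 445, 7000 },
        { A, SRV, 40000, 445, 2460 }, { SRV, A, 445, 40000, 500 },
        { B, SRV, 40001, 445, 8460 }, { A, SRV, 40000, 445, 3920 },
    };
    static struct workq q[4];
    unsigned queued = dispatch(in, 6, q, 4);

    printf("queued=%u, session A uses queue %u, session B uses queue %u\n",
           queued, queue_for(&in[0], 4), queue_for(&in[1], 4));
    return 0;
}
```

The hash here is unkeyed, so a sender who picks its ports can steer many sessions onto one queue; mixing a per-boot random key into the hash input avoids that.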


nosx @ 11th Apr 03:09PM:
Re: [OT] Help Testing my WAN Accelerator

Interesting bits of information, I'm excited to hear more as development continues.

Could you add the IOS config snippet to the getting started guide for people playing with it to test?

Also, are there any visibility hooks into the platform to display how much bandwidth is being saved, or how effective the optimization is?
reply


yaplej @ 11th Apr 05:02PM:
Re: [OT] Help Testing my WAN Accelerator

I should be able to work up some IOS config snippets sometime, and add them to the getting started guide.

Currently when you stop the module it displays how many GB/MB/Bytes were compressed to the console/log.
reply


aryoba @ 12th Apr 02:12PM:
Re: [OT] Help Testing my WAN Accelerator

said by nosx :

So the problem i have with rolling out any kind of appliance like that is as follows:
If i place it inline or use PBR, and the device fails, i just took down a site

Any decent WAN acceleration appliance should act as dumb switch even when the appliance is powered off, which is still passing traffic although the traffic is not optimized or accelerated. With that in mind, then the site should not be down just because the WAN accelerator is down.
reply


yaplej @ 12th Apr 02:40PM:
Re: [OT] Help Testing my WAN Accelerator

That is if you're using the accelerator in-line. Not my favorite deployment scenario. I would prefer having the accelerators out-of-line, and using PBR, or WCCPv2 to redirect traffic.

Currently my software does not work in bridged mode where the fail-to-wire feature would be of any use. It might be something to look at doing later though if there turns out to be a large enough demand for it. I know they sell fail-to-wire NICs for a few hundred dollars.

In a bridged in-line scenario I don't think you have any option for scaling like you could with WCCPv2, and even with PBR you can have an active/passive deployment.

reply


aryoba @ 12th Apr 03:22PM:
Re: [OT] Help Testing my WAN Accelerator

said by yaplej :

That is if you're using the accelerator in-line. Not my favorite deployment scenario. I would prefer having the accelerators out-of-line, and using PBR, or WCCPv2 to redirect traffic.

WAN acceleration appliance deployment in most organizations from small to big especially small shops is inline scenario due to its simplicity. Note that if you have to use PBR or WCCPv2 (Cisco-specific solution), then the appliance deployment scenario is limited and only works with specific vendor equipment, which are typically not as marketable as WAN acceleration solution from competitors.
reply


nosx @ 12th Apr 03:34PM:
Re: [OT] Help Testing my WAN Accelerator

If you look at appliances from riverbed or cisco waas (both the most common solutions i have seen) they both offer transparent inline and WCCP aware service. This is done for scalability (WCCP) and simplicity (inline transparent)

While cisco may have developed wccp, it has nearly universal acceptance between vendors as the preferred way to offer divert-dependent services such as wan acceleration, web content filtering, etc.
See the wikipedia page or google for a larger list of appliances and companies supporting WCCP.
reply


yaplej @ 12th Apr 03:35PM:
Re: [OT] Help Testing my WAN Accelerator

I have worked mostly on Cisco, and Adtran equipment. I am pretty sure Adtran has a policy based routing like feature on some of their routers, but maybe not all of them. I don't know about other vendors.

I agree the in-line bridged mode has the advantage of no config changes being required to deploy it. So as things move along its something to keep in mind.
reply


yaplej @ 13th Apr 01:23AM:
Re: [OT] Help Testing my WAN Accelerator

I just finished the first part of rewriting the code to a kernel module + userspace service, and I really like how it's turning out.

It should be quite easy to write a new kernel module that would support bridged mode, and support a fail-to-wire NIC. I really like this because it separates the traffic interception module from the packet processing code.

It could be as easy as a config line entry to determine what module gets loaded when the service starts. Switching between the two could be as easy as a config change, and service restart.

    mode bridged

or

    mode routed



reply


yaplej @ 25th Apr 05:02PM:
Re: [OT] Help Testing my WAN Accelerator

I've been going over some of these issues, and wanted to see what would be an acceptable solution for each of them.

First is availability.
Concern that if the accelerator failed it would bring the network down.

For an out-of-line deployment using PBR you can use IP SLA. I added an example on the project portal on how to configure a basic SLA so the router would stop forwarding traffic to the accelerator if it stopped responding. In addition multiple accelerators can be used in an active/passive configuration so even if a single accelerator failed optimization could continue. I will try, and get an example of the active/passive configuration on there also.

Another option in the future is a fully functional WCCPv2 client that would enable not only a more elegant fail-over to normal routing, but also enable the active/active use of multiple accelerators. This has been on my to-do list from day one of starting this project. It's not a huge priority until some of the other acceleration features have been finished though. In particular payload caching.

In case of an in-line bridged deployment I started working on modifying the kernel module so the software should work in bridged mode. For fail-over you would need to purchase a bypass NIC like the Intel EXPI9014PTBLK. I don't have one of these yet, but I'll see about getting one to test this. Anyone have one to donate?

Another option I thought of is a hybrid in-line routed mode. It would allow you to place the accelerator in the same subnet as the clients, and use VRRP between the accelerator and the gateway router. The accelerator would act as the gateway for all the clients unless it failed then the router would take ownership of the VRRP virtual IP. The actual router IP would be used as the accelerator gateway not the VRRP virtual IP. The problem here is how to direct return traffic from the gateway router to the accelerator. The only solution I thought of to this is to have the accelerator poison the gateway router's ARP table. The router would then think the accelerator MAC address is the destination, and forward the traffic to the accelerator.

Dual WAN networks async flows.

I am still working out some of the details for this, but it is possible for the kernel module to check if a packet were originally received on the same interface that it's being retransmitted on. By storing the original inbound packet source MAC address it could swap the new destination MAC address with the original source MAC address. This would deliver the packet back to the original router that redirected it. It could cause some packet loss in the event the original redirecting router were to fail, but only for packets it had already redirected to the accelerator. This should work suitably for both PBR, and WCCP deployments once the WCCP client is completed. The reason for checking the in-out interface is that you could configure an out-of-line deployed accelerator with an interface in the subnet being accelerated. This would allow the accelerator to bypass sending decompressed traffic back through the router, and drop it directly onto the destination network.

Another issue was deployment.

I have started learning how to use rBuilder to package the software into its own installable platform. It will be based on CentOS, and have options for most virtualization platforms, and bare-metal installation. Still figuring out how to package it all together, but I am making progress.

Any other issues, or thoughts? Thank you for the input.

reply


nosx @ 25th Apr 05:11PM:
Re: [OT] Help Testing my WAN Accelerator

If you could get it into a vmware ready kind of package, i have an environment in mind to test some real world traffic through it.
Content caching and data deduplication are of particular interest for me. There are of course filesystem concerns based on the method of doing that kind of thing. Do you plan to use a simple block based approach? (NxB substitution?) or are you going to try to cache entire files?
reply


yaplej @ 25th Apr 05:51PM:
Re: [OT] Help Testing my WAN Accelerator

I will work on getting it all packaged together. I did not want to package it until I had done more testing, but not everyone is into compiling stuff just to try it out. I hope by real world you mean in a lab, and not in production. I would not recommend putting it into a production network because it has not been tested that much.

I plan on using a block based approach for payload caching rather than file based. It provided better security because no file is actually saved, and also provides better overall acceleration because blocks can be used for transmitting any data not just one particular file. This will include some ability for tracking block hits, and keeping blocks that have the highest hit count while allowing less used blocks to be purged.

Any file based caching will be application/session specific, and used primarily to send differences back when saving changes to files rather than resending the entire file back. It will not be used to cache a file for when someone else opens it. I have not really worked on this much yet, but it should be very helpful for remote sites that have lower upload speed than download.

reply

