2.6. WAN Visibility

As described earlier, an inner channel between two Steelhead appliances is a TCP session with the IP addresses of the in-path interfaces of the Steelhead appliances and the destination TCP port of 7800.

This means that your WAN devices no longer know about the different traffic types: all traffic is seen on TCP port 7800. As a result, QoS based on port number or IP subnet will fail, and NetFlow collectors will show everything coming from only two hosts.

To overcome these issues, there are two additional WAN visibility methods: Port Transparency and Full Transparency.

Port Transparency and Full Transparency both work by adding a TCP option to the TCP header of the inner channel's packets; that option identifies the IP addresses and TCP port numbers of the inner channel to the two Steelhead appliances. Full Transparency works fine as long as the IP routing in the network ensures that the traffic towards the IP subnets goes through the respective Steelhead appliances.

Figure 2.16. Tcpdump output showing the Transparency TCP options

11:54:02.740843 IP 10.0.1.100.43802 > 192.168.1.1.445: Flags [S], seq 2130333957, win 5840, options [mss 1460,sackOK,TS val 284297166 ecr 0,nop,wscale 2,rvbd-trans Transp sSH:10.0.1.6:54608 dSH:192.168.1.6:7800 00000a000106c0a80106d5501e78], length 0
11:54:02.872968 IP 192.168.1.1.445 > 10.0.1.100.43802: Flags [S.], seq 1657645820, ack 2130333958, win 5792, options [mss 1460,sackOK,TS val 284639662 ecr 284297166,nop,wscale 2,rvbd-trans Transp sSH:192.168.1.6:7800 dSH:10.0.1.6:54608 0000c0a801060a0001061e78d550], length 0
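As an added example (not part of the original text or of any Riverbed tool), the following Python decodes the rvbd-trans option payload from the two tcpdump lines above and checks it against the sSH/dSH values tcpdump printed. It also extracts the outer endpoints, which is what a WAN QoS or NetFlow device sees with Full Transparency. The 14-byte layout (2 leading bytes, source IP, destination IP, source port, destination port) is an assumption inferred from the two samples; the leading two bytes are not interpreted.

```python
import re
import struct
from ipaddress import IPv4Address

# The two tcpdump lines from Figure 2.16 (SYN and SYN/ACK of one inner channel).
SAMPLE_LINES = [
    "11:54:02.740843 IP 10.0.1.100.43802 > 192.168.1.1.445: Flags [S], seq 2130333957, win 5840, options "
    "[mss 1460,sackOK,TS val 284297166 ecr 0,nop,wscale 2,rvbd-trans Transp sSH:10.0.1.6:54608 "
    "dSH:192.168.1.6:7800 00000a000106c0a80106d5501e78], length 0",
    "11:54:02.872968 IP 192.168.1.1.445 > 10.0.1.100.43802: Flags [S.], seq 1657645820, ack 2130333958, "
    "win 5792, options [mss 1460,sackOK,TS val 284639662 ecr 284297166,nop,wscale 2,rvbd-trans Transp "
    "sSH:192.168.1.6:7800 dSH:10.0.1.6:54608 0000c0a801060a0001061e78d550], length 0",
]

RVBD_RE = re.compile(r"rvbd-trans Transp sSH:(\S+) dSH:(\S+) ([0-9a-f]+)")
OUTER_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def decode_rvbd_trans(hex_payload: str) -> dict:
    """Decode the option payload. Assumed layout (inferred from the samples):
    2 opaque bytes, src IPv4, dst IPv4, src port, dst port, all big-endian."""
    raw = bytes.fromhex(hex_payload)
    if len(raw) != 14:
        raise ValueError(f"unexpected rvbd-trans payload length {len(raw)}")
    hdr, sip, dip, sport, dport = struct.unpack("!H4s4sHH", raw)
    return {
        "hdr": hdr,  # leading two bytes, left uninterpreted
        "sSH": f"{IPv4Address(sip)}:{sport}",
        "dSH": f"{IPv4Address(dip)}:{dport}",
    }


def check_line(line: str) -> dict:
    """Decode the option in one tcpdump line and compare with tcpdump's own sSH/dSH text."""
    m = RVBD_RE.search(line)
    if not m:
        raise ValueError("no rvbd-trans option in line")
    ssh_txt, dsh_txt, hex_payload = m.groups()
    decoded = decode_rvbd_trans(hex_payload)
    decoded["matches_tcpdump"] = decoded["sSH"] == ssh_txt and decoded["dSH"] == dsh_txt
    return decoded


def outer_endpoints(line: str) -> tuple:
    """Return (src, dst) as 'ip:port' from the IP header line, i.e. what WAN devices see."""
    m = OUTER_RE.search(line)
    if not m:
        raise ValueError("no IP endpoints in line")
    sip, sport, dip, dport = m.groups()
    return f"{sip}:{sport}", f"{dip}:{dport}"
```

With Full Transparency the outer endpoints are the original client and server, while the Steelhead in-path addresses and port 7800 only appear inside the option.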