Sites with Multiple WAN Routers

Jan 03, 2013

More than one WAN router at the same site raises the possibility of asymmetric routing. Normally, IP networks are not affected by what path the packets take, so long as they arrive at their destination. However, the appliance relies on seeing every packet in the connection. "End-around" packets are not acceptable.

In a site with only one WAN router, asymmetric routing is not a problem, because the appliance can be placed in the path between the router and the rest of the site, so that traffic into or out of the router also passes through the appliance. But with two WAN routers, asymmetric routing can become an issue.

Asymmetric routing problems can appear during installation or later, as a result of failover to a secondary link, or other forms of dynamic routing and load balancing. The following figure shows an example sites that might suffer from asymmetric routing. If sites C and D always use the direct path, C-D or D-C, when sending traffic to each other, everything is fine. However, packets that take the longer path, C-E-D or D-E-C, bypass the appliances, causing new connections to be unaccelerated and existing connections to hang.

Figure 1. Asymmetric Routing

Asymmetric routing can be addressed by router configuration, appliance placement, or appliance configuration.

If the router is configured to ensure that all packets of a given connection always pass through the appliance in both directions, there is no asymmetry.

If the appliance is positioned after the point where all the WAN streams are combined, asymmetry is avoided, and all traffic is accelerated, as shown in the following figure.

Figure 2. Avoiding Asymmetric Routing through Proper Placement of the Appliance

Configuring the appliance to use one of the following asymmetry-resistant forwarding modes can eliminate the problem:
  • Multiple Bridges. An appliance with two accelerated bridges, or accelerated pairs, (for example, apA and apB), allows two links to be accelerated in inline mode. The two links can be fully independent, load-balanced, or primary/backup links.
  • WCCP mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all the WAN traffic regardless of which link it arrives on.
  • Virtual inline mode allows a single appliance to be shared between multiple WAN routers, allowing it to handle all the WAN traffic regardless of which link it arrives on.
  • Group mode allows two or more inline appliances to share traffic with each other, ensuring that traffic that arrives on the wrong link is handed off properly. Because group mode requires multiple appliances, it is an expensive solution that is best suited to installations where the accelerated links have wide physical separation, making the other alternatives difficult. For example, if the two WAN links are on different offices in the same city (but the campuses are connected by a LAN-speed link), group mode might be the only choice.
Figure 3. Eliminating Asymmetric Routing by Using Group Mode or Virtual Inline Mode

Note: One end of the link can use virtual inline mode while the other end uses group mode. The two ends of a link do not have to use the same forwarding mode.
Figure 4. Sites with Only One WAN Link Cannot Have Asymmetric Routing Problems