What is Bluecoat Packet Shaper and why we need it ?? :-
Does your network know the difference between important web traffic like online meetings, and lower-priority traffic like games or streaming media? In a world that is increasingly more interactive, mobile, and content-driven, Blue Coat PacketShaper helps enterprises control bandwidth cost, deliver a superior user experience and align network resources with business priorities.
Below are some of the benefits of Bluecoat Packetshaper :-
- Superior user experience.
- Lower bandwidth cost.
- Reserve bandwidth for critical applications
- Contain disruptive traffic and slow bandwidth increases
- Easily embrace new trends such as BYOD, video, cloud and social media
- Eliminate potential bandwidth increases
Requirement :-
The very first step in deploying any new hardware into the production network is to understand the requirement and actual need of the hardware to be deployed. It is evident that addition of a new hardware adds complexity and sometime creates more problems rather than solving them. Also , placement of the device in the production network directly relates to the requirement or the purpose we want that device to serve.
.png)
In our scenario, the main reason of adding Bluecoat packet shaper is to classify, shape and prioritize outgoing internet traffic so that bandwidth hungry application (like facebook, youtube,etc) can be limited to certain level and business related internet traffic can be prioritized accordingly.
The second reason was to see internet traffic in real time aka visibility.
Ordering the right Hardware :-
We have ordered Bluecoat PS400 with one year support and additionally we ordered 4 port expansion NIC card in order to connect more devices. Below is the snap of actual bill of material.
Deployment Strategy :-
After understanding the requirement , the second step is to plan for deployment. As the primary goal was to shape outgoing internet traffic , so the best place to install packetshaper is just behind the internet router and above all firewalls so that it can capture all traffic.
Although this deployment cannot classify encrypted traffic (for example , site to site or remote client VPN traffic terminating on firewalls ).
After finalizing device placement the next step was to design the strategy and phases in which the installation will take place. Initially we thought of doing this in two phases , watch mode and inline mode. Watch
For minimal impact on production network , initially we thought that we will deploy Bluecoat packet shaper in two Phases.
1. Watch Mode
We will connect Bluecoat Packet-shaper in watch mode in DMZ area first , and monitor and understand the traffic flow. We will use SPAN to copy traffic from Internet interface to bluecoat interface.
2. Inline Mode
After traffic segregation, we will connect Bluecoat into the internet traffic flow .
1. Watch Mode
We will connect Bluecoat Packet-shaper in watch mode in DMZ area first , and monitor and understand the traffic flow. We will use SPAN to copy traffic from Internet interface to bluecoat interface.
2. Inline Mode
After traffic segregation, we will connect Bluecoat into the internet traffic flow .
But after discussion with Bluecoat experts we finalized that in first phase we will deploy packet shaper directly in Inline mode and will turn shaping off while discovery on , so that it can pass through all traffic without applying any shaping rules.
In second phase, We will monitor traffic for at least two weeks and after understanding traffic types and flows we will put shaping rules in place.
Implementation :-
There are lots of good documents available on bluecoat website that I will provide in the end of the topic as reference points. Here I will only discuss the approach that I took and problems I faced.
Below are the steps I performed :-
1.Unbox the bluecoat package and verify that all required parts are available inside box.
2.If you have ordered any separate NIC cards then install it into the slot. Here I have faced difficulty in opening the slot , after sometimes I figured out that there is button on the top of the Bluecoat packetshaper that you need to open first and then remove the entire module in order to install the NIC. I would suggest doing configuration first and then rack and cable the device.
3.Now you need to access Blueocat via GUI or CLI through console. Because bluecoat comes with factory set ip that is 207.78.98.254 , so the easiest way I found is to connect laptop through a RJ45 cable into Management port and provide one ip on the laptop in the same range without any default gateway (For example 207.78.98.250/24) . And then open the browser and type https://207.78.98.254
the default read-write username/password is “touch/touch”. Alternatively you can also get CLI access (as it is required for running some critical commands) through console port.
I would suggest to do the initial configuration through CLI and the steps are self explanatory and easy.
Only two things that I found little bit tricky is Inbound and outbound bps rate that I set to 100m as my switch and router interfaces are also hardcoded to 100m/full duplex. The next thing is the class tree , as there are two option Default or Model , I selected default. Also make sure Shaping is turned off if you donot have rules in place as this might drop traffic.
4.Now once you are in the bluecoat , the next important thing is to license the device. You can get the license by providing serial number on the bluecoat site or to the vendor from where you have purchased the device. After getting license (in .bcl format), you need to upload it via inbuilt file browser into bluecoat file directories.
and then run command (license load <file location>) in order to install the license. In order to complete license installation you need to reset the device as well.
Here I faced some challenges in finding the directory where I loaded the license , so make sure the directory location must start with” file://localhost” and then the file location.
Sample Output :-
PacketShaper# license load file://localhost/9.258/license.bcl
Updating license from: file://localhost/9.258/license.bcl
License is updated.
Run the “reset” command to activate the new license.
PacketShaper# reset
Please confirm if you really want to proceed (YES):
5.After license installation , the next step is to install the latest software/image into the Bluecoat. The method is same , we need to first upload software in to the directory called “9.258/images” and then run command “setup images add file://ps_11_3-.bcs” .The latest software recommended by Bluecoat was 11.3 at the time of installation.
Sample Output :-
PacketShaper# setup images add file://ps_11_3-.bcs
Installing image. Please wait…
Image upgrade successful. Please reset to activate new image.
PacketShaper# reset
Please confirm if you really want to proceed (YES): y
Run below command for verification.
PacketShaper# setup image show
——————————————————————————-
List of Installed Images
——————————————————————————-
PacketShaper 11.2.1.3 Release Id: 146516
PacketShaper 11.3.2.1 Release Id: 157419 (A)
——————————————————————————-
List of Installed Images
——————————————————————————-
PacketShaper 11.2.1.3 Release Id: 146516
PacketShaper 11.3.2.1 Release Id: 157419 (A)
Total 2 images. (A) Active image
——————————————————————————-
6. Now your bluecoat is ready to be racked and cabled.
Racking instruction :- As bluecoat comes with RAIL type kit so make sure you are familiar of racking rail mounted devices.
Cabling Instruction :-
Bluecoat and Router :- Cross Over cable (out port)
Bluecoat and Switch :- Straight through (in port)
7. After successfully installing bluecoat device I faced a strange thing that all bluecoat ports negotiated speed as 100 mbps and half duplex although all upstream and downstream devices was hard coded for 100 mbps and full duplex. This was critical as it might hamper entire internet performance of users on the production day .
After troubleshooting for sometime , I realized that it is better to hard code at Blueocoat interface level as well.
And voila it worked like a champ. Below are the sample outputs.
PacketShaper# setup nic Slot4_in1 100bt full
slot4_in1 interface set to 100Mbps full-duplex
PacketShaper# setup nic Slot4_out1 100bt full
slot4_out1 interface set to 100Mbps full-duplex
PacketShaper# setup nic Slot4_in2 100bt full
slot4_in2 interface set to 100Mbps full-duplex
PacketShaper# setup nic Slot4_out2 100bt full
slot4_out2 interface set to 100Mbps full-duplex
PacketShaper#
8. If everything is fine and traffic is passing through Bluecoat as expected , we will see below graph on the home screen.
Testing :-
Testing is very critical for any kind of deployment.
Although we are putting Bluecoat in inline mode , initially all traffic will be pass through and we will observe traffic for two week and collect data before putting any rules.
1.Unplug first physical connection from Internet Router and see if traffic going through second connection.
2.Switch off the Bluecoat and test whether traffic is passing or not.. –> Very Important
3. Test all of its VPN’s and Wensense traffic before and after bluecoat PS Installation.
4.Test all DMVPN tunnels from the DMVPN router before and after bluecoat PS installation.
5.Test public services from LAN before and after bluecoat PS installation.
1.Unplug first physical connection from Internet Router and see if traffic going through second connection.
2.Switch off the Bluecoat and test whether traffic is passing or not.. –> Very Important
3. Test all of its VPN’s and Wensense traffic before and after bluecoat PS Installation.
4.Test all DMVPN tunnels from the DMVPN router before and after bluecoat PS installation.
5.Test public services from LAN before and after bluecoat PS installation.
Useful Links :-
