Silver Peak SD-WAN liberates enterprises from the cost, complexity and headaches associated with traditional router-centric WAN infrastructure. Routers were invented when posting pictures meant taping up Polaroids.


Silver Peak | White Paper 1


Cloud Demand and the Internet are Redefining the Wide Area Network

As organizations continue to adopt Software-as-a-Service (SaaS) applications and cloud infrastructure (IaaS), exploding traffic levels and changing traffic patterns are prompting enterprises to reevaluate their Wide Area Networks (WANs). In virtually every market segment, applications are moving to the cloud and a decreasing number are hosted on-premise in the data center. To compound the networking challenge, application bandwidth requirements continue to increase to deliver a superior user experience.

The traditional model of backhauling traffic from branch offices to the data center for robust security inspection is no longer optimal as it wastes bandwidth and adds latency, ultimately impairing application performance. There is a real need for a better way to send traffic directly over the internet from branch locations to trusted SaaS and cloud-based applications, while maintaining compliance with enterprise security mandates.

Over the past two years, Software-Defined WAN (SD-WAN) solutions have emerged to address these challenges, creating a new paradigm for connecting users to applications, while dramatically reducing WAN costs. Rather than relying on traditional routing protocols such as BGP or OSPF, an SD-WAN provides a new, application-driven way to intelligently steer traffic across the WAN by leveraging the most direct paths to SaaS and web applications.

A complete SD-WAN solution must also assure consistent application performance and resiliency, automate traffic steering in an application-driven manner based on business intent, improve network security and dramatically simplify the WAN architecture. Ideally, this simplification would extend to the physical implementation of the solution in the branch. As depicted in Figure 1, traditional router-centric architectures typically comprise multiple physical devices, including a router, a WAN optimization appliance and a firewall, and adding SD-WAN introduces yet another function to the branch WAN architecture, each with a distinct management system. Contrast this with the advanced, application-driven architecture shown in Figure 2, where foundational network functions such as routing, stateful firewall, WAN optimization and SD-WAN are delivered as a single, integrated solution managed through a central orchestration platform.

Figure 1: Router-centric WAN architecture. A rigid WAN architecture based on legacy branch routers is expensive and complex to manage. (Diagram labels: LAN switch, WAN optimization, firewall, router, SD-WAN, separate mgmt labels, broadband, MPLS, 4G LTE.)

1. Complex: Requires specialized IT expertise across multiple disparate management tools to configure, deploy and maintain

2. Inefficient: Unable to fully utilize and optimize all the appliances for cloud-first environment

3. Expensive: Costly and hard to manage and maintain

Figure 2: Application-driven WAN architecture. An EdgeConnect thin branch architecture integrates SD-WAN, WAN optimization, routing and stateful firewall functionality into a single, fully integrated solution, simplifying and consolidating the WAN edge and increasing operational efficiency. (Diagram labels: LAN switch, Unity EdgeConnect, broadband, MPLS, 4G LTE.)

1. Simple: Business intent architecture responds quickly to business needs

2. Agile: Application-driven architecture and management drastically reduces IT resources to operate a site

3. Cost Effective: Orchestrated, consolidated network functions result in tremendous savings. Enables use of cost-effective broadband connectivity to access critical apps

Architecting an Application-Driven WAN Edge


Simplifying WAN Architecture with an Application-Driven WAN Edge

The Silver Peak Unity EdgeConnect SD-WAN solution enables a thin branch that dramatically simplifies the branch WAN edge architecture and is purposefully engineered to power today’s cloud-first, distributed enterprises. It simplifies branch office infrastructure by consolidating network functions like SD-WAN, WAN optimization, routing and security into a single software instance that runs on a single physical or virtual appliance. Management of the thin branch is streamlined through the centralized orchestration of application-driven policies aligned with business requirements. By deploying a thin branch SD-WAN solution, enterprises can dramatically improve business agility and lower costs, while simultaneously improving network and application performance, availability and security.

Deploying a thin branch architecture requires more than simply consolidating multiple network functions into a single physical or virtual device. Also required is support for flexible, orchestrated service chaining to additional network functions, particularly for application layer security processing. An application-driven model supports granular application QoS and security policies, improves application resilience and performance and automatically enforces business intent across the WAN. This is all managed centrally from a single pane-of-glass, Silver Peak Unity Orchestrator, streamlining configuration, deployment and administration of the WAN (Figure 3). Zero-touch provisioning allows network managers to easily add new sites to the SD-WAN without specialized IT resources required at branch office locations.

Orchestrator provides an intuitive graphical user interface, enabling IT to centrally assign policies to secure and control application traffic across the SD-WAN. Different virtual WAN overlays – business intent overlays – may be defined, each with unique logical topologies and QoS and security policies based on application characteristics and business priorities. IT defines business intent overlay configurations, security service chaining as well as any subsequent changes centrally, and Orchestrator automatically distributes them to every site across the SD-WAN.

Figure 3: From the Silver Peak Unity Orchestrator business intent overlay template, network managers can easily assign policies and enable WAN optimization with simple clicks and a drag-and-drop interface. (Callouts: granular application classification; automating local internet breakout with drag-and-drop policy assignment; single click enables WAN optimization.)

In contrast to the repetitive, CLI-intensive management model employed by traditional router-based WAN architectures, the EdgeConnect centralized SD-WAN management model, powered by Orchestrator, streamlines the operational aspects of managing the WAN, improving operational efficiency and minimizing the potential for human errors that can impact application availability.

Figure 4 (diagram labels): EdgeConnect; identify apps and web domains on the first packet; 10,000+ apps | 300 million+ web domains; granular internet breakout; trusted business apps; “home from work” apps; untrusted/suspicious apps; corporate NG-firewall.

Secure Applications and Local Internet Breakout

The EdgeConnect SD-WAN solution accelerates the performance of all applications, whether they reside in the data center or the cloud. According to 451 Research, by mid-2018, 60% of enterprise workloads will run in the cloud*. This new application consumption model mandates a new, application-driven WAN architecture. Traditional router-centric WAN architectures with limited capabilities offer an all-or-nothing approach to steering internet traffic and cloud applications. Traffic is either sent directly to the internet or backhauled to headquarters. Enterprise security policies often mandate different levels of processing based on the nature of applications, resulting in the requirement for granular steering on an application-by-application basis. The inability to identify HTTP/HTTPS application traffic immediately and steer it across its optimal path wastes bandwidth and impairs cloud and web application performance.

* https://451research.com/blog/764-enterprise-it-executives-expect-60-of-workloads-will-run-in-the-cloud-by-2018

Many enterprises want to leverage the favorable economics of broadband to connect users directly to cloud applications from branch locations, but face a two-fold challenge. They must first have the ability to identify and classify application traffic based on the first packet of each flow so that traffic can be automatically steered to the correct destination. Without this advanced capability, all web-bound traffic is either sent directly to the internet or backhauled to a regional hub or corporate data center firewall. Second, when steering application traffic directly to the internet, security becomes a key requirement.

Silver Peak First-packet iQ, an intelligent application identification technology, goes beyond traditional Deep Packet Inspection (DPI) and port-level techniques by adding a cloud-hosted internet map and geolocation database with DNS response cache and HTTP GET request cache. First-packet iQ incorporates real-time machine learning to provide the highest levels of application intelligence available today. The combination of these advanced techniques with machine learning has already enabled EdgeConnect to accurately identify more than 10,000 applications and more than 300 million web domains on the first packet, providing customers with granular visibility and control of their HTTP/HTTPS application traffic for the first time (Figure 4).

Figure 4: First-packet iQ application classification enables EdgeConnect to granularly steer traffic on an application basis to meet QoS and security policies based on business intent.


Furthermore, the security of granular internet breakout is assured through the combination of an integrated stateful firewall for locations that do not host applications, and simple service chaining to next-generation firewalls should application traffic require further security inspection. Traffic is easily and automatically service chained to next-generation firewalls from industry-leading technology alliance partners Palo Alto Networks, Fortinet and CheckPoint; alternatively, traffic can be steered to a cloud-based secure gateway from alliance partner Zscaler. Network managers can easily define how to route applications for security inspection via a simple drag-and-drop interface in the Orchestrator business intent overlay template as shown in Figure 3.

Configuration workflow example for securing applications with a cloud web security gateway like Zscaler (Figure 5):

1. Obtain a tunnel request destination with Zscaler to receive a GRE tunnel configuration

2. Add a new label called Zscaler as shown in the template

3. Set up internet breakout tunnels and preferred policy order.

Moving Beyond the Traditional WAN Router

The application-driven WAN edge provides a more intelligent way to direct application traffic across the wide area based on business requirements. Rather than relying on inflexible, application-independent protocols to route traffic, an SD-WAN identifies the application and steers traffic to the correct virtual WAN overlay in accordance with pre-configured QoS and security policies. The intelligent, application-driven WAN edge model has proven to significantly improve business agility and worker productivity while lowering WAN costs. These benefits are fueling the rapid adoption of SD-WAN solutions, and according to Gartner, more than half of WAN edge infrastructure refreshes will be based on SD-WAN versus traditional routers by 2020.†

† http://searchsdn.techtarget.com/news/450403303/Gartner-SD-WAN-providers-to-disrupt-edge-router-market, 11/21/16

However, “routing” continues to play a role in an SD-WAN architecture. An SD-WAN solution must still support BGP and OSPF protocols to enable interoperability with environments that are not part of the SD-WAN infrastructure.

Silver Peak enables customers to migrate to an SD-WAN at their own pace. In order to satisfy rapidly changing business requirements, network teams require the flexibility to determine when, where and how they deploy WAN infrastructure. Whether they want to bring up a new site, interoperate with legacy sites not yet SD-WAN enabled, or replace traditional routers altogether with an SD-WAN solution, the pace of implementation and migration can vary from enterprise to enterprise.

Figure 5: Simplified security service chaining.

Figure 6: Routing interoperability enables graceful migration to SD-WAN. (Diagram labels: virtual overlay (no BGP), BGP, BGP thin branch, SD-WAN branch, legacy branch.)

To address SD-WAN migration and interoperability challenges, EdgeConnect integrates BGP and OSPF routing interoperability into the SD-WAN solution, resulting in several key benefits. First, it enables seamless interoperability with sites not yet part of the SD-WAN, eliminating the need to manually program local subnets. Second, it automates deployments in the data center through Layer 3 BGP advertisement without using PBR or WCCP (Figure 6).

Configuration templates make it easy to configure EdgeConnect’s BGP routing and peering.

With EdgeConnect, the configuration of advertisement and redistribution rules is peer-based, not global. It provides three peer types: Branch, Branch-transit, and PE (Provider Edge) Router. A branch-transit peer can reach another peer through a “back door” via routes shared through another protocol such as OSPF, ISIS, or BGP.

The types of routes that the appliance can advertise (or not advertise) to the peer are numbered in the Add Peer screen (Figure 7).

• Branch – all route types are permitted

• Branch-transit – all route types are permitted except Remote BGP branch-transit routes (type 7)

• PE Router – only BGP branch and BGP branch-transit (types 1, 3, and 4) are permitted

Figure 7: Unity Orchestrator intuitive routing configuration screens.

The end result is a dramatic simplification of the WAN architecture without compromising network and application performance or security. Furthermore, it provides the ability to gracefully migrate to SD-WAN while maintaining interoperability with branches still employing traditional routers.


Accelerating Latency-Sensitive Applications to Improve Productivity

In addition to the ability to break out traffic locally at the branch, WAN optimization can be enabled and assigned on a per-site and per-application basis to overcome latency challenges when connecting to IaaS or data centers. Geographically distributed branch sites often require a WAN optimization solution to ensure acceptable application performance. No matter how much WAN bandwidth is provisioned at the branch, latency caused by distance can ultimately degrade application performance. For applications that create large file transfers, such as backup and recovery operations, data deduplication and compression algorithms assure Recovery Time and Recovery Point Objectives are achieved.

The optional Silver Peak Unity Boost WAN optimization software license may be applied on an application-by-application or site-by-site basis, only when and where it’s required. Boost is fully integrated with EdgeConnect, delivered and managed as a single solution. Supporting WAN optimization with traditional router-centric WAN edge architectures requires yet another appliance along with its companion management application.

The result? Users are connected securely and get a consistent application experience whether the applications are hosted in the data center or the cloud.

Ensuring No Single Point of Failure: A Resilient Branch

Look at any distributed enterprise and you are sure to find a variety of mission-critical applications supporting business functions across branch locations. Therefore, “always-on” access to applications no matter where they reside becomes a “foundational requirement” to keep business running. The Silver Peak EdgeConnect HA cluster architecture enables deployment of EdgeConnect devices in pairs, delivering device, LAN and WAN resiliency while ensuring connectivity over any combination of transport including consumer broadband. EdgeConnect runs as a VM on any x86 platform or as a physical device based on x86 architecture to maintain low cost.

A resilient, active-active HA cluster is built from two EdgeConnect devices or VMs, operates as a single logical device, and is assigned a single VIP (Virtual IP Address) as shown in Figure 8. This eliminates the added cost and complexity of provisioning and managing multiple IP addresses for each WAN service utilized by the cluster. In the event of a transport or device failure, EdgeConnect software automatically detects and routes traffic around the failure. The HA (High Availability) link between the devices enables local and WAN traffic to move between devices without complexity or additional management while preserving EdgeConnect advanced application performance features such as tunnel bonding and packet-based load-sharing.

Figure 8: EdgeConnect HA cluster architecture for LAN, WAN and device survivability. (Diagram labels: EdgeConnect 1, EdgeConnect 2, VRRP, HA link, VIP, L2 switch, LAN 0, WAN 0, WAN 1, broadband, MPLS, 4G LTE, application flow, packet-based load sharing.)


Summary of Capabilities

| Capabilities | EdgeConnect Features | Benefits |
|---|---|---|
| SD-WAN | Secure ZTP, business intent overlays, path conditioning (FEC, POC), tunnel bonding, link bonding policies (high availability, high quality, high throughput, high efficiency), First-packet iQ, QoS, BGP routing interoperability, dynamic path control, SaaS optimization, automatic IPsec VPN, Boost (optional), orchestration | Simplify and accelerate branch office deployments as well as application provisioning/de-provisioning |
| Layer 3 Routing | BGP, VRRP, OSPF, PBR, WCCP | Interoperable with traditional routers |
| NAT | Static NAT, Dynamic NAT, PAT, CG-NAT | |
| DHCP | Client, Server, Relay | |
| Open Programmability | RESTful API | Integrate easily with orchestration tools |
| Quality of Service and Traffic Shaping | Shaping, policing, weighted fair queuing, flow by flow weighted fair queuing, Min/Max bandwidth, LAN & WAN DSCP marking, Inbound/Outbound QoS, 10 traffic classes, CoS (high availability, high quality, high throughput, high efficiency) | Ensures high quality end user experience |
| Segmentation | VLAN; ACL; Business intent overlays | Traffic isolation reducing attack surface |
| Reliability and Availability | HA cluster, tunnel bonding, load balancing, Forward Error Correction, Packet Order Correction | <1 sec link failover |
| Security | Stateful firewall, service chaining with CheckPoint, Fortinet, Palo Alto Networks, Zscaler, ACL, IPsec, IPsec UDP, AES-256, SHA-1, SHA-2, GRE, AAA, TACACS+, RADIUS, secure ZTP, overlays | Application, access and system level security |
| Monitoring & Network Visibility | NetFlow, SYSLOG, SNMP, real-time network and application visibility, Health map, Top Talkers/Domains/Sites, and Real-time visibility into latency, jitter & packet loss, reporting, Ping, Traceroute, Flow Troubleshooting, IPERF | Accelerate troubleshooting and reports show cost savings |
| Application Visibility | 10,000+ applications and 300 million web domains; Protocol, port number deep packet inspection, First-packet iQ | Granular application steering based on QoS and security policies |
| Application Performance Acceleration | WAN optimization (Unity Boost – optional license), SaaS optimization, Internet breakout, tunnel bonding (packet by packet load balancing), path conditioning, dynamic path control | Up to 40X increase in application performance |
| Management | Unity Orchestrator on-premise, private cloud or optional subscription “as-a-service” model, DHCP | Business level intent model |


© Silver Peak Systems, Inc. All rights reserved. All other brands, products, or service names are or may be trademarks or service marks of, and are used to identify, products or services of their respective owners. 11/2017

Silver Peak Systems, Inc., 2860 De La Cruz Blvd., Santa Clara, CA 95050

Email: [email protected] | www.silver-peak.com

Phone: +1 888 598 7325 | Local: +1 408 935 1800


| Feature | EdgeConnect System Capabilities |
|---|---|
| WAN Bandwidth | Up to 10Gbps (up to 5Gbps for virtual instance) |
| Simultaneous Connections | Up to 2 million |
| Data Path Interfaces | Only RJ45, Only Fiber, Mix of RJ45 & Fiber |
| Boost | Up to 5Gbps (up to 1Gbps for virtual instance) |

Conclusion

Geographically distributed enterprises embracing cloud-first initiatives require a different model to build the branch office WAN edge. The traditional router-centric approach has worked for WAN architectures where all applications resided in the corporate data center. However, with distributed applications, a new solution is required to handle the shift in traffic patterns and the increased use of internet services to connect directly to web-based applications.

The Silver Peak Unity EdgeConnect SD-WAN solution empowers distributed enterprises to build a thin branch that combines a single platform for SD-WAN, WAN optimization, routing and a stateful firewall to deliver operational efficiencies and enhance user productivity. The solution delivers predictable performance for cloud and web-based applications with bandwidth optimization and consistent application security policies, no matter where the application resides. EdgeConnect integrates BGP and OSPF routing for interoperability with existing WAN architectures, enabling organizations to move beyond traditional router-centric architectures to an advanced application-driven SD-WAN. Centralized management with Unity Orchestrator automates and accelerates branch office WAN provisioning, increasing IT resource efficiency while lowering operational costs.

Furthermore, Silver Peak provides world-class service and support that includes:

• 7 x 24 x 365 follow-the-sun support

• Global network of spares depots

• Online knowledge base

• Free SD-WAN training classes and SD-WAN certifications

    • SPSP Silver Peak SD-WAN Professional

    • SPSX Silver Peak SD-WAN Expert

• Self-paced training courses