Does Security Belong Near Endpoints?
Silver Peak’s presentation to the Network Field Day delegates was about their EdgeConnect SD-WAN product. They created EdgeConnect in early 2015 to provide products based on x86 platforms to perform WAN acceleration, WAN optimization, and software-defined WAN link aggregation.
It is easy to see the justification for EdgeConnect. With many applications moving to public cloud infrastructures, traffic flows from clients are changing again. Instead of clients connecting to the corporate data center, they are now connecting to applications hosted at Amazon, Google, SalesForce, Microsoft, etc. So why should traffic be sent across the WAN to the corporate data center, which then forwards it to the Internet to get to the application servers? It makes more sense to provide secure connectivity between the clients and this infrastructure.
But that’s not all. What about branch-to-branch connectivity, which many businesses need for Unified Communications and Collaboration?
Silver Peak’s EdgeConnect was created for organizations that have a large number of geographic installations – in other words, a lot of branches. The traditional way to provide secure branch connectivity has been MPLS, but it is more expensive than Internet and takes longer to provision or change. However, putting another appliance at each branch may be a hurdle for IT organizations, simply due to the added task of configuring each of the appliances, even if they are virtualized.
So an EdgeConnect accelerator simplifies its administration by connecting to Silver Peak’s servers to learn how and where to join the corporate network. One of these appliances is installed at each branch, yet they are centrally managed through Unity Orchestrator. The management system includes a “heat map” that allows easy monitoring of many, many branch systems.
The SD-WAN functionality comes from EdgeConnect’s ability to use any form of broadband connectivity, including MPLS, DSL, Internet, and LTE (wireless cellular). To keep communications secure, the EdgeConnect systems create a full mesh of connectivity between branches, protecting the virtual links with AES-256 encryption. Silver Peak claims up to a 90% reduction in connectivity and equipment costs. They had an interesting observation about the physical layer: legacy WAN connectivity will be replaced with Ethernet interfaces. It can handle up to 10 separate paths, although there are six connectors on the hardware platform.
Of course, with something looking at all the network traffic from a branch, it makes sense to include application acceleration. Instead of optimizing TCP/IP, their Unity Boost optimizes applications.
OK, so much for the basics. How does it handle difficult scenarios like out-of-order packets or packet errors, which can create havoc with application performance?
First, EdgeConnect can bond multiple links together to provide greater bandwidth. Alternatively, some links can be used as backups for other links, such as using LTE to back up an MPLS link. Link selection is dynamic, which may result in out-of-order packets. One mechanism for handling out-of-order packets is simple timers, nominally set to 100ms, but they can be set lower, perhaps to 20ms for voice/video applications. The timer is customizable by the customer on a per-overlay basis. Of course, for real-time applications, packets can be directed over one set of links while non-real-time traffic is sent over higher-latency links. Up to 10 traffic classes are supported, which is plenty for normal business use. (Too many classes are detrimental to overall performance.)
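The per-overlay reorder timer described above is easy to misjudge until you watch it act on a trace. The following is an added illustration, not Silver Peak's code: a hold-timer reorder buffer fed a constructed arrival trace in which packet 2 is delayed behind packet 3. With the 100ms default the buffer waits and delivers everything in order; with a 20ms voice/video setting the timer expires first, packet 3 is released early and the late packet 2 is discarded on arrival. The overlay names, timer values and the trace are all assumptions made for the demo.

```python
"""Hold-timer reorder buffer: an added example of the per-overlay timer
the post describes, not Silver Peak's implementation."""
from dataclasses import dataclass, field

# Constructed overlay settings mirroring the 100ms default and a tighter
# real-time value; not taken from any EdgeConnect configuration.
OVERLAY_HOLD_MS = {"default": 100, "voice-video": 20}


@dataclass
class ReorderBuffer:
    hold_ms: int
    next_seq: int = 0
    pending: dict = field(default_factory=dict)  # seq -> (arrival_ms, payload)
    late_drops: int = 0                          # packets that arrived after their hole was skipped

    def deadline(self):
        """Time at which the oldest held packet has waited the full hold timer."""
        if not self.pending:
            return None
        return min(arrival for arrival, _ in self.pending.values()) + self.hold_ms

    def push(self, seq, now_ms, payload):
        """Accept one packet; return payloads that can now be delivered in order."""
        if seq < self.next_seq:
            self.late_drops += 1  # we already gave up on this sequence number
            return []
        self.pending[seq] = (now_ms, payload)
        return self._drain(now_ms)

    def tick(self, now_ms):
        """Timer expiry with no new packet: release anything held past the timer."""
        return self._drain(now_ms)

    def _drain(self, now_ms):
        released = []
        while self.pending:
            if self.next_seq in self.pending:
                released.append(self.pending.pop(self.next_seq)[1])
                self.next_seq += 1
            elif now_ms >= self.deadline():
                self.next_seq = min(self.pending)  # hole timed out: skip it
            else:
                break  # still within the hold timer, keep waiting
        return released


# Constructed trace: (sequence number, arrival time in ms). Packet 2 is
# delayed on a slower path and lands after packet 3.
TRACE = [(0, 0), (1, 5), (3, 10), (2, 40), (4, 50)]


def run_trace(hold_ms, trace):
    """Replay a trace, firing the hold timer whenever it would expire before
    the next arrival. Returns ([(delivery_ms, payload), ...], late_drops)."""
    buf = ReorderBuffer(hold_ms)
    log = []
    for seq, t in trace:
        d = buf.deadline()
        while d is not None and d <= t:
            log.extend((d, p) for p in buf.tick(d))
            d = buf.deadline()
        log.extend((t, p) for p in buf.push(seq, t, f"p{seq}"))
    return log, buf.late_drops


if __name__ == "__main__":
    for name, hold in OVERLAY_HOLD_MS.items():
        log, drops = run_trace(hold, TRACE)
        print(f"{name} ({hold}ms): delivered {log}, late drops {drops}")
```

The trade-off is the one the post hints at: a short timer bounds the jitter a real-time flow sees, at the cost of dropping packets that would have been recoverable with a longer wait, so the value belongs on the overlay, not on the box.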
Another interesting technique employed by EdgeConnect is sending parity packets so they can do forward error correction. In one form of connectivity, the system sends eight packets and the receipt of any three of the packets can be used to recreate the original datagram. All packets are time-stamped and identified so that any lost packets are easily identified, and latency is measured over each path.
The error handling techniques are very dynamic. If a link is reliable, then there is no need to use extra bandwidth to achieve reliability. Silver Peak reported that they normally see single-digit percentage overhead with most links. However, the worst case is as much as 100% overhead (one parity packet per data packet). A link this bad will appear in the heat map management console and should be investigated and fixed.
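To make the parity-packet and adaptive-overhead ideas in the two paragraphs above concrete, here is an added example that is not Silver Peak's coding scheme. EdgeConnect's "any three of eight" recovery implies an erasure code stronger than what is shown here; plain XOR parity can rebuild only one lost packet per group, but it is enough to show how parity overhead (one parity packet per k data packets, so 1/k) trades against the chance that a group becomes unrecoverable, and how a sender might pick the group size from the measured loss rate. The group-size menu, the 1% failure budget and the sample packets are constructed for the demo.

```python
"""XOR parity forward error correction with a loss-adaptive parity ratio.
Added example; not Silver Peak's algorithm."""


def xor_bytes(chunks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def encode_group(data_packets):
    """Return the data packets followed by one parity packet (indices 0..k)."""
    return list(data_packets) + [xor_bytes(data_packets)]


def decode_group(received, k):
    """received maps packet index -> bytes for whatever arrived.
    Returns the k data packets, or None if more than one packet is missing."""
    missing = [i for i in range(k + 1) if i not in received]
    if len(missing) > 1:
        return None  # XOR parity cannot recover two losses in one group
    if missing:
        rebuilt = xor_bytes([received[i] for i in range(k + 1) if i != missing[0]])
        received = {**received, missing[0]: rebuilt}
    return [received[i] for i in range(k)]


def group_failure_probability(k, loss_rate):
    """P(two or more of the k+1 packets are lost) under independent loss,
    i.e. the probability that a group cannot be rebuilt."""
    n, p = k + 1, loss_rate
    return 1.0 - (1 - p) ** n - n * p * (1 - p) ** (n - 1)


GROUP_SIZES = (32, 16, 8, 4, 2, 1)  # constructed menu; overhead is 1/k


def choose_group_size(loss_rate, max_group_failure=0.01):
    """Largest group (least overhead) whose unrecoverable-group rate stays
    within budget; falls back to 1:1 parity (100% overhead) on a bad link."""
    for k in GROUP_SIZES:
        if group_failure_probability(k, loss_rate) <= max_group_failure:
            return k
    return 1


def parity_overhead(k):
    """Extra bandwidth as a fraction of data bandwidth."""
    return 1.0 / k


def demo(drop_indices):
    """Constructed four-packet group; drop the given indices and try to recover."""
    data = [b"voice-01", b"voice-02", b"voice-03", b"voice-04"]
    coded = encode_group(data)
    received = {i: pkt for i, pkt in enumerate(coded) if i not in drop_indices}
    return decode_group(received, len(data))


if __name__ == "__main__":
    print("one loss:", demo({2}))
    print("two losses:", demo({1, 3}))
    for loss in (0.001, 0.01, 0.1):
        k = choose_group_size(loss)
        print(f"loss {loss:.1%}: k={k}, overhead {parity_overhead(k):.1%}")
```

Run against a clean link the chooser settles on a 32-packet group (about 3% overhead, the single-digit range the post mentions); at 1% loss it shrinks to 8; at 10% loss nothing in the menu meets the budget and it drops to one parity per data packet, the 100% worst case that should be showing up red on a heat map and getting investigated rather than masked.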
EdgeConnect sits on an Ethernet segment, so how does WAN traffic get directed to it? Today, some combination of Policy Based Routing, WCCP, or static routing must be used. They plan to release OSPF and BGP dynamic routing support in the future.
I was favorably impressed with Silver Peak’s functionality. They have thought about some of the hard problems and have reasonable solutions to those problems. They certainly should be on the list of vendors to consider for combined WAN acceleration and SD-WAN functionality.