STEELHEAD HYBRID NETWORKING
INCREASE NETWORK APPLICATION PERFORMANCE AND AVAILABILITY WHILE REDUCING COSTS WITH RIVERBED PATH SELECTION
THE RISE OF THE HYBRID INFRASTRUCTURE
Today, businesses are rapidly adopting cloud infrastructure and SaaS applications broadly across the enterprise. Enterprise workforces are using applications, managing data, and conducting research along with other activities on the Internet and in the Cloud. In fact, more than half of all enterprises are using the cloud for storage, ERP, email, collaboration, and more.

Yet data, including large files, unified communications, recreational traffic, and more that are destined for the public Internet still travel through the costly MPLS network. That’s an inefficient way to access services and applications, such as cloud collaboration or cloud CRM, which can be accessed directly on the Internet without ever touching the corporate MPLS network. And the cost is high, especially when compared to broadband Internet. Typical studies tell us that an MPLS megabyte can cost up to 200 times more than a broadband megabyte, per month.

Until recently, enterprises followed a model where the vast majority of applications were hosted within private datacenters, with standardized WAN on MPLS network services. In a world with public and private resources, however, a hybrid network that combines the strengths of highly reliable MPLS networks with the ubiquity and lower cost of Internet infrastructure can be more economical.

Global enterprises are rapidly adopting cloud infrastructure and SaaS applications broadly, and the Internet is now a part of their business critical infrastructure.

With combined public and private resources, the network itself needs to go hybrid, combining the strengths of the highly reliable MPLS with the ubiquity, price, and speed of the Internet. The hybrid networking model from Riverbed Technology enables organizations to adopt hybrid networks to maximize the performance of applications, increase network availability, and reduce costs while retaining IT control and minimizing complexity.

This paper explains how Riverbed path selection technology is a superior approach for designing hybrid networks.

1 2012 Cisco Global Cloud Networking Survey
2 http://www.networkworld.com/community/blog/why-does-mpls-cost-so-much-more-internet-connectivity
WHITE PAPER: Steelhead Hybrid Networking
Move from MPLS to MPLS + Internet backhaul and triple the available bandwidth
For enterprises struggling with demand for bandwidth, moving from a pure MPLS to a hybrid network truly combining MPLS and Internet-based links to backhaul traffic to the datacenter is a cost effective option. It can yield a dramatic 300% growth of the available bandwidth on branches, without increasing overall networking budget.

Leverage local-Internet breakouts for SaaS traffic
Hybrid networks can be used to easily direct a selected part of the Internet traffic to local Internet gateways.

Let’s consider a user in San Francisco, who is forced to go through MPLS to a default central Internet breakout in New York to access a SaaS application, which is actually hosted in a datacenter based in Seattle. This situation creates a “tromboning” effect marked by added latency and unnecessary usage of expensive MPLS bandwidth. If a local Internet connection is present in the San Francisco branch, hybrid networks can selectively direct the user’s SaaS traffic to be forwarded directly to the Seattle-based datacenter, while other Internet traffic could continue to flow through the New York secured gateway. The result is faster performance and a smarter utilization of network resources.

Turn unused backup-lines into business lines
Many enterprises use a primary MPLS network backed up by an IPSec-based Internet line that is reserved only for MPLS failover. In other words, that backup line typically sits unused and lonely for traffic. Hybrid networks let you convert that rarely used Internet link into an active business line by routing certain types of traffic over it, such as non-business-critical traffic.
APPLICATION-AWARE
Legacy solutions classify traffic using port numbers and IP addresses. Business applications based on HTTP are by default classified in the same bucket as non-critical YouTube traffic. This can only be resolved using classification based on IP addresses, leading to configuration complexity and increased operational risks.

With Riverbed path selection technology, flows are classified using deep packet inspection (DPI)-based application awareness, which allows traffic to be steered precisely onto different paths according to its true nature and criticality.

For example, it even offers the ability to clearly distinguish between SSL-encrypted applications. Or instead of looking at Facebook as a consumer app, it can allow Facebook news feeds and updates but block non-business applications such as Farmville.
BUSINESS IMPERATIVES
This shift to a hybrid network satisfies the core imperatives for any enterprise network:
At its broadest level, path selection technology performs four critical functions:
Classifies traffic
Steelhead solutions use information from the Riverbed Application Flow Engine about more than 600 individual applications and processes to understand where data is coming from, which application sent it, and what function that application is trying to accomplish. The Riverbed Application Flow Engine utilizes a variety of techniques, often in combination, like port-based classification, application signature matching, protocol dissection, behavioral classification and others. Traffic can also be classified using the full assortment of packet rules, including IP addresses, 5-tuple, DSCP, TCP and UDP port numbers, and so on. In this way, operators can instruct Steelhead solutions to precisely associate applications to networks based on their nature, performance requirements, and business criticality.

Forwards packets
Once the Steelhead solution has selected the right path, the preferred next step is for it to steer traffic to the newly selected path. This operation is transparent to the client, server, and any networking devices such as routers or switches. It can either be performed directly using distinct Steelhead physical interfaces or indirectly using MAC address rewriting. When that’s not possible, for instance with virtual in-path deployments or where the Steelhead solution is not in the same Layer 2 domain, the Steelhead appliance uses DSCP marking with upstream policy-based routing.

Monitors availability
Steelhead solutions monitor path availability and quality end-to-end. You define the endpoint IP address for every path, and the Steelhead solution will send an ICMP ping every two seconds. To validate availability, each path can have a different remote host.

Manages failover
If three consecutive pings are missed, the path is considered to be unavailable, and the backup path is selected. Every application has a list of paths: a default and a prioritized set of backup paths. Should the default path be unavailable, the higher-priority backup is instantly used (and then the lower one if needed). Operators can even decide to block certain types of applications when the primary path becomes unavailable with a goal of reserving the remaining available bandwidth for more critical applications. As soon as the default path becomes available, traffic is routed back to it.
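The monitoring and failover rules above, as an added example: a simplified Python model written for this page, not Riverbed code. The two-second interval and three-miss threshold come from the paper; the path names, application names, probe trace, the single-reply recovery rule and the "NO-PATH" result are constructed assumptions.

```python
from dataclasses import dataclass

PING_INTERVAL_S = 2   # from the paper: one ICMP ping every two seconds
MISS_THRESHOLD = 3    # from the paper: three consecutive misses => unavailable

@dataclass
class Path:
    name: str
    misses: int = 0

    def record(self, replied: bool) -> None:
        # Assumption: a single reply clears the counter and restores the path.
        self.misses = 0 if replied else self.misses + 1

    @property
    def up(self) -> bool:
        return self.misses < MISS_THRESHOLD

@dataclass
class AppPolicy:
    app: str
    paths: tuple                      # default first, then backups by priority
    block_if_default_down: bool = False

    def select(self, table: dict) -> str:
        if self.block_if_default_down and not table[self.paths[0]].up:
            return "BLOCK"
        for name in self.paths:       # first available path in priority order
            if table[name].up:
                return name
        return "NO-PATH"              # assumption: the paper does not cover this

def simulate(probes: list, policies: list) -> list:
    """probes: one {path_name: replied} dict per ping interval."""
    table = {name: Path(name) for name in probes[0]}
    timeline = []
    for tick, replies in enumerate(probes):
        for name, replied in replies.items():
            table[name].record(replied)
        choice = {p.app: p.select(table) for p in policies}
        timeline.append((tick * PING_INTERVAL_S, choice))
    return timeline

# Constructed probe results: MPLS stops answering at t=4s, answers again at t=12s.
PROBES = [{"mpls": ok, "internet": True}
          for ok in (True, True, False, False, False, False, True)]
POLICIES = [AppPolicy("voip", ("mpls", "internet")),
            AppPolicy("file-sync", ("mpls", "internet"), block_if_default_down=True)]

if __name__ == "__main__":
    for t, choice in simulate(PROBES, POLICIES):
        print(f"t={t:>2}s {choice}")
```

In this trace the first probe is missed at t=4s but traffic only moves at t=8s, so under this model a flow can stay on a dead path for roughly four to six seconds before failover.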
DESIGN CONSIDERATIONS
Return traffic flows in the Datacenter
As a transparent overlay solution, path selection technology does not interfere with the routing layer. Accordingly, to ensure both directions of a given flow use the same path, customers should place Steelhead appliances with the same path selection policy configuration on both sides of the path.

Firewalls and application flow engine detection
The Riverbed Application Flow Engine (all Deep Packet Inspection—DPI—technologies for that matter) can require multiple packets to appropriately classify an application.

Stateful inspection firewalls generally need to see all traffic on a flow, starting with the initial SYN packet. Because of that, firewalls merit special consideration if using AFE-based rules for traffic selection.

If path selection using AFE-based rules classifies an application after the initial SYN packet, and then switches that path to a path with a firewall running stateful inspection, that firewall will most likely drop that flow, as the firewall has no connection entry for that session. You can resolve this by making the firewall path the “default” path for unclassified traffic. (See the Path Selection Design Guide for the Steelhead Product Family for full details.)

Client default gateways for single-subnet branches
If path selection technology is deployed in a branch with clients on the same subnet as the routers terminating the different paths, care must be taken to ensure the clients’ default gateway IP address remains highly available. Riverbed recommends using Virtual Router Redundancy Protocol (VRRP), or a similar mechanism, to ensure responses to client Address Resolution Protocol (ARP) requests in the event of router failure.
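The firewall interaction described under "Firewalls and application flow engine detection", as an added example: a simplified Python model written for this page, not Riverbed code. It steers one flow while a DPI engine classifies it late, and compares a default path that bypasses the stateful firewall with the paper's fix. The path names, flow tuple, packet sequence and `classify_after` parameter are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    conns: set = field(default_factory=set)

    def inspect(self, flow_id, flags: str) -> bool:
        if flags == "SYN":
            self.conns.add(flow_id)        # entry is created only by the initial SYN
            return True
        return flow_id in self.conns       # no entry for this session: drop

# Constructed flow: 5-tuple and packet sequence are illustrative only.
FLOW = ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp")
PACKETS = ("SYN", "ACK", "PSH", "PSH", "PSH")

def run_flow(default_path, app_path, firewalled, classify_after=3):
    """Steer one client-to-server flow; return (pkt_no, flags, path, verdict) rows.

    classify_after is a hypothetical parameter: the packet number at which the
    DPI engine has seen enough to name the application and apply its rule.
    """
    firewalls = {name: StatefulFirewall() for name in firewalled}
    rows = []
    for n, flags in enumerate(PACKETS, start=1):
        path = app_path if n >= classify_after else default_path
        fw = firewalls.get(path)
        ok = fw.inspect(FLOW, flags) if fw else True
        rows.append((n, flags, path, "pass" if ok else "DROP"))
    return rows

def dropped(rows):
    return [n for n, _, _, verdict in rows if verdict == "DROP"]

# Default path without a firewall, application rule pointing at the firewalled path.
MISCONFIGURED = run_flow("mpls", "internet-fw", {"internet-fw"})
# The paper's fix: the firewalled path is the default for unclassified traffic.
CORRECTED = run_flow("internet-fw", "internet-fw", {"internet-fw"})

if __name__ == "__main__":
    for label, rows in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(label, rows, "dropped:", dropped(rows))
```

When reviewing a path selection policy, the check this suggests is that every path carrying a stateful firewall also sees the flow's initial SYN, which holds when that path is the default for unclassified traffic.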
ABOUT RIVERBED
Riverbed® Technology is the leader in Application Performance Infrastructure, delivering the most complete platform for location-
independent computing. Location-independent computing turns location and distance into a competitive advantage by allowing IT
to have the flexibility to host applications and data in the most optimal locations while ensuring applications perform as expected,
data is always available when needed, and performance issues are detected and fixed before end users notice. Riverbed’s 24,000+
customers include 97% of the Fortune 100 and 95% of the Forbes Global 100. Learn more at www.riverbed.com.
©2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used
herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.