WHITE PAPER: Steelhead Hybrid Networking

STEELHEAD
HYBRID
NETWORKING
INCREASE NETWORK APPLICATION PERFORMANCE
AND AVAILABILITY WHILE REDUCING COSTS WITH
RIVERBED PATH SELECTION
THE RISE OF THE HYBRID INFRASTRUCTURE
Today, businesses are rapidly adopting cloud
infrastructure and SaaS applications broadly
across the enterprise. Enterprise workforces
are using applications, managing data,
and conducting research along with other
activities on the Internet and in the Cloud.
In fact, more than half of all enterprises
are using the cloud for storage, ERP, email,
collaboration, and more.
Yet data, including large files, unified
communications, recreational traffic, and
more that are destined for the public
Internet still travel through the costly MPLS
network. That’s an inefficient way to access
services and applications, such as cloud
collaboration or cloud CRM, which can be
accessed directly on the Internet without
ever touching the corporate MPLS network.
And the cost is high, especially when
compared to broadband Internet. Typical
studies tell us that a MPLS megabyte can
cost up to 200 times more than a broadband
megabyte, per month.
1
2012 Cisco Global Cloud Networking Survey
2
http://www.networkworld.com/community/blog/why-does-mpls-cost-so-much-more-internet-connectivity
Until recently, enterprises followed a model
where the vast majority of applications
where hosted within private datacenters,
with standardized WAN on MPLS network
services. In a world with public and private
resources, however, a hybrid network that
combines the strengths of highly reliable
MPLS networks with the ubiquity and lower
cost of Internet infrastructure can be more
economical.
Global enterprises are rapidly
adopting cloud infrastructure and
SaaS applications broadly, and
the Internet is now a part of their
business critical infrastructure.
With combined public and private
resources, the network itself
needs to go hybrid, combining the
strengths of the highly reliable
MPLS with the ubiquity, price, and
speed of the Internet. The hybrid
networking model from Riverbed
Technology enables organizations to
adopt hybrid networks to maximize
the performance of applications,
increase network availability, and
reduce costs while retaining IT
control and minimizing complexity.
This paper explains how Riverbed
path selection technology is a
superior approach for designing
hybrid networks.
WHITE PAPER: Steelhead Hybrid Networking

CREATING A NETWORK THAT MAKES MORE SENSE

Enterprises have three new compelling options involving an hybrid of MPLS and Internet:

Move from MPLS to MPLS + Internet
backhaul and triple the available
bandwidth
For enterprises struggling with demand for
bandwidth, moving from a pure MPLS to a
hybrid network truly combining MPLS and
Internet-based links to backhaul traffic to the
datacenter is a cost effective option. It can
yield a dramatic 300% growth of the available
bandwidth on branches, without increasing
overall networking budget.
Leverage local-Internet breakouts Turn unused backup-lines into
for SaaS traffic business lines
Hybrid networks can be used to easily direct Many enterprises use a primary MPLS
a selected part of the Internet traffic to local network backed up by an IPSec-based Internet
Internet gateways. line that is reserved only for MPLS failover.
In other words, that backup line typically sits
Let’s consider a user in San Francisco, who is
unused and lonely for traffic. Hybrid networks
forced to go through MPLS to a default central
let you convert that rarely used Internet link
Internet breakout in New York to access a
into an active business line by routing certain
SaaS application, which is actually hosted in
types of traffic over it, such as non-business-
a datacenter based in Seattle. This situation
critical traffic.
creates a “tromboning” effect marked by
added latency and unnecessary usage of
expensive MPLS bandwidth. If a local Internet
connection is present in the San Francisco
branch, hybrid networks can selectively direct
the user’s SaaS traffic to be forwarded directly
to the Seattle-based datacenter, while other
Internet traffic could continue to flow through
the New York secured gateway. The result is
faster performance and a smarter utilization of
network resources.

RIVERBED PATH SELECTION TECHNOLOGY MAKES

HYBRID NETWORKS EASY
Until now, creating seamless hybrid networking
architecture has been obstructed by the
complexity of defining which traffic goes
on which network. Hard-coded router
configurations and policy-based routing are an
intrusive burden on network administration,
and ultimately neither are reliable nor granular
enough to provide value. Without a simple
way to define rules and configure the hybrid
network, implementation of hybrid networking
has remained difficult.
With Riverbed, organizations can embrace
hybrid networks to maximize the performance
of business-critical applications, boost network
availability, and reduce costs while retaining IT
control and minimizing complexity.
With Riverbed® Optimization System (RiOS®)
8.5 path selection technology, IT organizations
can deploy and manage complex hybrid
networks to deliver greater application reliability
and performance for less cost. (RiOS is the
software that runs inside Riverbed Steelhead®
WAN optimization solutions). Unlike legacy
policy-based routing technologies, Riverbed
path selection technology:
• Is application-aware and able to precisely
distinguish business-critical applications
from less important applications
• Constantly senses path availability in real
time using active probes for dynamic
path failover
• Is simple to manage with centralized
user interfaces
• Works with application visibility and
WAN optimization for complete
management of business critical
applications over the WAN

APPLICATION-AWARE
Legacy solutions classify traffic using port
numbers and IP addresses. Business applications
based on HTTP are by default classified in the
same bucket as non-critical YouTube traffic.
This can only be resolved using classification
based on IP addresses, leading to configuration
complexity and increased operational risks.
With Riverbed path selection technology, flows
are classified using deep packet inspection
(DPI)-based application awareness allowing
to precisely steer traffic on different paths
according to their true nature and criticality.
For example, it even offers the ability to
clearly distinguish between SSL-encrypted
applications. Or instead of looking at Facebook
as a consumer app, it can allow Facebook news
feeds and updates but block non-business
applications such as Farmville.
WHITE PAPER: Steelhead Hybrid Networking

ACTIVELY SENSING PATHS AVAILABILITY

In legacy solutions, path availability is
determined using routing-based metrics that
are slow to converge and unable to report
brownout situations (when the network link
is still up but quality of the path is below the
usability threshold). As a result, organizations
are not compelled to offload more than low
importance applications over less reliable paths
like Internet. With Riverbed path selection,
path availability is constantly monitored;
active probes rapidly detect both blackout
and brownout situations where the path
quality is degraded to the point that sensitive
applications can no longer be delivered with
a good quality of experience. Path selection
rapidly and dynamically adapts the paths before
end users are impacted, thus allowing even
business-critical applications to utilize paths like
the Internet if needed.

TRANSPARENCY AND SIMPLICITY

Unlike other approaches, Riverbed path
selection technology utilizes a transparent
overlay service versus changing the packet-
forwarding plane. This approach results in
a clean abstraction between network layers
and obviates the need to reconfigure routers
with complex rules. Thus, the technology is
transparent to the existing network and is easy
to configure through an intuitive graphical
interface.

WORKS WITH APPLICATION VISIBILITY AND WAN OPTIMIZATION

Path selection technology is an integrated
element of an application performance suite.
The suite provides integrated application
visibility that simplifies policy construction and
troubleshooting. Deployed across the network,
the suite allows for network configuration
and monitoring with application-level Quality
of Service (QoS). It also provides a range of
application optimizations to ensure peak
performance of critical applications.

BUSINESS IMPERATIVES
This shift to a hybrid network satisfies the core imperatives for any enterprise network:

• Lower costs • Increased performance • Increased reliability

Growing a network with commercial-
grade Internet to complement
premium-priced MPLS bandwidth
lets you scale the network to match
growth and usage patterns, with a
flat or even reduced impact on IT
spend.
When a hybrid network is managed
with path selection, the bandwidth
available to applications is
dramatically improved. Internet links
can be fully utilized, freeing precious
MPLS bandwidth. Bottlenecks and
latency are minimized. That translates
into optimal performance and high
levels of user satisfaction.
A hybrid network driven by Riverbed
path selection technology offers
a rapid failover capability. When
the primary network becomes
unavailable, the other becomes an
instant backup, leading to an overall
increase of network reliability.
WHITE PAPER: Steelhead Hybrid Networking

DESIGNING HYBRID NETWORKS WITH

CASE IN POINT
Zero Dollars and 3x the Bandwidth
A large engineering firm with 180
offices in 31 countries needed to
support the traffic from their traditional
enterprise applications and their ever-
increasing web traffic. Buying more
WAN bandwidth was an unsustainable
approach. Their goal was to increase
aggregate bandwidth across the WAN
  Cloud
(from 3 Gbps to 9 Gbps) with a flat
budget impact.
They deployed Steelhead appliances
 Office
  Data
 Center
RIVERBED PATH SELECTION TECHNOLOGY
Path selection technology in Steelhead in cascading order. The path selection
solutions empowers IT organizations technology deterministically redirects
with greater controls to maximize select traffic and application flows
multiple WAN services based on business through alternate networks based on
needs, service quality, and costs. It service metrics, such as path availability,
redirects specific traffic or applications application priority, and the rules
Control:
through one of three alternate paths
determined by destination availability
you create.
What’s NEW with Path Selection
Internet
MPLS
Branch

to continue to backhaul all Internet-

destined traffic to headquarters for Path
Classification Forward Monitor
Failover
a simplified Internet security design,
while augmenting their bandwidth with •  Application •  Next Hop MAC •  End-to-end path •  Apps configured
Flow Engine address availability with prioritized
commodity Internet links and IPSec- classification monitoring list of paths
based Virtual Private Networks (VPNs) •  Packet rule •  Upstream •  Active probing •  Dynamic path
for greater aggregate bandwidth. classification policy based selection in case
routing of performance
degradation
Figure 1. The four functions of RiOS 8.5 Path Selection Technology

At its broadest level, path selection technology performs four critical functions:

Classifies traffic
Steelhead solutions use
information from the Riverbed
Application Flow Engine about
more than 600 individual
applications and processes to
understand where data is coming
from, which application sent it,
and what function that application
is trying to accomplish. The
Riverbed Application Flow Engine
utilizes a variety of techniques,
often in combination, like port-
based classification, application
signature matching, protocol
dissection, behavioral classification
and others. Traffic can also be
classified using the full assortment
of packet rules, including IP
addresses, 5-tuple, DCSP, TCP
and UDP port numbers, and so
on. In this way, operators can
instruct Steelhead solutions to
precisely associate applications to
networks based on their nature,
performance requirements, and
business criticality.
Forwards packets
Once the Steelhead solution
has selected the right path,
the preferred next step is for
it to steer traffic to the newly
selected path. This operation is
transparent to the client, server,
and any networking devices
such as routers or switches. It
can either be performed directly
using distinct Steelhead physical
interfaces or indirectly using MAC
address rewriting. When that’s not
possible, for instance with virtual
in-path deployments or where
the Steelhead solution is not in
the same Layer 2 domain, the
Steelhead appliance uses DSCP
marking with upstream policy-
based routing.
Monitors availability
Steelhead solutions monitor path
availability and quality end-to-end.
You define the endpoint IP address
for every path, and the Steelhead
solution will send an ICMP ping
every two seconds. To validate
availability, each path can have a
different remote host.
Manages failover
If three consecutive pings are
missed, the path is considered
to be unavailable, and the
backup path is selected. Every
application has a list of paths:
a default and a prioritized set
of backup paths. Should the
default path be unavailable, the
higher-priority backup is instantly
used (and then the lower one
if needed). Operators can even
decide to block certain type of
applications when the primary
path becomes unavailable with a
goal of reserving the remaining
available bandwidth for more
critical applications. As soon as the
default path becomes available,
traffic is routed back to it.
WHITE PAPER: Steelhead Hybrid Networking
CASE IN POINT
Hybrid Networks To Increase
Performance and Reduce Costs
A global consumer goods company
was approaching a major MPLS WAN
refresh cycle and contract renewal. But
growing the existing infrastructure to
meet projected bandwidth needs would
be very costly. The company wanted to
control MPLS circuit upgrades, and, at
the same time, expand network capacity
significantly.
The company deployed Steelhead
solutions to fully leverage a hybrid
network combining MPLS, Internet
backhauling, and local Internet
breakouts. Riverbed path selection
ensures the right traffic travels the
right path. That means directing high-
bandwidth internal applications (such as
internal videos, email, anti-virus updates,
Microsoft SCCM and SharePoint, and
backup and replication) to Internet VPN
links. Internet and SaaS traffic is sent to
the public Internet in regional hubs.
BRANCH DEPLOYMENT EXAMPLES
The examples that follow illustrate a network with a single Steelhead appliance
connected to multiple upstream routers, and a network with a second Steelhead
appliance for redundancy. Each router is the gateway to a particular path. Both
examples show MPLS and Internet/VPN.
1
3
2 3
Figure 2. Single Steelhead Appliance (with multiple upstream routers) in a Layer-Two Connected Branch
1. Traffic from the clients 2. Traffic is then 3. The appropriate
arrives at the active forwarded from the upstream router receives
Steelhead appliance Steelhead WAN interface the traffic (based on the
and is classified by path and sent to that updated destination MAC address)
selection rules. That MAC address. and forwards it down the
traffic’s source and appropriate path.
destination MAC address
updated appropriately.
In this configuration, failure is best handled through a Steelhead appliance’s “fail to
wire” setting, which directly connects LAN and WAN as if the Steelhead appliance
was not part of the network flow. This causes all traffic to flow down the default,
routed path in the event of an appliance failure.
2 3
2 3
Figure 3. Dual Steelhead Appliances in Redundant Branch
1. Traffic from the clients 2. Traffic is then 3. The appropriate
arrives at the active forwarded out the upstream router receives
Steelhead appliance appropriate Steelhead the traffic and forwards
and is classified by path appliance’s WAN interface it down the appropriate
selection rules. according to the rules. path.
In this configuration, failure is best handled through a Steelhead appliance’s “fail to
block” setting, which sends the traffic to the redundant Steelhead appliance.
WHITE PAPER: Steelhead Hybrid Networking

DESIGN CONSIDERATIONS
Return traffic flows in Firewalls and application Client default gateways for
the Datacenter flow engine detection single-subnet branches
As a transparent overlay solution, path The Riverbed Application Flow Engine (all If path selection technology is deployed
selection technology does not interfere Deep Packet Inspection—DPI—technologies in a branch with clients on the same
with the routing layer. Accordingly, to for that matter) can require multiple packets subnet as the routers terminating the
ensure both directions of a given flow to appropriately classify an application. different paths, care must be taken to
use the same path, customers should place ensure the clients’ default gateway IP
Stateful inspection firewalls generally need
Steelhead appliances with the same path address remains highly available. Riverbed
to see all traffic on a flow, starting with the
selection policy configuration on both recommends using Virtual Router
initial SYN packet. Because of that, firewalls
sides of the path. Redundancy Protocol (VRRP), or a similar
merit special consideration if using AFE-based
mechanism, to ensure responses to client
rules for traffic selection.
Address Resolution Protocol (ARP) requests
If path selection using AFE-based rules in the event of router failure.
classifies an application after the initial SYN
packet, and then switches that path to a path
with a firewall running stateful inspection,
that firewall will most likely drop that flow,
as the firewall has no connection entry for
that session. You can resolve this by making
the firewall path the “default” path for
unclassified traffic. (See the Path Selection
Design Guide for the Steelhead Product
Family for full details.)

LEARN MORE ABOUT HYBRID NETWORKING

A hybrid network—when controlled by Riverbed path selection technology for Steelhead solutions—combines the WAN and
private and public Internet to increase available bandwidth and increase application performance and network reliability at the
lowest cost possible. It allows enterprises to get the benefits of a hybrid network without the underlying complexity of managing
multiple links in a branch. Steelhead appliances with path selection technology can help you maximize return on your application
and infrastructure investments. To learn all the details, contact us today at http://www.riverbed.com/hybridnetwork

ABOUT RIVERBED
Riverbed® Technology is the leader in Application Performance Infrastructure, delivering the most complete platform for location-
independent computing. Location-independent computing turns location and distance into a competitive advantage by allowing IT
to have the flexibility to host applications and data in the most optimal locations while ensuring applications perform as expected,
data is always available when needed, and performance issues are detected and fixed before end users notice. Riverbed’s 24,000+
customers include 97% of the Fortune 100 and 95% of the Forbes Global 100. Learn more at www.riverbed.com.

©2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used
herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.