Attendees
• You should already have completed the Deploying SDWAN Technologies (DST) course.
• This class moves very quickly
• It is mostly lab
• Stay focused
• Lunch / Breakfast
• Restrooms
• Exits
• WiFi
• You can annotate pdf copies of your slides provided to you using the comments and sticky notes
feature in Adobe Acrobat.
• The following diagram shows the topology of your virtual lab environment.
o All Data Path addresses are in 10.110.xx.0 subnets
o The out of band management network uses 192.168.1.0
o All masks are 24 bit (255.255.255.0).
o Next hops
• WAN emulators are used for Broadband and MPLS clouds. Next hop addresses are shown next to the emulator
connections.
• Routers at site 3 are Cisco CSR routers (virtual - free version)
• All machines are virtual, installed in a hosted server in the cloud (at ReadyTech)
• TG0x
• hMail Server (you should never need to use this – hint hint)
o Administrator / Silverpeak1
o Silverpeak1
• Cisco CSRs
o No password required
• Kwanem login
o root / silverpeak
• Traffic that is directed by manual route policies into a manual (underlay) tunnel is flow based
o All packets in a flow that is not sent to an overlay go into the same tunnel
o Manually routed traffic can load share between underlay tunnels, but on a flow (not packet) basis, using % tunnel BW utilization
These options in the system template or appliance system config do NOT apply to overlay traffic.
1. Longest Match
• E.g. 10.10.10.0/24 preferred over 10.10.0.0/16
2. Local Preference
• Any local subnet match is preferred over a subnet learned via advertisement, regardless of metric
• Note: Routes learned via BGP are NOT local
3. Lowest Metric
• E.g. 0.0.0.0/0 metric 50 from device A preferred over 0.0.0.0/0 metric 60 from device B
• SaaS service subnets treated as remote (metric is considered)
5. Random
• All the above being equal, path selection will be random
• First check the subnet table for a match for the packet’s destination IP address
o If there's a match, put it in an underlay (not overlay) tunnel to the destination that the subnet was learned from and honor any Path config options in the policy
o If there is no match in the subnet table, it depends on the auto opt setting in the system config
• If the auto opt option boxes are not checked in the system config, then execute the fallback option
• If the boxes are checked, then try to do classical auto opt (see next slides)
o Note: classical auto opt is a relic from before we had subnet sharing
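As an added example (not code from the course or from Silver Peak), here is a small Python model of the subnet-table selection order (longest match, local preference, lowest metric, random) and of the lookup flow above for manually routed traffic. The table rows, peer names and addresses are constructed for illustration. Treating a hit on a locally added subnet as LAN-side delivery rather than a tunnel is an assumption; the slide only describes the learned-subnet case.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class SubnetEntry:
    """One row of the subnet table (rows below are constructed for this example)."""
    prefix: str        # e.g. "10.10.10.0/24"
    learned_from: str  # peer the subnet was learned from, or "local" for a locally added subnet
    metric: int
    local: bool        # True only for locally added subnets; routes learned via BGP are NOT local


def _net(entry: SubnetEntry) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(entry.prefix, strict=False)


def best_match(table: List[SubnetEntry], dst_ip: str, rng=random) -> Optional[SubnetEntry]:
    """Selection order from the slide: longest match, local preference, lowest metric,
    then random among whatever is still tied (the slide numbers these 1, 2, 3 and 5)."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [e for e in table if dst in _net(e)]
    if not candidates:
        return None
    # 1. Longest match: 10.10.10.0/24 is preferred over 10.10.0.0/16
    longest = max(_net(e).prefixlen for e in candidates)
    candidates = [e for e in candidates if _net(e).prefixlen == longest]
    # 2. Local preference: a local subnet beats a learned one regardless of metric
    if any(e.local for e in candidates):
        candidates = [e for e in candidates if e.local]
    # 3. Lowest metric: 0.0.0.0/0 metric 50 from A is preferred over metric 60 from B
    lowest = min(e.metric for e in candidates)
    candidates = [e for e in candidates if e.metric == lowest]
    # 5. Random: all of the above being equal
    return rng.choice(candidates)


def route_decision(table: List[SubnetEntry], dst_ip: str, auto_opt_enabled: bool,
                   rng=random) -> Tuple[str, Optional[str]]:
    """Lookup flow for manually routed traffic: a hit on a learned subnet goes into an
    underlay tunnel toward the peer it was learned from; a miss goes to classical auto opt
    when the system-config boxes are checked, otherwise to the fallback option."""
    entry = best_match(table, dst_ip, rng)
    if entry is None:
        return ("auto-opt", None) if auto_opt_enabled else ("fallback", None)
    if entry.local:
        # Assumption for this example: a locally attached subnet is delivered on the LAN side.
        return ("local-lan", None)
    return ("underlay-tunnel", entry.learned_from)


def tie_break_samples(table: List[SubnetEntry], dst_ip: str, seeds=range(50)) -> Set[str]:
    """Run the random tie-break with several seeded generators and collect the peers chosen."""
    return {best_match(table, dst_ip, random.Random(s)).learned_from for s in seeds}


# Constructed sample table; peers and addresses are illustrative only.
SAMPLE_TABLE = [
    SubnetEntry("10.10.10.0/24", "device-A", 50, False),
    SubnetEntry("10.10.0.0/16",  "device-B", 10, False),  # shorter prefix loses despite the lower metric
    SubnetEntry("10.20.0.0/16",  "local",    50, True),   # locally added
    SubnetEntry("10.20.0.0/16",  "device-B", 10, False),  # learned copy loses to the local one regardless of metric
    SubnetEntry("0.0.0.0/0",     "device-A", 50, False),
    SubnetEntry("0.0.0.0/0",     "device-B", 60, False),
    SubnetEntry("10.30.0.0/16",  "device-A", 50, False),
    SubnetEntry("10.30.0.0/16",  "device-B", 50, False),  # exact tie: random
]

if __name__ == "__main__":
    for ip in ("10.10.10.7", "10.10.99.1", "10.20.1.1", "192.0.2.9", "10.30.5.5"):
        print(ip, "->", route_decision(SAMPLE_TABLE, ip, auto_opt_enabled=False))
    print("empty table, auto opt off ->", route_decision([], "192.0.2.9", auto_opt_enabled=False))
```

The two 10.20.0.0/16 rows are the case the slide calls out: the learned copy has the better metric, but the local row still wins because local preference is checked before metric.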
[Figure: classical auto opt handshake. The SYN/ACK from B to A (Syn/Ack <- BA) passes SP#2 and then SP#1; step 4: SP#2 delivers the packet into the LAN. Thereafter, all traffic for this flow goes through the tunnel. Topology: LAN 10.10.10.0 at SP1 and LAN 10.10.20.0 at SP2, each appearing as the remote subnet at the other appliance.]
• WAN hardening: no traffic that is not IPsec tunneled is allowed in or out of the site through hardened interfaces (with a few exceptions).
• SNAT
o Applied outbound to passthrough traffic only
o Tunnel traffic is not NAT’d by Stateful+SNAT
o Source address will be NAT’d to the interface IP
o Source port will be preserved if available, otherwise a new source port will be mapped
o Allows 64k connections per destination address (tuple = source IP + 64k source ports + destination IP)
o Use if there is no upstream NAT device (e.g. a local external firewall)
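To make the source-port rule concrete, the following is an added Python model of Stateful+SNAT port allocation, written for this page; it is not Silver Peak's implementation. The interface address, hosts and destinations are constructed. Scanning for the lowest free port when the original one is taken is an assumption; the slide only says a new port is mapped.

```python
from typing import Dict, List, Tuple


class StatefulSnat:
    """Toy model of the Stateful+SNAT source-port behaviour described on the slide."""

    PORT_RANGE = range(1, 65536)  # the "64k" source ports available per destination address

    def __init__(self, interface_ip: str):
        self.interface_ip = interface_ip
        # per-destination port table: dst_ip -> {translated_port: (orig_src_ip, orig_src_port)}
        self._used: Dict[str, Dict[int, Tuple[str, int]]] = {}
        # existing translations: (src_ip, src_port, dst_ip) -> translated_port
        self._flows: Dict[Tuple[str, int, str], int] = {}

    def egress(self, src_ip: str, src_port: int, dst_ip: str, tunneled: bool) -> Tuple[str, int]:
        """Return the (source IP, source port) seen on the wire for an outbound packet."""
        if tunneled:
            # Tunnel traffic is not NAT'd by Stateful+SNAT; only passthrough traffic is.
            return src_ip, src_port
        key = (src_ip, src_port, dst_ip)
        if key in self._flows:
            return self.interface_ip, self._flows[key]   # existing flow keeps its mapping
        used = self._used.setdefault(dst_ip, {})
        if src_port not in used:
            port = src_port                   # preserve the source port if it is free toward dst_ip
        else:
            port = self._first_free(used)     # otherwise map a new one (lowest free: assumption)
        used[port] = (src_ip, src_port)
        self._flows[key] = port
        return self.interface_ip, port

    def _first_free(self, used: Dict[int, Tuple[str, int]]) -> int:
        for p in self.PORT_RANGE:
            if p not in used:
                return p
        # All 64k source ports toward this destination are taken: the tuple is exhausted.
        raise RuntimeError("no free source port toward this destination")

    def connections_to(self, dst_ip: str) -> int:
        """Number of translated source ports currently in use toward dst_ip."""
        return len(self._used.get(dst_ip, {}))

    def capacity_per_destination(self) -> int:
        return len(self.PORT_RANGE)


def demo() -> List[Tuple[str, int]]:
    """Walk through the cases on the slide; returns the on-wire (ip, port) for each step."""
    snat = StatefulSnat("203.0.113.5")   # constructed WAN interface address
    return [
        snat.egress("10.1.1.10", 5000, "198.51.100.1", tunneled=False),  # 5000 free: preserved
        snat.egress("10.1.1.11", 5000, "198.51.100.1", tunneled=False),  # 5000 taken toward this dest: remapped
        snat.egress("10.1.1.11", 5000, "198.51.100.2", tunneled=False),  # different destination: 5000 free again
        snat.egress("10.1.1.10", 5000, "198.51.100.1", tunneled=False),  # existing flow keeps its mapping
        snat.egress("10.1.1.10", 5000, "10.2.2.2", tunneled=True),       # tunnel traffic is not NAT'd
    ]


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

The third step is the point of the per-destination tuple: the same original source port can be preserved toward two different destinations, because the 64k port space is kept per destination address rather than per interface.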
IP Whitelist
Restrict access to Orchestrator
• Orchestrator IP Whitelist
• Allow only configured subnets to access Orchestrator
• Devices from sources not in the list will be denied
• Link to see denies at the bottom of the dialog
• Recommended if there is no FW or when using the cloud Orchestrator.
1. T/F – If an interface leading to the internet is hardened, local traffic will need to be backhauled to
a data center through a tunnel to connect to Google.
2. T/F – No traffic of any kind is allowed into a hardened interface outside of an IPsec tunnel.
3. Could an interface connected to the Internet and configured to be a Stateful Firewall, allow local
access to SalesForce.com?
4. T/F – All the appliances in a network can simultaneously change to a new IPsec encryption key
on a predetermined schedule.
5. Are ipsec_udp tunnels the only type available in Orchestrator 8.2.0 and above?
6. Is it possible to limit the address spaces from which logins to Orchestrator are allowed?
• Bridge mode
o Must be deployed in path
o 2 Management interfaces
o Up to 3 bridges (lan-WAN pair) for current HW platforms
• Check website for current HW specs
• When one bridge goes into bypass/open, they all do
o Forwards multicast traffic across the bridges
• Router mode
o In path or out of path
o 2 management interfaces
o Up to 6 data path interfaces (virtual or physical)
o Drops multicast traffic
• Interactive
o Matches ‘Interactive’ ACL
• Common desktop apps (PCoIP, Citrix, VNC, MS terminal services etc.)
o Uses HQ bonding
• Default
o Matches ‘AnyTraffic’ ACL
• Matches everything
o Uses HQ bonding
• In this course we will deploy both out-of-path, and ILRM (Inline Router Mode)
• In Router Mode, there are at least 2 Silver Peak interfaces (plus mgmt0)
o In Path (ILRM): LAN and WAN interfaces sit in the data path
o Out of Path: add interfaces to the WAN or LAN side, wherever you need them
[Figure: packet-based load sharing. Packets 1–8 of an application flow are spread across two appliances joined by an HA link (interfaces LAN 0, WAN 0 and WAN 1), with VRRP on the LAN side behind an L2 switch.]
• Tunnel bonding between any transport services
• Dynamic path control with instantaneous fail-over
• Packet-based load sharing
• Path conditioning
[Figure: DRC is configured on the Inbound Shaper page, on the appliance only (hub and spoke).]
[Figure: backhauling local traffic. 1. Packet enters the WAN-attached interface. 2. SP forwards to the default LAN next-hop. Branch local subnet 2.2.2.0; data center subnets 1.1.3.0 and 1.1.4.0; the data center advertises subnet 0.0.0.0/0 with metric 60.]
o May require static subnet table entries
o Might also require static routes to tell local appliances which next-hop to use
• Note
o Branch appliance could handle NAT and basic L3/L4 firewall functionality, which might be sufficient without backhauling
o Doesn’t provide packet content inspection etc.
49 Confidential | © 2017 Silver Peak Systems, Inc. All Rights Reserved.
IN PATH NETWORKING
ILRM is the recommended deployment mode
[Figure: in-path branch with SP1 and SP2, each with lan0 and wan0 toward the Internet and wan1 toward the MPLS PE.]
Out of Path Networking Flavors
[Figure: three out-of-path redirection flavors.
1. BGP / PBR / WCCP: LAN and WAN end devices in the same or different subnets.
2. BGP / VRRP / Host Based Forwarding: LAN and WAN end devices.
3. VRRP w/ PBR: L2 switch on the LAN side, router using PBR toward a VIP shared by the VRRP peers (lan0 / wan0), end devices in different subnets.]
• Omitting certain information can result in extraneous tunnel formation. Correct this condition.
• Observe the effects of WAN hardening and Overlay Down actions, some of them not so obvious.
Understand the causes, and correct unwanted side effects.
o You will see pings fail from the branch to the data center, and identify the suspected root cause by
examining the flow detail, then prove it with a temporary work around. Then you will correct the root cause.
o You will see pings work in one direction but not the other, and identify the root cause.
o In this section, remember the ECV-2 and ECV-3 are out of path, and there is not any traffic redirection. This
means that traffic can go in the tunnels leaving the branch site (because it is inline), but will not be directed
to the appliances to go into a tunnel at the data center site. You will use 3 methods of traffic redirection in
upcoming labs, but for now, your goal is to learn flow behavior, and how to identify why a flow was routed in
a particular way.
• Many networks require traffic going to the internet or other internal sites be backhauled through
the data center. Configure data center machines to advertise default routes to achieve this.
[Figure: EdgeConnect first-packet classification. Untrusted / suspicious apps, “Home from Work” apps and trusted business apps, drawn from 10,000+ apps, 300 million+ web domains and hundreds of thousands of IP addresses.]
• Steer Apps Intelligently: granular, intelligent breakout of SaaS and trusted internet-bound traffic directly from the branch
• Improve App Response Time: avoid added latency through direct access to where the app resides
• Reduce Backhaul: backhaul only untrusted traffic to the corporate FW
• Save Valuable WAN Bandwidth: avoid consumption of expensive MPLS circuits where not necessary
• Flexibility
o PT tunnel / Breakout allows you to forward incoming local PT traffic through a chosen WAN interface
o Standard Passthrough L2W traffic goes to the next-hop for wan0
• The two policy orders below are not equivalent (≠)
Policy set 1 (breakout first):
1. Break out non-internal traffic to the selected PT tunnel(s)
2. Put anything else in the overlay (assuming there’s a route etc.)
…But if the local breakout goes down (e.g. the next-hop becomes unreachable):
3. Put non-internal traffic in the overlay instead of breaking it out if there’s a route (could be a default route)
4. Else, do the Peer Unavailable Action if possible, or Drop
Policy set 2 (overlay first):
1. Put all traffic in the overlay if there’s a route. But if there is no path to the destination in the subnet table (e.g. it’s no longer being advertised by any peers),
2. Then break out non-internal traffic to the PT tunnel(s).
3. If the breakout interface (e.g. Internet) goes down, the internet traffic will be dropped.
• Configure the Route Policy with appropriate match criteria, and point Destination to Peer
• Breakout rule: Destination is ‘Internet’, Path is ‘load balance’
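The difference between the two policy orders, as an added Python model (not code from the course or from Silver Peak). Whether a flow is internal, whether the subnet table has a route, and whether the breakout next-hop is reachable are inputs supplied by the caller; the Peer Unavailable Action is modeled as a plain string, and the "internal flow with no route" case under set 2, which the slide does not spell out, is treated as a drop (an assumption).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    internal: bool   # True when the destination is an internal (corporate) subnet


@dataclass(frozen=True)
class NetState:
    overlay_route: bool                      # subnet table has a path (possibly a default route) to the destination
    breakout_up: bool                        # next-hop of the Internet PT tunnel / breakout interface is reachable
    peer_unavailable_action: Optional[str]   # configured Peer Unavailable Action, or None if there is none


def breakout_first(flow: Flow, st: NetState) -> str:
    """Policy set 1: break out non-internal traffic first, overlay for everything else."""
    if not flow.internal and st.breakout_up:
        return "breakout"            # 1. non-internal traffic -> selected PT tunnel(s)
    if st.overlay_route:
        return "overlay"             # 2. anything else -> overlay; 3. non-internal too once breakout is down
    return st.peer_unavailable_action or "drop"   # 4. else Peer Unavailable Action if possible, or Drop


def overlay_first(flow: Flow, st: NetState) -> str:
    """Policy set 2: overlay first, breakout only when the subnet table has no path."""
    if st.overlay_route:
        return "overlay"             # 1. all traffic with a route -> overlay
    if not flow.internal and st.breakout_up:
        return "breakout"            # 2. no path in the subnet table -> non-internal traffic breaks out
    return "drop"                    # 3. breakout interface down (assumed also: internal with no route) -> dropped


def compare(flow: Flow, peer_unavailable_action: Optional[str] = "pass-through"
            ) -> Dict[Tuple[bool, bool], Tuple[str, str]]:
    """Decisions of both policy sets for every (overlay_route, breakout_up) combination."""
    return {
        (route, up): (breakout_first(flow, NetState(route, up, peer_unavailable_action)),
                      overlay_first(flow, NetState(route, up, peer_unavailable_action)))
        for route in (True, False) for up in (True, False)
    }


if __name__ == "__main__":
    for name, flow in (("internet-bound", Flow(internal=False)), ("internal", Flow(internal=True))):
        print(name)
        for (route, up), (a, b) in compare(flow).items():
            print(f"  route={route!s:5} breakout_up={up!s:5}  set1={a:13} set2={b}")
```

Running it shows the two orders only diverge when a route exists and the breakout is healthy (set 1 breaks out, set 2 uses the overlay) and when neither is available (set 1 falls back to the Peer Unavailable Action, set 2 drops).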
Overlay Flow
Review 4: Internet Breakout and Traffic Classification
1. T/F – An EdgeConnect can snoop DNS lookups and cache the results for domain based
packet classification.
2. T/F – As part of its 1st packet classification strategy, Silver Peak appliances maintain a cache
of millions of domains and addresses that is dynamically updated.
3. What is the difference between the
Policy Orders shown?
4. T/F – It is necessary to manually configure at least two Internet passthrough tunnels to load
balance breakout traffic?
IP SLA - PING
• Address
o Domain names or IP addresses
o Comma separated if multiple
o Tested as ‘Or’ (all destinations do not need to be reachable for the ‘up’ condition – any single one will do)
IP SLA – MONITOR INTERFACE
• Monitors a local interface and takes the up or down action
• Monitor Sampling Interval – how often higher level processes (like the overlay manager) check the status of the SLA
IP SLA – VRRP MONITOR
• Checks to see if this device is the VRRP Master (up) or Backup (down)
• Monitor Sampling Interval – how often higher level processes (like the overlay manager) check the status of the SLA
DEFAULT IP SLA RULES
• Use Case 2
o LAN Interface Down -> Remove local subnets from the subnet table
o Reason: Don’t send traffic to a device that has nowhere to route it
• Use Case 3
o WAN IP Address Down -> Failover from Primary WAN tunnel to Secondary
o Reason: zScaler GRE Tunnels to POP1 and POP2 use that WAN IP address
[Figure: Cloud Portal, Orchestrator and an EdgeConnect with Internet, MPLS and LTE links.]
• This example shows a user (admin) making a change to the overlay config, then Overlay Manager making changes to the appliances…
• Mouseover shows details
• Traceroute option can show you hop-by-hop latency for underlay tunnels
Two types of threshold alerts: Rising Alerts (above the nominal, safe zone) and Falling Alerts (below it)
[Figure: WCCP LAN-side and WAN-side redirection on a router between LAN 10.110.11.0 and WAN 10.110.33.0; the WAN-side ACL uses the reverse mask (source and destination swapped).]
• If WAN-side redirects are required, the source and destination addresses are reversed in the ACL that is applied to the WAN interface
o E.g. access-list 102 permit ip 10.110.11.0 0.0.0.255 10.110.33.0 0.0.0.255
• Since you’ll be using two protocols, you’ll need two service groups. Therefore, create two WCCP service groups (as placeholders) and associate the ACL with them. Here, we’ll create 53 to use (later) with TCP and 54 to use (later) with UDP. Service group numbers can be between 51 and 255 inclusive:
    CSR-1(config)# ip wccp 53 redirect-list 101
    CSR-1(config)# ip wccp 54 redirect-list 101
• Using local subnets in ACLs makes this more scalable as it will be easier to add additional sites without changes to existing locations.
• LAN-side Redirect (service group 51, LAN redirect)
    ip access-list extended SP-LAN
     deny ip host 10.1.21.2 any
     permit ip 10.1.20.0 0.0.0.255 any
    ip wccp 51 redirect-list SP-LAN
o Note the location of the ANY statement
o The deny is for traffic destined for the appliance (10.1.21.2/29). Add it if there is a problem or if the SP must be on the same subnet with the end devices.
• WAN-side Redirect (service group 52, WAN redirect)
    ip access-list extended SP-WAN
     deny ip host 10.1.21.2 any
     permit ip any 10.1.20.0 0.0.0.255
    ip wccp 52 redirect-list SP-WAN
o Use subnet sharing and avoid WAN-side redirects!
• WAN-side Redirect, second local subnet (10.1.25.0/24) added
    ip access-list extended SP-WAN
     permit ip any 10.1.20.0 0.0.0.255
     permit ip any 10.1.25.0 0.0.0.255
o Use subnet sharing! No WAN-side redirects needed!
• Best Practices
o Create 2 service groups per router – one for TCP and one for UDP. This will catch most of the traffic
o Add a 3rd group for ICMP if you want to test redirection with Pings
o Add additional service groups for any other IP protocols that need to be optimized and choose the protocol
from the dropdown list
Advanced Settings: Weight
• Weight causes the designated web cache to
manipulate the bits in the hash/mask
assignment sent to a router
• Used for proportional load balancing between
devices in a service group
• Default – leave everything at 100 and traffic will be distributed equally
• Could be used to limit traffic going to (a)
particular device(s)
o Maybe tunnels connected to that device go
over slower links
o The device might be a much smaller appliance
than others in the service group that can’t
handle as much load (not recommended)
o Active/backup (100 on active, 0 on backup)
Advanced Settings: Assignment and Return Methods
• Assignment Method
o ‘either’ is fine, the appliance will negotiate
o L2 is preferred and the Silver Peak should be on its own subnet
• Force L2 Return
[Figure: router with LAN service groups 53, 54 and WAN service groups 55, 56; the appliance is attached via wan0, with mgmt0 separate.]
Monitoring WCCP on the Router
• show ip wccp summary
• show ip wccp xx
• show ip wccp interfaces detail
Monitor WCCP on the Router
• show ip wccp xx clients
• show ip wccp xx detail
These commands show slightly more detail on the service groups…
Monitoring WCCP in Orchestrator
• Configuration > WCCP
• Look at the ‘Oper Status’ column. It should be ACTIVE or DESIGNATED.
• Use ‘Refresh from appliance’ to fetch current status
Application Notes
• Setting up a 3rd service group for icmp can be useful to test the redirection path with pings
o Without it, pings will not be redirected to the Silver Peaks
Review 7: WCCP
1. How does a router know whether a device in the WCCP farm is working?
2. What determines how the router distributes packets among the devices in the service group?
3. What happens when a device in a service group with multiple members goes down?
4. What does the router do if the only device in a service group goes down?
5. When would you need WAN-side redirection with WCCP?
6. When would L3 return negatively impact router operation and how?
Border Gateway Protocol
BGP
What is BGP?
Autonomous Systems
BGP Sessions and Peers
E-BGP Updates – Inter-AS Loop Prevention
BGP & AS Path vs. Subnet Sharing
• Silver Peak DOES propagate the complete AS-PATH to BGP neighbors for prefixes learned via BGP.
• Starting in 8.1.6 Silver Peak DOES propagate the AS-PATH when it advertises a learned BGP prefix via subnet sharing to another Silver Peak, but the advertising Silver Peak’s own AS# will not be in the subnet sharing info.
[Figure: 1.1.1.0/24 (AS 65001) and 2.2.2.0/24 (AS 65002) advertised across AS 65003 and AS 65004 and exchanged through the tunnel via subnet sharing; AS paths such as “1.1.1.0/24 AS 65001 65002” and “2.2.2.0/24 AS 65002” are carried along.]
What Prefixes Should Be Advertised?
• eBGP
o Neighbors in different AS
o Routes learned from an eBGP peer can be advertised to iBGP peers or eBGP peers
o Routes advertised between eBGP peers have the AS path appended for loop prevention
[Figure: eBGP between AS 65002 (bgp router-id 1.1.1.1, int gi 3 10.110.30.1, neighbor 10.110.30.2) and AS 65003 (bgp router-id 1.1.1.2, int gi 2 10.110.30.2, neighbor 10.110.30.1).]
BGP Config
• Router AS number (private in this case): AS 65001
• Router ID. Best practice is to configure one using a loopback address. This does not need to be routable.
[Figure: iBGP within AS 65001 between two routers: int gi 2 3.3.3.1 / int gi 3 10.110.30.1 and int gi 2 10.110.30.2 / int gi 3 4.4.4.1.]
Silver Peak BGP Config 8.1.4+
Configure
• AS number
• Router ID
o Use an interface IP
• Select Options
• Explicitly define neighbor IP
addresses and AS #s
Monitor
• Use Refresh from Appliance for
current status
• See Neighbor State Details for
status
o Established means peer-to-peer
session is up
BGP Peer Config 8.1.6+
• Peer Type governs what kinds of routes the appliance is allowed to advertise to this BGP peer. These routes are itemized as Route Export Policies. Currently, there are three peer types: Branch, Branch-transit, and PE (Provider Edge) Router. A branch-transit peer can reach another peer through a "back door" via routes shared through another protocol such as OSPF, IS-IS, or BGP.
o Learn Routes from this Peer (checkbox)
o Selecting the peer type checks the appropriate Route Export Policy boxes
• AS Prepend Count
o Can affect another device’s route selection
o Allows the advertising device to ‘pad’ the AS path with its local AS number up to 10 times
o The shortest AS path is preferred, so prepending to the AS path makes a path less preferred.
BGP Peer Config 8.1.6+
• Hold Timer
o Reset each time a keepalive is received
o If a keepalive is not received before the timer expires, the
peer is marked down and all routes learned from that peer
are discarded.
o Usually set to 3x Keepalive timer
• Notes:
o These values can be negotiated when the session starts. The
lower value should win and be used by both peers
o Shorter values enable faster failure detection
o Setting the timers too low can cause route flaps in a lossy network
Router Types in Silver Peak speak
[Figure: Branch Router and PE Router examples, each BGP-peered with the appliances. ASNs shown: 65001, 65002, 65003 and 65004 at the sites; 65020, 65030, 65040, 65088 and 65099 in the Comcast Internet and AT&T MPLS clouds.]
• Router advertises external routes to the Silver Peaks, including routes to remote sites with which
an appliance might bring up a tunnel
• Should be eBGP between PE router and Silver Peak
o Silver Peak can advertise public routes from local site to PE routers (not RFC 1918)
• Silver Peaks should NOT advertise routes learned via subnet sharing to PE routers via BGP
o May cause loops and/or outages
• Routes learned via BGP from a PE router will not be subnet shared to other appliances
Subnet Table Example
BGP sourced routes will indicate the advertising router type they were learned from
Limit on # of learned BGP prefixes increased from 3800 (8.1.2) to 9500 (8.1.5+)
Silver Peak & Community Attribute
• The BGP community attribute is a numerical value that can be assigned to a specific prefix and
advertised to other neighbors.
• Silver Peak uses the community values below to internally identify route types e.g. 65001:102
• The community values are also advertised to BGP peers, allowing them to filter if desired
Route Type Value
Locally Added Subnet <local AS#>:100
Remote EC Local route received via Subnet Sharing <local AS#>:101
Learned via local PE BGP neighbor <local AS#>:102
Learned via local Branch BGP neighbor <local AS#>:103
Learned via local Branch Transit BGP neighbor <local AS#>:104
Remote EC Branch BGP neighbor learned routes received via Subnet Sharing <local AS#>:105
Remote EC Branch Transit BGP neighbor learned routes received via Subnet Sharing <local AS#>:106
Any other routes/unknown <local AS#>:107 or <local AS#>:199
Silver Peak BGP Metrics in the Subnet Table
• If a route is learned from a neighbor with a MED value, then that metric is used in the Silver Peak subnet table
• If no MED value is attached to the route, default metrics are used:
o iBGP = 250
o eBGP = 70
(Screenshot callout: Community Value = 103)
Router Route Selection if > 1 Route to a Prefix
[Flowchart: each best-path selection step is applied in turn; if a step does not result in a single route (“No, or not resulting in single route”), continue to the next step.]
Session Startup – ‘A’ initiates
A state        A sends      B sends      B state
IDLE                                     IDLE
CONNECT        SYN                       CONNECT (passive)
                            SYN/ACK
ACTIVE         ACK
OPENSENT       OPEN
                            OPEN         OPENSENT
OPENCONFIRM    KEEPALIVE
                            KEEPALIVE    OPENCONFIRM
ESTABLISHED    UPDATE       UPDATE       ESTABLISHED
(IDLE through ACTIVE: trying to open a session; from OPENSENT on: fully connected)
Review 8: BGP
Flow Redirection
Correcting Asymmetry
Review: TCP Acceleration Requires Symmetric Flows
• Asymmetry: either or both appliances fail to see both sides of the conversation
o Packets are routed around one or both appliances (figure: the SYN crosses the WAN through an appliance, the SYN/ACK returns by another path)
–or–
o Packets might be PT/PTU because of a misconfigured Route Policy or Optimization Policy
• Asymmetric flows can’t be Network Accelerated, but we can still apply NM and NI
Flow Redirection 1
Flow Redirection 4
• Packets (figure: the SYN/ACK arriving at the non-owning appliance) are redirected to the flow owner over the cluster interface
o Redirected flows will only appear in the owning appliance’s Current Flows
o If the timer expires first, the flow is marked asymmetric (possibly by two SPs) and forwarded to the destination
Configuring Flow Redirection
• Enable
Monitoring Flow Redirection
• Monitoring Current Flows
o Flows should not be asymmetric (filter for asymmetric flows). Reset stale flows if needed.
o Only displayed on owning appliance
CAVEAT: REDUNDANT WCCP AND ASYMMETRY
• If there are multiple WCCP devices in a service group at a site [figure labels: SYN, SYN/ACK]
Review 9: Asymmetry & Flow Redirection
1. What is a TCP proxy?
2. Why must a flow be symmetric in order to be TCP accelerated?
3. Can a flow traverse a Silver Peak at two sites connected via a tunnel and still be asymmetric?
Explain your answer.
4. T/F: With Flow Redirection the Silver Peaks tell the routers to redirect traffic to the correct appliance
5. What information do Flow Redirection cluster peers exchange in their control messages?
6. Do redirected packets traverse the same interfaces as the control messages in a cluster?
7. T/F: Flow redirection peers should be in different subnets for high availability reasons.
8. Which device is the owner of a TCP flow in a Flow Redirection cluster?
9. Which interfaces can be used for Flow Redirection?
10. Flow redirection might fail in a properly configured cluster if _______?
11. T/F: In Current Flows, redirected flows will be marked as such on the redirecting (non-owning) peer.
Lab 5 Overview
Lab 5: BGP
Lab 6: Flow Redirection
PBR and VRRP
Policy Based Routing (PBR) Review
• Routing Policies / Route Maps (ACL/PBR) determine where traffic is sent
• SLA tells the router if the SP is up or not (the SLA detects an SP outage)
[Figure: router with LAN and WAN interfaces redirecting to the appliance]
Out-of-Path: Policy-Based Routing Review
Configuring PBR on a Cisco router
    interface gigabitEthernet 3
     ip route-cache policy
     ip policy route-map silverpeak
• The route-map uses an ACL, sets the next-hop IP and uses tracker 1
• Apply redirection to interface(s): LAN = yes, WAN = maybe
Monitoring PBR (Cisco)
[Figure: VRRP for devices in the 10.10.10.0/24 subnet with default GW 10.10.10.254: appliance A (10.10.10.253, MASTER) and appliance B (10.10.10.252) share LAN vIP 10.10.10.254 with vMAC 00-00-5E-00-01-XX; X marks the failed path.]
Out-of-Path: VRRP
• One Silver Peak
[Figure: devices in the 10.10.10.0 subnet use default GW 10.10.10.254 (vIP, vMAC 00-00-5E-00-01-XX). The VRRP peer at 10.10.10.251 has priority 100; the Silver Peak at 10.10.10.252 has priority 255 with Preempt = YES and is MASTER. X marks the failed path.]
Out-of-Path: VRRP – Redundant Appliances
[Figure: devices in 10.10.10.0/24 use default GW 10.10.10.254 (vIP, vMAC 00-00-5E-00-01-XX) shared by two appliances (one at 10.10.10.253); Preempt = NO. X marks the failed path.]
Out-of-Path: VRRP – Hybrid Approach
• Redundant Appliances
[Figure: devices in 10.10.11.0/24 use default GW 10.10.11.254 (the router); the router (10.10.10.1 on the appliance side) uses PBR to redirect traffic to VIP 10.10.10.254 shared by the appliances.]
Configuring Appliance VRRP from Orchestrator
• Configuration > VRRP, then click the edit icon
• Required
o Group ID
o Interface
o VIP
Monitoring VRRP in the Orchestrator
• Configuration > VRRP
Review 10: PBR & VRRP
Lab 7 Overview
• Configure PBR on router interfaces to direct traffic to a VRRP VIP address shared by redundant
SPs which use Flow Redirection.
• Verify Traffic flow
• Simulate a network outage and observe automatic network reconvergence
• Verify proper operation using CLI commands on the routers and various UI displays on the
appliances
See next slide for details on VRRP group and how traffic will be redirected by PBR
Lab 7 Overview: PBR/VRRP Lab Config
High availability
Sharing WAN connections resiliently between two appliances
• CE Router Replacement
• Single IP Needed Per WAN Link
• Resilient for Port or Appliance Failures
[Figure: primary and secondary appliances, each running BGP, share the MPLS and Internet links, with VRRP on the LAN side.]
• Enable HA Mode and choose the HA Peer; site names should be the same.
Review 11: High Availability
1. T/F – Local Internet breakout is not supported with H/A
2. T/F – Flow Redirection is not supported with H/A
LAB 7: HA - OVERVIEW
• Disable BGP peering between the CSRs
• Routers from different ISPs would be unlikely to be peered
• Enable H/A
• Show traffic between TG-35-11 and UBU-1 is:
• Routed to the VRRP VIP via PBR
• Sent to the Internet via local breakout from the DefaultOverlay
• Observe how SNAT is applied in two places
QoS Review
Review: QoS Policies
• Determine which Traffic Class a packet corresponding to the Match Criteria is placed in
• Work together with Shaper configuration to manage the prioritization of traffic
• Set Actions:
o Traffic Class
o LAN QoS (sets DSCP marking for payload packet headers)
o WAN QoS (sets DSCP marking for tunnel packet headers)
o Note: the default LAN QoS / WAN QoS policy is ‘trust lan’ – DSCP markings are copied from the packet that came in from the LAN
High Level Data Flow: Tunnelized Traffic
• Remember the 3 policy types:
o Route
o QoS – the QoS Policy determines which traffic class a packet goes to; the Shaper Config determines the behavior of a traffic class
o Optimization
Deployment Profile
Shaper Configuration Details (appliance)
• Max BW / Total Outbound: set in the Deployment Profile
• Priority: Determines the order in which to allocate each class's minimum bandwidth – 1 is first, 10 is last.
• Min Bandwidth: Percentage of bandwidth guaranteed to each traffic class, allocated by priority.
• Excess Weighting: If there is bandwidth left over after satisfying the minimum bandwidth percentages, then the excess is distributed among the traffic classes, in proportion to the weightings specified in the Excess Weighting column. Values range from 1 to 10,000.
• Max Bandwidth: You can limit the maximum bandwidth that a traffic class uses by specifying a percentage in the Max Bandwidth column.
• Max Wait Time: Any packets waiting longer than the specified Max Wait Time are dropped.
• Rate Limit: Per-flow limiting within a class requires 8.1.5+ (see next slide)
QoS in 8.1.10+ Orchestrator, 8.1.5+ Appliance
• 5 predefined Traffic Classes
o The first 3 are used by the default BIOs in Orchestrator
o Note that the default Priority of classes 1-5 is equal (1)
[Figure: QoS Policy feeding Traffic Class 1 (Minimum BW 34%), Traffic Class 2 – Priority 1 (Minimum BW 33%) and Traffic Class 3 – Priority 2 (Minimum BW 33%); callout cut off: “The only way TC 4 will …”]
Traffic Class Minimums Must be Set Carefully
o TC mins are all set to 1 Mbps on the 10 Mbps tunnels
o Weights control the excess
• Now we add a new smaller site with a 1 Mbps link
[Figure: existing sites connected by 10 Mbps tunnels (LAN / WAN / mgmt0 on each appliance), plus the new 1 Mbps site.]
Effect of Weights
[Figure: Traffic Class 1 Weight 50, Traffic Class 2 Weight 30, Traffic Class 3 Weight 20, stacked up to Max WAN BW. Callouts: "If Min BWs have not been met, Weight is not used"; "If Min BWs have been met, Weight is used and Priority no longer affects BW allocation"]
• When Min BWs are met for traffic classes, if system BW remains, Weights are used to allocate BW until Max WAN BW is met.
• e.g. Above, sum of Weights = 100. TC 1 has a 50/100 (50%) chance of getting BW
• BW is allocated according to the ratio of the weights for all traffic classes with traffic queued. Empty TCs are ignored.
Using Weights to Proportionately Balance Traffic in Tunnels
Hint: If weights total 100, then you can think of them as a percentage of BW
[Figure: Traffic Class 1 Min BW=0, Weight 50; Traffic Class 2 Min BW=0, Weight 30; Traffic Class 3 Min BW=0, Weight 20. Callout: "If all traffic class minimums are set to 0, then weights will control the traffic proportions in the tunnels"]
• Imagine a configuration where all traffic class minimums are set to 0
• The relative sizes of the weights for each class will then control the proportion of System BW, and therefore tunnel BW, each class receives.
• Remember, BW is allocated according to the ratio of the weights for all traffic classes with traffic queued. Empty TCs are ignored, so the proportion will vary with traffic mix
Conceptual Data Flow – Multiple Traffic Types
[Figure: traffic from the LAN is classified by QoS / Route Policies into traffic types, passes the Shaper and exits via Tunnel 1, Tunnel 2, Tunnel … Traffic Type / Encapsulation / Processing rows: Accel/OPT - TCP/CIFS - TCP, Compression (Proxy etc.); OPT - UDP/Other - FEC etc.; Pass Through Shaped; Pass Through Unshaped. Callout: "> Max Wait Time = Dropped"]
Multiple Shapers
• In 7.0+ you can add a shaper for each interface if needed, or use default global shaper
QoS Map Activation Scheduling
• Allows you to change QoS settings on a scheduled basis
• Adjust for changes in usage, e.g.: Peak hours, nightly backups, weekends etc.
DSCP – Trust / Trust
DSCP – ef / Trust
DSCP – Trust / cs5
Review 12: QoS & DSCP
Review
Review 1: Flow Handling and Path Selection Order
1. T/F – When traffic is routed by Business Intent Overlays to a site with multiple available paths, all
packets in a flow will always be placed in the same tunnel.
2. When a manual route policy is used to choose a path for certain traffic to a destination reachable via
multiple underlay tunnels, can packets for individual flows be distributed across all the available paths
to the destination?
3. T/F – In a subnet table, all else being equal, the route with the lowest metric is preferred.
4. Will the packet to 10.110.30.5 be sent to appliance A or B?
10.110.0.0/16 Metric 40 Learned from A
10.110.30.0/24 Metric 50 Learned from B
5. Will the packet to 10.110.30.5 be sent to appliance A or the local interface?
10.110.30.0/24 Metric 40 Learned from A
10.110.30.0/24 Metric 50 Auto – (added by system)
6. T/F - If a Route Policy destination of auto optimize is matched, the appliance will ignore subnet table
entries.
7. T/F – You should always use classical auto opt instead of subnet sharing if possible.
Review 2: Security Features
1. T/F – If an interface leading to the internet is hardened, local traffic will need to be backhauled to
a data center through a tunnel to connect to Google.
2. T/F – No traffic of any kind is allowed into a hardened interface outside of an IPsec tunnel.
3. Could an interface connected to the Internet and configured to be a Stateful Firewall, allow local
access to SalesForce.com?
4. T/F – All the appliances in a network can simultaneously change to a new IPsec encryption key
on a predetermined schedule.
5. Are ipsec_udp tunnels the only type available in Orchestrator 8.2.0 and above?
6. Is it possible to limit the address spaces from which logins to Orchestrator are allowed?
Review 3: Deployment Notes
1. T/F - Dynamic Rate Control may cause an appliance to limit its transmission speed to a receiving appliance.
2. What two things are required for an appliance to act as a hub that can relay traffic between two spoke sites?
3. Can a packet that enters a local WAN facing port outside of a tunnel be placed into a tunnel? If so, how?
4. T/F – Appliances cannot advertise default routes (0.0.0.0/0). This requires an external router.
5. You have two WAN facing interfaces: wan0 goes to an MPLS network, and wan1 goes to the Internet. By default,
can passthrough traffic be forwarded from lan0 to the Internet when the destination subnet is unknown?
6. T/F – The Peer Unavailable (overlay down) action is triggered only when all underlay tunnels to all destinations
are down.
7. You have two LAN interfaces and two WAN interfaces. A packet arrives at wan0 destined to a local destination
(no tunnelization needed) reachable via wan1. Which mode does the Silver Peak need to be in to forward the
packet to the correct interface? Bridge Mode or Router Mode?
4. T/F – It is necessary to manually configure at least two Internet passthrough tunnels to load
balance breakout traffic?
Review 7: WCCP
1. How does a router know whether a device in the WCCP farm is working?
2. What determines how the router distributes packets among the devices in the service group?
3. What happens when a device in a service group with multiple members goes down?
4. What does the router do if the only device in a service group goes down?
5. When would you need WAN-side redirection with WCCP?
6. When would L3 return negatively impact router operation and how?
Review 8: BGP
Review 9: Asymmetry & Flow Redirection
1. What is a TCP proxy?
2. Why must a flow be symmetric in order to be TCP accelerated?
3. Can a flow traverse a Silver Peak at two sites connected via a tunnel and still be asymmetric?
Explain your answer.
4. T/F: With Flow Redirection the Silver Peaks tell the routers to redirect traffic to the correct appliance
5. What information do Flow Redirection cluster peers exchange in their control messages?
6. Do redirected packets traverse the same interfaces as the control messages in a cluster?
7. T/F: Flow redirection peers should be in different subnets for high availability reasons.
8. Which device is the owner of a TCP flow in a Flow Redirection cluster?
9. Which interfaces can be used for Flow Redirection?
10. Flow redirection might fail in a properly configured cluster if _______?
11. T/F: In Current Flows, redirected flows will be marked as such on the redirecting (non-owning) peer.
Review 10: PBR & VRRP
Review 11: High Availability
1. T/F – Local Internet breakout is not supported with H/A.
2. T/F – Flow Redirection is not supported with H/A.
Review 12: QoS & DSCP
Silver Peak SDWAN eXpert (SPSX)
Certification Exam
SPSX Certification Exam
1. You must answer and submit all questions before submitting the test for grading.
2. You must submit the test before time expires or you will score ‘0’ and fail.
3. You should submit the test a couple of minutes before the indicated time expires (the timer in the
browser doesn’t seem to always run at the same speed as the learning management system
clock). SPSX allows 60 minutes.
4. If at any point your browser seems to hang and you see a horizontal red bar across the screen,
close your browser (not just the tab), reopen it, and log back in. Any answers you had previously
submitted will be saved and you can resume the test. The timer continues to run.
5. A passing score is 70%. If you fail and desire another attempt, you may retake the exam at any
time.
1. Go to https://training.silver-peak.com
2. Login using your userid/pw (it should have been in your registration email)
3. Click on ‘My Courses’
4. Click on ‘Stand Alone Exams’
5. Access the test.
6. Tell your instructor immediately if you have any problems accessing the test.
Thank You!