Riverbed SD WAN


White Paper

Riverbed SD-WAN

Transform your WAN from a cost center into a business enabler. Increase agility, reliability, security and application performance, while simultaneously reducing costs. That’s the power of Riverbed SD-WAN.

Overview

Global enterprises are rapidly adopting cloud infrastructure such as Amazon Web Services (AWS) or Microsoft Azure and Software as a Service (SaaS) applications such as Microsoft Office 365, Salesforce.com, ServiceNow and Box. The Internet and the cloud are now part of business-critical infrastructures. Enterprises are becoming a hybrid mix of on-premises and off-premises assets.

To efficiently support the combined public and private resources, the network itself needs to go hybrid, adding the strengths of highly reliable Multiprotocol Label Switching (MPLS) and the ubiquity, price, and capacity of Public Internet Broadband. Riverbed SD-WAN delivers excellent user experience for both your on-premises and cloud-based applications while tying business-priorities to application performance, to leverage the WAN as a driver for the business.

The rise of the hybrid enterprise

Today businesses are rapidly adopting cloud infrastructure and SaaS applications broadly across the enterprise. Enterprise workforces are using applications, managing data, and conducting research along with other activities in the cloud. In fact, over 40% of businesses with 1,000 plus customers surveyed by Forrester in 2014 have already replaced, or plan to replace within two years, most/all applications with SaaS in categories including marketing automation, sales force automation, commerce software, customer service and support, and industry-specific software. [1]

Yet data, including large corporate files, unified communications, and recreational traffic that are destined for the public Internet, still travel through the costly MPLS network. That is an inefficient way to access services and applications such as cloud collaboration or cloud Customer Relationship Management (CRM) that can be accessed directly on the Internet without ever touching the corporate network. The MPLS cost is high, especially when compared to broadband Internet. Typical studies tell us that an MPLS megabyte can cost up to 200x more than a broadband megabyte per month. [2]

Until recently, enterprises followed a model where the vast majority of applications were hosted within private data centers and accessed through a Wide Area Network (WAN) relying on MPLS network services. But in an IT environment with public and private resources, a software-defined network that combines the strengths of highly reliable MPLS links with the ubiquity and lower cost of an Internet infrastructure can deliver both higher performance and more economy.

[1] […]ss Technographics Global Software Survey, 2014
[2] […]hy-does-mpls-cost-so-much-more-[…]internet-connectivity

© 2015 Riverbed Technology. All rights reserved.

SD-WAN: A network optimized for the hybrid enterprise

Software-defined WANs represent the new approach, offering cost-effectiveness, agility and performance for organizations seeing growth in Internet traffic or those combining on-premises with off-premises IT assets through SaaS or Infrastructure as a Service (IaaS).

SD-WAN offers two complementary capabilities.

Internet backhaul to off-load traffic from MPLS - tripling the bandwidth available to users

For enterprises struggling with demand for bandwidth, moving from pure MPLS to an SD-WAN that truly combines MPLS and Internet-based secured overlay links to backhaul traffic to the data center or across branches (such as with Unified Communication and Collaboration traffic) is a cost-effective option. Riverbed customers report an average of a dramatic 300% growth in the available bandwidth for branches without increasing the overall networking budget.

Business Imperatives

This shift to SD-WAN satisfies the core imperatives for any enterprise network:

Lower costs

Growing a network with commercial-grade Internet to complement premium-priced MPLS bandwidth lets you scale the network to match growth and usage patterns, with a flat or even a reduced impact on IT spend.

Increase performance

When a hybrid network is managed with software-defined WAN principles such as path control, the bandwidth available to applications is dramatically improved. Internet links can be fully utilized, freeing precious MPLS bandwidth. Bottlenecks and latency are minimized. Additionally, when implemented, local Internet breakouts allow a direct connection to cloud-based applications without a “boomerang” to the corporate data center. Both solutions translate into optimal performance and high levels of user satisfaction.

Local Internet breakouts to off-load Internet traffic and optimize performance for SaaS traffic

Path control in SD-WANs can be used to easily direct a selected part or all of the Internet-bound traffic to Internet gateways. Let’s consider a user in San Francisco who is forced to go through MPLS to a default central Internet breakout in New York to access a SaaS application that is actually hosted in a data center based in Seattle. This situation creates a “boomerang effect” marked by added latency and unnecessary usage of expensive MPLS bandwidth. If a local Internet connection is present in the San Francisco branch, SD-WANs can selectively direct the forwarding of the user's SaaS traffic to the Seattle-based data center, while other Internet traffic could continue to flow through the secured gateway in New York. The result is faster performance and a smarter utilization of network resources.

Riverbed makes software-defined networks easy and high performing

Until now, two key issues have obstructed the creation of a networking architecture able to fully support a mix of on-premises and cloud-based workloads, at the right cost:

- The complexity of defining which traffic goes on which network or the complexity of setting up appropriate secured tunnels. Hard-coded router configurations and legacy technologies like policy-based routing are an intrusive burden on network administration and, ultimately, are neither reliable nor granular enough to provide value. Without a simple way to define rules and configure the network, implementation of agile networking methodologies has remained difficult.
- Lack of a proper level of integration with WAN optimization capabilities to reduce application latency. Unfortunately, SD-WAN does not make latency go away or mitigate the importance of properly optimizing traffic.

With Riverbed, organizations can embrace SD-WANs to maximize the performance of business-critical applications, boost network availability, and reduce costs while retaining IT control and minimizing complexity. In addition, they can benefit from optimized use of network resources as well as accelerated end user experience for all of their applications on-premises and those hosted in the Cloud.

SteelHead includes all of the major components to build high-performance yet simple to manage SD-WANs, including:

- Network and application-aware path selection to direct traffic on the appropriate network (MPLS, Internet, etc.)
- Dynamic tunneling with a central control plane that enables secure backhauling of branch traffic to the corporate data center and other branches across the Internet
- Simple interface to zScaler or other cloud-based security service providers that enables local Internet breakouts without requiring further investment in on-premises Internet security appliances
- Inbound QoS to manage local Internet breakouts and protect business Internet traffic against surges in recreational Internet traffic
- Best-in-class WAN optimization capabilities for on-premises applications – optimization that is able to mitigate latency for critical business processes, protect real-time and interactive applications, and optimize network resource usage

- Unique WAN optimization capabilities for cloud applications delivered across the Internet: including SaaS apps such as Office 365, Salesforce.com, Box.net, and Success Factors and IaaS/PaaS such as Amazon Web Services or Microsoft Azure
- Crucial insights into network performance and usage at each branch for all on-premises and cloud traffic with SteelCentral NetProfiler and SteelHead integration
- Continuous and easy troubleshooting capabilities at the branch with the integration of SteelCentral NetShark and SteelHead, which captures the packets for real-time and retrospective analysis
- Breakthrough capability to monitor end-user experience for not only on-premises but also SaaS applications end-to-end with integration between SteelHead and SteelCentral AppResponse
- Management plane provided by SteelCentral Controller for SteelHead to drive global SD-WANs using simple abstractions

Riverbed delivers the most comprehensive solution by far to enable a smooth transition to a hybrid enterprise.

Network- and application-aware path selection capabilities

Path selection is required to efficiently use the multiple available paths in the branch and data center. A typical branch configuration has three paths:

- MPLS
- Internet link combined with a secured overlay connecting the branch back to the data center using Internet protocol security (IPsec)
- Direct to the Internet

Unlike legacy policy-based routing technologies, SteelHead path selection technology offers compelling capabilities:

- Application-aware with the capability to identify over 1300 applications and precisely distinguish business-critical applications from less important applications
- Constantly senses path availability in real time using active probes for dynamic path failover
- Simple to manage with SteelCentral Controller for SteelHead and its global management plane
- Integrated application visibility and WAN optimization for complete management of business critical applications over the WAN

Application-aware

Legacy solutions classify traffic using port numbers and IP addresses. Business applications based on Hypertext Transfer Protocol (HTTP) are by default classified in the same bucket as non-critical traffic, such as YouTube traffic. This default can only be resolved using classification based on IP addresses, leading to configuration complexity and increased operational risks. With SteelHead path selection technology, flows are classified using deep packet inspection (DPI)-based application awareness, allowing you to precisely steer traffic on different paths according to the true nature and criticality of traffic. For example, SteelHead path selection technology even offers the capability to clearly distinguish between secure sockets layer (SSL)-encrypted applications. Instead of looking at Facebook as a consumer app, SteelHead path selection can allow Facebook news feeds and updates but block non-business applications such as Candy Crush.

Transparency and simplicity

Unlike other approaches, SteelHead path selection technology uses a transparent overlay service versus changing the packet-forwarding plane. This approach results in a clean abstraction between network layers and obviates the need to reconfigure routers with complex rules. Thus, the technology is transparent to the existing network and is also easy to configure.

A dynamic tunneling capability with a central control plane that enables secure backhauling

Riverbed SD-WAN technology includes a dynamic tunneling capability that enables secure backhauling of branch traffic to the corporate data center across the Internet using IPsec.

Traditional management of secured overlay tunnels for the purpose of backhauling traffic relies on router or firewall configurations that typically:

- Require hardware upgrades to cope with the computational load of encryption
- Are complex to configure and difficult to manage
- Do not support building overlay tunnels beyond hub and spoke topologies and therefore do not support branch-to-branch overlays as required by unified communication and collaboration (UCC) peer-to-peer traffic

Unlike a traditional IPsec configuration that requires explicit tunnel buildup, SteelHead secure transport technology is based on the notion of secured groups. SteelHead allows for the regrouping of appliances connected to a network that requires encryption (typically an Internet-based network) into one or more secure transport groups.

Once the group has been defined, SteelHead appliances automatically and dynamically create the appropriate overlay tunnels between each other in a full mesh fashion. The overlay tunnels dynamically form a new secured network that can be seamlessly used by SteelHead path selection technology to securely route traffic between any sites, including from the branch to the data center and from branch to branch.

CASE IN POINT
Hybrid Networks Increase Performance and Reduce Costs

A global consumer goods company was approaching a major MPLS WAN refresh cycle and contract renewal. But growing the existing infrastructure to meet projected bandwidth needs would be very costly. The company wanted to control MPLS circuit upgrades and expand network capacity significantly at the same time.

The company deployed SteelHead solutions to fully leverage a hybrid network combining MPLS, Internet backhauling, and local Internet breakouts. SteelHead path selection ensures the right traffic travels the right path: High-bandwidth internal applications (such as internal videos, email, anti-virus updates, Microsoft System Center Configuration Manager (SCCM) and SharePoint, and backup and replication) are sent to Internet VPN links; Internet and SaaS traffic is sent to the public Internet in regional hubs.

With SteelHead secure transport technology, enterprises can benefit from secured communication over networks like the Internet to backhaul their traffic. SteelHead secure transport technology:

- Permits secured overlay without requiring any upgrade of routers or firewalls
- Supports branch-to-branch communications, including UCC peer-to-peer traffic
- Is simple to manage with SteelCentral Controller for SteelHead and its global management plane
- Has a minimal cost of configuration and cost of change management thanks to automated tunnel configuration

CASE IN POINT
Zero Dollars and 3x the Bandwidth

A large engineering firm with 180 offices in 31 countries needed to support the traffic from their traditional enterprise applications and ever-increasing Web traffic. Buying more WAN bandwidth was an unsustainable approach. Their goal was to increase aggregate bandwidth across the WAN (from 3 Gbps to 9 Gbps) with a flat budget impact.

They deployed SteelHead to continue to backhaul all Internet-destined traffic to their headquarters for a simplified Internet security design, while augmenting their bandwidth with commodity Internet links and IPsec-based security for greater aggregate bandwidth.

A simple interface to zScaler or other cloud security service providers

As they embrace local Internet breakouts, enterprises must strengthen their security environments within the branch. To do so, enterprises typically implement Secure Web Gateways (SWGs) that analyze specific ports like HTTP/hypertext transfer protocol secure (HTTPS) ports and often use SWGs in combination with advanced threat detection (ATD) to detect the more advanced attacks.

These capabilities are now being made available as a cloud service. Companies like zScaler have deployed hundreds of points of presence across the globe where SWG and ATD capabilities are hosted, managed, and sold as a cloud service. Such a distributed infrastructure effectively allows flexible implementation of the required branch security for Internet-bound traffic without a significant impact on performance. However, as enterprises embrace cloud-based security services, they must seamlessly integrate them into their networking architecture.

Riverbed SD-WAN includes a simple “cloud-tethering” interface to zScaler or other cloud-based security service providers in the form of easy-to-configure generic routing encapsulation (GRE) tunneling. In combination with other Riverbed technology, this cloud-tethering capability allows enterprises to enable local Internet breakouts without requiring further investment in on-premises Internet security appliances.

Inbound QoS to manage local Internet breakouts

SteelHead includes advanced quality of service (QoS) capabilities to protect business-critical applications against less important ones. This capability is typically used in an outbound fashion as traffic leaves its source. When enterprises use local Internet breakouts in the branch, the incoming (inbound) traffic from the Internet originates from multiple disparate sources that are not equipped with a SteelHead solution. As a result, the finite bandwidth of the local Internet pipe can be filled as branch users consume a variety of business-critical SaaS applications combined with less critical and sometimes bandwidth-heavy applications like YouTube. To expand protection of business-critical applications to Internet-bound applications, SteelHead includes a unique inbound QoS capability that manages traffic from the destination instead of from the source as with traditional QoS.

This technology, which cannot be found in typical routers, uses dynamic configuration of SteelHead QoS queues to achieve a feedback loop with any remote sources using transmission control protocol (TCP).

When required to prevent congestion, SteelHead inbound QoS effectively slows down less critical inbound traffic to make room for more business-critical flows, thus protecting experience and productivity for users of those applications. (Figure 1)

In addition, SteelCentral NetProfiler when integrated with SteelHead provides visibility into SteelHead QoS to understand whether quality of service settings are meeting expectations by application or where and when changes should be made to ensure end user performance.

Best-in-class WAN optimization capabilities for on-premises applications

SD-WAN does not make latency go away nor does it mitigate the importance of properly optimizing traffic. SteelHead is the market-leading solution for application-aware optimization of on-premises workloads, supporting the latest versions of Microsoft applications, clients, and leading business critical applications, including those based on file transfers but also real-time applications such as Microsoft Lync and video streaming, or interactive applications based on Citrix. SteelHead award-winning deduplication technology further increases the throughput available to users in the branch by removing any redundancies. Finally, SteelHead QoS enables a total control on how the bandwidth of the hybrid network is used among critical and non-critical applications.

Figure 1: Riverbed SD-WAN capabilities

Unique WAN optimization capabilities for cloud applications delivered across the Internet

As enterprises are adopting local Internet breakouts, the notion of optimizing the performance of applications delivered across the Internet is becoming increasingly important. SteelHead includes 3 classes of solutions for improving end-user experience for Internet-bound applications.

SteelHead SaaS for end-to-end optimization of Microsoft Office 365, Salesforce.com, Box.net and more

Microsoft Office 365 and Dynamics CRM, Box.net, Salesforce.com, and ServiceNow are among the most used SaaS applications accessed daily by users worldwide. Organizations using these SaaS services must select an instance, and therefore a location, where their data will be hosted. By doing so, just like when they pick a location for any on-premises workload, organizations are consciously choosing those users who will be far away from the data and those who will be close. Yet the same level of service is required to make those users productive, independent of the location of the SaaS instance.

Riverbed SteelHead SaaS accelerates Microsoft Office 365, Salesforce.com, Box.Net and more from the cloud in the same way that traditional SteelHead products accelerate enterprise applications running on corporate networks. SteelHead SaaS mitigates the impact of latency and aligns performance to the maximum for all users whether they are close or far from the SaaS application.

SteelHead SaaS dynamically instantiates virtual SteelHead appliances as close as possible to the SaaS instance, leveraging the formidable Akamai footprint, thus enabling an end-to-end management of the application without any intrusion in the SaaS provider datacenters. SteelHead SaaS also leverages Akamai’s SureRoute Internet overlay for optimized latency and bandwidth for the Internet portion of the SaaS application delivery chain.

Delivered as a service, SteelHead SaaS is easy to deploy and requires no changes to the user side or in the SaaS provider cloud. IT can increase the service availability based on user demand, while meeting and exceeding IT service agreements. (Figure 2)

Figure 2: Unique SaaS acceleration leveraging SteelHead technology over the Akamai footprint

SteelHead CX for IaaS to optimize Microsoft Azure and Amazon workloads and more end-to-end

SteelHead CX for IaaS extends the optimization solution for the hybrid enterprise to IaaS cloud environments such as Microsoft Azure, Amazon Web Services (AWS), VMware ESX-hosted clouds and vCloud Air. By overcoming application and network performance problems with data, application, and transport streamlining, SteelHead CX speeds migration to the public cloud and accelerates access for users from virtually any location.

SteelHead CX is available in the marketplace of both Amazon and Azure services.

SteelHead Web-Proxy to cache any Internet-based applications over HTTP/S, including YouTube videos

SteelHead also includes a solution for applications that cannot be accelerated using SteelHead end to end - a single-ended Web proxy that transparently intercepts all traffic bound to the Internet. The Web proxy improves performance by providing Web object caching on both HTTP and HTTPS traffic. The efficient caching algorithm dramatically reduces the use of Internet traffic when multiple users are accessing the same content. The proxy includes a unique feature to cache videos including YouTube videos, thus enabling the use of HD content for business use, like training videos, without the need to overprovision the Internet links.

Crucial insights into network performance and usage at each branch for all on-premises and cloud traffic

With SD-WAN, obtaining holistic visibility on the traffic and the network becomes a distributed problem. It requires more instrumentation devices than ever. SteelHead devices are ideally placed at each branch or cloud location to solve this problem.

SteelHead can be seamlessly integrated with SteelCentral NetProfiler to deliver visibility beyond traditional NetFlow reporting for on-premises and cloud-bound traffic. SteelHead acts as a remote probe that captures information about all sessions flowing to and from the branch (and also to and from cloud locations when SteelHead CX for IaaS is in use).

Combined visibility and control workflows are extremely easy to handle as SteelHead and SteelCentral NetProfiler share the same application definitions: application labels used in the SteelHead UI are the same as in SteelCentral NetProfiler reports.

In addition, SteelHead products are computing individual round trip time (RTT) on each section of an optimized TCP session, enabling users to rebuild a consistent view of end-to-end RTT inside SteelCentral NetProfiler reports.

SteelHead CX has embedded NetShark capabilities. As a result, it offers on-demand, rather than continuous, packet capture. SteelHead EX also integrates with SteelCentral NetShark for SteelHead EX to provide onboard packet capture and storage. This feature offers continuous packet capture anywhere SteelHead appliances have been deployed within an enterprise network.

A breakthrough capability to monitor end-user experience for SaaS applications

As organizations are leveraging cloud based applications, monitoring and troubleshooting end-user experience has never been so challenging and important. Even if, for cloud based applications, the WAN is not a major component of the application delivery chain, network teams will be faced by the need to respond to performance issues over the public Internet.

SteelHead leverages SteelCentral AppResponse to provide end-user experience information where applications are delivered, at the branch. SteelHead appliances deployed in remote locations instrument HTTP/S flows to build an accurate view of the page load time of all web applications that are optimized by SteelHead. Operators can clearly see a breakdown of the end-user experience as it relates to the server, the network and the SteelHead appliances.

This capability works in conjunction with SteelHead appliances placed close to the source of traffic, in the on-premises datacenter, in cloud-based datacenters with SteelHead CX for IaaS, and when using SteelHead SaaS acceleration. As a result, and for the first time, it’s possible to get end-user experience information for all optimized web applications including SaaS applications like SalesForce.com. With SteelHead appliances deployed as close as possible to the distributed instances of the cloud provider across the Akamai network, reports can show the root cause of performance degradation – whether the network or the cloud provider instance. SteelCentral AppResponse and SteelHead integration provide a unique combination to monitor service levels as delivered by the cloud provider. (Figure 3)

A new management plane to drive global SD-WAN using simple abstractions

SteelCentral Controller for SteelHead’s central management console dramatically improves the management and usability of control capabilities. While SteelHead optimization has always been praised for its ease of use, control capabilities that the industry has delivered for years – all QoS, path selection or VPN solutions delivered by the industry - have been a nightmare to manage. With the new controller, Riverbed exposes users to an intuitive interface and management plane based on high-level abstractions such as applications, sites, uplinks, or networks that match the way they see their IT environment. SteelCentral Controller for SteelHead relies on a control plane designed to support intent-based configuration that provides a translation of global parameters into local SteelHead policies. With SteelCentral Controller for SteelHead, customers can implement new, more efficient configuration and change management workflows that make SD-WAN capabilities truly usable at scale.

Figure 3: End-user experience visibility on SteelHead Optimized SaaS traffic from SteelCentral AppResponse

More than traditional SD-WAN

With Riverbed, organizations can embrace SD-WAN to maximize the performance of business-critical applications, boost network availability, and reduce costs while retaining IT control and minimizing complexity. SD-WAN deployments can leverage Riverbed best-in-class WAN optimization for both on-premises and cloud-based applications. Riverbed SD-WAN delivers superior user experience for both your on-premises and cloud-based applications and makes your network faster, cheaper, easier to manage, and more reliable at the same time.

To learn all the details, contact us today at www.riverbed.com/hybridnetwork.

Riverbed, at more than […]ional agility. Riverbed’s 26,000 […]s Global 100. Learn more at www.riverbed.com/steelhead.

© 2015 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used here are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.
