
Advanced SDWAN Deployments (ASD)
Version 2.3
Oct 2017
Uses versions 8.2.0 Orchestrator, 8.1.6 VXOA

Steve Russell
Training Manager
training@silver-peak.com

Class Audio for Remote Attendees
If this class is delivered via Skype for Business, use the built-in audio in Skype. You can also dial in, or have Skype dial out to your phone after joining the meeting.
If this class is delivered via WebEx, please join the audio phone bridge. See your WebEx invitation or click on Connect To Audio in the WebEx screen for instructions.

Confidential | © 2017 Silver Peak Systems, Inc. All Rights Reserved.
Introduction



Overview
This Course Covers:

• Some less obvious, but important behaviors of overlays and interfaces


• Out of Path Traffic Redirection
• Redundancy and HA
• Asymmetry Correction with Flow Redirection
• Features and Protocols Associated with the above:
o BGP
o WCCP
o PBR
o VRRP
o Flow Redirection



This is an Advanced Course

• You should already have completed the Deploying SDWAN Technologies (DST) course.
• This class moves very quickly
• It is mostly lab
• Stay focused

• Ask for help if you get stuck



Agenda

• Introduction
• Orchestrator Features
• Lab Overview
• Lab 1: Familiarization and Licensing
• Route Selection, Traffic Flow & Finer Points of Interfaces and Overlays
• Lab 2: Tunnel Formation
• Lab 3: Overlay Behavior and WAN Hardening
• QoS Review
• Internet Breakout, IP SLA, Networking Features
• Lab 4: Local Internet Breakout
• WCCP, Asymmetry and Flow Redirection
• Border Gateway Protocol (BGP) and Flow Redirection
• Lab 5: BGP
• Lab 6: Flow Redirection
• PBR, VRRP Review and Configuration
• Lab 7: PBR, VRRP
• Review
• Silver Peak SDWAN eXpert (SPSX) Certification Exam
Details

• Lunch / Breakfast
• Restrooms
• Exits

• WiFi

• Handouts (Books, USB keys etc.)

• You can annotate the PDF copies of your slides using the comments and sticky notes feature in Adobe Acrobat.



Lab Overview



Addressing

• The following diagram shows the topology of your virtual lab environment.
o All Data Path addresses are in 10.110.xx.0 subnets
o The out-of-band management network uses 192.168.1.0
o All masks are 24 bit (255.255.255.0).
o Next hops: WAN emulators are used for the Broadband and MPLS clouds. Next-hop addresses are shown next to the emulator connections.
• Routers at site 3 are Cisco CSR routers (virtual, free version)
• All machines are virtual, installed on a hosted server in the cloud (at ReadyTech)



User IDs & Passwords
• Login to Virtual Lab
o https://silverpeak.instructorled.training
o Use the access code provided by your instructor and follow prompts
• Orchestrator
o admin / admin
• Appliances
o Default: admin / admin
o After installation lab: admin / Training1
• Student PC
o After installation lab, log into the Student PC: Administrator / Silverpeak1
• ESXi host client login
o root / training
• Windows Live Mail
o student@training.local / training
• TG0x
o Administrator / Silverpeak1
• hMail Server (you should never need to use this – hint hint)
o Silverpeak1
• Cisco CSRs
o No password required
• Kwanem login
o root / silverpeak



Lab 1 Overview

• Log into your lab environment


• Run the initialization script
• Familiarize yourself with the lab topology




LAB 1: Lab Familiarization



Traffic Flow Details



How Destinations are Chosen
• Automatically by configuring BIOs w/ traffic access policy and link bonding policy
• Manual Route Policy into a tunnel or overlay
o Choosing a Destination Underlay Tunnel will only send traffic into that tunnel to its destination
o Choosing a Destination Peer allows load balancing (see next slide)
o If you want to use an Overlay Tunnel or Overlay, use a BIO, NOT a manual route policy!



Packet Based or Flow Based?
All traffic in 7.3 and below is flow based. In 8.0+, it depends.
• All traffic that uses Overlays is packet based
o Traffic is distributed across underlay tunnels in a bonded overlay on a per-packet basis.
• Traffic that is directed using manual route policies into a manual (underlay) tunnel is flow based
o All packets in a flow not sent to an overlay will go into the same tunnel
o Manually routed traffic can load share between underlay tunnels, but on a flow, not packet, basis, using % tunnel BW utilization
• The load-sharing options in the system template or appliance system config do NOT apply to overlay traffic.
• In 8.0+ the Best Practice is to use BIOs to direct traffic, instead of manual policies
Silver Peak Path Selection Order 8.1.3+
Route choice criteria when doing a subnet table lookup

1. Longest Match
• E.g. 10.10.10.0/24 preferred over 10.10.0.0/16

2. Local Preference
• Any local subnet match is preferred over a subnet learned via advertisement, regardless of metric
• Note: Routes learned via BGP are NOT local

3. Lowest Metric
• E.g. 0.0.0.0/0 metric 50 from device A preferred over 0.0.0.0/0 metric 60 from device B
• SaaS service subnets are treated as remote (metric is considered)

4. Lowest Priority (Peer Priority)
• If the above are equal, choose the route from the peer with the lowest configured priority (Configuration > Peer Priority)

5. Random
• All the above being equal, path selection will be random



Flow Reset Selections
• Reset All – resets all flows – Potentially very dangerous in a production network!
(used in this course, however, for convenience)
• Reset All Returned – Resets flows that are displayed as a result of Filtering e.g. IP address, or
Protocol, Application Intelligence etc.
• Reset Selected – Resets only the flows you select in the displayed list



Auto Optimization



Destination: Auto Optimized
If a packet matches a policy with auto optimized as a destination…

• First check the subnet table for a match for the packet’s destination IP address
o If there's a match, put it in an underlay (not overlay) tunnel to the destination that the subnet was learned from, and honor any Path config options in the policy
o If no match in the subnet table, it depends on the setting of the system config for auto opt
• Classical auto opt requires the auto opt option boxes in the system config to be checked. They are off by default in current 8.1 code.
• If the auto opt option boxes are not checked in the system config, then execute the fallback option
• If the boxes are checked, then try to do classical auto opt (see next slides)
o Note: classical auto opt is a relic from before we had subnet sharing
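The two slides above (Path Selection Order and Destination: Auto Optimized) describe one decision procedure: rank every subnet-table entry covering the destination by the five criteria, then decide what an "auto optimized" policy does with the winner (or with a miss). The following is an added example written for this page, not Silver Peak code; the `SubnetEntry` fields, the `local` flag and the returned action names are a constructed model of the slide text, and the treatment of a locally attached match (deliver locally rather than tunnel) is an assumption.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SubnetEntry:
    """One row of a subnet table (constructed model, not the real schema)."""
    prefix: str             # e.g. "10.110.30.0/24"
    metric: int             # lower is better
    learned_from: str       # peer appliance name, or "local" for a directly attached subnet
    local: bool = False     # True only for local subnets; routes learned via BGP are NOT local
    peer_priority: int = 0  # configured peer priority (Configuration > Peer Priority); lower wins


def _net(entry: SubnetEntry) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(entry.prefix, strict=False)


def select_route(dest_ip: str, table, rng=random) -> Optional[SubnetEntry]:
    """Apply the 8.1.3+ selection order to every entry that covers dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [e for e in table if dest in _net(e)]
    if not candidates:
        return None                       # no subnet-table match at all
    # 1. Longest match: 10.10.10.0/24 beats 10.10.0.0/16
    longest = max(_net(e).prefixlen for e in candidates)
    candidates = [e for e in candidates if _net(e).prefixlen == longest]
    # 2. Local preference: a local match wins regardless of metric
    if any(e.local for e in candidates):
        candidates = [e for e in candidates if e.local]
    # 3. Lowest metric (SaaS subnets count as remote, so their metric is compared here too)
    best_metric = min(e.metric for e in candidates)
    candidates = [e for e in candidates if e.metric == best_metric]
    # 4. Lowest configured peer priority
    best_prio = min(e.peer_priority for e in candidates)
    candidates = [e for e in candidates if e.peer_priority == best_prio]
    # 5. Random among whatever is still tied
    return rng.choice(candidates)


def auto_optimized_destination(dest_ip, table, classical_auto_opt_enabled, fallback="passthrough"):
    """What a policy whose destination is 'auto optimized' does with one packet."""
    route = select_route(dest_ip, table)
    if route is not None:
        if route.local:                   # assumption: a local subnet is delivered locally
            return ("local", None)
        # underlay (not overlay) tunnel to the peer the subnet was learned from
        return ("underlay-tunnel", route.learned_from)
    if classical_auto_opt_enabled:        # system-config boxes checked (off by default in 8.1)
        return ("classical-auto-opt", None)
    return (fallback, None)               # otherwise the policy's fallback option


if __name__ == "__main__":
    # Constructed table: a /16 from peer A and a more specific /24 from peer B
    table = [SubnetEntry("10.110.0.0/16", 40, "A"), SubnetEntry("10.110.30.0/24", 50, "B")]
    print(select_route("10.110.30.5", table))            # longest match wins despite worse metric
    print(auto_optimized_destination("172.16.0.1", table, False))
```

Running the module prints the /24 entry from B for 10.110.30.5 (criterion 1 decides before metric is compared) and the fallback action for an address nothing covers. A peer-priority tie is only reached when prefix length, locality and metric are all equal, which the test below exercises separately.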



Classical TCP Auto Optimization
Works by modifying the TCP Options field, if the SYN cannot go in a tunnel
1. A new connection is started with a SYN packet
2. The #1 appliance:
o Adds the flow to its flow table
o Marks the TCP options field
o Returns the packet unoptimized to the network
3. The Silver Peak appliance at the remote side, #2:
o Adds the flow to its flow table
o Marks the TCP options field
4. #2 Delivers the packet into the LAN
5. When the SYN/ACK returns,
6. #2 Looks up the flow in the flow table
o Identifies the primary peer (#1)
o Puts the packet into the best tunnel
7. #1 receives the flow on the tunnel
o Strips off the tunnel headers
8. #1 Delivers the SYN/ACK to the LAN

Thereafter, all traffic for this flow goes through the tunnel

Packet trace from the diagram (A is behind SP#1, B is behind SP#2; columns are LAN A | WAN at SP#1 | WAN at SP#2 | LAN B):
SYN: AB->Syn | AB->Syn, opt SP#1 | AB->Syn, opt SP#1, SP#2 | AB->Syn, opt SP#1, SP#2
SYN/ACK: Syn/Ack<-BA | <-SP#1 SP#2 (Syn/Ack<-BA) | <-SP#1 SP#2 (Syn/Ack<-BA) | Syn/Ack<-BA
ACK: AB->Ack | (AB->Ack) SP#2 SP#1-> | (AB->Ack) SP#2 SP#1-> | AB->Ack
Traffic: AB<->Traffic | <-SP#2 SP#1-> (AB->Traffic) | <-SP#1 SP#2-> (AB->Traffic) | Traffic<-BA
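The eight steps above, as an added simulation written for this page (not Silver Peak code). It abstracts the TCP-option marking to a list of appliance names and tunnel encapsulation to a wrapper dict; the `Appliance`, `flow_key`, `tunnel` and `run_handshake` names, the packet layout and the addresses are all constructed. It also shows the consequence the next slide draws: a flow that is only ever seen in one direction never gets pulled into the tunnel.

```python
def flow_key(p):
    """Direction-agnostic flow identity, so the SYN and the SYN/ACK hit the same entry."""
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])


def tunnel(pkt, src, dst):
    """Constructed stand-in for tunnel encapsulation between two appliances."""
    return {"tunnel": (src, dst), "inner": pkt}


class Appliance:
    def __init__(self, name, tunnel_peers):
        self.name = name
        self.tunnel_peers = set(tunnel_peers)   # peers reachable through an existing tunnel
        self.flows = {}                          # flow_key -> {"peer": str|None, "marks": [...]}

    def from_lan(self, pkt):
        """Packet arriving from the local LAN; returns what is sent toward the WAN."""
        key = flow_key(pkt)
        entry = self.flows.get(key)
        if entry and entry["peer"]:                             # flow already pinned: use the tunnel
            return tunnel(pkt, self.name, entry["peer"])
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:  # step 2: new connection
            self.flows[key] = {"peer": None, "marks": []}
            return dict(pkt, opts=pkt["opts"] + [self.name])    # mark options, send unoptimized
        if entry and "ACK" in pkt["flags"] and entry["marks"]:   # step 6: SYN/ACK of a marked flow
            primary = entry["marks"][0]                          # first marker is the primary peer
            if primary in self.tunnel_peers:
                entry["peer"] = primary
                return tunnel(pkt, self.name, primary)           # best tunnel to the primary peer
        return pkt                                               # otherwise passthrough, unoptimized

    def from_wan(self, pkt):
        """Packet arriving from the WAN; returns what is delivered into the LAN."""
        if "tunnel" in pkt:                                      # step 7: strip headers, learn peer
            inner = pkt["inner"]
            self.flows[flow_key(inner)] = {"peer": pkt["tunnel"][0], "marks": []}
            return inner
        key = flow_key(pkt)
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:  # step 3: remote side sees marked SYN
            self.flows[key] = {"peer": None, "marks": list(pkt["opts"])}
            return dict(pkt, opts=pkt["opts"] + [self.name])
        return pkt


def run_handshake(bidirectional=True):
    """Return a list of (description, packet) hops for A behind SP#1 talking to B behind SP#2."""
    sp1, sp2 = Appliance("SP#1", {"SP#2"}), Appliance("SP#2", {"SP#1"})
    a, b = ("10.10.10.5", 40000), ("10.10.20.5", 80)            # constructed endpoints

    def pkt(src, dst, flags):
        return {"src": src[0], "sport": src[1], "dst": dst[0], "dport": dst[1],
                "flags": set(flags), "opts": []}

    trace = []
    syn_wan = sp1.from_lan(pkt(a, b, {"SYN"}))                   # steps 1-2
    trace.append(("A->B SYN on WAN", syn_wan))
    trace.append(("A->B SYN into B's LAN", sp2.from_wan(syn_wan)))   # steps 3-4
    if not bidirectional:                                        # B never answers
        trace.append(("A->B data, no reply ever seen", sp1.from_lan(pkt(a, b, {"PSH", "ACK"}))))
        return trace
    synack_wan = sp2.from_lan(pkt(b, a, {"SYN", "ACK"}))          # steps 5-6
    trace.append(("B->A SYN/ACK on WAN", synack_wan))
    trace.append(("B->A SYN/ACK into A's LAN", sp1.from_wan(synack_wan)))  # steps 7-8
    trace.append(("A->B ACK on WAN", sp1.from_lan(pkt(a, b, {"ACK"}))))   # thereafter: tunnel
    return trace


if __name__ == "__main__":
    for hop, p in run_handshake():
        print(hop, "->", p)
```

The SYN leaves SP#1 and SP#2 with both names appended to its options, the SYN/ACK is the first packet to travel inside a tunnel, and every later A-to-B packet is tunneled as well. With `bidirectional=False` the data packet from A is returned to the network unoptimized, because SP#1's flow entry never learns a peer.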



IP AUTO-OPTIMIZATION
• Uses the IP ID field
• Requires multiple packets to be seen in each direction
• IP auto-optimization requires that 12 packets are seen in each direction to fully exchange the IP addresses (and, therefore, auto-opt the flow)
• The IP ID field is too small to contain the info in one packet
• UDP traffic is recognized using a 5-tuple flow ID
• GRE and other port-less protocols use a 3-tuple ID
• GRE is connectionless but we consider all traffic matching the ID to be the same flow… i.e., traffic from A to B is the same flow as traffic from B to A if they are both using GRE
• Uni-directional IP traffic will not trigger IP auto-optimization
• This also means unidirectional IP traffic will not trigger Auto-Tunnel

USE SUBNET SHARING!!!
You shouldn’t need classical auto opt
• If you have correctly configured subnet sharing, no classical auto opt should be needed
• Classical auto opt is non-deterministic and should be avoided
• It may be deprecated in the future

Diagram: SP1 (LAN 10.10.10.0) and SP2 (LAN 10.10.20.0) across the WAN; SP1's subnet table lists 10.10.20.0 at SP2, and SP2's lists 10.10.10.0 at SP1.

Review 1: Flow Handling and Path Selection Order
1. T/F – When traffic is routed by Business Intent Overlays to a site with multiple available paths, all packets in a flow will always be placed in the same tunnel.
2. When a manual route policy is used to choose a path for certain traffic to a destination reachable via multiple underlay tunnels, can packets for individual flows be distributed across all the available paths to the destination?
3. T/F – In a subnet table, all else being equal, the route with the lowest metric is preferred.
4. Will the packet to 10.110.30.5 be sent to appliance A or B?
10.110.0.0/16 Metric 40 Learned from A
10.110.30.0/24 Metric 50 Learned from B
5. Will the packet to 10.110.30.5 be sent to appliance A or the local interface?
10.110.30.0/24 Metric 40 Learned from A
10.110.30.0/24 Metric 50 Auto – (added by system)
6. T/F - If a route policy destination of auto optimize is matched, the appliance will ignore subnet table entries.
7. T/F – You should always use classical auto opt instead of subnet sharing if possible.
Security Feature Enhancements



WAN Hardening: Review
• No traffic is allowed in and out of site that is not IPsec tunneled (with a few exceptions).
• No direct to Internet at the branch if the Internet interface is hardened.
• Appliance will still be able to talk to cloud portal through a hardened interface
• DHCP requests and responses will be allowed through hardened interfaces
• DNS queries and responses will be allowed through hardened interfaces.

Diagram: Branch Office connected via Comcast, AT&T and BT to the Datacenter. Inline router mode w/ WAN hardening is the default mode for physical appliances.



Basic branch firewall protection
Stateful Firewall
• Simple Layer 3 & 4 functionality
• In Path only! (Bridge or ILRM)
➢ Sessions originating from the LAN-side will be permitted
• Not an IDS/IPS & no L7 content inspection
• SNAT now possible on interface (affects PT traffic, not overlays)

State | Traffic
WAN Hardening | Allow Silver Peak IPsec tunnels. Drop GRE, UDP tunnel traffic and any traffic arriving outside of tunnel
Stateful Firewall / Stateful-SNAT (8.1.5+ now includes Stateful and Stateful+SNAT) | Allow sessions that originate from local LAN. Drop incoming connections originating outside. Allow Silver Peak IPsec tunnels, GRE, UDP tunnel traffic.
Allow All | Allow incoming from anywhere



Firewall: Stateful and Stateful+SNAT
• Applies to PT traffic and traffic that arrives outside a tunnel
o Outbound connections permitted
o Incoming connections originating from outside that arrive outside a tunnel will be dropped

• SNAT
o Applied outbound to passthrough traffic only
• Tunnel traffic is not NAT’d by Stateful+SNAT
o Source address will be NAT’d to interface IP
o Source port will be preserved if available, otherwise a new source port will be mapped
o Allows 64k connections per destination address
• Tuple = sourceIP+64k_source_ports+DestIP
o Use if no upstream NAT (e.g. local external firewall)

• NAT info for each flow is shown in the flow detail
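The four interface states from the table on the previous slide and the SNAT rules on this one, as an added example written for this page (not Silver Peak code). The `Packet` and `InterfaceFirewall` names, the mode strings, the addresses and the DHCP/DNS exception ports on a hardened interface are constructed; the slides state the behaviours, not the implementation.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                      # "tcp", "udp" or "gre"
    from_wan: bool                  # True if it arrived on the WAN side of the interface
    tunnel: Optional[str] = None    # "ipsec"/"gre"/"udp" for Silver Peak tunnel packets, None = outside a tunnel

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class InterfaceFirewall:
    """Per-WAN-interface state: wan_hardening | stateful | stateful_snat | allow_all."""
    MAX_PORTS = 65536     # the 64k source ports available per destination address

    def __init__(self, mode, interface_ip):
        self.mode = mode
        self.interface_ip = interface_ip
        self.sessions = set()      # WAN-side 5-tuples of sessions that originated on the LAN
        self.snat = {}             # original 5-tuple -> translated source port
        self.untranslate = {}      # translated WAN-side 5-tuple -> (orig src_ip, orig src_port)
        self.ports_in_use = {}     # dst_ip -> set of source ports already mapped to it

    def process(self, p):
        """Return ('allow', packet_as_forwarded) or ('drop', reason)."""
        if self.mode == "allow_all":
            return ("allow", p)
        if p.tunnel == "ipsec":                     # Silver Peak IPsec tunnels pass in every mode
            return ("allow", p)
        if self.mode == "wan_hardening":
            if p.proto == "udp" and p.dst_port in (53, 67, 68):   # assumed DNS/DHCP exception
                return ("allow", p)
            return ("drop", "hardened: outside IPsec tunnel")
        if p.tunnel in ("gre", "udp"):              # stateful modes also pass GRE/UDP tunnels
            return ("allow", p)
        return self._stateful(p)

    def _stateful(self, p):
        if p.from_wan:
            wan_side = p.reverse_key()              # what the outbound side of this session looks like
            if wan_side in self.sessions:
                orig = self.untranslate.get(wan_side)
                if orig:                            # undo SNAT on the return path
                    p = replace(p, dst_ip=orig[0], dst_port=orig[1])
                return ("allow", p)
            return ("drop", "stateful: connection originating outside, outside a tunnel")
        if self.mode == "stateful_snat":            # outbound passthrough only; tunnels never NAT'd
            p = self._apply_snat(p)
            if p is None:
                return ("drop", "snat: 64k source ports exhausted for this destination")
        self.sessions.add(p.key())
        return ("allow", p)

    def _apply_snat(self, p):
        original = p.key()
        if original not in self.snat:
            used = self.ports_in_use.setdefault(p.dst_ip, set())
            if len(used) >= self.MAX_PORTS:
                return None
            # keep the source port if it is free for this destination, else map a new one
            port = p.src_port if p.src_port not in used else next(
                x for x in range(1024, self.MAX_PORTS) if x not in used)
            used.add(port)
            self.snat[original] = port
            self.untranslate[(self.interface_ip, port, p.dst_ip, p.dst_port, p.proto)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=self.interface_ip, src_port=self.snat[original])


if __name__ == "__main__":
    fw = InterfaceFirewall("stateful_snat", "203.0.113.10")     # constructed interface address
    out = Packet("10.0.0.5", 40000, "198.51.100.7", 443, "tcp", from_wan=False)
    print(fw.process(out))                                        # source becomes 203.0.113.10:40000
    print(fw.process(Packet("198.51.100.7", 5555, "203.0.113.10", 22, "tcp", from_wan=True)))
```

The test checks the statements on the two slides one by one: a hardened interface drops a GRE/UDP tunnel and any outside-tunnel packet but passes IPsec; a stateful interface admits the return half of a LAN-originated session and nothing else from outside; SNAT keeps the original source port when it is free for that destination, maps a new one on collision, reverses itself on the return packet, and leaves tunnel traffic untouched.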



Zscaler Support
Silver Peak can build tunnels to Zscaler
• Zscaler provides cloud based security services
• Requires a GRE internet breakout (PT) tunnel from appliance to Zscaler
• You also need to define appliance address at Zscaler
Diagram: GRE Tunnel from EC to Zscaler



IPsec Key Rotation
Security enhancement – Global scheduling via Orchestrator
• Keys are the same for all appliances
o Default, or
o Custom, distributed via Tunnels template
• At scheduled time, appliances run a proprietary algorithm to create a key variation.
o Since they all use the same algorithm, everyone matches



IPSEC_UDP TUNNELS (IKE-LESS)
IPsec_udp solves many of the problems associated with IPsec negotiation and NAT/PAT
• Overcomes problems with IKE negotiation
• IPsec tunnel negotiation can fail through NAT/PAT
• NAT traversal can solve some of these problems, but not all.
o E.g. Cannot create multiple tunnels between the same (src, dest) pair
• Requires 8.2.0 Orchestrator and 8.1.6 VXOA
• ipsec_udp is default tunnel mode for 8.2.0+ Orchestrator
• Orchestrator manages key distribution and rotation, unique per tunnel
• Faster negotiation and more scalable (1000s of tunnels)
• Silver Peak proprietary solution

Diagram: an HA pair of EdgeConnects (10.0.0.1:10002 and 10.0.0.2:11002) behind NAT (1.1.1.1:10002 and 2.2.2.2:11002) building tunnels to 3.3.3.3:10002. Default destination port assignment: 10002 or 11002.
Seed: rotates every 24 hours. Nonce: for every unidirectional SA (one-way IPsec tunnel).
Note: Orch 8.2+ tunnel types are configurable per WAN label. IPsec, GRE and UDP are also available.

IP Whitelist
Restrict access to Orchestrator
• Orchestrator > IP Whitelist
• Allow only configured subnets to access Orchestrator
• Devices from sources not in the list will be denied
• Link to see denies at bottom of dialog
• Recommended if no FW or using cloud orchestrator.



Monitoring Drops by Hardened or SFW

• Support > Dropped Packet Trends



Review 2: Security Features

1. T/F – If an interface leading to the internet is hardened, local traffic will need to be backhauled to a data center through a tunnel to connect to Google.
2. T/F – No traffic of any kind is allowed into a hardened interface outside of an IPsec tunnel.
3. Could an interface connected to the Internet and configured to be a Stateful Firewall allow local access to SalesForce.com?
4. T/F – All the appliances in a network can simultaneously change to a new IPsec encryption key on a predetermined schedule.
5. Are ipsec_udp tunnels the only type available in Orchestrator 8.2.0 and above?
6. Is it possible to limit the address spaces from which logins to Orchestrator are allowed?



Key Application Notes for 8.1 (and some review)
Deployment Notes:



Deployment Notes for 8.1
Still 3 Supported Modes – more interfaces…
• Server Mode
o Must be deployed out of path
o Single interface (mgmt0) for data & management traffic

• Bridge mode
o Must be deployed in path
o 2 Management interfaces
o Up to 3 bridges (lan-WAN pair) for current HW platforms
• Check website for current HW specs
• When one bridge goes into bypass/open, they all do
o Forwards multicast traffic across the bridges

• Router mode
o In path or out of path
o 2 management interfaces
o Up to 6 data path interfaces (virtual or physical)
o Drops multicast traffic



Overlays in 8.1
More Flexibility
• Match Traffic via ACL or LAN Label: unchanged
• Topology: Mesh, Hub & Spoke: unchanged
• Peer Unavailable (formerly Overlay Down)
o More choices, including passthrough tunnels
• WAN Links & Bonding Policy: mostly unchanged
• Internet Traffic: Choose multiple methods for sending traffic direct to internet locally
o e.g. trusted apps like Office365, SFDC
• QoS now includes DSCP settings



Three Default Business Intent Overlays & ACLs
• Real Time
o Matches ‘Realtime’ ACL
• Common VOIP and conferencing apps & ports (sip, Skype, h.323, rtp, rtcp, rtsp etc.)
o Uses HA bonding
• Interactive
o Matches ‘Interactive’ ACL
• Common desktop apps (PCoIP, Citrix, vnc, MS terminal svcs etc.)
o Uses HQ bonding
• Default
o Matches ‘AnyTraffic’ ACL
• Matches everything
o Uses HQ bonding
• Each overlay points to a different traffic class for QoS
Peer Unavailable Action
Formerly ‘Overlay Down Action’
Orchestrator now creates a PT tunnel for each labeled WAN interface.
• Determines Route Policy Fallback behavior
o Passthrough Tunnel
• Forwarded out PT tunnel to chosen interface next-hop
• Can use one of the PT tunnels created by Orchestrator automatically
• Subject to QoS shaping
o Passthrough (PT)
• Forwarded to wan0 next-hop router unoptimized
• Subject to QoS shaping
o Passthrough Unshaped (PTU)
• Forwarded to wan0 next-hop router unoptimized & no shaping
o Drop
• Not forwarded
• Note: You might want to think before choosing PT or PTU
o For Internet, you should choose an interface using Stateful FW
o For a private network like MPLS, it depends on your needs
Note: Peer Unavailable Action affects traffic that matches the Traffic Access Policy, but for which no destination tunnel is available!
Diagram: Passthrough Tunnel and Passthrough Shaped pass through the Shaper; Passthrough Unshaped and Drop do not.



HQ (High Quality) Link Bonding and ‘Waterfall’
• HQ (High Quality) will use up the available BW on the best path, then ‘waterfall’ to the next best path.
• Waterfalling is triggered by bandwidth utilization. The “order” of the waterfall is determined by recent quality.
• “Best Path” is a function of (RTT, loss) to score each link.
o If you are using HQ, and quality starts to diminish (e.g. latency, loss) as the best path saturates, e.g. at 80% utilization, then it might be best to set the link BW to 80% on that link and waterfall over at that point to get the best performance.
o 80% is an example, not a recommendation. Track your link performance at different % levels to find the point that works best for your network.
• By comparison, HT/HE (High Throughput or High Efficiency) will load balance equal BW % on available primary paths
Router Mode
Supports BGP as of 8.1, but not required for local forwarding of traffic
• Each interface has at least one IP address and next-hop
• Router mode supports multiple interfaces, subinterfaces/IP addresses & VLANS
o Server mode does not! (1 IP, 1 int, no vlans)
• In this course we will deploy both out-of-path, and ILRM (Inline Router Mode)
• In Router Mode, there are at least 2 Silver Peak interfaces. Add interfaces to WAN or LAN, wherever you need them.
Diagrams: In Path (ILRM) with LAN and WAN interfaces; Out of Path with LAN interfaces and mgmt0.



HIGH AVAILABILITY FOR THE CLOUD-CONNECTED ENTERPRISE
EdgeConnect HA cluster protects from hardware, software and transport failures
• HA Cluster operates as a single logical EdgeConnect appliance
• Cluster shares one WAN IP and one Public IP per transport service
• HA Link is one 1/10 GbE link from/to any LAN/WAN port of same media type
• Migration of overlay tunnel traffic upon failover
• WAN uplink / underlay tunnel tracking reduces VRRP priority to favor the newly elected Master EdgeConnect appliance
Diagram: two EdgeConnect appliances joined by the HA Link, running VRRP toward the LAN through an L2 switch (LAN 0 on each), with WAN 0 and WAN 1 uplinks.



APP AVAILABILITY FOR THE CLOUD-CONNECTED ENTERPRISE
EdgeConnect HA architecture preserves all advanced SD-WAN features
• Tunnel bonding between any transport services
• Packet-based load sharing
• Dynamic path control with instantaneous fail-over
• Path conditioning
Diagram: an application flow (packets 1 to 8) is load-shared packet by packet across the HA pair (LAN 0, WAN 0, WAN 1, HA Link with VRRP behind an L2 switch) and shown in order on both sides.



Dynamic Rate Control
DRC is configured on the Inbound Shaper page, on the appliance only
• Prevents multiple peers from overrunning inbound interface speed
• Divides inbound bandwidth among peers dynamically
o Not necessarily equal for each peer
o e.g. if A is not sending, B&C might get more bandwidth
o Updates every second
• Asymmetric links supported 8.1.5+
Diagram: Devices A, B and C (10 Mbps each) send across the WAN to Device D (10 Mbps); per-peer rates of 2 Mbps and 3.3 Mbps are shown on the sending links.



Spoke to Spoke traffic via Hub
Internal Hair-pin
• Traffic can be routed Spoke to Spoke via a Hub appliance
• Requires:
o Hub site must be configured to internally Hair-pin traffic
o Hub site must advertise subnets to spoke sites (adjust metric as needed)
Diagram: Spoke (1.1.1.0) and Spoke (2.2.2.0), each tunneled to the HUB.



External ‘hairpinning’
In 7.x and below, incoming local WAN interface traffic cannot be put in to a tunnel
• Requires re-routing on the LAN-side
Diagram (local traffic):
1. Packet enters WAN int.
2. SP forwards to default LAN next-hop
3. L3 device has a route that points to Silver Peak as next-hop
4. SP BIO or route policy match directs packet to correct tunnel



When not all subnets are automatically known…
• Silver Peaks may not be directly attached to all subnets at a site
• DC might want to advertise specific local subnets to branches w/o a default route
o E.g. if branch internet access is local
• Silver Peaks must be configured to advertise subnets that are not directly attached
o May require static subnet table entries
o Might also require static routes to tell local appliances which next-hop to use
• Could be handled with BGP routing between Silver Peaks and local routers
Diagram: Branch connected over Internet and MPLS to a Data Center with subnets 1.1.1.0, 1.1.2.0, 1.1.3.0 and 1.1.4.0; the out-of-path data center appliances are not directly attached to most local subnets. The data center advertises: Subnet 1.1.1.0/0 metric 60, Subnet 1.1.2.0/0 metric 60, Subnet 1.1.3.0/0 metric 60, Subnet 1.1.4.0/0 metric 60.



Backhaul branch traffic to Internet through a Data Center
Common practice for security reasons
• Data Center Silver Peaks advertise a default route (0.0.0.0/0) to Branch appliances
• Branch appliances forward all traffic to unknown subnets back through tunnel to data center Silver Peaks for forwarding to Internet sites
o Can be superseded by local subnet table entries with a better metric
• DC firewall handles NAT, packet inspection etc.
• Note
o Branch appliance could handle NAT and basic L3/L4 firewall functionality, which might be sufficient w/o backhauling
o Doesn’t provide packet content inspection etc.
Diagram: Branch and Data Center over MPLS; the data center advertises Subnet 0.0.0.0/0 metric 60 and fronts the Internet.
IN PATH NETWORKING
ILRM is the recommended deployment mode
Diagram: SP1 (lan0; wan0 to Internet; wan1 to MPLS PE) w/ existing site router(s), and SP2 (lan0; wan0 to Internet; wan1 to MPLS PE) as the site router at the Branch.
w/ existing site router(s):
• Traffic forwarded to next-hop router
• BGP can be used to exchange routes with local router(s)
• Bridge mode is also possible
Appliance as site router:
• BGP can be used to exchange routes with PE router
• No other branch router required
• BGP can also be used to exchange routes with existing branch router(s)
• More in BGP section of course…
Out of Path Networking Flavors
BGP / PBR / WCCP (Silver Peak on a different subnet from the end devices, behind a Router / L3 Switch):
1. Router does Redirection
2. PBR / WCCP: SP should be on own subnet (not with end devices) so PT will not black hole
3. For BGP: Silver Peak should advertise best path
BGP / VRRP / Host Based Forwarding (Silver Peak on the same subnet as the end devices, off the L2 Switch):
1. SP can be on same subnet w/ router and end devices
2. End devices point to SP or virtual IP for VRRP or HBF
3. BGP: Devices point to Router as DG



VRRP with PBR
Diagram: End Devices on an L2 Switch (different subnets) behind a Router using PBR; the VRRP Peers share a VIP toward the WAN.
• VRRP peers could be deployed out of path with the VIP in a separate subnet, using PBR to redirect traffic



Review 3: Deployment Notes
1. T/F - Dynamic Rate Control may cause an appliance to limit its transmission speed to a receiving appliance.
2. What two things are required for an appliance to act as a hub that can relay traffic between two spoke sites?
3. Can a packet that enters a local WAN facing port outside of a tunnel be placed into a tunnel? If so, how?
4. T/F – Appliances cannot advertise default routes (0.0.0.0/0). This requires an external router.
5. You have two WAN facing interfaces: wan0 goes to an MPLS network, and wan1 goes to the Internet. By default, can passthrough traffic be forwarded from lan0 to the Internet when the destination subnet is unknown?
6. T/F – The Peer Unavailable (overlay down) action is triggered only when all underlay tunnels to all destinations are down.
7. You have two LAN interfaces and two WAN interfaces. A packet arrives at wan0 destined to a local destination (no tunnelization needed) reachable via wan1. Which mode does the Silver Peak need to be in to forward the packet to the correct interface? Bridge Mode or Router Mode?
Diagram for question 7: lan0 and lan1 on the LAN side, wan0 and wan1 toward the WAN.



Labs 2 & 3 OVERVIEW

• Omitting certain information can result in extraneous tunnel formation. Correct this condition.
• Observe the effects of WAN hardening and Overlay Down actions, some of them not so obvious. Understand the causes, and correct unwanted side effects.
o You will see pings fail from the branch to the data center, and identify the suspected root cause by examining the flow detail, then prove it with a temporary work around. Then you will correct the root cause.
o You will see pings work in one direction but not the other, and identify the root cause.
o In this section, remember the ECV-2 and ECV-3 are out of path, and there is not any traffic redirection. This means that traffic can go in the tunnels leaving the branch site (because it is inline), but will not be directed to the appliances to go into a tunnel at the data center site. You will use 3 methods of traffic redirection in upcoming labs, but for now, your goal is to learn flow behavior, and how to identify why a flow was routed in a particular way.
• Many networks require traffic going to the internet or other internal sites be backhauled through the data center. Configure data center machines to advertise default routes to achieve this.




Lab 2: Tunnel Formation


Lab 3: Overlay Behavior and WAN Hardening



Classification and Internet Breakout



APPLICATION-DRIVEN SECURITY POLICIES
First-packet iQ enables granular internet breakout
• Identify apps and web domains on the first packet
• Granular Internet Breakout
• 10,000+ Apps | 300 Million+ Web Domains | 100s of 1000s of IP Addresses
Diagram: EdgeConnect classifies a flow on packet 1 of 6 and steers it by category: Untrusted / Suspicious Apps go to the Corporate NG-Firewall; “Home from Work” Apps and Trusted Business Apps are the other categories shown.
• Steer Apps Intelligently: Granular, intelligent breakout of SaaS and trusted internet-bound traffic directly from the branch
• Improve App Response Time: Avoid added latency through direct access to where the app resides
• Reduce Backhaul: Backhaul only untrusted traffic to corporate FW
• Save Valuable WAN Bandwidth: Avoid consumption of expensive MPLS circuits where not necessary



FIRST-PACKET iQ APPLICATION CLASSIFICATION
• First-packet iQ (industry 1st)
o Cloud-hosted Internet map and geolocation database
o DNS response cache
o HTTP get request cache
o Real-time machine learning
• Deep Packet Inspection
o Apps with ephemeral ports eg: RTSP, RTP, FTP
o 2-6 packets typical for HTTP
o 10-12 packets for HTTPS
• IP / TCP / UDP Port
o Well-known port numbers, e.g. tcp port 80 for HTTP, tcp port 443 for HTTPS, ip 1 for icmp
• IP Address
o IP addresses and subnets e.g: 216.58.192.0/24



FIRST-PACKET AVC: HOW IS IT DONE?
1. IP Intelligence database downloaded dynamically from Cloud Portal
Built in application groups can be used in ACLs etc. or you can define your own



FIRST-PACKET AVC: HOW IS IT DONE? (CONT.)
2. DNS intelligence on appliance



Passthrough tunnels / Internet Breakout (8.1.3+)
e.g.: MPLS is on wan0, internet is on wan1 & local devices need Internet, or load balance two internet connections

• Flexibility
o PT tunnel / Breakout allows you to forward incoming local PT traffic through a chosen WAN interface
o Standard Passthrough L2W traffic goes to next-hop for wan0
• Two pieces
o Breakout / Passthrough tunnel
• Encapsulation type is none (so ‘tunnel’ is really a misnomer)
• Default PT tunnels defined for each WAN int label
• Orchestrator defined PT tunnels created automatically (8.1.12+)
• User defined PT tunnels allowed
o Overlay or Route Policy
• Choose which traffic to send PT
• Match incoming traffic using standard match criteria
• Destination is PT, PTU or PT tunnel
Diagram: lan0 into the appliance, out wan0 (MPLS, the PT default) or wan1 (Internet).
Note: This feature is called Passthrough Tunnels in the UI, but the release notes call it Internet Breakout.



Local Internet Break Out
Sending traffic to the Internet in Overlays with Passthrough Tunnels

Drag and Drop Policies
• Use Policies to send traffic directly to an ‘external’ destination outside the Overlay, e.g. directly to the Internet
• Active policies in flow on Left (Preferred Policy Order)
• Inactive policies on Right
• Drag and drop between columns
• Traffic that DOES NOT match these subnets will be broken out. Traffic that DOES match will be sent to the overlay.
• If you choose multiple Primary Break Out links, the overlay will load balance on a per flow basis (not per packet)
• An IP SLA is automatically created to monitor Internet Reachability. Default destination is sp-ipsla.silverpeak.cloud. You might need to modify this for your network.

62 Confidential | © 2017 Silver Peak Systems, Inc. All Rights Reserved.


Policy Order is Important!
Match policies from top down

The first policy set (breakout listed before the overlay) will:
1. Break out non-internal traffic to the selected PT tunnel(s)
2. Put anything else in the overlay (assuming there's a route etc.)
...but if the local breakout goes down (e.g. the next-hop becomes unreachable):
3. Put non-internal traffic in the overlay instead of breaking it out if there's a route (could be a default route)
4. Else, do the Peer Unavailable Action if possible, or Drop

The second policy set (overlay listed before the breakout) will:
1. Put all traffic in the overlay if there's a route. But if there is no path to the destination in the subnet table (e.g. it's no longer being advertised by any peers),
2. Then break out non-internal traffic to the PT tunnel(s).
3. If the breakout interface (e.g. Internet) goes down, the Internet traffic will be dropped.


Manual Passthrough Tunnel
MPLS is on wan0 and Internet on wan1, so the default PT will go to wan0. A PT tunnel lets you get around the default behavior.

(Diagram: lan0 into the appliance; wan0 to MPLS, wan1 to Internet.)

Configure a Route Policy with appropriate match criteria, and point the Destination to the Peer. The Destination is the PT tunnel name.
Manual Passthrough Tunnels to Load Balance Internet Connections
• Address of interface (e.g. wan0 or wan1 etc.)
• 0.0.0.0 = forward to the default next-hop for the interface
• Peer is an arbitrary name that will show in the Peer List

(Diagram: lan0 into the appliance; wan0 and wan1 both to the Internet.)

Note: load balancing is flow based.

Configure a Route Policy with appropriate match criteria, and point the Destination to the Peer. Destination is 'Internet'; Path is 'load balance'.
Overlay Flow
(Reconstructed from the flowchart on this slide.)
1. Does the traffic match the Overlay Access Policy? If not, try to match the next Overlay / Policy, ...or eventually the Default.
2. Is a local path to the destination (Service or Breakout) configured in this Overlay? If so, send the flow PT to the Breakout Interface or Service; if the PT interface is down, fall through to the next check.
3. Is the destination available via this Overlay (match in the Subnet Table)? If so, transmit.
4. Otherwise, does it match the host's Internal Subnets / Default Route list? Apply the Overlay Unavailable Policy Action: PT / PTU, or Drop.
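As an added example (not from the slides), the following Python models both policy sets from the Policy Order slide and the fall-through behaviour the flowchart describes; the internal subnets, link states, destination addresses and the Peer Unavailable Action values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: the site's internal address space. These are the
# subnets the breakout policy "matches"; anything else is non-internal.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in INTERNAL_SUBNETS)


@dataclass
class Policy:
    name: str
    match_internal: Optional[bool]  # True = internal dsts, False = non-internal, None = any
    destination: str                # "breakout" (PT tunnel) or "overlay"


@dataclass
class LinkState:
    breakout_up: bool = True               # next hop on the breakout interface reachable
    route_in_subnet_table: bool = True     # dst (or a default route) in the subnet table
    peer_unavailable_action: str = "drop"  # assumed overlay setting: "drop" or "pass-through"


def resolve(dst: str, policies: List[Policy], state: LinkState) -> str:
    """Walk the policy list top-down. A policy whose action cannot currently be
    carried out (breakout next hop down, no route for the overlay) is skipped
    and the next policy is tried, which is what makes the order matter."""
    internal = is_internal(dst)
    for p in policies:
        if p.match_internal is not None and p.match_internal != internal:
            continue  # match criteria not met, try the next policy
        if p.destination == "breakout" and state.breakout_up:
            return f"{p.name}: pass-through via breakout interface"
        if p.destination == "overlay" and state.route_in_subnet_table:
            return f"{p.name}: transmit in overlay"
        # action not available right now: fall through to the next policy
    # No policy could forward the flow: Peer Unavailable Action, else drop.
    if state.peer_unavailable_action == "pass-through":
        return "peer unavailable: pass-through"
    return "drop"


# Policy set from the left column of the slide: break out first.
BREAKOUT_FIRST = [
    Policy("break out non-internal", match_internal=False, destination="breakout"),
    Policy("anything else to overlay", match_internal=None, destination="overlay"),
]

# Policy set from the right column: overlay first, breakout only as fallback.
OVERLAY_FIRST = [
    Policy("all traffic to overlay", match_internal=None, destination="overlay"),
    Policy("break out non-internal", match_internal=False, destination="breakout"),
]


def compare(dst: str, state: LinkState):
    """Return (breakout-first result, overlay-first result) for one flow."""
    return resolve(dst, BREAKOUT_FIRST, state), resolve(dst, OVERLAY_FIRST, state)


if __name__ == "__main__":
    internet_dst = "203.0.113.10"  # constructed non-internal destination
    scenarios = [
        ("all up", LinkState()),
        ("breakout down", LinkState(breakout_up=False)),
        ("no route", LinkState(route_in_subnet_table=False)),
        ("both down", LinkState(breakout_up=False, route_in_subnet_table=False)),
    ]
    for label, st in scenarios:
        first, second = compare(internet_dst, st)
        print(f"{label:14s} breakout-first: {first:55s} overlay-first: {second}")
```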
Review 4: Internet Breakout and Traffic Classification
1. T/F – An EdgeConnect can snoop DNS lookups and cache the results for domain-based packet classification.
2. T/F – As part of its 1st packet classification strategy, Silver Peak appliances maintain a cache of millions of domains and addresses that is dynamically updated.
3. What is the difference between the Policy Orders shown?
4. T/F – It is necessary to manually configure at least two Internet passthrough tunnels to load balance breakout traffic?


IP SLA



IP SLA
• Allows you to trigger actions based on monitored conditions
• Three Monitor Types:
  • Ping
  • Interface up/down
  • VRRP Monitor
• Configurable Down Action and Up Action
• One set of actions per SLA
  • To get multiple actions, configure multiple SLAs that monitor the same thing
• It's possible to just raise/clear an alarm with no other action

IP SLA - PING
• Address
  • Domain names or IP addresses
  • Comma separated if multiple
  • Tested as 'Or' (all destinations do not need to be reachable for the 'up' condition – any single one will do)
• Ping Interval – ping all IPs/names in the list every X seconds
• Mark Up after X pings – X good pings to any single site in the list means mark the destination up
• Mark Down after X Failed Pings – X missed ping replies to each and every site in the list marks the destination down
• Monitor Sampling Interval – how often higher level processes (like the overlay manager) check the status of the SLA
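An added example, not part of the course material, implementing the ping monitor's 'Or' semantics in Python. The destinations and thresholds are constructed, and it assumes (the slide does not say) that the good/failed counts are consecutive and that the monitor starts in the down state.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PingSla:
    """IP SLA 'Ping' monitor with the slide's OR semantics for the address list.
    Assumption (not stated on the slide): the good/failed counts are consecutive
    and the monitor starts in the down state."""
    destinations: List[str]
    mark_up_after: int = 3      # good pings to ANY single destination
    mark_down_after: int = 5    # missed replies from EVERY destination
    state: str = "down"
    good: Dict[str, int] = field(default_factory=dict)
    failed: Dict[str, int] = field(default_factory=dict)
    transitions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for d in self.destinations:
            self.good[d] = 0
            self.failed[d] = 0

    def poll(self, replies: Dict[str, bool]) -> str:
        """One ping interval. `replies` maps destination -> reply received?
        Returns the SLA state after this interval ("up" or "down")."""
        for d in self.destinations:
            if replies.get(d, False):
                self.good[d] += 1
                self.failed[d] = 0
            else:
                self.failed[d] += 1
                self.good[d] = 0
        any_site_up = any(self.good[d] >= self.mark_up_after for d in self.destinations)
        all_sites_down = all(self.failed[d] >= self.mark_down_after for d in self.destinations)
        new_state = self.state
        if self.state == "down" and any_site_up:
            new_state = "up"        # a single reachable site is enough
        elif self.state == "up" and all_sites_down:
            new_state = "down"      # every site must fail before the Down Action runs
        if new_state != self.state:
            self.transitions.append(f"{self.state}->{new_state}")
            self.state = new_state
        return self.state


def run_scenario() -> PingSla:
    """Constructed timeline for a three-destination list (Review 5, question 2)."""
    a, b, c = "198.51.100.1", "198.51.100.2", "sp-ipsla.silverpeak.cloud"
    sla = PingSla([a, b, c])
    for _ in range(3):                       # all three answer: up after 3 good pings
        sla.poll({a: True, b: True, c: True})
    for _ in range(10):                      # one destination dies: stays up (OR)
        sla.poll({a: False, b: True, c: True})
    for _ in range(5):                       # all three fail: down after 5 misses each
        sla.poll({a: False, b: False, c: False})
    for _ in range(3):                       # only the cloud probe answers: back up
        sla.poll({a: False, b: False, c: True})
    return sla


if __name__ == "__main__":
    result = run_scenario()
    print("final state:", result.state)
    print("transitions:", result.transitions)
```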

IP SLA – MONITOR INTERFACE
• Monitors a local interface and takes the up or down action
• Monitor Sampling Interval – how often higher level processes (like the overlay manager) check the status of the SLA

IP SLA – VRRP MONITOR
• Checks to see if this device is the VRRP Master (up) or Backup (down)
• Monitor Sampling Interval – how often higher level processes (like the overlay manager) check the status of the SLA

DEFAULT IP SLA RULES
• When you configure Internet breakout, IP SLA policies are created by default per overlay.
• Policies are applied to each appliance that is part of the overlay
• Default destination is sp-ipsla.silverpeak.cloud
• Orchestrator-created IP SLA policies are not editable on the appliance


SAMPLE IP SLA USE CASES
• Use Case 1
  • WAN Interface Down -> Force VRRP Failover to Secondary System
  • Reason: Don't blackhole traffic because the LAN interface is still up
• Use Case 2
  • LAN Interface Down -> Remove local subnets from subnet table
  • Reason: Don't send traffic to a device that has nowhere to route it
• Use Case 3
  • WAN IP Address Down -> Failover from Primary WAN tunnel to Secondary
  • Reason: zScaler GRE Tunnels to POP1 and POP2


Review 5 – IP SLA
1. Can an IP SLA cause subnet sharing to stop if an interface goes down?
2. T/F – In an IP SLA ping address list with 3 destinations, if any one of the destinations becomes unreachable the IP SLA will be marked DOWN, and the Down Action will be performed.
3. T/F – It's possible to configure an IP SLA to monitor reachability of a critical server via Ping, and raise or clear an alarm, without taking any other action on the appliance.


Networking Features



DHCP Server
Option on LAN-side interfaces

• Standard DHCP server options
• Not all option fields support text input. If needed, convert ASCII text or addresses to hex and use that, e.g. option 162 - directory path
• Static assignments are only available on the appliance


DHCP Server Default Settings on Orchestrator
Configuration > DHCP Server Defaults

• For Deployment Profiles with DHCP, applied from Orchestrator as part of the Config Wizard.
• Monitoring shows DHCP Leases for selected appliances


NAT for Passthrough Tunnels 8.1.4+

• Enables outbound NAT on individual Passthrough tunnels
• Not compatible with NAT Policies (not shown)
  o Use one or the other to avoid unpredictable results
  o NAT policies will be deprecated


Orchestrator Reachability in a NAT environment

(Diagram: an Edge Connect reaches the Orchestrator and the Cloud Portal over LTE, MPLS and Internet paths.)

• With NAT, Orchestrator can have an internal and multiple external addresses via NAT through different service providers (8.1.3+); configured on Orchestrator
• Use Orchestrator Reachability to make sure that appliances point to the correct address(es) via interfaces that use the selected label


8.1 Troubleshooting Features and
Enhancements



Orchestrator Audit Logs (8.1)

• This example shows a user (admin) making a change to the overlay config, then Overlay Manager making changes to the appliances...
• Mouseover shows details


Live View – Real-Time Tunnel Charting
• Click on tunnel in Topology View
• Click on charting icon in Live View column
• Green means the tunnel meets performance goals



Live View – Traceroute

• Traceroute option can show you hop-by-hop latency for underlay tunnels



Broadcast CLI
Useful for quick access to appliance CLI
• Select appliances in tree view
• Execute commands on selected
• Does not have all the features of full CLI
o No up arrow retrieve, tab to complete,
question mark help etc.



Threshold Crossing Alerts (TCA)
• TCAs can be set up to notify users in the event a certain criteria is met
  o Appliances make constant measurement of loss, latency, throughput etc.
  o When a threshold is crossed (measurement falls outside the expected value), an alarm is triggered
• TCAs can be defined for both appliances and tunnels (separate configs pre 6.2)
• By default, three TCAs are enabled:
  o Tunnel latency
  o System disk utilization for appliances
  o >90% of max flows

*Tip: Pay close attention to the unit and metric of each TCA as defined in the user guide and this training. Tooltips on the interface provide guidance.


How TCAs Work
• A threshold is crossed, causing the alarm to be generated
• An alarm will not be cleared until it crosses a second, different threshold
• The direction is dependent on whether the TCA is based on a rising or falling metric

Two Types: Rising Alerts and Falling Alerts (the diagram shows the nominal, i.e. safe, zone between the two thresholds).
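Added example (not from the slides): a rising and a falling TCA, each with a separate raise and clear threshold so that a metric hovering between the two does not flap the alarm, replayed over constructed latency and throughput samples.

```python
from typing import List, Optional, Tuple


class ThresholdCrossingAlert:
    """One TCA with the two-threshold behaviour described on the slide: the alarm
    is raised when the metric crosses `raise_at` and is only cleared when it
    crosses a second threshold, `clear_at`, in the opposite direction."""

    def __init__(self, name: str, raise_at: float, clear_at: float, rising: bool = True):
        if rising and clear_at >= raise_at:
            raise ValueError("rising TCA needs clear_at < raise_at")
        if not rising and clear_at <= raise_at:
            raise ValueError("falling TCA needs clear_at > raise_at")
        self.name, self.raise_at, self.clear_at, self.rising = name, raise_at, clear_at, rising
        self.alarm = False

    def observe(self, value: float) -> Optional[str]:
        """Feed one measurement; return "raise", "clear" or None (no change)."""
        if self.rising:
            crossed_raise, crossed_clear = value >= self.raise_at, value <= self.clear_at
        else:
            crossed_raise, crossed_clear = value <= self.raise_at, value >= self.clear_at
        if not self.alarm and crossed_raise:
            self.alarm = True
            return "raise"
        if self.alarm and crossed_clear:
            self.alarm = False
            return "clear"
        return None  # nominal zone, or between the two thresholds: hold the current state


def replay(tca: ThresholdCrossingAlert, samples: List[float]) -> List[Tuple[int, str]]:
    """Return (sample index, event) for every alarm change while replaying `samples`."""
    events = []
    for i, v in enumerate(samples):
        ev = tca.observe(v)
        if ev:
            events.append((i, ev))
    return events


# Constructed sample series (ms latency and Mbps throughput), not appliance data.
LATENCY_MS = [80, 120, 160, 140, 110, 95, 170]
THROUGHPUT_MBPS = [30, 8, 15, 25]

if __name__ == "__main__":
    # Rising TCA, e.g. tunnel latency: raise at >= 150 ms, clear only at <= 100 ms.
    print(replay(ThresholdCrossingAlert("tunnel latency", 150, 100), LATENCY_MS))
    # Falling TCA, e.g. throughput: raise at <= 10 Mbps, clear only at >= 20 Mbps.
    print(replay(ThresholdCrossingAlert("throughput", 10, 20, rising=False), THROUGHPUT_MBPS))
```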


TCA Types
• TCAs can be defined and applied as configuration templates



Review 6: Networking / Troubleshooting
Features and Enhancements
1. T/F – Silver Peak supports outbound Port Address Translation.
2. T/F – Silver Peak allows you to configure different NAT policies for different kinds of traffic
3. When might you have to configure different addresses for an appliance to use when connecting
to Orchestrator?
4. What can show you a color coded view of a tunnel exceeding, or conforming to a configured
threshold for loss, latency or jitter over time, and where is it found?
5. What can show you a hop-by-hop latency for a tunnel to a destination appliance?
6. What allows you to issue a text command to multiple appliances simultaneously?
7. T/F - Threshold Crossing Alerts (TCAs) can be raised when a monitored value falls below a
defined threshold.



Lab 4 OVERVIEW

• Configure an overlay for local Internet breakout
• Observe the effects of the default IP SLA
• Demonstrate connectivity to an Internet-connected remote device via breakout

Lab 4: Local Internet Breakout


Web Cache Communication Protocol
WCCP



WCCP (Web Cache Communication Protocol) Review
• WCCP is a Cisco protocol
• Routers and Service Groups (could be one or more SPs) talk to each other: "I See You" (ISY) and "Here I Am" (HIA)
• The Designated Web Cache determines which traffic goes to which group member
• Offers redundancy – if a web cache goes down, traffic is redistributed among the remaining devices, if any
• The router (or L3 switch) has an ACL to determine what traffic goes to a Service Group

(Diagram: router with LAN and WAN sides; one or more devices are members of WCCP Service Group(s) in Server or Router mode, exchanging HIA/ISY and receiving Redirect Assign (RA) messages.)
WCCP – Protocol example
• Here I Am (HIA) and I See You (ISY) messages flow between routers and the service group
• E.g. a link goes down, so Here I Am (HIA) messages don't get to the router
• After 2.5 HIA intervals, a Query Timeout occurs: the router sends WCCP2_REMOVAL_QUERY to the appliance
• After 3 HIA intervals, the device is removed from the Service Group, reflected in the I See You (ISY) message
• The Designated Web Cache sends Redirect Assign (RA) 1.5 HIA intervals after the membership change

(Diagram: the ISY and RA messages toward the failed appliance are marked with an X.)


Out-of-Path: WCCP
Use WAN-side WCCP redirects only if there is no subnet sharing with auto-optimization.
(Diagram labels: "Apply WCCP to this interface", "DO NOT apply WCCP to this interface", "Devices on own subnet", "L2 return is optimal".)

• To install the appliance in this mode:
  1. Connect the wan0 or mgmt0 interface of the appliance to the router (depending on whether you are in router or server mode).
  2. Do NOT connect the LAN interface of the appliance
  3. Configure 2 WCCP Service Groups on the Silver Peak appliance (one for TCP and one for UDP)
  4. Configure the same WCCP Service Groups on the WAN router
  5. Physical appliances don't need to connect the LAN interface to anything


ACLs and Redirection

  access-list 101 permit ip 10.110.33.0 0.0.0.255 10.110.11.0 0.0.0.255
                            (Source Subnet)         (Destination Subnet)

• The ACL determines what gets sent to the appliance.
• Appliance policies determine what gets optimized.
• ACLs use a reverse (wildcard) mask.

(Diagram: LAN 10.110.33.0 on one side of the router, WAN toward 10.110.11.0 on the other; LAN redirect and WAN redirect shown.)

• If WAN-side redirects are required, the source and destination addresses will be reversed for the ACL that is applied to the WAN interface
  o E.g. access-list 102 permit ip 10.110.11.0 0.0.0.255 10.110.33.0 0.0.0.255


Configuring WCCP on the router
Match LAN traffic (may need additional entries). Also a WAN-side ACL if there is no subnet sharing with auto-optimization:

  CSR-1#configure terminal
  CSR-1(config)# access-list 101 permit ip 10.110.33.0 0.0.0.255 10.110.11.0 0.0.0.255
  CSR-1(config)# access-list 102 permit ip 10.110.11.0 0.0.0.255 10.110.33.0 0.0.0.255

• Since you'll be using two protocols, you'll need two service groups. Therefore, create two WCCP service groups (as placeholders) and associate the ACL with them. Here, we'll create 53 to use (later) with TCP and 54 to use (later) with UDP. Service Groups can be numbers between 51 and 255 inclusive:

  CSR-1(config)# ip wccp 53 redirect-list 101
  CSR-1(config)# ip wccp 54 redirect-list 101
  CSR-1(config)# ip wccp 55 redirect-list 102
  CSR-1(config)# ip wccp 56 redirect-list 102

• You must also associate the WCCP service group on the LAN-side interface. Apply to the LAN interface last! Apply to the WAN interface only if not using subnet sharing (see above):

  CSR-1(config)# interface gigabitEthernet 1
  CSR-1(config)# ip wccp 53 redirect in
  CSR-1(config)# ip wccp 54 redirect in
  CSR-1(config)# interface gigabitEthernet 2
  CSR-1(config)# ip wccp 55 redirect in
  CSR-1(config)# ip wccp 56 redirect in
  CSR-1(config)# end

(Diagram: gi 1 faces the 10.110.33.0 LAN (LAN redirect); gi 2 faces the WAN toward 10.110.11.0 (WAN redirect).)
Scalable ACL
ACL Examples – Single local LAN

• Using local subnets in ACLs makes this more scalable as it will be easier to add additional sites without changes to existing locations.
• LAN-side Redirect (service group 51):

  ip access-list extended SP-LAN
   deny ip host 10.1.21.2 any
   permit ip 10.1.20.0 0.0.0.255 any
  ip wccp 51 redirect-list SP-LAN

  Note the location of the ANY statement. The deny entries are for traffic involving the appliance itself (10.1.21.2).

• WAN-side Redirect (service group 52):

  ip access-list extended SP-WAN
   deny ip host 10.1.21.2 any
   permit ip any 10.1.20.0 0.0.0.255
  ip wccp 52 redirect-list SP-WAN

  Add this only if there is a problem, or if the SP must be on the same subnet with end devices. Use subnet sharing and avoid WAN-side redirects!

(Diagram: LAN 10.1.20.0/24, appliance at 10.1.21.2/29; 51 = LAN redirect, 52 = WAN redirect.)


Scalable ACL
ACL Examples – multiple local LANs

• Use local denies to minimize 'partner flow' false positives when using 'ANY'
• LAN-side Redirect (service group 51):

  ip access-list extended SP-LAN
   deny ip any 10.1.20.0 0.0.0.255
   deny ip any 10.1.25.0 0.0.0.255
   permit ip 10.1.20.0 0.0.0.255 any
   permit ip 10.1.25.0 0.0.0.255 any

  The denies cover traffic that will not go over the WAN (e.g. inter-VLAN traffic).

• WAN-side Redirect (service group 52):

  ip access-list extended SP-WAN
   permit ip any 10.1.20.0 0.0.0.255
   permit ip any 10.1.25.0 0.0.0.255

  Use subnet sharing! No WAN-side redirects needed!

(Diagram: LANs 10.1.20.0/24 and 10.1.25.0/24, appliance at 10.1.21.2/29; 51 = LAN redirect, 52 = WAN redirect.)
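The following added Python (not Silver Peak or Cisco code) parses the ACLs from the last three slides with IOS wildcard-mask semantics and shows which flows each one redirects, including the reversed WAN-side ACL and the inter-VLAN false positive the local denies remove. The remote subnet 172.16.50.0/24 and the individual host addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    src: int
    src_wildcard: int   # IOS wildcard: 0 bits must match, 1 bits are "don't care"
    dst: int
    dst_wildcard: int

    def matches(self, src_ip: int, dst_ip: int) -> bool:
        return ((src_ip ^ self.src) & ~self.src_wildcard & ALL_ONES) == 0 and \
               ((dst_ip ^ self.dst) & ~self.dst_wildcard & ALL_ONES) == 0


def _parse_address(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i];
    return (address, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Accept both the numbered ('access-list 101 permit ip ...') and the named
    ('ip access-list extended NAME' followed by 'permit ip ...') IOS forms; other
    lines (the 'ip wccp ... redirect-list' statement, blanks) are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, src_wc, i = _parse_address(tokens, 2)
        dst, dst_wc, _ = _parse_address(tokens, i)
        entries.append(AclEntry(tokens[0] == "permit", src, src_wc, dst, dst_wc))
    return entries


def is_redirected(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in acl:
        if e.matches(s, d):
            return e.permit
    return False


# The slides' ACLs, verbatim.
ACL_101 = parse_acl("access-list 101 permit ip 10.110.33.0 0.0.0.255 10.110.11.0 0.0.0.255")
ACL_102 = parse_acl("access-list 102 permit ip 10.110.11.0 0.0.0.255 10.110.33.0 0.0.0.255")

SP_LAN_SINGLE = parse_acl("""
ip access-list extended SP-LAN
 deny ip host 10.1.21.2 any
 permit ip 10.1.20.0 0.0.0.255 any
ip wccp 51 redirect-list SP-LAN
""")

SP_LAN_MULTI = parse_acl("""
ip access-list extended SP-LAN
 deny ip any 10.1.20.0 0.0.0.255
 deny ip any 10.1.25.0 0.0.0.255
 permit ip 10.1.20.0 0.0.0.255 any
 permit ip 10.1.25.0 0.0.0.255 any
""")

if __name__ == "__main__":
    # Constructed flows; 172.16.50.0/24 stands in for a remote site across the WAN.
    checks = [
        ("ACL 101, LAN->WAN", ACL_101, "10.110.33.5", "10.110.11.9"),
        ("ACL 101, reversed", ACL_101, "10.110.11.9", "10.110.33.5"),
        ("ACL 102, WAN->LAN", ACL_102, "10.110.11.9", "10.110.33.5"),
        ("single LAN, to WAN", SP_LAN_SINGLE, "10.1.20.5", "172.16.50.10"),
        ("single LAN, inter-VLAN", SP_LAN_SINGLE, "10.1.20.5", "10.1.25.7"),
        ("single LAN, from appliance", SP_LAN_SINGLE, "10.1.21.2", "172.16.50.10"),
        ("multi LAN, inter-VLAN", SP_LAN_MULTI, "10.1.20.5", "10.1.25.7"),
        ("multi LAN, to WAN", SP_LAN_MULTI, "10.1.25.7", "172.16.50.10"),
    ]
    for label, acl, s, d in checks:
        print(f"{label:28s} {s:>12s} -> {d:<14s} redirect={is_redirected(acl, s, d)}")
```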


Configuring WCCP
• Add service group
  o Choose a Group ID starting at 51 and up
  o Configure a Router IP Address
  o Configure the protocol (required)
  o Configure an interface to use on the appliance
• Best Practices
  o Create 2 service groups per router – one for TCP and one for UDP. This will catch most of the traffic
  o Add a 3rd group for ICMP if you want to test redirection with Pings
  o Add additional service groups for any other IP protocols that need to be optimized and choose the protocol from the dropdown list

In your lab you will connect to two routers and create a pair of service groups for each.
Advanced Settings: Weight
• Weight causes the designated web cache to manipulate the bits in the hash/mask assignment sent to a router
• Used for proportional load balancing between devices in a service group
• Default – leave everything at 100 and traffic will be distributed equally
• Could be used to limit traffic going to (a) particular device(s)
  o Maybe tunnels connected to that device go over slower links
  o The device might be a much smaller appliance than others in the service group that can't handle as much load (not recommended)
  o Active/backup (100 on active, 0 on backup)

Calculation: one appliance's weight / sum of all weights in the service group
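An added example, not from the slides, that models the removal-query / removal / redirect-assign timeline from the protocol example slide and the weight calculation above in one router-side simulation. The 10 s HIA interval, the member names and the weights are constructed.

```python
from fractions import Fraction
from typing import Dict, List, Optional


class WccpServiceGroup:
    """Router-side view of one service group. Timeouts are the multiples of the
    Here-I-Am interval given on the protocol slide; the interval itself is a
    constructed value. Shares follow the Weight slide: weight / sum of weights."""

    def __init__(self, hia_interval: float, weights: Dict[str, int]):
        self.hia = hia_interval
        self.weights = dict(weights)
        self.members = set(weights)                 # currently in the group
        self.last_hia = {m: 0.0 for m in weights}   # time of last Here-I-Am seen
        self.query_sent: Dict[str, float] = {}      # member -> time of REMOVAL_QUERY
        self.removed: Dict[str, float] = {}         # member -> time removed
        self.ra_due: Optional[float] = None
        self.ra_sent: List[float] = []
        self.log: List[str] = []

    def here_i_am(self, member: str, now: float) -> None:
        """A HIA arrived: the member is alive, any pending removal query is moot."""
        self.last_hia[member] = now
        self.query_sent.pop(member, None)

    def advance(self, now: float) -> None:
        """Evaluate timeouts at time `now` (call on every router tick)."""
        for m in sorted(self.members):
            silent = now - self.last_hia[m]
            if silent >= 3 * self.hia:
                self.members.discard(m)
                self.removed[m] = now
                self.log.append(f"t={now:g}s: {m} removed from group; ISY no longer lists it")
                self.ra_due = now + 1.5 * self.hia   # designated cache re-assigns buckets
            elif silent >= 2.5 * self.hia and m not in self.query_sent:
                self.query_sent[m] = now
                self.log.append(f"t={now:g}s: WCCP2_REMOVAL_QUERY sent to {m}")
        if self.ra_due is not None and now >= self.ra_due:
            self.ra_sent.append(now)
            self.ra_due = None
            self.log.append(f"t={now:g}s: Redirect Assign sent, shares={self.shares()}")

    def shares(self) -> Dict[str, Fraction]:
        """Fraction of redirected traffic each remaining member receives."""
        total = sum(self.weights[m] for m in self.members)
        if total == 0:
            return {m: Fraction(0) for m in sorted(self.members)}
        return {m: Fraction(self.weights[m], total) for m in sorted(self.members)}


def simulate() -> WccpServiceGroup:
    """Constructed timeline: three appliances, appliance A stops sending HIA
    after t=30s. Expected: query at 55s, removal at 60s, redirect assign at 75s."""
    group = WccpServiceGroup(hia_interval=10.0, weights={"A": 100, "B": 100, "C": 50})
    for t in range(0, 81, 5):               # router ticks every 5 s
        if t % 10 == 0:                     # HIA interval is 10 s
            for m in ("A", "B", "C"):
                if m == "A" and t > 30:
                    continue                # A's link is down: its HIAs never arrive
                group.here_i_am(m, t)
        group.advance(t)
    return group


if __name__ == "__main__":
    g = simulate()
    print("\n".join(g.log))
    print("remaining members:", sorted(g.members), "shares:", g.shares())
```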
Advanced Settings: Assignment and Return Methods
(Diagram: LAN service groups 53, 54 on the LAN side; WAN service groups 55, 56 on the WAN side; the appliance connects via mgmt0 / wan0.)

• Assignment Method
  o 'either' is fine, the appliance will negotiate
  o L2 is preferred and the Silver Peak should be on its own subnet
• Force L2 Return
  o L3 (GRE) return will be used if L3 is the negotiated forwarding method
  o This can cause CPU usage to spike in routers that don't have support for it in hardware because the traffic will be process switched
    • In this case check Force L2 Return
    • See your router doc
  o L2 return can cause a routing loop if the SP is on a subnet with end devices - passthrough traffic will black hole.
• Assignment Detail
  o If you need to do WAN-side redirection for some reason, set this to WAN-ingress for the WAN-side service groups if there are multiple appliances in a service group
  o This will help to reduce the chance of asymmetry
Monitoring WCCP on the Router
• show ip wccp summary
• show ip wccp xx
• show ip wccp interfaces detail

These commands show slightly more detail on the service groups:
• show ip wccp xx clients
• show ip wccp xx detail

Monitoring WCCP in Orchestrator
• Configuration > WCCP
• Look at the 'Oper Status' column. It should be ACTIVE or DESIGNATED.
• Use 'Refresh from appliance' to fetch the current status
Application Notes

• ip wccp check services all
  o IOS CLI command.
  o Needed with certain versions of IOS to cause it to try to match service groups beyond the lowest numbered one when multiples are configured
• Setting up a 3rd service group for ICMP can be useful to test the redirection path with pings
  o Without it, pings will not be redirected to the Silver Peaks
Review 7: WCCP

1. How does a router know whether a device in the WCCP farm is working?
2. What determines how the router distributes packets among the devices in the service group?
3. What happens when a device in a service group with multiple members goes down?
4. What does the router do if the only device in a service group goes down?
5. When would you need WAN-side redirection with WCCP?
6. When would L3 return negatively impact router operation and how?

Border Gateway Protocol
BGP

What is BGP?

• Stands for Border Gateway Protocol
• Like other routing protocols, is a protocol that allows routers to exchange reachability information for network addresses
• That information is used by routers to make forwarding decisions
• BGP is policy oriented, so a lot of the configuration is manual
  o Used extensively by Service Providers

(Diagram: two autonomous systems, AS-1 and AS-2, exchanging routes.)
Autonomous Systems

• BGP uses the concept of Autonomous Systems
• An Autonomous System is a collection of nodes under common administration
• In BGP each AS has a number
  o Public ASNs are assigned by an internet authority, you don't just pick one
• Primarily intended for connections between ASs.
  o Usually within an AS, another protocol like OSPF is used to optimize routing.

AS Number Ranges
  0: reserved
  1 – 64495: public AS numbers
  64496 – 64511: reserved to use in documentation
  64512 – 65534: private AS numbers
  65535: reserved
Note: Ranges were expanded in 2009 for 4 byte AS numbers (0 to 4294967296), which include the ranges above.

(Diagram: two autonomous systems, 65001 and 65002.)
BGP Sessions and Peers

• Neighbors are also called 'Peers'
• Based on individual sessions with each neighbor
  o Uses TCP as a transport protocol (port 179)
• May have multiple sessions simultaneously to multiple peers
  o Peers within an AS should be part of a full mesh
E-BGP Updates – Inter-AS Loop Prevention

• All routes have an attribute called AS-PATH
• When a route traverses an AS, the AS number is appended to the AS-PATH
• AS-3 knows not to send the route to AS-1 because AS-1 is already in the AS-PATH

(Diagram: AS-1 originates 10.0.0.0/8 and advertises it to AS-2 with AS-PATH "AS-1"; AS-2 advertises it to AS-3 with AS-PATH "AS-2 AS-1"; AS-3 does not advertise it back to AS-1.)
BGP & AS Path vs. Subnet Sharing
• Silver Peak DOES propagate the complete AS-PATH to BGP neighbors for prefixes learned via BGP.
• Starting in 8.1.6 Silver Peak DOES propagate the AS-PATH when it advertises a learned BGP prefix via subnet sharing to another Silver Peak, but the advertising Silver Peak's own AS# will not be in the subnet sharing info.

(Diagram: prefixes 1.1.1.0/24 (AS 65001) and 2.2.2.0/24 (AS 65002) are learned via BGP, subnet-shared through the tunnel to a Silver Peak in another AS, and re-advertised there with their AS-PATH but without the advertising Silver Peak's own AS number; the ASs shown are 65001 through 65004.)
What Prefixes Should Be Advertised?

• BGP Peers do not advertise all the routes they know about
• BGP only advertises the routes that are actually used by the local router
• This implies that all routes advertised are actually 'Best Choices' for the advertiser
• Peers exchange 'UPDATE' messages to tell each other about routes
  o Initial update is a full advertisement
  o Subsequent updates contain only changes/additions
iBGP vs eBGP

iBGP
• Neighbors in the same AS
• Routes learned from an iBGP peer are not advertised to other iBGP peers
• Routes learned from an iBGP peer can be advertised to eBGP peers

  Router 1 (int gi 3, 10.110.30.1)     Router 2 (int gi 2, 10.110.30.2)
  AS 65001                             AS 65001
  bgp router-id 1.1.1.1                bgp router-id 1.1.1.2
  neighbor 10.110.30.2                 neighbor 10.110.30.1

eBGP
• Neighbors in different ASs
• Routes learned from an eBGP peer can be advertised to iBGP peers or eBGP peers
• Advertised routes between eBGP peers have an appended AS-Path for loop prevention

  Router 1 (int gi 3, 10.110.30.1)     Router 2 (int gi 2, 10.110.30.2)
  AS 65002                             AS 65003
  bgp router-id 1.1.1.1                bgp router-id 1.1.1.2
  neighbor 10.110.30.2                 neighbor 10.110.30.1
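Added example (not from the slides): a minimal Python model of BGP export and import that applies the AS-PATH loop check from the loop-prevention slide and the iBGP/eBGP re-advertisement rules above. Router names, ASNs and the prefix are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]              # leftmost = AS that most recently sent it on
    learned_from: Optional[str] = None    # "ibgp", "ebgp", or None when locally originated


@dataclass
class Router:
    name: str
    asn: int
    rib: List[Route] = field(default_factory=list)

    def originate(self, prefix: str) -> None:
        self.rib.append(Route(prefix, ()))

    def session_type(self, peer: "Router") -> str:
        return "ibgp" if peer.asn == self.asn else "ebgp"

    def export_to(self, peer: "Router") -> List[Route]:
        """The UPDATE this router sends to `peer`, applying the slide's rules."""
        session = self.session_type(peer)
        update = []
        for r in self.rib:
            if session == "ibgp":
                if r.learned_from == "ibgp":
                    continue    # not re-advertised to iBGP peers (hence the full mesh)
                update.append(Route(r.prefix, r.as_path))   # AS-PATH unchanged inside the AS
            else:
                if peer.asn in r.as_path:
                    continue    # peer's AS already in AS-PATH: sending it back would loop
                update.append(Route(r.prefix, (self.asn,) + r.as_path))  # append own ASN
        return update

    def receive_from(self, peer: "Router", update: List[Route]) -> List[Route]:
        """Install routes from `peer`; a route carrying our own ASN is rejected."""
        session = self.session_type(peer)
        accepted = []
        for r in update:
            if self.asn in r.as_path:
                continue
            installed = Route(r.prefix, r.as_path, session)
            self.rib.append(installed)
            accepted.append(installed)
        return accepted


def build_topology() -> Dict[str, Router]:
    """Constructed topology: AS-1 -> AS-2 (two iBGP routers) -> AS-3, as on the
    loop-prevention slide, plus a third AS-2 router to show the iBGP rule."""
    r1, r2a, r2b, r2c, r3 = (Router("R1", 1), Router("R2a", 2), Router("R2b", 2),
                             Router("R2c", 2), Router("R3", 3))
    r1.originate("10.0.0.0/8")
    r2a.receive_from(r1, r1.export_to(r2a))      # eBGP: path becomes (1,)
    r2b.receive_from(r2a, r2a.export_to(r2b))    # iBGP: path still (1,)
    r2c.receive_from(r2b, r2b.export_to(r2c))    # nothing: iBGP-learned, not re-sent
    r3.receive_from(r2b, r2b.export_to(r3))      # eBGP: path becomes (2, 1)
    return {r.name: r for r in (r1, r2a, r2b, r2c, r3)}


if __name__ == "__main__":
    net = build_topology()
    for name, r in net.items():
        print(name, [(x.prefix, x.as_path, x.learned_from) for x in r.rib])
    print("R3 -> R1 update:", net["R3"].export_to(net["R1"]))   # empty: AS-1 already in path
```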
BGP Config
Two iBGP routers in AS 65001 (a private AS number in this case):

  Router 1 (int gi 2: 3.3.3.1, int gi 3: 10.110.30.1)   Router 2 (int gi 2: 10.110.30.2, int gi 3: 4.4.4.1)

  router bgp 65001                 router bgp 65001
   bgp router-id 1.1.1.1            bgp router-id 1.1.1.2
   neighbor 10.110.30.2             neighbor 10.110.30.1
   address family ipv4              address family ipv4
    network 3.3.3.0/24               network 4.4.4.0/24

Callouts:
• router bgp: the router's AS number (private in this case)
• Router ID: best practice is to configure one using a loopback address. This does not need to be routable.
• neighbor: specify the adjacent IP address of the Peer. Must be a routable address.
• Address-family: could be ipv4, ipv6 or both. You must specify one. Within an address family you must specify the networks to advertise to neighbors.
Silver Peak BGP Config 8.1.4+
Configure
• AS number
• Router ID
  o Use an interface IP
• Select Options
• Explicitly define neighbor IP addresses and AS #s

Monitor
• Use Refresh from Appliance for current status
• See Neighbor State Details for status
  o Established means the peer-to-peer session is up
BGP Peer Config 8.1.6+
• Peer Type governs what kinds of routes the appliance is allowed to advertise to this BGP peer. These routes are itemized as Route Export Policies. Currently, there are three peer types: Branch, Branch-transit, and PE (Provider Edge) Router. A branch-transit peer can reach another peer through a "back door" via routes shared through another protocol such as OSPF, ISIS, or BGP.

The peer types have these default Route Export Policies:
• Branch -- all route types are permitted
• Branch-transit -- all route types are permitted except Remote BGP branch-transit routes (type 7)
• PE Router -- only BGP branch and BGP branch-transit (types 1, 3, and 4) are permitted

Route Export Policies can be customized per Peer regardless of Peer Type.

(UI callouts: "Learn Routes from this Peer"; selecting a Peer Type checks the appropriate Route Export Policy boxes, which control which routes to advertise to this peer.)
BGP Peer Config 8.1.6+
• Local Preference
  o iBGP only
  o Can be advertised between peers within an AS
  o Routes from the iBGP peer with the highest Local Preference will be preferred
• MED (Multi-Exit Discriminator)
  o Applies only to eBGP
  o If two appliances in the same AS advertise the same prefix to another AS (with all other things equal), this can cause one appliance to be preferred over the other
  o Lower MED is preferred
  o Setting to '0' causes the default subnet metric to be used.
• AS Prepend Count
  o Can affect another device's route selection
  o Allows the advertising device to 'pad' the AS path count with the local AS number up to 10 times
  o Shortest AS Path is preferred, so prepending to the AS path would make a path less preferred.
BGP Peer Config 8.1.6+

• Keep Alive Timer
  o How often the appliance should send keepalive messages to, and expect them from, this peer
• Hold Timer
  o Reset each time a keepalive is received
  o If a keepalive is not received before the timer expires, the peer is marked down and all routes learned from that peer are discarded.
  o Usually set to 3x the Keepalive timer
• Notes:
  o These values can be negotiated when the session starts. The lower value should win and be used by both peers
  o Shorter values enable faster failure detection
  o Setting the timers too low can cause route flaps in a lossy network
Router Types in Silver Peak speak
Branch Router
(Diagram: Branch Routers peering via BGP with the Silver Peaks; AS 65001 / AS 65001 on one side, AS 65002 / AS 65003 on the other.)

• Router advertises only site-local routes to the Silver Peak
• Does not have BGP connections to peers across the network; local peers possible
• Could be iBGP or eBGP between branch router and Silver Peak
• Silver Peaks will by default advertise all route types to a Branch router, including those learned by subnet sharing
Router Types in Silver Peak speak
Branch Transit Router
(Diagram: Branch Transit Routers in AS 65001 and AS 65002 with BGP sessions toward AT&T MPLS and Comcast Internet PE Routers (AS 65088, AS 65099) and a remote site in AS 65004.)

• Router advertises local and external routes to the Silver Peak
• Has BGP (or other: OSPF etc.) connections to peers across the network, including sites with remote Silver Peaks, that could cause routing loops
• Should be eBGP between branch transit router and Silver Peak
• Silver Peaks can advertise routes learned via subnet sharing, except when they originated at the remote end via BGP
Router Types in Silver Peak speak
Provider Edge (PE) Router
(Diagram: Silver Peaks in AS 65001, AS 65002 and AS 65003 peer via BGP with Comcast Internet PE Routers (AS 65020, AS 65040) and AT&T MPLS PE Routers (AS 65030).)

• Router advertises external routes to the Silver Peaks, including routes to remote sites with which an appliance might bring up a tunnel
• Should be eBGP between PE router and Silver Peak
  o Silver Peak can advertise public routes from the local site to PE routers (not RFC 1918)
• Silver Peaks should NOT advertise routes learned via subnet sharing to PE routers via BGP
  o May cause loops and/or outages
• Routes learned via BGP from a PE router will not be subnet shared to other appliances
Subnet Table Example
BGP-sourced routes indicate the type of the advertising router they were learned from.
The limit on the number of learned BGP prefixes increased from 3800 (8.1.2) to 9500 (8.1.5+).
Silver Peak & Community Attribute
• The BGP community attribute is a numerical value that can be assigned to a specific prefix and advertised to other neighbors.
• Silver Peak uses the community values below to internally identify route types, e.g. 65001:102
• The community values are also advertised to BGP peers, allowing them to filter if desired

Route Type                                                                         | Value
Locally Added Subnet                                                               | <local AS#>:100
Remote EC Local route received via Subnet Sharing                                  | <local AS#>:101
Learned via local PE BGP neighbor                                                  | <local AS#>:102
Learned via local Branch BGP neighbor                                              | <local AS#>:103
Learned via local Branch Transit BGP neighbor                                      | <local AS#>:104
Remote EC Branch BGP neighbor learned routes received via Subnet Sharing           | <local AS#>:105
Remote EC Branch Transit BGP neighbor learned routes received via Subnet Sharing   | <local AS#>:106
Any other routes/unknown                                                           | <local AS#>:107 or <local AS#>:199
Silver Peak BGP Metrics in the Subnet Table
• If a route is learned from a neighbor with a MED value, that metric is used in the Silver Peak subnet table
• If no MED value is attached to the route, default metrics are used:
  o iBGP = 250
  o eBGP = 70
[Screenshot: subnet table entry learned from a Branch BGP neighbor, community value 103]

Router Route Selection if > 1 Route to a Prefix
A BGP router walks these steps in order and stops at the first one that leaves a single route ("No, or not resulting in a single route" moves on to the next step):
1. Largest BGP weight
2. Highest Local Preference
3. Locally originated path
4. Shortest AS path
5. Lowest ORIGIN code
6. Lowest MED
7. Learned via eBGP (preferred over iBGP)
8. Lowest IGP cost to the next hop
Tie breakers (apply only to BGP routers): lowest BGP router ID, shortest cluster list, lowest peering address.
Exactly one route is selected and installed in the forwarding table.
Silver Peak route selection, by contrast, is based on a subnet table lookup, not on this algorithm.
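The decision walk above, as an added example (not router or Silver Peak code): a Python comparator that applies the steps in order to constructed candidate routes for one prefix. Route attributes are plain dicts with assumed field names; one simplification is that MED is compared across all candidates (the behaviour of Cisco's 'bgp always-compare-med'), whereas a router by default compares MED only between routes from the same neighbouring AS.

```python
"""Added example, not router or Silver Peak code: a compact model of the BGP
best-path walk, run over constructed candidate routes for a single prefix."""
import ipaddress

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


def _addr(route, field):
    """Router IDs and peer addresses are compared numerically, not as strings."""
    return int(ipaddress.ip_address(route.get(field, "255.255.255.255")))


def selection_key(route):
    """Sort key in the order of the decision steps; the smallest tuple wins."""
    return (
        -route.get("weight", 0),                       # 1. largest weight (local to the router)
        -route.get("local_pref", 100),                 # 2. highest local preference
        0 if route.get("locally_originated") else 1,   # 3. locally originated path first
        len(route.get("as_path", ())),                 # 4. shortest AS path
        ORIGIN_RANK[route.get("origin", "igp")],       # 5. lowest origin code (igp < egp < incomplete)
        route.get("med", 0),                           # 6. lowest MED (compared across all candidates here)
        0 if route.get("source") == "ebgp" else 1,     # 7. eBGP-learned before iBGP-learned
        route.get("igp_cost", 0),                      # 8. lowest IGP cost to the next hop
        _addr(route, "router_id"),                     # tie: lowest BGP router ID
        len(route.get("cluster_list", ())),            # tie: shortest cluster list
        _addr(route, "peer_addr"),                     # tie: lowest peering address
    )


def best_path(routes):
    """Return the one route a router would install in its forwarding table."""
    if not routes:
        raise ValueError("no candidate routes")
    return min(routes, key=selection_key)


# Constructed candidates for one prefix, as a PE router might hold them.
CANDIDATES = [
    {"name": "ebgp-comcast", "source": "ebgp", "as_path": (65001, 65030), "med": 0,
     "router_id": "10.0.0.1", "peer_addr": "10.0.0.1"},
    {"name": "ebgp-att", "source": "ebgp", "as_path": (65002, 65030), "med": 50,
     "router_id": "10.0.0.2", "peer_addr": "10.0.0.2"},
    {"name": "ibgp-silverpeak", "source": "ibgp", "as_path": (65030,),
     "router_id": "10.0.0.3", "peer_addr": "10.0.0.3"},
]

if __name__ == "__main__":
    # The iBGP route wins: shortest AS path (step 4) is decided before eBGP-over-iBGP (step 7).
    print("winner:", best_path(CANDIDATES)["name"])
```

The point worth remembering from the constructed set: a shorter AS path on an iBGP-learned route beats an eBGP-learned route, because step 4 is evaluated before step 7. Only weight or local preference, set by the operator, override that.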

Session Startup – ‘A’ initiates

  A state        A sends      B sends      B state
  IDLE                                     IDLE
  CONNECT        SYN                       CONNECT (passive)
                              SYN/ACK
  ACTIVE         ACK
  OPENSENT       OPEN
                              OPEN         OPENSENT
  OPENCONFIRM    KEEPALIVE
                              KEEPALIVE    OPENCONFIRM
  ESTABLISHED                              ESTABLISHED
                 UPDATE       UPDATE

Once both sides are ESTABLISHED they are fully connected and exchange UPDATEs. Note that in RFC 4271 the ACTIVE state is the one a speaker enters when its TCP connection attempt fails and it falls back to listening and retrying; a speaker whose TCP connect succeeds goes from CONNECT straight to OPENSENT. A peer that sits in CONNECT or ACTIVE therefore usually has a TCP-level problem (reachability, an ACL, or the wrong peer address), not a BGP one.

Review 8: BGP

1. T/F - Silver Peak appliances support only iBGP.


2. Do Silver Peak appliances propagate AS-Path information via subnet sharing?
3. Which learned prefixes will a BGP router advertise to an iBGP peer?
4. Which learned prefixes will a BGP router advertise to an eBGP peer?
5. What are the three Silver Peak BGP Peer types and what is the difference between them?
6. What does the peer type selection affect on the Peer Configuration?
7. What does a MED setting of ‘0’ (zero) on the Peer Configuration cause to happen?
8. Which state indicates that a BGP peer has connected completely to an appliance and that the appliance can learn
and advertise routes to it?

Flow Redirection
Correcting Asymmetry

Review: TCP Acceleration Requires Symmetric Flows
[Diagram: the SYN crosses the WAN through both appliances; the SYN/ACK returns on a path that bypasses one appliance, creating asymmetry.]
Asymmetry: either or both appliances fail to see both sides of the conversation
• Packets are routed around one or both appliances
  -or-
• The flow might be PT/PTU (pass-through / pass-through unshaped) because of a misconfigured Route Policy or Optimization Policy

Asymmetric flows can’t be Network Accelerated, but we can still apply NM (Network Memory) and NI (Network Integrity)
Flow Redirection 1
• Corrects asymmetric flows
• Appliances are configured as peers in a cluster
  o A cluster can have up to 32 peers
  o Silver Peaks communicate over the configured cluster interface
    • mgmt1 (default, 1G interface), or a 10G port (tlan or twan) if additional bandwidth is needed
    • The cluster interfaces must be in the same subnet
    • The redirection interface must be in a separate subnet from the mgmt0 interface
[Diagram: two appliances connected mgmt1 to mgmt1 for Flow Redirection.]

Flow Redirection 4
• Clustered devices share flow information
  o The device that sees the first SYN owns the flow
  o Flow tables are shared between devices in the cluster
    • The Silver Peak Communication Protocol (SPCP, proprietary) is used to communicate
    • Flow tables are synchronized when a device joins an existing cluster
    • Updates are dynamic as new flows are established
• Packets are redirected to the flow owner over the cluster interface
  o Redirected flows appear only in the owning appliance’s Current Flows
• The Latency (wait time) setting determines how long to hold a TCP flow
  o A SYN/ACK for a new, unknown flow (no matching SYN) is held until a message from a cluster peer arrives with a matching flow entry; the flow is then redirected to that owner
  Or…
  o If the timer expires first, the flow is marked asymmetric (possibly by two SPs) and forwarded to its destination
[Diagram: a SYN/ACK arriving at the non-owning appliance without a matching SYN is redirected over mgmt1 to the owner, whose flow table holds the entry.]
Configuring Flow Redirection
• Choose the cluster interface
• Add peers to advertise to
  o Make sure they are reachable
  o Configure static routes if required
• Adjust the wait time if required
  o Depends on the latency in the environment
• Enable
• A peer status of OK means the peers have established a session
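The hold-and-redirect behaviour described on the Flow Redirection slides (the first SYN elects the owner, a SYN/ACK without a matching SYN is held until a peer update arrives, and the flow is marked asymmetric if the wait time runs out first), as an added example in Python. This is not Silver Peak code: SPCP is proprietary and is not modelled, a fixed sync delay stands in for cluster messaging, and the appliance names, addresses and packets are constructed. It is useful for seeing why the wait time must exceed the cluster's sync latency.

```python
"""Added example, not Silver Peak code: an event-driven model of the Flow
Redirection behaviour (first-SYN ownership, SYN/ACK hold, asymmetric on timer
expiry). SPCP is proprietary and not modelled: a fixed sync delay stands in for
cluster messaging. Names, addresses and packets are constructed; times are ms."""
import heapq
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")


def flow_key(pkt):
    """Direction-independent key so a SYN and its SYN/ACK map to one flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class Cluster:
    """Delivers flow-owner advertisements to the other members after sync_delay_ms."""

    def __init__(self, sync_delay_ms):
        self.sync_delay_ms, self.members = sync_delay_ms, []
        self._queue, self._seq = [], 0   # heap of (deliver_at, seq, receiver, owner, key)

    def advertise(self, owner, key, now):
        for peer in self.members:
            if peer is not owner:
                self._seq += 1
                heapq.heappush(self._queue, (now + self.sync_delay_ms, self._seq, peer, owner.name, key))

    def run_until(self, now):
        """Deliver due messages in time order, expiring hold timers as time advances."""
        while self._queue and self._queue[0][0] <= now:
            at, _, receiver, owner, key = heapq.heappop(self._queue)
            for peer in self.members:
                peer.expire_holds(at)
            receiver.on_peer_flow(owner, key, at)
        for peer in self.members:
            peer.expire_holds(now)


class Appliance:
    def __init__(self, name, cluster, hold_ms):
        self.name, self.cluster, self.hold_ms = name, cluster, hold_ms
        self.flows = {}     # key -> owner name, or "asymmetric"
        self.held = {}      # key -> (deadline, packet): SYN/ACKs waiting for a peer update
        self.events = []    # (time_ms, text)
        cluster.members.append(self)

    def receive(self, pkt, now):
        self.cluster.run_until(now)
        key = flow_key(pkt)
        owner = self.flows.get(key)
        if owner == self.name:
            self._log(now, f"{pkt.flags} handled locally (flow owner)")
        elif owner == "asymmetric":
            self._log(now, f"{pkt.flags} forwarded without TCP acceleration (asymmetric flow)")
        elif owner is not None:
            self._log(now, f"{pkt.flags} redirected to {owner} over the cluster interface")
        elif pkt.flags == "SYN":
            self.flows[key] = self.name              # first SYN seen here: this appliance owns the flow
            self.cluster.advertise(self, key, now)
            self._log(now, "SYN seen first: flow owned here and advertised to peers")
        elif pkt.flags == "SYN/ACK":
            self.held[key] = (now + self.hold_ms, pkt)
            self._log(now, f"SYN/ACK with no matching SYN: held up to {self.hold_ms} ms for a peer update")
        else:
            self._log(now, f"{pkt.flags} for unknown flow: forwarded as pass-through")

    def on_peer_flow(self, owner, key, now):
        if self.flows.get(key) == "asymmetric":
            return                                   # hold timer already expired for this flow
        self.flows[key] = owner
        if key in self.held:
            _, pkt = self.held.pop(key)
            self._log(now, f"peer update matched held {pkt.flags}: redirected to {owner}")

    def expire_holds(self, now):
        for key, (deadline, pkt) in list(self.held.items()):
            if now >= deadline:
                del self.held[key]
                self.flows[key] = "asymmetric"
                self._log(deadline, f"hold timer expired: {pkt.flags} marked asymmetric and forwarded")

    def _log(self, when, text):
        self.events.append((when, f"{self.name}: {text}"))


def simulate(sync_delay_ms, hold_ms, synack_at_ms):
    """SYN reaches appliance A at t=0 ms; the SYN/ACK reaches appliance B at synack_at_ms."""
    cluster = Cluster(sync_delay_ms)
    a, b = Appliance("VX-A", cluster, hold_ms), Appliance("VX-B", cluster, hold_ms)
    a.receive(Packet("10.110.33.10", 40000, "10.110.11.20", 443, "SYN"), 0)
    b.receive(Packet("10.110.11.20", 443, "10.110.33.10", 40000, "SYN/ACK"), synack_at_ms)
    cluster.run_until(synack_at_ms + hold_ms + sync_delay_ms)
    return sorted(a.events + b.events)


def outcome(events):
    """How the SYN/ACK ended up: 'redirected' to the owner, or 'asymmetric'."""
    text = " ".join(t for _, t in events)
    return "asymmetric" if "marked asymmetric" in text else ("redirected" if "redirected to" in text else "pending")


if __name__ == "__main__":
    for t, text in simulate(50, 10, 2):   # sync slower than the hold timer: asymmetric
        print(f"t={t:>3} ms  {text}")
```

Run simulate(5, 100, 2) and simulate(50, 10, 2) side by side: with the same packets, only the relation between the cluster sync delay and the configured wait time decides whether the flow is redirected or marked asymmetric, which is the "depends on latency in the environment" point on the configuration slide.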

Monitoring Flow Redirection
• Monitoring → Current Flows
  o Flows should not be asymmetric (filter for asymmetric flows). Reset stale flows if needed.
  o Redirected flows are displayed only on the owning appliance
• Configuration → Flow Redirection (peer status, see previous slide; OK = good)
• Monitoring → Flow Redirection
  o Realtime charting, updated every 2 sec

CAVEAT: REDUNDANT WCCP AND ASYMMETRY
• If there are multiple WCCP devices in a service group at a site
• Then… it’s possible that subnet sharing will direct the SYN to one WCCP device, while the SYN/ACK gets directed to another WCCP device by the router’s hash/mask configuration in WCCP
• Thereby creating an asymmetric flow
• Solution? Flow redirection
[Diagram: TG-01 at Site 1, behind VX-01, sends a SYN that goes in the tunnel to the Site 2 device with the best subnet metric (VX-02); the Site 2 CSR sends TG-03’s SYN/ACK to VX-03 based on the WCCP hash/mask assignment.]

Review 9: Asymmetry & Flow Redirection
1. What is a TCP proxy?
2. Why must a flow be symmetric in order to be TCP accelerated?
3. Can a flow traverse a Silver Peak at two sites connected via a tunnel and still be asymmetric?
Explain your answer.
4. T/F: With Flow Redirection the Silver Peaks tell the routers to redirect traffic to the correct appliance
5. What information do Flow Redirection cluster peers exchange in their control messages?
6. Do redirected packets traverse the same interfaces as the control messages in a cluster?
7. T/F: Flow redirection peers should be in different subnets for high availability reasons.
8. Which device is the owner of a TCP flow in a Flow Redirection cluster?
9. Which interfaces can be used for Flow Redirection?
10. Flow redirection might fail in a properly configured cluster if _______?
11. T/F: In Current Flows, redirected flows will be marked as such on the redirecting (non-owning) peer.
Lab 5 Overview
• Configure iBGP between the CSR routers at Site 2
• Configure eBGP between each of the appliances and the CSRs
• The CSRs will advertise local subnets to ECVs 2 & 3 via BGP. ECVs 2 & 3 will then advertise them to ECV-1 via subnet sharing
• ECV-1 will advertise its local subnets to ECVs 2 & 3 via subnet sharing, and they will advertise them to the CSRs via BGP
• Observe unintended network instability, identify the cause, and correct it
• Verify proper operation using CLI commands on the routers and various UI displays on the appliances
Lab 6 Overview
• Configure Flow Redirection between ECV-2 and ECV-3 to eliminate asymmetry

Lab 5: BGP (60 min)
Lab 6: Flow Redirection (20 min)

PBR and VRRP

Policy Based Routing (PBR) Review
• Routing policies / route maps determine where traffic is sent
• The router (or L3 switch) has an ACL to determine which routing policy is applied
• An IP SLA tells the router whether the SP is up or not
[Diagram: LAN, router with ACL/PBR, WAN; the appliance is attached via mgmt0 and the SLA detects an SP outage.]

Out-of-Path: Policy-Based Routing Review
[Diagram: apply PBR to the router’s LAN-facing interface; DO NOT apply redirection to the WAN-facing interface; the appliance sits in a separate subnet from the end devices.]
PBR relies on the router to send traffic to the SP via ACLs & route maps
• To install the appliance in this mode:
  1. Connect the wan0 or mgmt0 interface of the appliance to an available interface on the WAN router, depending on whether you have implemented router mode or server mode.
  2. Do NOT connect the LAN interface of a physical appliance
  3. The appliance should be on a separate subnet from the devices it is optimizing
  4. Configure PBR on the WAN router to redirect all traffic to be accelerated to the Silver Peak appliance IP address

Configuring PBR on a Cisco router

! Create an SLA that pings the appliance, and a tracker to verify reachability
ip sla 1
 icmp-echo 10.110.31.100
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Match LAN traffic (local 10.110.33.0/24 to remote 10.110.11.0/24)
access-list 101 permit ip 10.110.33.0 0.0.0.255 10.110.11.0 0.0.0.255
! Match WAN traffic (only needed if subnet sharing is disabled; not referenced by the route map below)
access-list 102 permit ip 10.110.11.0 0.0.0.255 10.110.33.0 0.0.0.255
!
! Route map uses the ACL, sets the next-hop IP and uses tracker 1;
! when track 1 is down the next-hop is skipped and the router forwards normally
route-map silverpeak permit 10
 match ip address 101
 set ip next-hop verify-availability 10.110.31.100 1 track 1
!
! Apply redirection to interface(s): LAN = yes, WAN = maybe
interface gigabitEthernet 3
 ip route-cache policy
 ip policy route-map silverpeak

Monitoring PBR (Cisco)
[Screenshots of router show output, with callouts:]
• Route-map counters increment if traffic is being matched (e.g. show route-map)
• A log message records when the tracked appliance went down (not part of the command output)
• The SLA display shows SLA status and the time it was last updated (e.g. show ip sla statistics)
• The track display shows track status and the time it was last updated (e.g. show track)
Virtual Router Redundancy Protocol (VRRP) Review
[Diagram: devices in the 10.10.10.0/24 subnet use default GW = 10.10.10.254. Router A (10.10.10.253) is MASTER and router B (10.10.10.252) is backup; both share the LAN vIP = 10.10.10.254 and vMAC = 00-00-5E-00-01-XX (XX = the VRRP group ID in hex) toward the WAN. If A fails (X), B takes over the vIP/vMAC.]

Out-of-Path: VRRP – One Silver Peak
[Diagram: devices in the 10.10.10.0 subnet use default GW = 10.10.10.254 (vIP, vMAC 00-00-5E-00-01-XX). The Silver Peak (10.10.10.252, priority 255, preempt = YES) is MASTER; the router (10.10.10.251, priority 100) is the backup VRRP peer. If the Silver Peak fails (X), the router becomes master; when the Silver Peak returns, preempt lets it take the vIP back so traffic is optimized again.]

Out-of-Path: VRRP – Redundant Appliances
[Diagram: devices in 10.10.10.0/24 use default GW = 10.10.10.254 (vIP, vMAC 00-00-5E-00-01-XX). Two Silver Peaks (one at 10.10.10.253) share the vIP toward the WAN; preempt = NO, so a recovered appliance does not take the vIP back from the current master (X marks the failed one).]

Out-of-Path: VRRP – Hybrid Approach, Redundant Appliances
[Diagram: end devices in 10.10.11.0/24 use default GW = 10.10.11.254 (the router’s LAN interface). PBR on the router redirects traffic to the appliances’ VRRP vIP 10.10.10.254; the appliances sit on 10.10.10.0/24 (router side 10.10.10.1).]
• End devices and the VRRP vIP are in different subnets

Configuring Appliance VRRP from Orchestrator
• Configuration → VRRP, click the edit icon
• Required:
  o Group ID
  o Interface
  o VIP
• Optional but important

Monitoring VRRP in the Orchestrator
• Configuration → VRRP
  o Refresh from appliance fetches the current status
  o Uptime tells you when the state last changed; if it keeps resetting, this may indicate flapping/problems
  o State: Master is the appliance processing traffic for the group

Review 10: PBR & VRRP

1. With PBR, what device is responsible for traffic redirection?


2. With PBR, how would a router know if a Silver Peak was operational?
3. Where should you never apply PBR redirection? Why?
4. What IP should the end devices use as a next-hop when doing VRRP in a simple deployment?
5. If you are doing VRRP with a single Silver Peak and a router as a peer, what two things should
you configure to ensure traffic is optimized when the Silver Peak is up?
6. With VRRP, is it a requirement that the virtual IP address be the default next-hop for all end
devices when there are redundant Silver Peaks?
7. Will VRRP peers load balance the traffic?

Lab 7 Overview

• Remove eBGP from the appliances


• Configure VRRP on SPs.
o Each appliance will belong to VRRP group 1
o ECV-2 will be master (higher priority)

• Configure PBR on router interfaces to direct traffic to a VRRP VIP address shared by redundant
SPs which use Flow Redirection.
• Verify Traffic flow
• Simulate a network outage and observe automatic network reconvergence
• Verify proper operation using CLI commands on the routers and various UI displays on the
appliances

See next slide for details on VRRP group and how traffic will be redirected by PBR

Lab 7 Overview: PBR/VRRP Lab Config



Lab 7: PBR, VRRP (60 min)

High availability
Sharing WAN connections resiliently between two appliances



EdgeConnect edge high availability
[Diagram: EC1 and EC2 form an HA cluster joined by an HA interconnect; each has a link to MPLS (EC1-MPLS, EC2-MPLS) and to the Internet (EC1-Internet, EC2-Internet).]
• Maintain active/active WAN link usage in a redundant HA design
• No extra IP addresses or ports needed on the WAN
• Automated and easy setup through Orchestrator



EdgeConnect high availability – CE router replacement
[Diagram: EC1 and EC2 with WAN0 to MPLS and WAN1 to the Internet, the HA interconnect between them, and LAN0 on each toward the LAN, where VRRP provides the gateway.]
• CE router replacement
• Single IP needed per WAN link
• Resilient for port or appliance failures



EdgeConnect HA with BGP
[Diagram: as above, but LAN0 on each appliance peers BGP with a Layer 3 switch; EC1 is the primary BGP neighbor and EC2 the secondary.]
• Active/active design
• BGP neighbor primary on EC1 / backup on EC2
• CE router replacement
• Single IP needed per WAN link
• Resilient for port or appliance failures



USE IPSEC_UDP TUNNELS
Under Orchestrator → Overlay Manager → Settings
• Change Mode to ipsec_udp for all WAN labels (the default for a fresh install of 8.2.0+)
• In this example you would need to make 3 settings, one for each label (the setting is not global)
• If migrating Orchestrator from 8.1 and below, you need to enable the option shown before the settings become visible
• ipsec_udp mode (a.k.a. ‘ikeless’) is also a solution for establishing IPsec tunnels in environments where upstream NAT is breaking IPsec negotiation: there is no IKE exchange on the wire for the NAT to interfere with, since key material is handled out of band through Orchestrator



CONFIGURING HA
Must be done from the Orchestrator Deployments tab!
• Enable HA Mode
• Choose the HA Peer
• Site names should be the same on both appliances



Configuring HA
Uses VLANs! With VMware port group connections, the port group must allow VLAN ID = All
[Diagram: the two appliances with their Internet and MPLS links; LAN-side routes may be needed for breakout.]
• Select the HA Interconnect link (the mgmt interface can’t be used)
• Select the HA Peer device…
• Done!



LOCAL BREAKOUT OF TRAFFIC ARRIVING IN OVERLAY
• Need a default LAN-side route on BOTH devices that points to the desired next-hop
• Can be a different next-hop & default for each appliance
• The default next-hop alone is not enough



Config on appliance after HA
• HA & WAN interfaces are not editable on the appliance; they must be configured from Orchestrator
• HA shows up as dynamic interfaces, with VLANs & IPs assigned by Orchestrator



LOCAL BREAKOUT OF BACKHAULED TRAFFIC W/ HA
• Internet breakout traffic must enter the appliance on the LAN side
• Traffic arriving in a tunnel from the WAN must be sent to the LAN first
• Requires a route on the LAN side to a local router which points back to the appliances
• If you are using VRRP, the LAN-side router will point to the VIP and the path will depend on which appliance is master
[Diagram: HA pair (HA link) with MPLS and Internet links and a LAN-side router pointing to the VRRP VIP; one appliance’s Internet link is down (X). Uses external hairpin Internet breakout.]

Review 11: High Availability
[Diagram: appliances B and C form an HA pair (HA link) with MPLS and Internet connections and a VRRP VIP on the LAN; device A sits behind them.]
1. T/F – Local Internet breakout is not supported with H/A.
2. T/F – Flow Redirection is not supported with H/A.
3. If appliance B were to lose its connection to the Internet, could it route traffic to appliance C via MPLS?
4. Click (animation) – If appliance C were to lose its connection to the Internet, could it still connect users to Office 365 via the one on device B (assuming its Internet connection is up)? If so, how?

LAB 8: HA - OVERVIEW
• Disable BGP peering between the CSRs
  • Routers from different ISPs would be unlikely to be peered
• Disable Flow Redirection (not compatible with H/A)
• Enable All VLANs for the vSwitch in VMware
  • The H/A connection between EdgeConnects uses multiple VLANs
• Remove unneeded WAN interfaces from the appliances
  • Remember, with H/A appliances can share their H/A peer’s WAN connection
• Enable H/A
• Show that traffic between TG-35-11 and UBU-1 is:
  • Routed to the VRRP VIP via PBR
  • Sent to the Internet via local breakout from the DefaultOverlay
• Observe how SNAT is applied in two places

Lab 8: High Availability (HA): Linking two Silver Peaks (60 min)

QoS Review

Review: QoS Policies
• Determine which traffic class a packet matching the Match Criteria is placed in
• Work together with the Shaper configuration to manage the prioritization of traffic
• Set Actions:
  o Traffic Class
  o LAN QoS (sets the DSCP marking of the payload packet header)
  o WAN QoS (sets the DSCP marking of the tunnel packet header)
  o Note: the default LAN QoS / WAN QoS policy is ‘trust lan’, i.e. DSCP markings are kept as the packet came in from the LAN
• A comment identifies policies built by BIOs
  o BIO-built policies are not user editable
[Screenshot: policy table with Traffic Class and DSCP Marking columns (LAN = payload, WAN = tunnel header).]

High Level Data Flow: Tunnelized Traffic
• Remember the 3 policy types: Route, QoS, Optimization
• The QoS Policy determines which traffic class a packet goes to; the Shaper config determines the behavior of a traffic class

Deployment Profile
• Total Inbound and Total Outbound determine the system bandwidth to be used by QoS

Shaper Configuration Details (appliance)
(Max BW = Total Outbound, set in the Deployment Profile)
• Priority: determines the order in which to allocate each class’s minimum bandwidth; 1 is first, 10 is last.
• Min Bandwidth: percentage of bandwidth guaranteed to each traffic class, allocated by priority.
• Excess Weighting: if there is bandwidth left over after satisfying the minimum bandwidth percentages, the excess is distributed among the traffic classes in proportion to the weightings specified in the Excess Weighting column. Values range from 1 to 10,000.
• Max Bandwidth: you can limit the maximum bandwidth a traffic class uses by specifying a percentage in the Max Bandwidth column.
• Max Wait Time: any packets waiting longer than the specified Max Wait Time are dropped.
• Rate Limit: per-flow limiting within a class; requires 8.1.5+ (see next slide)

QoS in 8.1.10+ Orchestrator, 8.1.5+ Appliance
• 5 predefined traffic classes
  o The first 3 are used by the default BIOs in Orchestrator
  o Note that the default Priority of classes 1-5 is equal (1)
• Min BW = 0 for all TCs
• Excess weighting is used to allocate BW
• There is a new shaper parameter called Rate Limit that is configurable per traffic class
  o Max BW still limits overall throughput for the traffic class
  o Rate Limit limits throughput per flow in the traffic class (to keep big flows from hogging all the BW in the class)
  o A Rate Limit of 0 means no per-flow rate limiting
These settings are from a fresh install of Orchestrator. If you upgrade from a previous version, the previous defaults for class name, priority, etc. will be inherited from the previous version.
Sum of Traffic Class MIN BWs shouldn’t Exceed Max WAN BW
[Diagram: the QoS policy feeds four traffic classes:]
  Traffic Class 1 - Priority 5, Minimum BW 34%
  Traffic Class 2 - Priority 1, Minimum BW 33%
  Traffic Class 3 - Priority 2, Minimum BW 33%
  Traffic Class 4 - Priority 8, Minimum BW 33%  ?
The minimums of TCs 1-3 already add up to 100%, so the only way TC 4 will get BW is if the other TCs don’t have enough traffic to fill their Min BWs

Traffic Class Minimums Must be Set Carefully
• Two sites with 10 Mbps tunnels (Max WAN BW = 10000)
  o TC mins are all set to 1 Mbps
  o Weights control the excess
• Now we add a new smaller site with a 1 Mbps link
  o Any single TC min could fill the 1 Mbps tunnel, starving out other traffic
[Diagram: two sites connected by a 10 Mbps WAN, and a third site added with a 1 Mbps link.]

Effect of Weights
[Diagram: Traffic Class 1 weight 50, Traffic Class 2 weight 30, Traffic Class 3 weight 20, sharing the Max WAN BW.]
• If Min BWs have not been met, Weight is not used
• If Min BWs have been met, Weight is used and Priority no longer affects BW allocation
• When Min BWs are met for all traffic classes, if system BW remains, Weights are used to allocate BW until Max WAN BW is reached.
• e.g. above, the sum of the weights = 100, so TC 1 gets 50/100 (50%) of the excess
• BW is allocated according to the ratio of the weights for all traffic classes with traffic queued. Empty TCs are ignored.

Using Weights to Proportionately Balance Traffic in Tunnels
Hint: if weights total 100, you can think of them as a percentage of BW
[Diagram: Traffic Class 1 Min BW=0, Weight 50; Traffic Class 2 Min BW=0, Weight 30; Traffic Class 3 Min BW=0, Weight 20.]
• If all traffic class minimums are set to 0, then the weights control the traffic proportions in the tunnels
• The relative sizes of the weights for each class then control the proportion of system BW, and therefore tunnel BW, each class receives.
• Remember, BW is allocated according to the ratio of the weights for all traffic classes with traffic queued. Empty TCs are ignored, so the proportion will vary with the traffic mix
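The shaper behaviour described across the slides above (minimums handed out by Priority, the leftover split by Excess Weighting among classes with traffic queued, Max Bandwidth caps, and what happens when the minimums oversubscribe the link) as an added example in Python. This is a model written for this page, not Silver Peak's shaper; the class tables and demands are constructed, and Max Wait Time and the per-flow Rate Limit are not modelled.

```python
"""Added example, not Silver Peak code: a model of how the shaper parameters
divide the Max WAN BW among traffic classes. Phase 1 hands out each class's Min
Bandwidth in Priority order; phase 2 spreads what is left by Excess Weighting
among classes that still have traffic queued, capped by Max Bandwidth and by
demand. The class tables and demands below are constructed."""

EPS = 1e-9


def allocate(total_bw, classes, demand):
    """Return {class name: bandwidth} for one shaping interval.

    classes: dicts with name, priority (1 first), min_pct, weight, max_pct (optional)
    demand:  {class name: bandwidth the class has queued}; classes with no
             demand are ignored, as on the slide.
    """
    alloc = {c["name"]: 0.0 for c in classes}
    cap = {c["name"]: min(demand.get(c["name"], 0.0), total_bw * c.get("max_pct", 100) / 100)
           for c in classes}
    remaining = total_bw

    # Phase 1: guaranteed minimums, highest priority (lowest number) first.
    for c in sorted(classes, key=lambda c: c["priority"]):
        n = c["name"]
        give = min(total_bw * c["min_pct"] / 100, cap[n], remaining)
        alloc[n] += give
        remaining -= give

    # Phase 2: excess by weight; loop because a class may hit its cap early,
    # after which its unused share is re-spread over the remaining classes.
    while remaining > EPS:
        eligible = [c for c in classes if cap[c["name"]] - alloc[c["name"]] > EPS]
        if not eligible:
            break
        weight_sum = sum(c["weight"] for c in eligible)
        pool = remaining
        for c in eligible:
            n = c["name"]
            give = min(pool * c["weight"] / weight_sum, cap[n] - alloc[n])
            alloc[n] += give
            remaining -= give
    return alloc


# Scenario from the "Sum of MIN BWs" slide: the minimums of TC1-3 already total 100%.
OVERSUBSCRIBED = [
    {"name": "TC1", "priority": 5, "min_pct": 34, "weight": 1},
    {"name": "TC2", "priority": 1, "min_pct": 33, "weight": 1},
    {"name": "TC3", "priority": 2, "min_pct": 33, "weight": 1},
    {"name": "TC4", "priority": 8, "min_pct": 33, "weight": 1},
]

# Scenario from the weights slides: all minimums 0, weights 50/30/20.
WEIGHTED = [
    {"name": "TC1", "priority": 1, "min_pct": 0, "weight": 50},
    {"name": "TC2", "priority": 1, "min_pct": 0, "weight": 30},
    {"name": "TC3", "priority": 1, "min_pct": 0, "weight": 20},
]

if __name__ == "__main__":
    full = {n: 100 for n in ("TC1", "TC2", "TC3", "TC4")}
    print(allocate(100, OVERSUBSCRIBED, full))                 # TC4 gets nothing
    print(allocate(100, OVERSUBSCRIBED, dict(full, TC1=10)))   # TC4 only gets what TC1 leaves
    print(allocate(100, WEIGHTED, full))                        # 50 / 30 / 20
    print(allocate(100, WEIGHTED, {"TC1": 100, "TC2": 100}))    # empty TC3 ignored: 62.5 / 37.5
```

The oversubscribed table is the case to watch for in a review: nothing in the UI stops the minimums from summing past 100%, and the lowest-priority class is silently starved until a higher-priority class happens to run out of traffic.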
Conceptual Data Flow – Multiple Traffic Types
[Diagram: LAN → Route, QoS and Optimization policies → per-traffic-type processing → encapsulation → tunnels → shaper → output I/F]
• Accel/OPT (NA, TCP/CIFS): TCP proxy etc., then encapsulation with NM (compression) and NI (FEC etc.) into Tunnel 1
• OPT (UDP/other): NM and NI encapsulation into Tunnel 2, Tunnel …
• Pass Through, Shaped: goes through the shaper; packets waiting longer than Max Wait Time are dropped
• Pass Through, Unshaped: bypasses the shaper straight to the output I/F

Multiple Shapers
• In 7.0+ you can add a shaper for each interface if needed, or use the default global shaper
  o An interface shaper will override the settings in the default shaper for that interface.
  o If there is no interface shaper configured on an interface, the settings for the default shaper will be used
• System Max WAN BW is applied to all shapers

QoS Map Activation Scheduling
• Allows you to change QoS settings on a scheduled basis
• Adjust for changes in usage, e.g.: Peak hours, nightly backups, weekends etc.

DSCP examples (screenshot slides, LAN QoS / WAN QoS): Trust / Trust; ef / Trust; Trust / cs5
Review 12: QoS & DSCP

1. Configuring _____________ defines what traffic class a packet will be placed in


2. Configuring _____________ defines the behavior of individual traffic classes
3. How many traffic classes can you define on an appliance with one WAN interface?
4. What is the default traffic class?
5. In order to avoid starving any traffic class, the sum of _____________ shouldn’t exceed
_____________?
6. When is traffic class Excess Weighting used?
7. What can cause a packet to be dropped even though there is available bandwidth for all traffic
classes and Max WAN bandwidth hasn’t been exceeded?
8. What must you do so that the excess weighting controls the ratio of traffic between the classes
in all tunnels equally?
9. What is the default action Silver Peak takes to honor existing DSCP markings?

Review

Review 1: Flow Handling and Path Selection Order
1. T/F – When traffic is routed by Business Intent Overlays to a site with multiple available paths, all
packets in a flow will always be placed in the same tunnel.
2. When a manual route policy is used to choose a path for certain traffic to a destination reachable via
multiple underlay tunnels, can packets for individual flows be distributed across all the available paths
to the destination?
3. T/F – In a subnet table, all else being equal, the route with the lowest metric is preferred.
4. Will the packet to 10.110.30.5 be sent to appliance A or B?
10.110.0.0/16 Metric 40 Learned from A
10.110.30.0/24 Metric 50 Learned from B
5. Will the packet to 10.110.30.5 be sent to appliance A or the local interface?
10.110.30.0/24 Metric 40 Learned from A
10.110.30.0/24 Metric 50 Auto – (added by system)
6. T/F - If a Route Policy destination of auto optimize is matched, the appliance will ignore subnet table
entries.
7. T/F – You should always use classical auto opt instead of subnet sharing if possible.
Review 2: Security Features

1. T/F – If an interface leading to the internet is hardened, local traffic will need to be backhauled to
a data center through a tunnel to connect to Google.
2. T/F – No traffic of any kind is allowed into a hardened interface outside of an IPsec tunnel.
3. Could an interface connected to the Internet and configured to be a Stateful Firewall, allow local
access to SalesForce.com?
4. T/F – All the appliances in a network can simultaneously change to a new IPsec encryption key
on a predetermined schedule.
5. Are ipsec_udp tunnels the only type available in Orchestrator 8.2.0 and above?
6. Is it possible to limit the address spaces from which logins to Orchestrator are allowed?

Review 3: Deployment Notes
1. T/F - Dynamic Rate Control may cause an appliance to limit its transmission speed to a receiving appliance.
2. What two things are required for an appliance to act as a hub that can relay traffic between two spoke sites?
3. Can a packet that enters a local WAN facing port outside of a tunnel be placed into a tunnel? If so, how?
4. T/F – Appliances cannot advertise default routes (0.0.0.0/0). This requires an external router.
5. You have two WAN facing interfaces: wan0 goes to an MPLS network, and wan1 goes to the Internet. By default,
can passthrough traffic be forwarded from lan0 to the Internet when the destination subnet is unknown?
6. T/F – The Peer Unavailable (overlay down) action is triggered only when all underlay tunnels to all destinations
are down.
7. You have two LAN interfaces and two WAN interfaces. A packet arrives at wan0 destined to a local destination
(no tunnelization needed) reachable via wan1. Which mode does the Silver Peak need to be in to forward the
packet to the correct interface? Bridge Mode or Router Mode?

[Diagram: appliance with lan0 and lan1 on the LAN side and wan0 and wan1 toward the WAN.]
Review 4: Internet Breakout and Traffic Classification
1. T/F – An EdgeConnect can snoop DNS lookups and cache the results for domain based
packet classification.
2. T/F – As part of its 1st packet classification strategy, Silver Peak appliances maintain a cache
of millions of domains and addresses that is dynamically updated.
3. What is the difference between the
Policy Orders shown?

4. T/F – It is necessary to manually configure at least two Internet passthrough tunnels to load
balance breakout traffic?



Review 5: IP SLA
1. Can an IP SLA cause subnet sharing to stop if an interface goes down?
2. T/F – In an IP SLA ping address list with 3 destinations, if any one of the destinations
becomes unreachable the IP SLA will be marked DOWN, and the Down Action will be
performed.
3. T/F – It’s possible to configure an IP SLA to monitor reachability of a critical server via Ping,
and raise or clear an alarm, without taking any other action on the appliance.



Review 6: Networking / Troubleshooting
Features and Enhancements
1. T/F – Silver Peak supports outbound Port Address Translation.
2. T/F – Silver Peak allows you to configure different NAT policies for different kinds of traffic
3. When might you have to configure different addresses for an appliance to use when connecting
to Orchestrator?
4. What can show you a color coded view of a tunnel exceeding, or conforming to a configured
threshold for loss, latency or jitter over time, and where is it found?
5. What can show you a hop-by-hop latency for a tunnel to a destination appliance?
6. What allows you to issue a text command to multiple appliances simultaneously?
7. T/F - Threshold Crossing Alerts (TCAs) can be raised when a monitored value falls below a
defined threshold.

Review 7: WCCP

1. How does a router know whether a device in the WCCP farm is working?
2. What determines how the router distributes packets among the devices in the service group?
3. What happens when a device in a service group with multiple members goes down?
4. What does the router do if the only device in a service group goes down?
5. When would you need WAN-side redirection with WCCP?
6. When would L3 return negatively impact router operation and how?

Review 8: BGP

1. T/F - Silver Peak appliances support only iBGP.


2. Do Silver Peak appliances propagate AS-Path information via subnet sharing?
3. Which learned prefixes will a BGP router advertise to an iBGP peer?
4. Which learned prefixes will a BGP router advertise to an eBGP peer?
5. What are the three Silver Peak BGP Peer types and what is the difference between them?
6. What does the peer type selection affect on the Peer Configuration?
7. What does a MED setting of ‘0’ (zero) on the Peer Configuration cause to happen?
8. Which state indicates that a BGP peer has connected completely and an appliance and can learn
and advertise routes to it?

195 Confidential | © 2017 Silver Peak Systems, Inc. All Rights Reserved.
Review 9: Asymmetry & Flow Redirection
1. What is a TCP proxy?
2. Why must a flow be symmetric in order to be TCP accelerated?
3. Can a flow traverse a Silver Peak at two sites connected via a tunnel and still be asymmetric?
Explain your answer.
4. T/F: With Flow Redirection the Silver Peaks tell the routers to redirect traffic to the correct appliance
5. What information do Flow Redirection cluster peers exchange in their control messages?
6. Do redirected packets traverse the same interfaces as the control messages in a cluster?
7. T/F: Flow redirection peers should be in different subnets for high availability reasons.
8. Which device is the owner of a TCP flow in a Flow Redirection cluster?
9. Which interfaces can be used for Flow Redirection?
10. Flow redirection might fail in a properly configured cluster if _______?
11. T/F: In Current Flows, redirected flows will be marked as such on the redirecting (non-owning) peer.
Review 10: PBR & VRRP

1. With PBR, what device is responsible for traffic redirection?
2. With PBR, how would a router know if a Silver Peak was operational?
3. Where should you never apply PBR redirection? Why?
4. What IP should the end devices use as a next-hop when doing VRRP in a simple deployment?
5. If you are doing VRRP with a single Silver Peak and a router as a peer, what two things should
you configure to ensure traffic is optimized when the Silver Peak is up?
6. With VRRP, is it a requirement that the virtual IP address be the default next-hop for all end
devices when there are redundant Silver Peaks?
7. Will VRRP peers load balance the traffic?

Review 11: High Availability

[Diagram: appliances A and B (VRRP VIP, HA Link) and appliance C, each with Internet and MPLS connections; an X marks a failed link]

1. T/F – Local Internet breakout is not supported with H/A.
2. T/F – Flow Redirection is not supported with H/A.
3. If appliance B were to lose its connection to the internet, could it route traffic to appliance C via MPLS?
4. Click (animation) – If appliance C were to lose its connection to the Internet, could it still connect users to
Office 365 via the one on device B (assuming its Internet connection is up)? If so, how?

Review 12: QoS & DSCP

1. Configuring _____________ defines what traffic class a packet will be placed in
2. Configuring _____________ defines the behavior of individual traffic classes
3. How many traffic classes can you define on an appliance with one WAN interface?
4. What is the default traffic class?
5. In order to avoid starving any traffic class, the sum of _____________ shouldn’t exceed
_____________?
6. When is traffic class Excess Weighting used?
7. What can cause a packet to be dropped even though there is available bandwidth for all traffic
classes and Max WAN bandwidth hasn’t been exceeded?
8. What must you do to enable excess weighting to control the ratio of traffic between the classes
in all tunnels equally?
9. What is the default action Silver Peak takes to honor existing DSCP markings?

Silver Peak SDWAN eXpert (SPSX)
Certification Exam

SPSX Certification Exam

1. You must answer and submit all questions before submitting the test for grading.
2. You must submit the test before time expires or you will score ‘0’ and fail.
3. You should submit the test a couple of minutes before the indicated time expires (the timer in the
browser doesn’t seem to always run at the same speed as the learning management system
clock). SPSX allows 60 minutes.
4. If at any point your browser seems to hang and you see a horizontal red bar across the screen,
close your browser (not just the tab), reopen it, and log back in. Any answers you had previously
submitted will be saved and you can resume the test. The timer continues to run.
5. A passing score is 70%. If you fail and desire another attempt, you may retake the exam at any
time.

Check your email for your test registration


SPSX Certification Exam

1. Go to https://training.silver-peak.com
2. Login using your userid/pw (it should have been in your registration email)
3. Click on ‘My Courses’
4. Click on ‘Stand Alone Exams’
5. Access the test.
6. Tell your instructor immediately if you have any problems accessing the test.

Hint: a pencil and paper might be handy to allow you to sketch out diagrams to help think through the answers

Thank You!
