SilverPeak Assessment of 4 Large Sites with Cisco + Palo Alto

Certification: Wingspan Assessments is a division of Fireowls Corp., an Authorized Deployment Partner of Silver Peak Systems. This was an actual assessment performed by a certified SPSX (Silver Peak Expert), Palo Alto expert, and CCIE.

Objective

This effort assesses the current Silver Peak network at Exponix, with the goal of enabling it to carry different types of traffic over public Internet and private transport using the Silver Peak infrastructure, with the Silver Peak appliances in active/standby and leveraging OSPF routing.

1. General Considerations

1.1 Upgrade

In order to leverage the latest features and provide fixes to the appliances, a software upgrade is recommended. This is suggested as the first step of the deployment phase.

• GA-WAN-A
• MI-WAN-A

1.2 Deployment Mode

In order to take full advantage of the Silver Peak features, it is recommended to deploy all the appliances using inline router mode (ILRM). This will allow a tighter integration to the existing network.

1.3 WAN Interfaces and Labels

The current setup includes two WAN links per active appliance. Dallas and Denver have two Internet circuits, whereas Seattle and San Diego have one Internet connection and a point-to-point link connecting them.

Optionally, there is an opportunity to augment the redundancy and capacity at those sites with one Internet connection each at Seattle and San Diego. Enabling the LAN1 interface as a WAN connection will provide the mentioned extra level of redundancy.

For every WAN interface on the Silver Peak appliances, a label is required in order to establish a relationship with the Overlays. The labels currently configured are properly in place. If it is decided to add an extra interface, an extra label would be required. The label distribution is as follows:

• San Diego. TU_GA_PTP, Internet_1, Internet_2 (optional).
• Seattle. TO_GA_PTP, Internet_1, Internet_2 (optional).
• Dallas. Internet_1, Internet_2.
• Denver. Internet_1, Internet_2.

Finally, it is recommended to create a cross-connect between the two Internet interfaces on each appliance.
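
Because each overlay binds to WAN interfaces by label, a label referenced in an overlay but not configured at a site has no interface to bind to there. The check below is an added example (not part of the original assessment) that compares the per-site labels above with the WAN Links settings listed for each overlay in section 1.4, using the names exactly as written in this document; the function names are illustrative.

```python
# Added example: cross-check overlay WAN-link labels against per-site labels.
# Values are transcribed exactly as written in this document. Assumption:
# the optional Internet_2 interface at San Diego and Seattle is deployed.
SITE_LABELS = {
    "San Diego": {"TU_GA_PTP", "Internet_1", "Internet_2"},
    "Seattle": {"TO_GA_PTP", "Internet_1", "Internet_2"},
    "Dallas": {"Internet_1", "Internet_2"},
    "Denver": {"Internet_1", "Internet_2"},
}
OVERLAY_LINKS = {  # overlay -> (primary labels, backup labels), section 1.4
    "Real-time": (["Internet_1"], ["Internet_2", "SU_FL_PTP"]),
    "Interactive": (["Internet_1", "Internet_2", "SU_FL_PTP"], []),
    "Data replication": (["SU_FL_PTP"], ["Internet_1", "Internet_2"]),
    "Default": (["Internet_1", "Internet_2", "SU_FL_PTP"], []),
}

def resolve(overlay, site):
    """Return the overlay's (primary, backup) labels that exist at the site."""
    have = SITE_LABELS[site]
    primary, backup = OVERLAY_LINKS[overlay]
    return [l for l in primary if l in have], [l for l in backup if l in have]

def audit():
    """Return (site, overlay, problem) for every label that does not resolve."""
    findings = []
    for site, have in SITE_LABELS.items():
        for overlay, (primary, backup) in OVERLAY_LINKS.items():
            missing = sorted(set(primary + backup) - have)
            if not resolve(overlay, site)[0]:
                findings.append((site, overlay, "no primary label resolves"))
            elif missing:
                findings.append((site, overlay, "unresolved: " + ", ".join(missing)))
    return findings

def unused_labels():
    """Return site -> labels configured there that no overlay references."""
    used = {l for p, b in OVERLAY_LINKS.values() for l in p + b}
    return {s: sorted(h - used) for s, h in SITE_LABELS.items() if h - used}

if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep=" | ")
    print("unused:", unused_labels())
```

Run against the values in this document, it reports SU_FL_PTP as unresolved at every site and TU_GA_PTP and TO_GA_PTP as referenced by no overlay, so the point-to-point label naming is worth reconciling before deployment.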

© 2020 www.WingspanAssessments.com by Fireowls Corp. [email protected]

1.4 Business Intent Overlays

To classify traffic and apply different policies according to traffic type, new overlay templates are recommended. The order of the overlays in the Orchestrator (top to bottom) determines the order in which traffic is matched. The new overlays to be created and deployed to the appliances at all locations are:

1.4.1 Real-time Overlay

This overlay mainly handles voice and video traffic flows.

o Type of traffic. Applications/services to be matched are:
  ▪ DSCP EF – Expedited Forwarding.
  ▪ CISCO_SKINNY, GOOGLE-TALK, GOOGLE-TALK-VOICE-VIDEO, H_323, HP, IAX2, IVPIP, MGCP, MIRALIX, NETIQ, NVP-II, OCTOPUS, PARADIGM, PERSEUS, PHONE, RTCP, RTP, RTP_MUX, RTP_VIDEO, RTP_VOICE, RTSP, SIP, SIP_TLS, SKYPEFORBUSINESS, SPEECH-DISPATCHER, SPEECH-SYNTHESIS, TEAMSPEAK, TIDAL, TIVOCONNECT, VENTRILO, VERTEL, VIBER, VOICEIP-ACS, VONAGE, WINDOWS-LIVE-MESSENGER, WINMX, ZOOM.

o Topology. For this scope, the network topology to be used is mesh.

o Peer Unavailable Action: Pass Through.

o WAN Links:
  ▪ Primary: Internet_1.
  ▪ Backup: Internet_2, SU_FL_PTP.
  ▪ Cross-connect: Internet_1, Internet_2.
  ▪ Backup ports to be used on blackout.

o Bonding Policy: High Quality.

o Internet Traffic Policy:
  ▪ Preferred Policy Order:
    • Break Out Locally.
    • Backhaul Via Overlay.
    • Drop.
  ▪ Break Out Locally Using:
    • Primary: Internet_1.
    • Backup: Internet_2, SU_FL_PTP.

o Traffic Management:
  ▪ Traffic Class: RealTime (3).
  ▪ LAN-DSCP: trust-lan.
  ▪ WAN-DSCP: trust-lan.
  ▪ Boost: Not applied.

1.4.2 Interactive Overlay

The interactive overlay includes mostly system/network management – well-known TCP applications and flows.

o Type of traffic. Applications/services to be matched are:
  ▪ ADOBE, AIRS, AMMYY, AOL, APPLE-REMOTE-DESKTOP, ASF-RMCP, AVIRA, BLUEJEANS, BLUESTACKS, BROCADE, CDDBP, CISCO-AON-AMC, CITADEL, CITRIX-ICA, CODENGER, DART, DCN-MEAS, DEFAULT-PORT, DTSPCD, FARMING, FCP, FLEXNET, GDB, GE, GOBBY, GOOGLE, GOOGLEDRIVE, GOOGLEFORMS, GOOGLEUSERCONTENT, GOTOASSIST, GOTOMEETING, GOTOTRAINING, GOTOWEBINAR, HOTLINE, HTTP-RPC-EP-MAP, IBM, ICHAT, ICQ-AOL, INSTEON, INTUIT, IRC, IRC_SSL, IRCS, IRDMI, IVISIT, JOSM, KSHELL, LANTRONIX, LEECO-POS, LOTUS_NOTES, LYSKOM-PROTOCOL-A, MACOS-X, MDBS-DAEMON, MEMCACHED, MESSAGEASAP, MESSENGER, METASYS, MIRALIX, MK, MMCP, MMS, MOBRIEN-CHAT, MS_MESSENGER, MS_RPC, MS_TERMINAL_SERVICES, NCA, NETSUPPORT, NMEA, NOVELL, ONC, OPEN-OBJECT-REXX, OPENERP, OPENWINDOWS, OPSWARE, ORACLE, ORTHANC, OSISOFT, PBX, PCANYWHERE, PCANYWHEREDATA, PCANYWHERESTAT, PCOIP, POWERSCHOOL, POWERSHELL, PRM, PSYBNC, RADMIN, REMOTE-ADMINISTRATOR, REMOTE-SHELL, REXEC, RFB-VNC, RICCI, RLOGIN, RMI, RPC, RPC2PORTMAP, RTSP, SAGE, SCOL, SHELL, , SPLUNK, SSH, SSHELL, SUN_RPC, SYMANTEC-I3, SYNCTHING, TACACS, TEAMVIEWER, TEAMWARE, TELNET, TELNETS, TERADICI, TERMINAL-ACCESS, THEOSNET, THINLINC, , TIVOLI, TNTCHAT, TPM, TRACKIT, VENTRILO, VIBER, VMCONNECT, VNC, WBT, WEBEX, WINDOWS, WINRM, X-BEAT, X11, XMPP, XWINDOWS, YAHOO, ZEPHYR-CLT, ZEPHYR-HM, ZEPHYR-SRV, ZIMBRA.

o Topology. For this scope, the network topology to be used is mesh.

o Peer Unavailable Action: Pass Through.

o WAN Links:
  ▪ Primary: Internet_1, Internet_2, SU_FL_PTP.
  ▪ Backup: N/A.
  ▪ Cross-connect: Internet_1, Internet_2.

o Bonding Policy: High Quality.

o Internet Traffic Policy:
  ▪ Preferred Policy Order:
    • Break Out Locally.
    • Backhaul Via Overlay.
    • Drop.
  ▪ Break Out Locally Using:
    • Primary: Internet_1.
    • Backup: Internet_2, SU_FL_PTP.

o Traffic Management:
  ▪ Traffic Class: Interactive (2).
  ▪ LAN-DSCP: trust-lan.
  ▪ WAN-DSCP: trust-lan.
  ▪ Boost: Enabled.

1.4.3 Data replication Overlay

Data replication is a more customized overlay. In this case the requirements include:
o Zerto Virtual Replication, SQL, as well as Exchange.
o To be matched either by IP addresses, IP subnets, or TCP/UDP ports.

o Type of traffic. Applications/services to be matched are:
  ▪ Zerto Virtual Replication, SQL, Exchange, as well as any replication-related application determined by Exponix.

o Topology. For this scope, the network topology to be used is mesh.

o Peer Unavailable Action: Pass Through.

o WAN Links:
  ▪ Primary: SU_FL_PTP.
  ▪ Backup: Internet_1, Internet_2.
  ▪ Cross-connect: Internet_1, Internet_2.
  ▪ Backup ports to be used on blackout.

o Bonding Policy: High Throughput.

o Internet Traffic Policy:
  ▪ Preferred Policy Order:
    • Break Out Locally.
    • Backhaul Via Overlay.
    • Drop.
  ▪ Break Out Locally Using:
    • Primary: Internet_1.
    • Backup: Internet_2, SU_FL_PTP.

o Traffic Management:
  ▪ Traffic Class: Replication (4).
  ▪ LAN-DSCP: trust-lan.
  ▪ WAN-DSCP: trust-lan.
  ▪ Boost: Enabled.
  Note: Enabling boost for replication depends on the volume of traffic to be replicated, and the priority for this traffic.

1.4.4 Default Overlay

This is a general overlay for traffic not matching any of the above overlays.

o Type of traffic. Applications/services to be matched are:
  ▪ Any Traffic.

o Topology. For this scope, the network topology to be used is mesh.

o Peer Unavailable Action: Pass Through.

o WAN Links:
  ▪ Primary: Internet_1, Internet_2, SU_FL_PTP.
  ▪ Backup: N/A.
  ▪ Cross-connect: Internet_1, Internet_2.

o Bonding Policy: High Throughput.

o Internet Traffic Policy:
  ▪ Preferred Policy Order:
    • Break Out Locally.
    • Backhaul Via Overlay.
    • Drop.
  ▪ Break Out Locally Using:
    • Primary: Internet_2.
    • Backup: Internet_1, SU_FL_PTP.

o Traffic Management:
  ▪ Traffic Class: Default (1).
  ▪ LAN-DSCP: trust-lan.
  ▪ WAN-DSCP: trust-lan.
  ▪ Boost: Enabled.
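
Since overlay order decides which overlay claims a flow, an application listed in more than one overlay only ever receives the policy of the first. The following added example (not part of the original assessment) models that first-match behaviour over an excerpt of the application lists in 1.4.1 to 1.4.4 and reports the entries a lower overlay can never match; the function names, the assumed overlay order and the Data replication names are illustrative.

```python
# Added example: first-match overlay classification and shadowed-entry check.
# Assumptions: overlays sit in the Orchestrator in the order this document
# lists them; the application sets are excerpts of the lists above, and the
# Data replication names are constructed stand-ins for its IP/port matches.
OVERLAYS = [
    ("Real-time", {"RTP", "SIP", "RTSP", "MIRALIX", "VENTRILO", "VIBER", "ZOOM"}),
    ("Interactive", {"SSH", "TELNET", "RTSP", "MIRALIX", "VENTRILO", "VIBER", "WEBEX"}),
    ("Data replication", {"ZERTO", "SQL", "EXCHANGE"}),
    ("Default", None),  # None means "Any Traffic"
]

def classify(app, overlays=OVERLAYS):
    """Return the name of the first overlay, top to bottom, that matches app."""
    for name, apps in overlays:
        if apps is None or app in apps:
            return name
    return None  # only reachable when there is no catch-all overlay

def shadowed(overlays=OVERLAYS):
    """Return overlay -> sorted apps already claimed by an overlay above it."""
    seen, result = set(), {}
    for name, apps in overlays:
        if apps is None:
            continue  # the catch-all lists no applications of its own
        hidden = sorted(apps & seen)
        if hidden:
            result[name] = hidden
        seen |= apps
    return result

if __name__ == "__main__":
    for app in ("RTSP", "SSH", "ZERTO", "BITTORRENT"):
        print(app, "->", classify(app))
    print("shadowed:", shadowed())
```

RTSP, MIRALIX, VENTRILO and VIBER appear in both the Real-time and Interactive lists above, so with this ordering they always receive the Real-time policy.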

2. Site-specific Actions

There are actions required for every location. Some are specific to a location/datacenter and others are common to several sites. In addition, Appendix A illustrates the final diagrams for the locations.

Note: The bandwidth and boost values proposed below are recommended as a first-stage baseline. It is very important to constantly monitor and optimize these parameters in order to get the most out of the Silver Peak solution.

2.1 San Diego

• As previously mentioned, WAN-1 needs to be converted to inline router mode (ILRM).

• WAN-1 software version needs to be upgraded to match the existing appliances in router mode (8.1.7.8_70865).

• Optionally, but recommended, a third WAN interface can be configured with label Internet_2. If this interface is deployed, the next hop for each Internet interface will be the physical IP address of the corresponding Internet router.

• Initial Recommended Bandwidth. These values are an estimate based on the current Committed Information Rate, averages from traffic graphs, as well as Silver Peak Orchestrator statistics.
  o Point-to-point: 500Mbps.
  o Internet VERIZON: 150Mbps.
  o Internet Comcast: 150Mbps.

• Recommended Boost. The suggested value is an approximation based on the bandwidth configured on the interfaces, as well as the bandwidth obtained from the Orchestrator.
  o Primary appliance: 300Mbps.
  o Secondary appliance: 200Mbps.

• Routing. It is recommended to use OSPF as the final state routing protocol.

  o Enable OSPF on the Silver Peak appliances.

  o Redistribute Silver Peak peers routes to OSPF.
    ▪ Metric-type: E1.
    ▪ Metric for primary: 0.
    ▪ Metric for backup: 10.

  o Redistribute local routes to OSPF.
    ▪ Metric-type: E1.
    ▪ Metric for primary: 0.
    ▪ Metric for backup: 10.

  o Under the OSPF configuration for the interfaces, make sure to configure the following parameters:
    ▪ Priority for lan0 interface: 0 (both appliances).
    ▪ Cost: 0 (primary).
    ▪ Cost: 10 (backup).

  o On the Nexus devices, enable OSPF on the SVIs connecting to the Silver Peak appliances.

2.2 Seattle

• As with San Diego, it is suggested that a third WAN interface be configured with label Internet_2. If this interface is deployed, the next hop for each Internet interface will be the physical IP address of the corresponding Internet router.

• Initial Recommended Bandwidth. These values are an estimate based on the current Committed Information Rate, averages from traffic graphs, as well as Silver Peak Orchestrator statistics.
  o Point-to-point: 500Mbps.
  o Internet QTS: 150Mbps per interface. If Seattle is not currently acting as principal datacenter, this value can be reduced to 100 Mbps.

• Recommended Boost. The suggested value is an approximation based on the bandwidth configured on the interfaces, as well as the bandwidth obtained from the Orchestrator.
  o Primary appliance: 300Mbps.
  o Secondary appliance: 200Mbps.

• Routing. It is recommended to use OSPF as the final state routing protocol.

  o Enable OSPF on the Silver Peak appliances.

  o Redistribute Silver Peak peers routes to OSPF.
    ▪ Metric-type: E1.
    ▪ Metric for primary: 0.
    ▪ Metric for backup: 10.

  o Redistribute local routes to OSPF.
    ▪ Metric-type: E1.
    ▪ Metric for primary: 0.
    ▪ Metric for backup: 10.

  o Under the OSPF configuration for the interfaces, make sure to configure the following parameters:
    ▪ Priority for lan0 interface: 0 (both appliances).
    ▪ Cost: 0 (primary).
    ▪ Cost: 10 (backup).

• On the Nexus devices, enable OSPF on the SVIs connecting to the Silver Peak appliances.

2.3 Dallas/Denver

• The Denver and Dallas locations, as a final state, will follow the same network architecture. The goal is to bring Dallas to the same topology as Denver.

• As with one of the appliances in San Diego, WAN-1 needs to be converted to inline router mode (ILRM); this will allow the two devices to operate in an active/standby scheme.

• WAN-1 software version needs to be upgraded to match the existing appliances in router mode (8.1.7.8_70865).

• Initial Recommended Bandwidth. These values are an estimate based on the current Committed Information Rate, averages from traffic graphs, as well as Silver Peak Orchestrator statistics.

  o Dallas:
    ▪ Internet VERIZON: 50Mbps.
    ▪ Internet Level 3: 100Mbps.

  o Denver:
    ▪ Internet VERIZON: 50Mbps.
    ▪ Internet Comcast: 100Mbps.

• Recommended Boost. The suggested value is an approximation based on the bandwidth configured on the interfaces, as well as the bandwidth obtained from the Orchestrator.

  o Dallas/Denver
    ▪ Primary appliance: 150Mbps.
    ▪ Secondary appliance: 150Mbps.

• Routing. The routing recommendation in the case of Denver and Dallas is the same as San Diego/Seattle.

  o Enable OSPF on the Silver Peak appliances.

  o Redistribute Silver Peak peers routes to OSPF.
    ▪ Metric-type: E1.
    ▪ Metric for primary: 0.
    ▪ Metric for backup: 10.

  o Redistribute local routes to OSPF.
    ▪ Metric-type: E1.
    ▪ Metric for primary: 0.
    ▪ Metric for backup: 10.

  o Under the OSPF configuration for the interfaces, make sure to configure the following parameters:
    ▪ Priority for lan0 interface: 0 (both appliances).
    ▪ Cost: 0 (primary).
    ▪ Cost: 10 (backup).
    ▪ Since the peer devices in this case are the Palo Alto firewalls, OSPF must be enabled on their Silver Peak-facing interface.

Appendix A. End State Logical Diagrams

San Diego

Seattle

Dallas/Denver
