Silver Peak updates SD-WAN with Packet-iQ to make choices from the first packet

Silver Peak updates SD-WAN with Packet-iQ to make choices from the first packet

A press release from Silver Peak announces recent innovations for their SD-WAN product set. Enhancements to their EdgeConnect are Packet-iQ, a stateful firewall, firewall service chaining and Zscaler support. They have also included routing integration, allowing easier integration of the SD- environment into larger enterprise infrastructures, using BGP.

Silver Peak have added a blog entry for application driven WAN Edge around this release, and it's gained some visibility with both LightReading and SDxCentral pointing to the release. LightReading has also done a News Analysis piece. So let's see what the noise is about…

Packet-iQ – choices from the first packet

One of the main challenges SD-WAN is the determination on the first packet to make a routing choice. This is a challenge as cloud applications use HTTP or HTTPS for connections, as do a lot of corporately hosted application portals. Selecting a path based on port information may make the wrong choice for the path. Selecting based on data such as SSL Certificate Common Names requires several packets to have passed, fixing the state of the connection through firewalls.

Deep Packet Inspection determinations the destination and a routing choice after the TCP session establishes and the first payload packets are sent (i.e. reading the GET URI, which allows differential behaviour even for connections via servers).

Changing the path once the original SYN packet has been sent causes problems with the firewalls as the connection isn't properly formed over the new route. In the past, it was easier to use IPSec to provide the links between VPN sites, and IPSec or GRE via a cloud web-services gateway (such as Zscaler) to avoid this challenge.

It looks like Silver Peak are using DNS queries and responses to track a range of IP addresses assigned to cloud services like They then use this information to get a list of IP address ranges to pass the traffic directly to the . This is more efficient than delivering it based on assumptions, and later have to move the connection with the risk of it breaking. It also avoids the initial packet backhaul to a core internet breakout point. This extra information gives Packet-iQ the capability to make that choice straight away, rather than wait for payload data. Making a more efficient and reliable

Stateful firewall and routing round out the updates

In addition, the use of a stateful firewall protects sites with connections inbound to a site only when they have been sent out first. This allows the use of the devices for local internet breakout without an external firewall requirement. Service chaining allows for firewalls using Checkpoint, Fortinet or Palo Alto within the network, or Zscaler for a cloud-based solution.

BGP provides a routing boundary at the site edge, ensuring that it easier to manage a large corporate network infrastructure, and to allow local internet breakout. This allows for ease of migration to a SD-WAN environment by establishing BGP peering with the previous network. It also helps in managing the routing propagation, particularly in larger and more complex sites. Most importantly it now allows direct connection to an MPLS network, with route exchange to the PE without needing an intervening CE router. (To use this, you will need to have an Ethernet presentation for your circuits.)

These are not trivial things, and make the EdgeConnect solution a much more flexible environment for deployment and operation, reducing complexity and cost.

John Dixon

John Dixon is the Principal Consultant of thirteen-ten nanometre networks Ltd, based in Wiltshire, United Kingdom. He has a wide range of experience, (including, but not limited to) operating, designing and optimizing systems and networks for customers from global to domestic in scale. He has worked with many international brands to implement both data centres and wide-area networks across a range of industries. He is currently supporting a major SD-WAN vendor on the implementation of an environment supporting a major global fast-food chain.

Comments are closed.