
Silver Peak CPX Training

Virtela On-Site Training

Chris Rogers
Director of Training Services
crogers@silver-peak.com
Confidential | 2015 Silver Peak Systems, Inc. All Rights Reserved.

CPX Managed Service Provider/Service Provider Training

- What is the Silver Peak CPX?
- CPX Technology
  - NA, NI, NM, NS
- Bridge Mode and VLAN Deployment
- Logging
- Troubleshooting
- Monitoring and Reporting
- Issue resolution / getting help
- CPX Solution Architecture / Components
  - Form factor
  - Licensing/Workflow

What is CPX?


CPX: SD-WAN (& WANOP) for MSP/SPs


Virtual offering with flexible licensing and packaging
Based on VXOA
No license key management required
Granular configuration of 0-1 Gbps max system bandwidth
Flexible configurability of system limits
Ships with SD-WAN & WANOP feature set (a.k.a. Boost for EC)


Virtual Appliance / Disk Image Formats


All major hypervisors supported

- VMware vSphere / ESXi: OVA / OVF
- KVM: QCOW2 (most popular among SP/MSPs)
- Citrix XenServer: VHD, VMDK
- Microsoft Hyper-V: VHD

VX vs. CPX
VX:
- Static License Key (Perpetual)
- Fixed Limits
- Hardcoded Min. Resourcing

CPX:
- Dynamic License (No License Key)
- Configurable System Limits
- Flexible Resourcing
- Cloud Portal Client: Registration, Renewal, Reporting

Identical Datapath: Only Licensing, Resourcing and Commercial Ops Differ

CPX : Flexible Resourcing & Max Limits


- Configurable System Limits based on Available CPU & RAM
- Sliders under Configuration -> System Limits menu
- Min 1 vCPU, 2GB RAM, 30G disk
- Sliders allow manual allocation of resource per custom requirement
- Based on slider positions, CPX node will calculate total memory required to support configured system limits

CPX Solution Components & Form factors

Solution Components : CPX, Cloud Portal and Orchestrator


[Diagram: the Silver Peak Cloud Services Portal serves two Silver Peak customers, Provider A (e.g. Virtela) and Provider B (e.g. AT&T). Each provider in turn serves its own enterprise customers (the customer's customers), whose sites run CPX nodes.]

Legend:
- CPX Nodes
- Management Plane (REST/HTTPS)
- Optimized Data Plane (IPsec)

CPX Form Factor


- Based on Silver Peak VXOA software
  - Same code base, plus Service Provider-oriented licensing / accounting modules
- Available in either virtual appliance or disk image formats
- Bootable ISO also available for manual VM creation
- Direct customization via XML or manufacturing script to product golden image
- VXOA release 7.2 and up: all VXOA data path features carry over

[Figure labels: Virtual Appliance; Disk Image]

CPX Silver Peak Cloud Portal


CPX Licensing and Workflow


CPX Deal Workflow


- Upon commercial engagement, cloud portal account is created for service provider by Silver Peak Operations team
- Software delivered by Silver Peak / downloaded by service provider
- Provider admin logs into cloud portal account to retrieve Account Key/Account Name.
  - Key and name can be embedded in software delivery by Silver Peak
- CPX nodes deployed
- Monitor / track inventory, usage, other billable metrics

CPX Dynamic Licensing


CPX does not use standard license key
Default state is operational except traffic (a la Skype client)
CPX nodes phone home to register for service (requires Internet reachability)
Unlimited nodes, no notion of instance count limit based on # of license keys
Nodes phone home periodically to report usage / billing metrics
Silver Peak Orchestrator can act as license proxy


CPX Registration / Phone Home


1. CPX boots up
2. CPX attempts to reach cloud portal
3. Portal acks CPX request
4. CPX sends:
   1. Account Key
   2. Account Name
5. Authentication against local db
6. CPX receives reg approval (lease):
   1. Manually by provider admin
   2. Auto (configurable)
7. Silver Peak tunnels created
8. Traffic can pass via CPX endpoints

[Diagram: Customer A Site 1 (Branch) and Customer A Site 2 (DC) each run a CPX node holding the Account Key and Account Name. The diagram also shows the Internet and the MPLS Backbone, with numbered callouts for the steps above.]

Post-Registration Communication with Cloud Portal


CPX node contacts portal to report usage and check if lease renewal required:
- Each reboot
- Every 24 hours

Portal will renew the appliance lease every 72 hours (default)
- Can be changed per provider's custom requirement / contractual terms by Silver Peak

If CPX node cannot access portal after 24 hrs:
- Re-try is set to 1-min intervals
- Once connection is re-established, back to 24-hr cycle

During period when portal cannot be accessed after 24 hrs:
- CPX node will remain in Registered / Approved state
- Portal connectivity alarms will be raised on CPX node
- Traffic will flow for duration of grace period (determined by appliance lease period)
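
The timing rules on this slide can be walked through in a short simulation. This is an added example, not Silver Peak code: it assumes the node was approved at t = 0, that every successful contact extends the lease to the contact time plus the lease period, and that there is a single portal outage; the function and field names are hypothetical.

```python
from typing import NamedTuple, Optional

HOUR = 60                      # the simulation clock counts minutes
CHECKIN_INTERVAL = 24 * HOUR   # slide: node contacts the portal every 24 hours
RETRY_INTERVAL = 1             # slide: 1-min retries while the portal is unreachable
LEASE_PERIOD = 72 * HOUR       # slide: default appliance lease of 72 hours


class Outcome(NamedTuple):
    alarm_at: Optional[int]            # first failed check-in (portal connectivity alarm)
    traffic_stopped_at: Optional[int]  # moment the lease ran out, if it did
    recovered_at: Optional[int]        # first successful contact after the outage


def simulate(outage_start, outage_end, horizon, lease=LEASE_PERIOD):
    """Follow one registered CPX node from t=0 to `horizon` (all in minutes).

    The portal is unreachable for outage_start <= t < outage_end.
    """
    lease_expiry = lease           # assumption: lease granted at approval, t = 0
    alarm_at = stopped_at = recovered_at = None
    t = CHECKIN_INTERVAL           # first scheduled check-in
    while t <= horizon:
        if outage_start <= t < outage_end:
            if alarm_at is None:
                alarm_at = t       # node stays Registered / Approved, alarm raised
            t += RETRY_INTERVAL    # retry every minute until the portal answers
            continue
        # Successful contact: usage reported, lease renewed.
        if stopped_at is None and t >= lease_expiry:
            stopped_at = lease_expiry      # grace period had already run out
        if alarm_at is not None and recovered_at is None:
            recovered_at = t
        lease_expiry = t + lease           # assumption: renewal restarts the lease clock
        t += CHECKIN_INTERVAL              # back to the 24-hour cycle
    if stopped_at is None and horizon >= lease_expiry:
        stopped_at = lease_expiry          # outage outlasted the lease within the horizon
    return Outcome(alarm_at, stopped_at, recovered_at)


def hours(outcome):
    """Same outcome expressed in hours, for reading."""
    return tuple(None if v is None else v / HOUR for v in outcome)


if __name__ == "__main__":
    print("20 h outage :", hours(simulate(30 * HOUR, 50 * HOUR, 200 * HOUR)))
    print("100 h outage:", hours(simulate(30 * HOUR, 130 * HOUR, 200 * HOUR)))
```

In the 100-hour case the alarm appears 18 hours after the outage begins and traffic stops 66 hours into it, not 72, because in this model the lease clock runs from the last successful check-in rather than from the start of the outage.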

Cloud Portal Provider Account Login

2 options for cloud portal administration
- Manual (admin personnel, 2-factor login) or REST-based (machine-to-machine)
- For REST automation, create new user with strong password

https://cloudportal.silver-peak.com
- Embedded in CPX nodes, no config needed
- Resolves to fixed public IP address
- Redundancy via auto-failover to backup portal

Account tied to email address
- Multiple users can be created / managed

Cloud Portal User Management


Role-Based Administration
- Superuser: full privilege
- Admin: full privilege except add / modify users
- Monitor: read only

Cloud Portal Provider View, Registration Options

- For security, Account Key and Account Name can be re-generated periodically
- DNS Whitelist provides additional security by only allowing registration requests by CPX nodes in specified domains
- Registration approval can be enforced (default Manual) or permissive (Auto)

Cloud Portal Provider Account View

Operator can assign Site / Group for each customer


- e.g., Customer A and Customer B in above example


Orchestrator as Proxy / Relay for Cloud Portal


On CPX Nodes, Replace Cloud Portal Hostname with Orchestrator IP or Hostname

Using Orchestrator requires only port 443 ALLOW rules for 10.0.238.32 to / from https://cloudportal.silver-peak.com
- no per-node rules or global policy / permit-out zone required

[Diagram: CPX nodes behind a Highly Restrictive Internet Policy]

Silver Peak CPX Technology


Technology Overview
NETWORK ACCELERATION: EXTEND DISTANCE
- Mitigate protocol latency and chattiness

NETWORK INTEGRITY: FIX CONGESTION / PACKET LOSS
- Traffic Shaping/Quality of Service (QoS)
- Forward Error Correction (FEC)
- Packet Order Correction (POC)

NETWORK MEMORY (TM): INCREASE BANDWIDTH
- Real-Time de-duplication of all IP traffic

NETWORK ENCRYPTION: PROTECT DATA
- Accelerated IPSec Encryption for all traffic

[Diagram labels: Data Center; DR Site]

Problem: High latency


Solution: Network Acceleration

Symptoms:
- Cannot fill the pipe
- Applications never seem to run faster even when there is more bandwidth
- Users complain of slowness during times of sub-maximum utilization
- CIFS file transfers are slow

Commonly due to distance or equipment: The further you have to go, the higher the latency

[Figure label: Miles/Second]

Problem: Data Loss and packets out-of-order


Solution: Network Integrity

Symptoms:
- Video quality is poor with pixelation and halts
- Transmission rates for many applications are very poor with high-end applications especially suffering
- VoIP calls suffer poor quality or experience increases in jitter:
  - Dropped calls
  - Echoes
  - Clicks

Commonly seen on shared infrastructure links such as MPLS or Internet based IP VPNs

Problem: Not enough bandwidth


Solution: Network Memory

Symptoms:
- Link to the WAN is frequently fully utilized
- Users complain of slowness
- Long delays in connection establishment
- Replication falls behind target because it cannot push data fast enough

Commonly seen in any environment where bandwidth resources are out of date or have recently taken on new requirements

Problem: Data Insecurity and theft


Solution: Real-time Secure Content Architecture

- Disk encryption protects data at rest
- IPSec protects data in transit
  - 256 bit AES encryption

[Diagram: IPSec across the WAN and the Internet]

TCP Acceleration

Delays are caused by acknowledgement procedures and window sizing in latent environments

TCP Acceleration overcomes delays with four key components
- Window scaling
- Selective Acknowledgement
- Round Trip Measurement
- High Speed TCP

Latency Slows Communications Across WAN


- LAN: Transmit / Ack, Latency 1ms, Total 4ms
- WAN: Transmit / Ack, Latency 100ms, Total 400ms

Silver Peak Overcomes Latency


- Without Network Acceleration: Transmit / Ack, Latency 100 ms*, Total time: 500 ms
- With Network Acceleration: Transmit / Ack, Latency 100 ms*, Total time: 100 ms

Latency is Determined By:
- Speed of Light
- Route Taken
- Network Congestion

Silver Peak TCP Proxy & Acceleration


[Diagram: TCP proxy and acceleration across the WAN]

TCP Acceleration Requires Symmetric flows

TCP Acceleration requires that each appliance see the full TCP handshake.

If an appliance sees a SYN ACK, for example, but no SYN, TCP acceleration drops out of the connection and the packet passes through to the destination.

TCP Acceleration requires Symmetric flows

We flag a connection in the Current Flows if we don't see the full handshake.

Meaning of the Asymmetric Flag:
- Asymmetric=No (dropped out of acceleration completely AND would show byte counts in a direction = 0; otherwise a No means it's not asymmetric)
- Asymmetric=Yes, if the SYN and the ACK came with no SYN ACK.

Asymmetric flows can't be accelerated, but path conditioning and de-dupe still apply

[Diagram labels: WAN; Asymmetry]

How It Works: Path Conditioning (formerly Network Integrity)

Packet Loss

- Caused by carrier congestion and SLA
- When packets are lost TCP window sized reduce by
- Lost packets must be retransmitted

[Diagram labels: Packet Lost; Request Retransmit]

Out-of-order packets

- Caused by packets taking different routes
- Out-of-Order packets cause retransmission
- TCP window reduced to ensure reliability

[Diagram labels: Detect Out-of-Order; Request Retransmit]

What Do You Really Get?

Latency, Packet Loss & Out-of-Order Packets
- Packet retransmission slows down TCP connections and degrades UDP

[Chart labels: What you pay for; What you actually experience]

Eliminate Packet Loss

- Parity dynamically adjusted based on amount of loss
- Lost packets rebuilt at the receiving Silver Peak
- Receiver unaware packet loss has occurred
- No window size decrease

[Diagram labels: Packet Lost; Lost Packet Rebuilt from Parity]

Correcting Out-of-Order Packets

- Packets are tagged as they leave the Silver Peak
- Out-of-Order packets are reordered at the receiving side
- Receiving client unaware that out-of-order packets have occurred
- No window size decrease

[Diagram labels: Detect Out-of-Order; Reorder]

FEC Configuration: Auto Versus Enable

The auto setting dynamically adjusts the FEC setting based on network conditions.

When set to auto, the value selected in the Ratio field becomes the upper limit, or cap, for adjustments.
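
Parity-based rebuild and tag-based reordering, as described on the "Eliminate Packet Loss" and "Correcting Out-of-Order Packets" slides, in an added example that is not Silver Peak code. It assumes simple XOR parity with one parity packet per `ratio` data packets; the slides do not name the coding scheme, and the packet layout and function names are hypothetical.

```python
from functools import reduce


def _xor(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def _parity(payloads):
    """XOR of all payloads in a group, zero-padded to the longest one."""
    size = max(len(p) for p in payloads)
    return reduce(_xor, (p.ljust(size, b"\0") for p in payloads))


def sender(payloads, ratio):
    """Tag payloads with sequence numbers; add one parity packet per `ratio` data packets."""
    wire = []
    for start in range(0, len(payloads), ratio):
        group = payloads[start:start + ratio]
        for offset, payload in enumerate(group):
            wire.append(("data", start + offset, payload))
        # The parity packet carries the original lengths so padding can be removed.
        wire.append(("parity", start, _parity(group), [len(p) for p in group]))
    return wire


def receiver(wire, total):
    """Reorder by sequence tag and rebuild at most one lost packet per parity group.

    Returns `total` payloads in order; None marks a packet that could not be rebuilt.
    """
    data, parities = {}, []
    for packet in wire:
        if packet[0] == "data":
            data[packet[1]] = packet[2]          # arrival order no longer matters
        else:
            parities.append(packet[1:])
    for start, parity, lengths in parities:
        seqs = range(start, start + len(lengths))
        missing = [s for s in seqs if s not in data]
        if len(missing) != 1:
            continue     # nothing lost, or more loss than one parity packet can repair
        rebuilt = parity
        for s in seqs:
            if s in data:
                rebuilt = _xor(rebuilt, data[s].ljust(len(parity), b"\0"))
        lost = missing[0]
        data[lost] = rebuilt[:lengths[lost - start]]
    return [data.get(seq) for seq in range(total)]


def sample_payloads():
    """Constructed sample: ten payloads of three different lengths."""
    return [b"frame-%02d|" % i * (1 + i % 3) for i in range(10)]


if __name__ == "__main__":
    sent = sample_payloads()
    wire = sender(sent, ratio=5)
    lossy = [p for p in wire if p[:2] != ("data", 3)]   # drop one data packet
    lossy.reverse()                                      # and deliver out of order
    print(receiver(lossy, len(sent)) == sent)
```

One parity packet repairs one loss per group; two losses in the same group stay lost, which is the case that sending parity more often addresses.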

How It Works: Network Memory (De-duplication)

Network Memory
Byte-level De-duplication

Not Cached:
1. Byte Fingerprint & Store
2. Compress + Transmit
3. Byte Fingerprint & Store
4. Uncompress & Deliver

Cached:
1. Byte Fingerprint Match
2. Send Retrieve Instructions
3. Get Local Data from Cache
4. Deliver

Weighing the Benefits and Costs


- Network Memory (NM) uses a combination of compression and deduplication techniques, the latter using cached copies of previously transmitted data.
- Looks for data repetition in Memory and on Disk.
  - Algorithm keeps most accessed data in memory to process in real-time
- Uses byte-level caching, not object or file caching
- Look-up times are negated by lower time needed to transmit the reduced data.
- NM mode can be configured to balance reduction vs. added latency.
- Some traffic types are not as delay sensitive, some more sensitive (i.e. Replication)

Note: Compression and de-dupe aren't effective on encrypted data streams
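
The two Network Memory paths (not cached / cached) and the note about encrypted streams, as an added example rather than Silver Peak's implementation. It assumes fixed 256-byte chunks, SHA-256 fingerprints and zlib compression, none of which the slides specify, and uses a toy keystream only to make repeated data look random on the wire; all names are hypothetical.

```python
import hashlib
import os
import zlib

CHUNK = 256   # assumption: fixed-size chunks keep the example short


class Appliance:
    """One end of the tunnel with its own fingerprint -> bytes cache."""

    def __init__(self):
        self.cache = {}

    def encode(self, data):
        """Sending side: returns a list of ("raw", compressed) / ("ref", fingerprint)."""
        wire = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            fp = hashlib.sha256(chunk).digest()
            if fp in self.cache:
                wire.append(("ref", fp))                    # cached: send retrieve instruction
            else:
                self.cache[fp] = chunk                      # not cached: fingerprint & store
                wire.append(("raw", zlib.compress(chunk)))  # compress + transmit
        return wire

    def decode(self, wire):
        """Receiving side: rebuild the original bytes and learn new chunks."""
        out = bytearray()
        for kind, body in wire:
            if kind == "raw":
                chunk = zlib.decompress(body)                        # uncompress
                self.cache[hashlib.sha256(chunk).digest()] = chunk   # fingerprint & store
            else:
                chunk = self.cache[body]                             # get local data from cache
            out += chunk                                             # deliver
        return bytes(out)


def wire_size(wire):
    """Bytes that cross the WAN for one transfer (payload or fingerprint per item)."""
    return sum(len(body) for _, body in wire)


def toy_encrypt(key, plaintext):
    """Stand-in for application-layer encryption: fresh nonce + hash keystream.

    Illustration only, not a cipher to use: it just makes each transfer look random.
    """
    nonce = os.urandom(16)
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def sample_document():
    """Constructed sample payload: 400 log-style records."""
    return b"".join(b"record %05d status=OK site=branch-1\n" % i for i in range(400))


def compare():
    """WAN bytes for: first send, repeat send, and two sends of encrypted copies."""
    tx, rx = Appliance(), Appliance()
    doc, key = sample_document(), b"k" * 32
    results = {}
    for label, make in (("first", lambda: doc), ("repeat", lambda: doc),
                        ("enc-first", lambda: toy_encrypt(key, doc)),
                        ("enc-repeat", lambda: toy_encrypt(key, doc))):
        data = make()
        wire = tx.encode(data)
        assert rx.decode(wire) == data   # receiver must reproduce the bytes exactly
        results[label] = wire_size(wire)
    return results


if __name__ == "__main__":
    print(len(sample_document()), compare())
```

The repeat send of the plaintext costs one fingerprint per chunk, while the repeat send of the encrypted copy costs as much as its first send because no chunk ever matches the cache.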

Available Network Memory Settings

Balanced
- This is the default setting.
- It dynamically balances latency and data reduction objectives and is the best choice for most traffic types.

Maximize Reduction
- Optimizes for maximum data reduction at the potential cost of slightly lower throughput and/or some increase in latency.
- Use for bulk traffic types such as File Transfers and Replication when Bandwidth is the main concern.

Minimize Latency
- Ensures that minimal latency is added by Network Memory processing. This may come at the cost of lower data reduction.
- It is appropriate when higher throughput is the main concern, i.e. replication over high latency link, or for very latency sensitive applications

Disabled
- No Network Memory is performed.
- Selected when no deduplication benefit is expected and traffic is only tunneled for Acceleration, Network Integrity or Header compression.

Configuration of Network Memory

Network Memory settings are applied through an Optimization Map.
- Either in the Web-GUI or in the Orchestrator

Define Matching criteria and select the desired NM-mode.
- The NM-setting for the default entry can be changed also.

[Callout: Network Memory can be erased from the UI]

Encrypted Data: SSL / TLS

[Diagram: Without Silver Peak SSL. An SSL session runs LAN to LAN across the IPSec tunnel and is marked with an X.]

[Diagram: With Silver Peak SSL. The SSL session runs LAN to LAN across the IPSec tunnel, without the X.]

SSL (Secure Sockets Layer) / TLS (Transport Layer Security)

- The user applications must use HTTPS to communicate
- Supports SSL 3.0, TLS 1.0, and TLS 1.1 & 1.2
- X.509 Certificates are supported
- Supported maximum number of SSL flows depends on model
  - See table below
  - Appliance will still support its stated total number of flows.
- Allows full reporting on SSL traffic
- IPSEC tunnel required to encrypt all WAN traffic

Physical    SSL Flows Supported
NX-11000    20000
NX-10000    20000
NX-9000     20000
NX-8000     20000
NX-7000     20000
NX-6000     10000
NX-5000     10000
NX-4000     1000
NX-3000     1000
NX-2000     1000
NX-1000     1000
NX-700      1000

Virtual models listed: VX-9000, VX-8000, VX-7000, VX-6000, VX-5000, VX-4000, VX-3000, VX-2000, VX-1000, VX-500

Deployment Modes: Bridge (In-Line)


Bridge Mode Deployment

When do you need a LAN next hop? Only if 2 or more subnets on the LAN

To install the appliance in this mode:
1. Disconnect the Ethernet Local Area Network (LAN) switch from the WAN router
2. Connect the LAN interface of the appliance to the Ethernet LAN switch
3. Connect the WAN interface of the appliance to the WAN router
4. No Ethernet LAN switch or WAN router configuration modification is required

Bridge Mode Bypass = fail-to-wire


- In the event of a failure, a physical appliance in bridge mode is taken completely out of the circuit by a relay that fails-to-wire
- Installing or replacing an appliance in bridge mode requires taking down a network link!
- Incoming and outgoing interface speeds, duplex etc. and cabling MUST work end-to-end in case of failure

[Diagram: lan0, Relay, wan0, WAN]

Bridge Options
- Choice of 2 Port and 4 Port bridge
- In 4 port mode, IP addresses can be in the same subnet
- Be sure to disable WAN hardening on the Interfaces page! (This will be default in VXOA 7.3.4)

VLAN Trunking


Support for VLAN Tagging

Silver Peak supports 802.1q VLAN trunking in Bridge or Out-of-Path
- Bridge (In-line) Mode only in releases prior to 6.0.
- In 6.0 out-of-path is also supported, but in CLI only
- In 6.2 out-of-path is supported in the GUI

A sub-interface is required for VLAN configuration
- A Bridge Virtual sub-Interface must be created for non-native VLANs in bridge mode
- Subinterface can be on bvi0 or bvi1 if in 4 port mode
- Each VLAN on its own subnet

Matching can occur for all policies based on VLAN tag

VLAN Config in Bridge Mode


- Add VLANs under Configuration -> Deployment
- LAN Side Next Hop and Routes only needed if there are additional subnets that the Silver Peak isn't part of
- WAN next hop is needed to forward tagged passthrough traffic for each VLAN
- Add new VLAN, assign VLAN number and IP address for sub-interface

Tunnel Termination w/ VLAN trunking


Choose a local tunnel termination address associated with a VLAN (or not) when you create the tunnel.

VLAN Match Criteria in Route/QoS/Opt Maps

The VLAN ID and interface can be used in policies to match against


Logging


Logging Overview

Appliance specific (more to come):
- Event Logging records system events and level
- Alarm/Alert Logging records only events at Alert level or higher
- Audit Logging records user directed actions performed on the appliance

Orchestrator
- Many logs available. Downloadable as a zipped file.

NetFlow: Appliance generated only
Syslog: Appliance generated only
SNMP: Orchestrator and Appliance generated

NetFlow

- NetFlow provides a way to send flow records to a centralized collector from the appliances
- NetFlow data is sent directly from the appliances, not via Orchestrator
- Configured on the Orchestrator as a Template
- Reports against two virtual interfaces:
  - sp_lan: LAN traffic on all interfaces + VLANs
  - sp_wan: WAN traffic on all interfaces + VLANs
- WAN export shows flows inside the tunnel (LAN traffic flows, not the encapsulated WAN packets)

SNMP for Appliances

*Tip: MIBs are included on the CD-ROM that shipped with the product and are also available for download via the customer support portal.

MIB: Management Information Base

4 Silver Peak-specific Appliance MIBs:
- Silverpeak-SMI (Structure of Management Information)
- Silverpeak-TC (Textual Convention)
- Silverpeak-products-mib
- Silverpeak-mgmt-mib

Other Standard MIBs also included

SNMP Traps supported for alerting

SNMP for the appliances is not sent via Orchestrator
- Orchestrator receives alarm and alerts from appliance via enhanced TCP, ensuring reliability of delivery

SNMP for Appliances, continued

Configuration:
- Configured as a Template in Orchestrator, or directly on the appliance
- Enable SNMP and Traps
- Define the Community for both
- Define receivers and versions

Traps are sent using SNMP on UDP port 162

Traps are sent via mgmt0 interface

One trap is sent when an alarm is raised followed by another when cleared

SNMP v3 is supported on Appliances
- Configured as part of the Template (applied to devices)
- Used for authentication of client and server
- Recommended where it is supported
- Not supported for Orchestrator traps

Syslog

- Sends appliance events directly to a logging server(s), not via the Orchestrator
- Syslog is set up as a Template called Logging in a Template
- Define:
  - Level of logging
  - File rotation policy
  - Syslog servers

Monitoring and Reporting


Orchestrator Application Reporting by Device

Bars implicitly display ratios

[Chart slides: BANDWIDTH (NORMAL); BANDWIDTH (PEAK); LOSS, FEC Enabled; Packet Order Correction]

Network View on Appliance


At a Glance:
- Bandwidth Usage
- Top Applications
- Latency
- Loss
- Top flows

Selectable View Options
- Traffic Type
- Direction
- Time Period
- Tunnel

Charts (Appliance)

Charts cover:
- Bandwidth utilization
- Data reduction
- Packet loss
- Out of order packets
- Latency
- Flow volume
- Packets per Second

Selectable time period up to 30 days

Zoomable by selecting region on chart or timeline

Realtime Charts (Appliance)

- Realtime Charts update graphs in three second intervals
- Single appliance
- All charts offer some form of filtering
- Many types of Stats and metrics (3 examples shown)

[Chart labels: WAN rate & Compression Ratio; QoS Stats, TCs 2 & 3]

Flow Monitoring

- Current Flows can be viewed in real time
- Flows can be reported on for a single or multiple appliances
- Click on the Flow Chart icon to see a real time graph
- Click on the Detail icon to see more info (see upcoming slide)

Appliance: Am I Optimized Current Flows


If a flow has an alert on it, the status field is highlighted in yellow and is a hyperlink. When user clicks on this link, he gets a description of the problem and possible actions to resolve the problem.

- Inbound means FROM the WAN
- Outbound means TOWARD the WAN

Appliance: Am I Optimized Current Flows


- User will see the following dialog to see the details of the alert.
- For many corrective actions, there is a link to direct the user to correct location in the UI.
- This list of possible solutions is not complete. We would like to build this knowledgebase as we expose this feature to our customers.
- User can choose to ignore the alert by clicking the checkbox. After that, this flow is classified as optimized*. User can bring this dialog back up and undo his alert suppression.

Example of Flow Details


- Flow addressing, endpoints etc.
- Flow Statistics
- What's being done to the flow
- QoS Information

Troubleshooting


Use (free) Online Documentation


http://www.silver-peak.com/support/user-documentation

- Manuals
- MIBs
- Quickstart Guides
- Tech Tips
- System Requirements
- etc

Silver Peak Support Portal

Access SW downloads, Case management, Licenses, RMA and the Knowledge Base
- Login required

Troubleshooting: Tools

Built-In Tools

- Ping
- Traceroute
- TCPPERF

To ping from appliance data IP address to local devices, use
ping -I <source addr> <dest addr>
otherwise ping will source from mgmt addr and use default route

Built-In Tools

IPERF
- Use for testing max throughput, jitter, latency
- Execute from the Orchestrator
  - Select two appliances
  - Select Link Integrity Test from the Maintenance menu
- Can be executed from the Appliance CLI (must be set up on each end)
- Do not unintentionally send it through the tunnel!
- Orchestrator automatically sends PT or PTU

Built in packet capture 7.1+

Built in packet capture
- Limit number of packets
- Filter on IP or Port
- Standard pcap files
- Read with Wireshark etc.

Appliance Charts, Graphs and Flow Details


The appliance has many charting and graphing options available
Use the current flows table, and view flow details


Using Appliance and Orchestrator Logs

Appliance logs: Administration Log Viewer
- Messages file: system log for appliances that records every NOTICE level event or higher
- Problems that occurred at a specific point can be referenced in the log
- Orchestrator allows tailing of the messages file

Audit Log: useful for tracking changes made by users
- In the Orchestrator: Support > Tech Support
- This is also where all tcpdump results go and where the system dumps can be generated

Troubleshooting: TCP Asymmetry

Healthy flows: Traffic is Bi-directional

- Inbound means FROM the WAN
- Outbound means TOWARD the WAN

[Diagram: Host A and Router A at Atlanta with Silver Peak A; Server J and Router J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks.]

What is TCP Asymmetry? Routing problem

San Jose: Default gateway set to Router J rather than Silver Peak J

[Diagram: Host A and Router A at Atlanta with Silver Peak A; Server J and Router J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks; the TCP SYN and the TCP SYN ACK are marked.]

Asymmetric Flows - Diagnosis: Routing Problem

San Jose: Default gateway set to Router J rather than Silver Peak J

[Diagram, shown in two steps: Host A and Router A at Atlanta with Silver Peak A; Server J and Router J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks.]

What is TCP Asymmetry?


Flow redirection problem: PBR or WCCP
- Packet received via tunnel but routes around the appliance as it leaves the site
- Due to the router not redirecting to the appliance, or due to a complete physical bypass of traffic from the appliance. (Physical bypass may be intentional due to network routing.)
- Can be either a router mode or bridge mode deployment.

[Diagram: Host A and Router A at Atlanta with Silver Peak A; Server J and Router J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks; the TCP SYN and the TCP SYN ACK are marked.]

Router J's WCCP access-list does not contain Host A

Diagnosis: PBR or WCCP misconfiguration

[Diagram: Host A and Router A at Atlanta with Silver Peak A; Server J and Router J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks.]

Router J's WCCP access-list does not contain Host A

What is TCP Asymmetry?


Route Policy error
- Packet comes in the tunnel but leaves as Pass-Through
- Due to route policy misconfiguration.
- Can be either a router mode or bridge mode deployment.
- Can be in either direction of the flow

[Diagram: SP 1 and SP 2 between LAN and WAN; the TCP SYN and the TCP SYN ACK are marked.]

Inconsistent Route Policy Example


Fix: add a route policy to make the server traffic passthrough

- Firewall doesn't see returning SYN/ACK because it's in the tunnel
- Firewall drops ACK packet due to out-of-state
- Even without firewalls, this will be asymmetric

[Diagram: Host A and Firewall A at Atlanta with Silver Peak A; Server J (192.168.3.13) and Firewall J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks; SYN, SYN/ACK and ACK are marked.]

Asymmetric Flows with a Stateful Firewall

San Jose: Default gateway set to Firewall J rather than Silver Peak J

SYN/ACK from Server J is out-of-state and will be dropped by the firewall.

[Diagram: Host A and Firewall A at Atlanta with Silver Peak A; Server J (192.168.3.13) and Firewall J at San Jose with Silver Peak J; TUNNEL between the two Silver Peaks; SYN and SYN/ACK are marked.]

Asymmetric Flow Treatment

Important to note that if a flow is asymmetric, it
- will not receive TCP Acceleration, but
- will continue to receive Network Memory and Network Integrity

This means that a flow
- will get DATA reduction, but
- may not see a TIME reduction.

So if the flow doesn't seem faster, determine if it is symmetrical in both directions.

[Diagram: Asymmetric Flow, with NI, NM and NA labelled]
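
One way to check flows for the handshake condition from the "TCP Acceleration Requires Symmetric flows" slides, working from text output of a packet capture taken at one appliance. This is an added example, not Silver Peak code: the tcpdump-style lines are constructed (only 192.168.3.13, Server J, comes from the slides), and the function and field names are hypothetical.

```python
import re

# tcpdump-style text line: "... IP src.port > dst.port: Flags [S.], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed capture as it might look at Silver Peak J.
CAPTURE = """\
09:00:00.000100 IP 10.10.1.20.51000 > 192.168.3.13.445: Flags [S], seq 1000, length 0
09:00:00.000400 IP 192.168.3.13.445 > 10.10.1.20.51000: Flags [S.], seq 7000, ack 1001, length 0
09:00:00.100500 IP 10.10.1.20.51000 > 192.168.3.13.445: Flags [.], ack 7001, length 0
09:00:01.000100 IP 10.10.1.20.51001 > 192.168.3.13.445: Flags [S], seq 2000, length 0
09:00:01.100500 IP 10.10.1.20.51001 > 192.168.3.13.445: Flags [.], ack 8001, length 0
09:00:01.100900 IP 10.10.1.20.51001 > 192.168.3.13.445: Flags [P.], seq 2001:2101, ack 8001, length 100
09:00:02.000400 IP 192.168.3.13.80 > 10.10.1.21.51002: Flags [S.], seq 9000, ack 3001, length 0
09:00:02.200400 IP 192.168.3.13.80 > 10.10.1.21.51002: Flags [P.], seq 9001:9501, ack 3101, length 500
"""


def classify_flows(capture_text):
    """Group packets into flows and report which handshake segments this
    capture point saw, and what that means for optimization."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src = (m.group(1), int(m.group(2)))
        dst = (m.group(3), int(m.group(4)))
        flags = m.group(5)
        key = tuple(sorted((src, dst)))          # same key for both directions
        state = flows.setdefault(key, {"syn": None, "synack": None, "acks": set()})
        if "S" in flags and "." not in flags:
            state["syn"] = src                   # SYN
        elif "S" in flags:
            state["synack"] = src                # SYN ACK
        elif "." in flags:
            state["acks"].add(src)               # any later ACK-bearing segment
    report = {}
    for (a, b), state in flows.items():
        # The initiator sent the SYN, or is the peer of whoever sent the SYN ACK.
        if state["syn"]:
            initiator = state["syn"]
        elif state["synack"]:
            initiator = a if state["synack"] == b else b
        else:
            initiator = None
        seen = []
        if state["syn"]:
            seen.append("SYN")
        if state["synack"]:
            seen.append("SYN-ACK")
        if initiator in state["acks"]:
            seen.append("ACK")
        full = seen == ["SYN", "SYN-ACK", "ACK"]
        optimizations = ["Network Memory", "Network Integrity"]
        if full:
            optimizations.insert(0, "TCP Acceleration")
        report["%s:%d <-> %s:%d" % (a + b)] = {
            "seen": seen,
            "tcp_acceleration": full,                 # needs the full handshake
            "asymmetric_flag": seen == ["SYN", "ACK"],  # SYN and ACK, no SYN ACK
            "optimizations": optimizations,
        }
    return report


if __name__ == "__main__":
    for flow, verdict in classify_flows(CAPTURE).items():
        print(flow, verdict)
```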

How to Address Asymmetry?


Auto-Optimize
o Only accelerates flows that are already symmetrical TCP flows.

Fix Route Policy errors
o Make sure you aren't unintentionally bypassing or optimizing a flow. Make sure your policies match on both ends.

Design Changes
o Fix routing and switching configuration issues to ensure that the Silver Peak can see both ends of a TCP connection and that there is no bypass.

Flow Redirection
o Redirects flows to the appliance that owns the original flow where there are redundant Silver Peaks at a site and the SYN went through one, and the SYN/ACK went through the other.

Subnet Sharing
o Can help eliminate the need to configure route policies, and related errors

[Diagram: Flow Redirection; labels: mgmt1, LAN, WAN, Data Path]


Tunnel Configuration Issues


Troubleshooting


Common Reasons for Tunnels to Fail

Appliance cannot reach the WAN next hop
Check appliance IP addresses match tunnel configuration
Make sure encapsulation modes match
If using IPSec, check for NAT being performed in the path
Appliance version mismatch
Tunnel bandwidths are not correctly set
o Can result in packet loss if one end is overrun
o Can result in slow performance if it's set too low

NAT can break IPSec tunnels. Newer versions of SP code (7.x+) include automatic NAT traversal, but you need the SP tied to a permanent external address.


Cabling & L2 Issues


Troubleshooting


Interface & Cabling Consistency

If performance is poor, check the interfaces of the appliances for half-duplex
When a bridge mode appliance is in bypass, the appliance acts as a cross-over connection
o Will the LAN-side device talk to the WAN-side device if cabled in that way?
When set to auto-negotiate, the appliance also uses auto-MDIX so cabling issues may not be readily apparent until bypass happens

[Diagram labels: lan0, Relay, wan0, WAN]


Troubleshooting
Routing/Switching Issues


Routing Issues

Appliances should have a known path for both WAN and LAN
o WebUI Configuration->Routes
o CLI > show system nexthops

General routing failures:
o Traffic works when tunnels down but not up
o Possible asymmetric optimization
o If traffic is supposed to be pass-through, check that route policies are not classifying flows improperly


Routing Issues (cont'd)

WCCP
o Active, Designated status or known state
o Service group numbers match
o ip wccp check services all
o Correct IOS version?
o Cisco 3750 SDM template set to desktop routing?
o Double check ACLs - reverse mask
o High CPU utilization?? Check L2 is being used

Policy Based Routing
o Make sure desktop routing configured on Cisco if multiple service groups are configured
o Double check ACLs - reverse mask (0.0.0.255 not 255.255.255.0)

Make sure PBR or WCCP NOT applied to the appliance's interface
Remember: best practice is to have the appliance on a separate VLAN/subnet
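
One way to run the reverse-mask check from this slide over a redirect ACL before applying it. This is an added example, not Silver Peak or Cisco code: the function names and the sample entries are constructed, and it assumes IOS-style `access-list` lines in which each address is followed by a reverse (wildcard) mask.

```python
import ipaddress

def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def classify_mask(mask):
    """Classify a dotted-quad mask as 'wildcard', 'netmask', 'ambiguous' or 'other'."""
    value = int(ipaddress.IPv4Address(mask))
    inverted = value ^ 0xFFFFFFFF
    if value in (0, 0xFFFFFFFF):
        return "ambiguous"     # all-zero and all-one masks are legal in both notations
    if value & (value + 1) == 0:
        return "wildcard"      # ones packed to the right, e.g. 0.0.0.255
    if inverted & (inverted + 1) == 0:
        return "netmask"       # ones packed to the left, e.g. 255.255.255.0
    return "other"             # non-contiguous wildcard: not flagged

def to_wildcard(netmask):
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

def lint_acl(lines):
    """Return (line number, address, mask, suggested reverse mask) per netmask found."""
    findings = []
    for number, line in enumerate(lines, 1):
        tokens, i = line.split(), 0
        while i < len(tokens):
            if tokens[i] == "host":
                i += 2         # "host <address>" carries no mask
            elif i + 1 < len(tokens) and is_ipv4(tokens[i]) and is_ipv4(tokens[i + 1]):
                if classify_mask(tokens[i + 1]) == "netmask":
                    findings.append((number, tokens[i], tokens[i + 1], to_wildcard(tokens[i + 1])))
                i += 2
            else:
                i += 1
    return findings

# Constructed sample entries; the ACL number and most addresses are made up.
SAMPLE_ACL = [
    "access-list 101 permit ip 192.168.3.0 0.0.0.255 any",
    "access-list 101 permit ip 10.1.0.0 255.255.0.0 any",
    "access-list 101 permit tcp host 192.168.3.13 10.2.0.0 255.255.252.0",
    "access-list 101 deny ip any any",
]

if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_ACL):
        print("line %d: %s %s -> use %s" % finding)
```

A netmask typed where a reverse mask belongs is still accepted as a (very different) wildcard, so the ACL loads without error and simply matches the wrong traffic.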


Cisco Discovery Protocol


Troubleshooting


What is CDP?

Cisco Discovery Protocol is a Cisco proprietary protocol
It is used to exchange some basic information between directly connected devices.
It is available on all Cisco manufactured equipment including routers, bridges, and switches.
It is also available on Silver Peak appliances since version 2.2.

CDP for Silver Peak

To verify if CDP is enabled on the Silver Peak appliances (CLI or Broadcast CLI only):
o # show cdp
To enable/disable CDP:
o # config t
o (config)# cdp enable/disable
To show all connected neighboring devices
o # show cdp neighbors
Other commands are:
o # show cdp neighbors detail
o # show cdp traffic
Default is Enabled

Troubleshooting Guide
Troubleshooting


General Approach to troubleshooting

Check current flows
o Look for alerts and asymmetry
o Check Route, Optimization and QoS Map entries a flow matched in the flow detail
o Make sure flows are optimized if they are supposed to be
o Make sure they are not improperly optimized (e.g. NM setting on VOIP or replication traffic) if they are not supposed to be.
o A missing flow might be getting misrouted and not even getting to the Silver Peak, dropped, PTU

Check alarms
o Often alarms contain very helpful information
o Select the appropriate context in Orchestrator

Use your reporting and graphing functions
o Look for things like loss and latency that might be causing an issue

Test Connectivity
o Check L1/L2 issues like cabling, interface speed & duplex
o Use ping -I and traceroute
o Are end devices pointing to the correct next hop?
o Missing LAN side routes?
o Use Iperf and other tools to verify actual bandwidth, latency and loss

General Approach to Troubleshooting (cont'd)

If the problem is with all traffic
Verify operation with in-path appliance in bypass
Verify operation with appliance in pass-thru mode (i.e. tunnels down)
Verify operation with appliance with tunnel(s) up, but all optimization disabled
o Add a catch-all optimization map entry with NM off, Payload off, TCP off, CIFS off
If things come up, turn optimizations back on one at a time.

If the problem is with one application or host(s)
Try disabling optimization for just those devices with an optimization or route map entry.
This is less disruptive for your users that are up and working OK.

The Optimization On/Off switch disables NM, TCP acc, LZ, IP header, packet coalescing, POC & FEC. Shaper is not disabled

You can always contact Silver Peak Support



Getting Help
Troubleshooting


Use (free) Online Documentation


http://www.silver-peak.com/support/user-documentation

Manuals
MIBs
Quickstart Guides
Tech Tips
System Requirements
etc


Silver Peak Support Portal

Access SW downloads, Case management, Licenses, RMA and the Knowledge Base
o Login required


Global Support Numbers


To open a case online


Tips to Resolve Support cases

Make sure CPX is registered and has valid license.
Make sure CPX can talk to Silver Peak Cloud Portal (Internet access) on management interface
If Auto-registration is not enabled then Provider has to access his/her Cloud Portal account and manually approve CPX registration.
When debugging issues, make sure you're accessing the correct instance of CPX, e.g. many CPX instances per customer in their network
Once above issues are resolved, troubleshooting technical issues is similar to VX, EC or EC-V as CPX uses VXOA


Silver Peak Training Resources


https://www.silver-peak.com/training
Silver Peak Optimization Professional (SPOP)
o Recommended training:
Deploying WAN-Opt Technologies (DWT) 3-day course
Silver Peak Optimization eXpert (SPOX)
o Recommended training:
Advanced Optimization Deployments (AOD) 1 day course (after DWT)

All Silver Peak training is online and available for FREE!



Thank You!
Chris Rogers
Director of Training Services
crogers@silver-peak.com
@silverpeakchris