Riverbed wins 7-vendor WAN optimization test

Challengers Ipanema and Exinda score high marks for innovation

  • Ipanema ip|engine came out on top, with a very sophisticated global application management system.
  • On the other hand, Cisco WAVE engines have no built-in traffic management features. Cisco ISR-integrated optimization, though, gains all of IOS traffic management capabilities.
  • Network managers who think that traffic management is important will want to focus on Exinda x800-series, Ipanema ip|engine, and Riverbed Steelhead as the products with the most sophisticated feature sets.  

Ipanema ip|engine offers the most innovative traffic management portfolio of any product we tested. Ipanema’s ip|engine technology offers global traffic management through its Salsa management tool.

In a network which is a pure star, such as branch offices clustered around a single data center, traffic management is easy because the network is really a series of point-to-point lines, all of which can be controlled on both ends.

But in a modern network with multiple data centers, support centers, cloud-based communications, and branch-to-branch flows, the virtual point-to-point circuits disappear. Instead, each site may be communicating with multiple other sites, with potential for congestion and unhappy users. 

Traffic management in this environment gets very difficult without some sort of global view of traffic flows on a moment-by-moment basis. 

Ipanema’s ip|engines are in constant communication with each other and can apply global traffic management when multiple sites, for example, threaten to overpower a single branch office with limited bandwidth. Ipanema’s ip|engine technology really works, but it’s not perfect.

We saw multiple Ipanema ip|engine devices coordinate traffic flows and provide coordinated traffic management across diverse sites. However, we also saw some anomalies pointing to a few bugs to be worked out. For example, we had locked a particular streaming application down to 256kbps, but saw our Ipanema ip|engines let through 50% more traffic for long periods of time. Our Ipanema support team initially blamed this on a lack of global device synchronization, but Ipanema later told us that synchronization was not required -- which left us more in the dark about the inaccurate traffic management behavior.

Network managers also need to be aware that Ipanema ip|engine only supports a very rigid network architecture and traffic management model. When defining global traffic flows, Salsa manages bandwidth on an application basis, not on a per-site basis. Thus, you can say “video conferencing gets a guarantee of 512K per call” or “Citrix XenDesktop gets a guarantee of 64K per session” but there is no easy way to say how many video calls or Citrix XenDesktop sessions can be going in or out of a particular site or what percentage of a site’s bandwidth can be taken up by a particular application. 

We think that some network managers will find Ipanema’s ip|engine traffic management technologies the answer to their dreams. However, Ipanema’s model of networking and traffic management doesn’t have room for negotiation -- either your network and traffic model looks like Ipanema wants, or they won’t be able to solve your traffic management and application assurance problems. 

For the other six products, we verified correct operation of outbound and inbound traffic management on a site-to-site basis (since no other product included Ipanema’s global traffic view). We based all testing on a typical WAN traffic policy. All of the products we tested passed these tests, subject to differences in what each product could support. In some cases, we had to vary our policy slightly. For example, our test policy called for policing of recreational Internet usage, but not every product could identify applications such as BitTorrent and differentiate them from non-recreational Internet usage.

Riverbed’s Steelhead and Exinda’s x800 appliances showed sophisticated traffic management capabilities that made us rank them below Ipanema, but above the rest. 

One key feature that stood out with both products was layer 7 application identification: the ability to apply traffic management rules based on the application being used and not just a simple tuple of IP address and port number.

Exinda’s heritage is as a traffic management company, which made it natural that it would excel in this part of our test. For example, the Exinda x800 can apply both per-site and per-host traffic management rules, giving the network manager the opportunity to provide some “fairness” in sites where heavy streaming usage -- or someone downloading the 1Gb iOS7 upgrade -- can impact business traffic on Internet links.  

With Exinda x800 per-host “dynamic virtual circuits,” hosts (specified by subnet, VLAN or other qualifiers) can be given a chunk of bandwidth to share fairly, on top of other per-site, per-subnet or per-application limitations. Our testing found this to work properly, with one exception: traffic management and Exinda’s Internet web cache feature don’t mix, something Exinda told us they would fix in a future version of the product.  

Both Exinda x800 and Riverbed Steelhead have inbound and outbound traffic management capabilities, although the Steelhead is strangely asymmetric in its configuration. Riverbed recently added a nice hierarchical model for traffic management, but this was only extended to outbound traffic. Exinda x800 has the same hierarchical model in both directions.  

We also preferred Exinda’s x800 traffic management for a host of smaller features not in Riverbed Steelhead, but which could be very helpful in defining a corporate network policy. For example, the Exinda x800 has time-of-day rules for traffic management and the ability to express bandwidth both in percentages and in absolute values. 

The Exinda x800 also has a feature that higher education network managers will appreciate: users who exceed a certain quota of traffic over some time period can be sent to a temporary “jail” that limits the amount of bandwidth they can use. Riverbed’s Steelhead doesn’t have any of these capabilities.

While Blue Coat Mach5, Citrix’s CloudBridge 2000 and Silver Peak’s VX-series all had traffic management features, they brought a less capable set of tools. For example, the Citrix CloudBridge 2000 has a sophisticated way to prioritize and police applications, but doesn’t let you guarantee a particular bandwidth slice to any application.

WAVE not WAAS

Cisco deserves special mention here. When we started testing, Cisco only had its standalone WAVE appliances, devices that had sophisticated WAN de-duplication and compression features, but no way to perform any type of traffic management. 

Midway through our test, Cisco released a new mid-sized router in its ISR family, the 4451-X. This new hardware includes IOS-XE and the capability to run internal virtual machines, including the Cisco Wide Area Application Services (WAAS) engine. At the same time, Cisco introduced a new licensing variation in the ISR family called “AX” (for “Application Experience”), which includes four options bundled together: WAAS, Application Visibility and Control, Security and the normal Data license. This new license, combined with some automatic configuration wizards on the 4451-X, drastically simplifies the process of adding network optimization features to the 4451-X ISR platform. 

So, we decided to focus on the IOS-integrated WAAS offering rather than Cisco’s standalone WAVE devices. Network managers considering Cisco for network optimization need to be careful not to confuse the Cisco standalone options, which have been the flagship of its WAN acceleration offering, with the new bundled ISR devices. Standalone WAVE still has its place in certain environments, but most network managers should aim for the IOS-integrated appliances for both features and cost-effective deployment.

We based our testing of Cisco’s acceleration performance on the standalone WAVE appliances, which should behave the same as the new integrated WAAS systems, since they are running identical software. Standalone Cisco WAVE devices have absolutely no traffic management capabilities and very limited visibility features.

IOS and IOS-XE both have a comprehensive set of traffic management tools, which puts Cisco roughly in the same ranking in our testing as Blue Coat Mach5, Citrix CloudBridge, and Silver Peak VX-series. However, Cisco IOS also has application identification features (NBAR) that can be combined with traffic management to go beyond this baseline. 

On the other hand, using NBAR to affect traffic management with a WAAS engine in the middle results in an unholy mess of unmaintainable configurations. While the CCIEs out there may be able to handle such a thing, we feel that IOS or IOS-XE combined with the WAAS engine doesn’t deliver a long-term best choice for traffic management.

VISIBILITY: Exinda, Riverbed excel

When dealing with hundreds or thousands of branch offices, the ability to drill down quickly and diagnose network and application problems is a major competitive edge. Visibility helps in other ways besides problem solving -- capacity planning, trend analysis, and usage tracking are all improved by good visibility.

Since a network optimization device sees WAN traffic before it gets VPNed and NATed by firewalls, this is a great place to get visibility on traffic leaving the branch office into the corporate network or to the Internet. 

Our testing focused on evaluating the capabilities of products for both short-term and long-term traffic analysis. We found that Riverbed Steelhead and Exinda x800 offered the strongest and broadest visibility feature set -- although getting the full value out of Riverbed Steelhead also means budgeting for the Riverbed Cascade analysis tool.

Next in line were Ipanema ip|engine and Silver Peak VX-series, with Blue Coat Mach5, Citrix CloudBridge, and Cisco WAAS bringing up the rear.

SHORT-TERM ANALYSIS: Exinda, Ipanema offer richest context

We started out by asking the question: “Who is doing what on my network right now?” We found all the products to be similar. All give an overview of network performance, including compression, and have the option to see currently open connections. Some even give you a drill-down -- Cisco WAAS will tell you, for example, everything you ever wanted to know about an open connection. That’s great for debugging the network optimization tools. The biggest difference between devices at this level was their ability to use application identification technology to add more context: only Ipanema ip|engine and Exinda x800-series provided this type of information.  (Riverbed will be adding its application identification information to flow data starting with the next version, 8.5, of the Steelhead operating system RiOS.)

With Blue Coat Mach5, Cisco WAAS, Citrix CloudBridge and Ipanema ip|engine, your per-site information essentially stops there, and there’s no real information about past sessions stored on their appliances. 

Silver Peak VX-series, Riverbed Steelhead and Exinda x800-series all go further, providing flow history data on the device that lets you pivot through different views, such as by IP address, application group, and application. Exinda x800-series adds a bonus: mapping user names to IP addresses through a Windows Active Directory Domain Controller connector, which enables reporting and traffic management based on user name as well as IP address. Of course, there are scalability issues with this approach, but in a branch office with a single Windows Domain and a single network optimization box, it all works rather well.

Our testing of on-box traffic information focused on short-term flow and traffic information. For long-term traffic data, we went looking for other solutions.

LONG-TERM ANALYSIS: It’s Riverbed, Blue Coat and Silver Peak

We believe that on-site appliances shouldn’t be asked to be long-term repositories of information for two reasons: performance impact on the end device and lack of global view from a single station. The performance requirements to handle storage and analysis of traffic can be tricky and asking a device sitting in-line in the branch to store more than a month of data isn’t a great idea. 

A global view is also a critical reason to look at long-term reporting. Any one appliance can tell you a lot about what happened at that site, but when a network or application manager is hunting problems with a larger scope, or is looking at trend information across the whole network, a larger view is important. The problem is compounded at the data center end, where multiple devices may be present in multiple data centers and need aggregation. 

The obvious solution for exporting flow, traffic, and optimization data over the long term is to use a standard such as NetFlow v9 (or the IETF replacement, IPFIX). When we started this test, we assumed we’d get 100% coverage, but we were surprised: Blue Coat Mach5, Citrix CloudBridge, and Ipanema ip|engine don’t go there yet -- Blue Coat told us they were adding the capability, and Citrix said they would get equivalent functionality through a partnership with Splunk. 

Cisco’s standalone WAVE systems -- from the company that invented NetFlow -- don’t do NetFlow either, but the WAAS integrated into IOS can export NetFlow based on IOS’ capabilities.

Riverbed Steelhead, Exinda x800-series, and Silver Peak VX-series all export NetFlow. However, network managers have to be careful here: just because the optimization information is sent out in NetFlow doesn’t mean that every NetFlow collector and analyzer can do anything with it. Riverbed clearly understood that problem when it bought Mazu Networks in 2009 and re-launched Mazu’s analysis tool as Riverbed Cascade, giving Riverbed a top-notch analysis tool with extensive application analytics.
