SteelHead™ Deployment Guide
Welcome
About this guide
Audience
Types of SteelHeads
Document conventions
Documentation and release notes
Contacting Riverbed
What’s new
Optimization Techniques and Design Fundamentals
How SteelHeads optimize data
Data streamlining
Scalable data referencing
Bidirectional synchronized RiOS data store
Unified RiOS data store
Transport streamlining
Overview of transport streamlining
Connection pooling
TCP automatic detection
SteelCentral Controller for SteelHead Mobile TCP transport modes
Tuning SteelHeads for high-latency links
TCP algorithm selection
WAN buffers
Application streamlining
Management streamlining
RiOS data store synchronization
RiOS data store synchronization requirements
RiOS data store error alarms
Choosing the right SteelHead model
Deployment modes for the SteelHead
Autodiscovery protocol
Original autodiscovery process
Configuring enhanced autodiscovery
Autodiscovery and firewall considerations
Removal of the Riverbed TCP option probe
Stateful firewall device in a multiple in-path environment
Multiple in-path discovery behavior
Controlling optimization
In-path rules
Default in-path rules
Peering rules
Kickoff and automatic kickoff features
Controlling optimization configuration examples
Configuring high-bandwidth, low-latency environment
Configuring pass-through transit traffic
Fixed-target in-path rules
Configuring a fixed-target in-path rule for an in-path deployment
Fixed-target in-path rule for an out-of-path deployment
Best practices for SteelHead deployments
Network Integration Tools
Redundancy and clustering
Physical in-path deployments
Virtual in-path deployments
Out-of-path deployments
Fail-to-wire and fail-to-block
Overview of link state propagation
Connection forwarding
Configuring connection forwarding
Multiple-interface support within connection forwarding
Failure handling within connection forwarding
Connection-forwarding neighbor latency
Overview of simplified routing
WAN Visibility Modes
Overview of WAN visibility
Correct addressing
Transparent addressing
Port transparency
Full address transparency
Overview of full address transparency
Configuring VLANs and full address transparency
Full address transparency with forward reset
Implications of transparent addressing
Stateful systems
Network design issues
Network asymmetry
Misrouting optimized traffic
Firewalls located between SteelHeads
Integration into networks using NAT
NAT deployment using enhanced autodiscovery and full transparency
NAT deployment using fixed-target rules
NAT deployment using correct and port transparency addressing modes
Client-side source NAT using enhanced autodiscovery and full transparency
Failed client-side source NAT deployment using enhanced autodiscovery and correct addressing
Dual NAT deployment using enhanced autodiscovery and full transparency
Failed dual NAT deployment using enhanced autodiscovery and correct addressing
Out-of-band connection
Overview of OOB connections and addressing modes
Configuring OOB connection destination transparency
Configuring OOB connection full transparency
Configuring WAN visibility modes
Topology
Introduction to the topology concept
Defining a network
Defining a site
Configuring the local site
Configuring the default site
Application Definitions
Applications
Defining an application
Application properties
Application Flow Engine
Overview of the Application Flow Engine
AFE and Microsoft Lync 2010 and 2013
Creating host labels
Creating port labels
Creating domain labels
QoS configuration and integration
Overview of Riverbed QoS
QoS concepts
Overview of QoS concepts
QoS rules
QoS classes
Class hierarchy
Per-class parameters
QoS class latency priorities
QoS queue types
QoS queue depth
MX-TCP
QoS profiles
Configuring QoS
QoS configuration workflow
Enabling QoS
QoS default classes
Inbound QoS
Introduction to inbound QoS
Assigning an inbound QoS profile to a site
LAN bypass
QoS for IPv6
QoS in virtual in-path and out-of-path deployments
QoS in multiple SteelHead deployments
QoS and multiple WAN interfaces
Integrating SteelHeads into existing QoS architectures
WAN-side traffic characteristics and QoS
QoS integration techniques
QoS policy differentiating voice versus nonvoice traffic
SteelHead honoring premarked LAN-side traffic
SteelHead remarking traffic from the LAN side
SteelHead enforcing the QoS policy
QoS marking
QoS marking for SteelHead control traffic
QoS marking default setting
QoS marking design considerations
QoS enforcement best practices
Upgrading to RiOS 9.0
Guidelines for the maximum number of QoS classes, sites, and rules
QoS Configuration Examples
Configuring QoS using best practices
Example QoS scenario
Configuring QoS on the data center SteelHead
Configuring applications
Creating QoS profiles
Configuring topology
Enabling QoS on the SteelHead
Configuring QoS marking on SteelHeads
Configuring QoS and MX-TCP
Path Selection
Overview of path selection
Path selection implementation
Path selection workflow
Example of a path selection implementation
Identifying traffic flow candidates
Configuring path selection
Valid path selection deployment design examples
Basic multiple route path deployment
Complex parallel path deployment
Complex single in-path interface deployment
Serial deployment
Firewall path traversal deployment
MTU and MSS adjustment when using firewall path traversal
Firewall path traversal deployment example
Path selection and virtual in-path deployment
Design validation
Design considerations
Physical in-path deployments
Overview of in-path deployment
Logical in-path interface
In-path IP address selection
In-path default gateway and routing
Failure modes
Fail-to-wire mode
Fail-to-block mode
Configuring failure modes
Configuring link state propagation
EtherChannel
Cabling and duplex
Choosing the correct cables
Duplex configuration
Troubleshooting cable and duplex issues
Physical in-path deployment configuration examples
Configuring a basic physical in-path deployment
Configuring a physical in-path with dual links deployment
Configuring a serial cluster deployment with multiple links
In-path redundancy and clustering examples
Primary and backup deployments
Configuring a primary and backup deployment
Adjusting the timers for faster primary and backup failover
Serial cluster deployments
Serial cluster rules
Configuring a basic serial cluster deployment
Configuring faster peer failure detection
Configuring simplified routing
Multiple WAN router deployments
Configuring multiple WAN router deployments without connection forwarding
Configuring a single SteelHead and single Layer-2 switch deployment
Configuring a single SteelHead and dual Layer-2 switches deployment
Configuring a single SteelHead and single Layer-3 switch deployment
Configuring a single SteelHead and dual Layer-3 switches deployment
Configuring multiple WAN router deployments with connection forwarding
Configuring basic connection forwarding
Configuring connection forwarding with allow-failure and fail-to-block
Configuring a dual SteelHead and dual Layer-2 switches deployment
Configuring a dual SteelHead and dual Layer-3 switches deployment
Configuring a dual SteelHead with multiple in-path deployment
802.1Q trunk deployments
Overview of VLAN trunk
Configuring a SteelHead on an 802.1Q trunk link
Capturing network traces using tcpdump
Layer-2 WAN deployments
Layer-2 WANs
Broadcast Layer-2 WANs
VLAN bridging deployments
Overview of VLAN bridging deployment
VLAN bridging considerations
VLAN bridging variations
Layer-2 VLAN bridging
Layer-3 VLAN bridging
Multiple VLAN bridging with VLAN mapping
Virtual In-Path Deployments
Overview of virtual in-path deployment
Configuring an in-path, load-balanced, Layer-4 switch deployment
Configuring flow data exports in virtual in-path deployments
WCCP Virtual In-Path Deployments
Overview of WCCP
WCCP fundamentals
Service groups
Assignment methods
Hash assignment
Mask assignment
Choosing an assignment method
Redirection and return methods
WCCP return router determination
Best practices for determining a redirection and return method
WCCP clustering and failover
Multiple in-path WCCP
Advantages and disadvantages of WCCP
Configuring WCCP
Basic steps for configuring WCCP
Configuring a simple WCCP deployment
Adding a SteelHead to an existing WCCP deployment
Configuring a WCCP high availability deployment
Single SteelHead with interface high availability
Dual WCCP SteelHeads and interfaces with high availability
Configuring a basic WCCP router
Configuring additional WCCP features
Specifying the service group password
Configuring multicast groups
Configuring group lists to limit service group members
Configuring access control lists
Using access control lists for specific traffic redirection
Cisco access control list command parameters
Using access control lists with WCCP
Configuring load balancing in WCCP
Configuring load balancing using the hash assignment method
Configuring load balancing using the mask assignment method
Using the weight parameter
Flow data in WCCP
Verifying and troubleshooting WCCP configurations
Policy-Based Routing Virtual In-Path Deployments
Overview of PBR
PBR failover and Cisco Discovery Protocol
Alternate PBR failover mechanisms
Connecting the SteelHead in a PBR deployment
Configuring PBR
Overview of configuring PBR
Configuring a SteelHead to directly connect to the router
Configuring a SteelHead to connect to a Layer-2 switch
Configuring a SteelHead to connect to a Layer-3 switch
Configuring a SteelHead with object tracking
Configuring a SteelHead with multiple PBR interfaces
Configuring multiple SteelHeads to connect to multiple routers
Configuring PBR for load balancing WAN circuits
Configuring local PBR for ICMP redirection in a mixed MTU environment
Exporting flow data and virtual in-path deployments
IPv6
Overview of IPv6
RiOS RFC compliance and feature compatibility
Features not supported with IPv6
IPv6 addressing
Traffic interception
In-path rules
Deployment options
Configuring an in-path SteelHead IPv6 deployment
Configuring a SteelHead serial cluster IPv6 deployment
Configuring a connection forwarding and SteelHead IPv6 deployment
Configuring a virtual in-path SteelHead IPv6 deployment
Configuring a fixed-target rule SteelHead IPv6 deployment
Protocol support
Verification and troubleshooting
Packet Mode Optimization
Overview of packet mode optimization
Comparison with TCP proxy mode optimization
Configuring packet mode optimization
Design considerations
Best practices for packet mode optimization
Satellite Optimization
Overview of satellite networks
Impact of latency
Impact of loss
Satellite transport options
Overview of SCPS
SCPS benefits
Common uses for SCPS
SCPS and SteelHeads
TCP optimization for satellite environments
SCPS discovery
Transport optimization for satellite environments
Bandwidth estimation
Configuring error recovery
SCPS per connection
SCPS error tolerance
Rate pacing
SCPS single-ended rules
SCPS compression
Configuring automatic detect TCP optimization
Integrating the SteelHead with existing satellite modem TCP acceleration
Licensing SCPS on a SteelHead
Configuring satellite optimization features
Configuring transport optimization
Configuring rate pacing
Configuring single-ended connection rule table settings
Configuring single-ended rules
Verification and troubleshooting
Analyzing connection optimization information
Using the SteelHead Management Console to investigate connection details
Using the Riverbed command-line interface to investigate connection details
Analyzing packets for discovery probe stripping
Understanding the health of the satellite signal
Potential underperformance due to a short bottleneck buffer
Potential performance impact of loss at the start of flow
Variance in SCPS performance
VPN Routing and Forwarding
NSV with VRF Select
Virtual routing and forwarding
NSV with VRF Select
IOS requirements
Prerequisites for NSV
Example NSV network deployment
Configuring NSV
Basic steps for configuring NSV
Configuring the data center router
Configuring the PBR route map
Decoupling VRF from the subinterface to implement NSV
Configuring static routes
Configuring the branch office router
Configuring the data center SteelHead
Configuring the branch office SteelHead
VRF-aware WCCP
VRF-aware WCCP design examples
XYZ Data Services design study (Nexus 7000/NX-OS example)
IJK Enterprise design study (ASR 1000/IOS-XE example)
ABC Retail design study (ISR/IOS example)
VRF-aware WCCP best practices
Out-of-Path Deployments
Overview of out-of-path deployment
Limitations of out-of-path deployments
Configuring out-of-path deployments
Data Protection Deployments
Overview of data protection
Planning for a data protection deployment
LAN-side throughput and data reduction requirements
Configuring a nightly full database backup
Configuring a daily file server replication
Configuring a very large nightly incremental backup
Predeployment questionnaire
Configuring SteelHeads for data protection
Adaptive data streamlining feature settings
CPU settings
Compression level
Adaptive compression
Multicore balancing
Best practices for data streamlining and compression
MX-TCP settings
SteelHead WAN buffer settings
Router WAN buffer settings
Common data protection deployments
Remote office, branch office backups
Network attached storage replication
Storage area network replication
Designing for scalability and high availability
Overview of N+M architecture
Using MX-TCP in N+M deployments
Interceptor and N+M active and backup deployment
Interceptor and pass-through connection blocking rules
Enhanced visibility and control for SnapMirror
Troubleshooting and fine-tuning
Third-party interoperability
Storage Area Network Replication
Overview of SAN replication
Storage optimization modules
FCIP optimization module
Configuring base FCIP module
Configuring FCIP module rules
SRDF optimization module
Configuring the base SRDF module
Detecting Symmetrix VMAX microcode
Configuring SRDF module rules
Configuring SRDF selective optimization
Viewing SRDF reports
Best practices for SAN replication using TCP/IP
Best practices for SAN replication using Cisco MDS FCIP
FCIP profiles
FCIP tunnels
Configuring a Cisco MDS FCIP deployment
Best practices for RiOS 5.5.3 and later with Cisco MDS FCIP configuration
Authentication, Security, Operations, and Monitoring
Overview of secure transport
Overview of authentication
Authentication features
Configuring a RADIUS server
Configuring a RADIUS server with FreeRADIUS
Configuring RADIUS authentication in the SteelHead
Configuring RADIUS CHAP authentication
Configuring a TACACS+ server
Configuring TACACS+ with Cisco Secure Access Control Servers
Configuring TACACS+ authentication in the SteelHead
Securing SteelHeads
Overview of securing SteelHeads
Best practices for securing access to SteelHeads
Best practices for enabling SteelHead security features
Best practices for policy controls
Best practices for security monitoring
Configuring SSL certificates for web user interface
REST API access
Capacity planning
Model characteristics
TCP connections
WAN capacity limits
RiOS data store size
Disk performance
Admission control
Connection limits
Overview of exporting flow data
SNMP monitoring
Configuring SNMPv3 authentication and privacy
Troubleshooting SteelHead Deployment Problems
Common deployment issues
Duplex mismatches
Solution: Manually set matching speed and duplex
Solution: Use an intermediary switch
Network asymmetry
Solution: Use connection forwarding
Solution: Use virtual in-path deployment
Solution: Deploy a four-port SteelHead
Unknown (or unwanted) SteelHead appears on the current connections list
Outdated antivirus software
Solution: Upgrade antivirus software
Packet ricochets
Solution: Add in-path routes
Solution: Use simplified routing
Router CPU spikes after WCCP configuration
Solution: Use mask assignment instead of hash assignment
Solution: Check internetwork operating system compatibility
Solution: Use inbound redirection
Solution: Use inbound redirection with fixed-target rules
Solution: Use inbound redirection with fixed-target rules and redirect list
Solution: Base redirection on ports rather than ACLs
Solution: Use PBR
Server Message Block signed sessions
Solution: Fully optimize SMB-signed traffic
Solution: Enable secure-CIFS
Solution: Disable SMB signing with Active Directory
Unavailable opportunistic locks
Solution: None needed
Underutilized fat pipes
Solution: Enable high-speed TCP
MTU sizing
MTU issues
Determining MTU size in deployments
Connection-forwarding MTU considerations
SteelHead and AppResponse Integration
Overview of SteelHead and AppResponse integration
AppResponse and SteelHead deployment scenarios
Data center deployment
Cloud deployment
SteelCentral Controller for SteelHead Mobile Deployments
Overview of SteelCentral Controller for SteelHead Mobile deployment
Basic setup for deploying Mobile Controller
Mobile Controller with VPN deployments
Mobile Controller with firewall deployments
Branch office and remote access deployments
Multiple Mobile Controller deployments
Overview of multiple Mobile Controller deployments
Mobile Controller concurrent user limits
Configuring multiple Mobile Controllers for redundancy
Preparing to join Mobile Controllers in a high-availability cluster
Sizing considerations in a high-availability cluster
Endpoint license pooling
General process for pooled license distribution
License thresholds
Pooled license counts during cluster member failure
Communication between HA cluster members
Ports used with Mobile Controllers and SteelHead Mobiles
Interaction between Mobile Controllers and SteelHead Mobile clients
Location awareness
Overview of location awareness
Branch warming
Branch warming and SteelHead Mobile licenses
Branch warming and enhanced autodiscovery
SSL with SteelCentral Controller for SteelHead Mobile
Traditional SSL optimization
Advanced high-security SSL optimization
Configuring SteelCentral Controller for SteelHead Mobile and SSL
Using SteelHead Mobile with SSL proxy devices
Supported TLS versions with SteelHead Mobile
Multiple Mobile Controllers and SSL
Mobile Controller best practices and other considerations
Deployment scenarios
Management best practices
Migrating Mobile Controller hardware
Licensing best practices
Antivirus software
Signed SMB support
SSL client authentication support
SMC and Federal Information Processing Standard (FIPS)
Optimization before user login