• SteelHead™ Deployment Guide
•  Welcome
  •  About this guide
    • Audience
    • Types of SteelHeads
    • Document conventions
  • Documentation and release notes
  • Contacting Riverbed
  • What’s new
•  Optimization Techniques and Design Fundamentals
  •  How SteelHeads optimize data
    •  Data streamlining
      • Scalable data referencing
      • Bidirectional synchronized RiOS data store
      • Unified RiOS data store
    •  Transport streamlining
      • Overview of transport streamlining
      • Connection pooling
      • TCP automatic detection
      • SteelCentral Controller for SteelHead Mobile TCP transport modes
      • Tuning SteelHeads for high-latency links
      • TCP algorithm selection
      • WAN buffers
    • Application streamlining
    • Management streamlining
  •  RiOS data store synchronization
    • RiOS data store synchronization requirements
    • RiOS data store error alarms
  • Choosing the right SteelHead model
  • Deployment modes for the SteelHead
  •  Autodiscovery protocol
    • Original autodiscovery process
    • Configuring enhanced autodiscovery
  •  Autodiscovery and firewall considerations
    • Removal of the Riverbed TCP option probe
    • Stateful firewall device in a multiple in-path environment
  • Multiple in-path discovery behavior
  •  Controlling optimization
    • In-path rules
    • Default in-path rules
    • Peering rules
    • Kickoff and automatic kickoff features
  •  Controlling optimization configuration examples
    • Configuring high-bandwidth, low-latency environment
    • Configuring pass-through transit traffic
  •  Fixed-target in-path rules
    • Configuring a fixed-target in-path rule for an in-path deployment
    • Fixed-target in-path rule for an out-of-path deployment
  • Best practices for SteelHead deployments
•  Network Integration Tools
  •  Redundancy and clustering
    • Physical in-path deployments
    • Virtual in-path deployments
    • Out-of-path deployments
  • Fail-to-wire and fail-to-block
  • Overview of link state propagation
  •  Connection forwarding
    • Configuring connection forwarding
    • Multiple-interface support within connection forwarding
    • Failure handling within connection forwarding
    • Connection-forwarding neighbor latency
  • Overview of simplified routing
•  WAN Visibility Modes
  • Overview of WAN visibility
  • Correct addressing
  •  Transparent addressing
    • Port transparency
    •  Full address transparency
      • Overview of Full address transparency
      • Configuring VLANs and full address transparency
    • Full address transparency with forward reset
  •  Implications of transparent addressing
    • Stateful systems
    •  Network design issues
      • Network asymmetry
      • Misrouting optimized traffic
      • Firewalls located between SteelHeads
    •  Integration into networks using NAT
      • NAT deployment using enhanced autodiscovery and full transparency
      • NAT deployment using fixed-target rules
      • NAT deployment using correct and port transparency addressing modes
      • Client-side source NAT using enhanced autodiscovery and full transparency
      • Failed client-side source NAT deployment using enhanced autodiscovery and correct addressing
      • Dual NAT deployment using enhanced autodiscovery and full transparency
      • Failed dual NAT deployment using enhanced autodiscovery and correct addressing
  •  Out-of-band connection
    • Overview of OOB connections and addressing modes
    • Configuring OOB connection destination transparency
    • Configuring OOB connection full transparency
  • Configuring WAN visibility modes
•  Topology
  • Introduction to the topology concept
  • Defining a network
  •  Defining a site
    • Configuring the local site
    • Configuring the default site
•  Application Definitions
  •  Applications
    • Defining an application
    • Application properties
  •  Application Flow Engine
    • Overview of the Application Flow Engine
    • AFE and Microsoft Lync 2010 and 2013
  • Creating host labels
  • Creating port labels
  • Creating domain labels
•  QoS configuration and integration
  • Overview of Riverbed QoS
  •  QoS concepts
    • Overview of QoS concepts
    • QoS rules
    •  QoS classes
      • Class hierarchy
      • Per-class parameters
      • QoS class latency priorities
      • QoS queue types
      • QoS queue depth
      • MX-TCP
    • QoS profiles
  •  Configuring QoS
    • QoS configuration workflow
    • Enabling QoS
    • QoS default classes
  •  Inbound QoS
    • Introduction to inbound QoS
    • Assigning an inbound QoS profile to a site
  • LAN bypass
  • QoS for IPv6
  • QoS in virtual in-path and out-of-path deployments
  • QoS in multiple SteelHead deployments
  • QoS and multiple WAN interfaces
  •  Integrating SteelHeads into existing QoS architectures
    • WAN-side traffic characteristics and QoS
    •  QoS integration techniques
      • QoS policy differentiating voice versus nonvoice traffic
      • SteelHead honoring premarked LAN-side traffic
      • SteelHead remarking traffic from the LAN side
      • SteelHead enforcing the QoS policy
    •  QoS marking
      • QoS marking for SteelHead control traffic
      • QoS marking default setting
      • QoS marking design considerations
  • QoS enforcement best practices
  • Upgrading to RiOS 9.0
  • Guidelines for the maximum number of QoS classes, sites, and rules
•  QoS Configuration Examples
  •  Configuring QoS using best practices
    • Example QoS scenario
    • Configuring QoS on the data center SteelHead
    • Configuring applications
    • Creating QoS profiles
    • Configuring topology
    • Enabling QoS on the SteelHead
  • Configuring QoS marking on SteelHeads
  • Configuring QoS and MX-TCP
•  Path Selection
  • Overview of path selection
  •  Path selection implementation
    • Path selection workflow
    • Example of a path selection implementation
    • Identifying traffic flow candidates
  • Configuring path selection
  •  Valid path selection deployment design examples
    • Basic multiple route path deployment
    • Complex parallel path deployment
    • Complex single in-path interface deployment
    • Serial deployment
    •  Firewall path traversal deployment
      • MTU and MSS adjustment when using firewall path traversal
      • Firewall path traversal deployment example
  • Path selection and virtual in-path deployment
  • Design validation
  • Design considerations
•  Physical in-path deployments
  • Overview of in-path deployment
  •  Logical in-path interface
    • In-path IP address selection
    • In-path default gateway and routing
  •  Failure modes
    • Fail-to-wire mode
    • Fail-to-block mode
    • Configuring failure modes
  • Configuring link state propagation
  • EtherChannel
  •  Cabling and duplex
    • Choosing the correct cables
    • Duplex configuration
    • Troubleshooting cable and duplex issues
  •  Physical in-path deployment configuration examples
    • Configuring a basic physical in-path deployment
    • Configuring a physical in-path with dual links deployment
    • Configuring a serial cluster deployment with multiple links
  •  In-path redundancy and clustering examples
    •  Primary and backup deployments
      • Configuring a primary and backup deployment
      • Adjusting the timers for faster primary and backup failover
    •  Serial cluster deployments
      • Serial cluster rules
      • Configuring a basic serial cluster deployment
      • Configuring faster peer failure detection
  • Configuring simplified routing
  •  Multiple WAN router deployments
    •  Configuring multiple WAN router deployments without connection forwarding
      • Configuring a single SteelHead and single Layer-2 switch deployment
      • Configuring a single SteelHead and dual Layer-2 switches deployment
      • Configuring a single SteelHead and single Layer-3 switch deployment
      • Configuring single SteelHead and dual Layer-3 switches deployment
    •  Configuring multiple WAN router deployments with connection forwarding
      • Configuring basic connection forwarding
      • Configuring connection forwarding with allow-failure and fail-to-block
      • Configuring a dual SteelHead and dual Layer-2 switches deployment
      • Configuring a dual SteelHead and dual Layer-3 switches deployment
      • Configuring a dual SteelHead with multiple in-path deployment
  •  802.1Q trunk deployments
    • Overview of VLAN trunk
    • Configuring a SteelHead on an 802.1Q trunk link
    • Capturing network traces using tcpdump
  •  Layer-2 WAN deployments
    • Layer-2 WANs
    • Broadcast Layer-2 WANs
  •  VLAN bridging deployments
    • Overview of VLAN bridging deployment
    • VLAN bridging considerations
    •  VLAN bridging variations
      • Layer-2 VLAN bridging
      • Layer-3 VLAN bridging
      • Multiple VLAN bridging with VLAN mapping
•  Virtual In-Path Deployments
  • Overview of virtual in-path deployment
  • Configuring an in-path, load-balanced, Layer-4 switch deployment
  • Configuring flow data exports in virtual in-path deployments
•  WCCP Virtual In-Path Deployments
  • Overview of WCCP
  •  WCCP fundamentals
    • Service groups
    •  Assignment methods
      • Hash assignment
      • Mask assignment
      • Choosing an assignment method
    •  Redirection and return methods
      • WCCP Return Router Determination
      • Best practices for determining a redirection and return method
    • WCCP clustering and failover
    • Multiple in-path WCCP
  • Advantages and disadvantages of WCCP
  •  Configuring WCCP
    • Basic steps for configuring WCCP
    • Configuring a simple WCCP deployment
    • Adding a SteelHead to an existing WCCP deployment
    •  Configuring a WCCP high availability deployment
      • Single SteelHead with interface high availability
      • Dual WCCP SteelHeads and interfaces with high availability
    • Configuring a basic WCCP router
  •  Configuring additional WCCP features
    • Specifying the service group password
    • Configuring multicast groups
    • Configuring group lists to limit service group members
    •  Configuring access control lists
      • Using access control lists for specific traffic redirection
      • Cisco access control list command parameters
      • Using access control lists with WCCP
    •  Configuring load balancing in WCCP
      • Configuring load balancing using the hash assignment method
      • Configuring load balancing using the mask assignment method
      • Using the weight parameter
  • Flow data in WCCP
  • Verifying and troubleshooting WCCP configurations
•  Policy-Based Routing Virtual In-Path Deployments
  •  Overview of PBR
    • PBR failover and Cisco Discovery Protocol
    • Alternate PBR failover mechanisms
  • Connecting the SteelHead in a PBR deployment
  •  Configuring PBR
    • Overview of configuring PBR
    • Configuring a SteelHead to directly connect to the router
    • Configuring a SteelHead to connect to a Layer-2 switch
    • Configuring a SteelHead to connect to a Layer-3 switch
    • Configuring a SteelHead with object tracking
    • Configuring a SteelHead with multiple PBR interfaces
    • Configuring multiple SteelHeads to connect to multiple routers
    • Configuring PBR for load balancing WAN circuits
    • Configuring local PBR for ICMP redirection in a mixed MTU environment
  • Exporting flow data and virtual in-path deployments
•  IPv6
  •  Overview of IPv6
    •  RiOS RFC compliance and feature compatibility
      • Features not supported with IPv6
    • IPv6 addressing
    • Traffic interception
  • In-path rules
  •  Deployment options
    • Configuring an in-path SteelHead IPv6 deployment
    • Configuring a SteelHead serial cluster IPv6 deployment
    • Configuring a connection forwarding and SteelHead IPv6 deployment
    • Configuring a virtual in-path SteelHead IPv6 deployment
    • Configuring a fixed-target rule SteelHead IPv6 deployment
  • Protocol support
  • Verification and troubleshooting
•  Packet Mode Optimization
  • Overview of packet mode optimization
  • Comparison with TCP proxy mode optimization
  • Configuring packet mode optimization
  • Design considerations
  • Best practices for packet mode optimization
•  Satellite Optimization
  •  Overview of satellite networks
    • Impact of latency
    • Impact of loss
    • Satellite transport options
  •  Overview of SCPS
    • SCPS benefits
    • Common uses for SCPS
    • SCPS and SteelHeads
  •  TCP optimization for satellite environments
    • SCPS discovery
    •  Transport optimization for satellite environments
      • Bandwidth estimation
      • Configuring error recovery
      • SCPS per connection
      • SCPS error tolerance
      • Rate pacing
      • SCPS single-ended rules
      • SCPS compression
    • Configuring automatic detect TCP optimization
    • Integrating the SteelHead with existing satellite modem TCP acceleration
  • Licensing SCPS on a SteelHead
  •  Configuring satellite optimization features
    • Configuring transport optimization
    • Configuring rate pacing
    • Configuring single-ended connection rule table settings
    • Configuring single-ended rules
  •  Verification and troubleshooting
    •  Analyzing connection optimization information
      • Using the SteelHead Management Console to investigate connection details
      • Using the Riverbed command-line interface to Investigate connection details
    • Analyzing packets for discovery probe stripping
    • Understanding the health of the satellite signal
    • Potential under performance due to short bottleneck buffer
    • Potential performance impact of loss at the start of flow
    • Variance in SCPS performance
•  VPN Routing and Forwarding
  •  NSV with VRF Select
    • Virtual routing and forwarding
    • NSV with VRF Select
    • IOS requirements
    • Prerequisites for NSV
    • Example NSV network deployment
    •  Configuring NSV
      • Basic steps for configuring NSV
      • Configuring the data center router
      • Configuring the PBR route map
      • Decoupling VRF from the subinterface to implement NSV
      • Configuring static routes
      • Configuring the branch office router
      • Configuring the data center SteelHead
      • Configuring the branch office SteelHead
  •  VRF-aware WCCP
    •  VRF-aware WCCP design examples
      • XYZ Data Services design study (Nexus 7000/NX-OS Example)
      • IJK Enterprise design study (ASR 1000/IOS-XE example)
      • ABC Retail design study (ISR/IOS Example)
    • VRF-aware WCCP best practices
•  Out-of-Path Deployments
  • Overview of out-of-path deployment
  • Limitations of out-of-path deployments
  • Configuring out-of-path deployments
•  Data Protection Deployments
  • Overview of data protection
  •  Planning for a data protection deployment
    •  LAN-side throughput and data reduction requirements
      • Configuring a nightly full database backup
      • Configuring a daily file server replication
      • Configuring a very large nightly incremental backup
    • Predeployment questionnaire
  •  Configuring SteelHeads for data protection
    • Adaptive data streamlining feature settings
    •  CPU settings
      • Compression level
      • Adaptive compression
      • Multicore balancing
    • Best practices for data streamlining and compression
    • MX-TCP settings
    • SteelHead WAN buffer settings
    • Router WAN buffer settings
  •  Common data protection deployments
    • Remote office, branch office backups
    • Network attached storage replication
    • Storage area network replication
  •  Designing for scalability and high availability
    • Overview of N+M architecture
    •  Using MX-TCP in N+M deployments
      • Interceptor and N+M active and backup deployment
      • Interceptor and pass-through connection blocking rules
  • Enhanced visibility and control for SnapMirror
  • Troubleshooting and fine-tuning
  • Third-party interoperability
•  Storage Area Network Replication
  • Overview of SAN replication
  •  Storage optimization modules
    •  FCIP optimization module
      • Configuring base FCIP module
      • Configuring FCIP module rules
    •  SRDF optimization module
      • Configuring the base SRDF module
      • Detecting Symmetrix VMAX microcode
      • Configuring SRDF module rules
      • Configuring SRDF selective optimization
      • Viewing SRDF reports
  • Best practices for SAN replication using TCP/IP
  •  Best practices for SAN replication using Cisco MDS FCIP
    • FCIP profiles
    • FCIP tunnels
    • Configuring a Cisco MDS FCIP deployment
    • Best practices for RiOS 5.5.3 and later with Cisco MDS FCIP configuration
•  Authentication, Security, Operations, and Monitoring
  • Overview of secure transport
  • Overview of authentication
  • Authentication features
  •  Configuring a RADIUS server
    • Configuring a RADIUS server with FreeRADIUS
    • Configuring RADIUS authentication in the SteelHead
    • Configuring RADIUS CHAP authentication
  •  Configuring a TACACS+ server
    • Configuring TACACS+ with Cisco Secure Access Control Servers
    • Configuring TACACS+ authentication in the SteelHead
  •  Securing SteelHeads
    • Overview of securing SteelHeads
    • Best practices for securing access to SteelHeads
    • Best practices for enabling SteelHead security features
    • Best practices for policy controls
    • Best practices for security monitoring
    • Configuring SSL certificates for web user interface
  • REST API access
  •  Capacity planning
    •  Model characteristics
      • TCP connections
      • WAN capacity limits
      • RiOS data store size
      • Disk performance
    •  Admission control
      • Connection limits
  • Overview of exporting flow data
  • SNMP monitoring
  • Configuring SNMPv3 authentication and privacy
•  Troubleshooting SteelHead Deployment Problems
  •  Common deployment issues
    •  Duplex mismatches
      • Solution: Manually set matching speed and duplex
      • Solution: Use an intermediary switch
    •  Network asymmetry
      • Solution: Use connection forwarding
      • Solution: Use virtual in-path deployment
      • Solution: Deploy a four-port SteelHead
    • Unknown (or unwanted) SteelHead appears on the current connections list
    •  Outdated antivirus software
      • Solution: Upgrade antivirus software
    •  Packet ricochets
      • Solution: Add in-path routes
      • Solution: Use simplified routing
    •  Router CPU spikes after WCCP configuration
      • Solution: Use mask assignment instead of hash assignment
      • Solution: Check internetwork operating system compatibility
      • Solution: Use inbound redirection
      • Solution: Use inbound redirection with fixed-target rules
      • Solution: Use inbound redirection with fixed-target rules and redirect list
      • Solution: Base redirection on ports rather than ACLs
      • Solution: Use PBR
    •  Server Message Block signed sessions
      • Solution: Fully optimize SMB-signed traffic
      • Solution: Enable secure-CIFS
      • Solution: Disable SMB signing with Active Directory
    •  Unavailable opportunistic locks
      • Solution: None needed
    •  Underutilized fat pipes
      • Solution: Enable high-speed TCP
  •  MTU sizing
    • MTU issues
    • Determining MTU size in deployments
    • Connection-forwarding MTU considerations
•  SteelHead and AppResponse Integration
  • Overview of SteelHead and AppResponse integration
  •  AppResponse and SteelHead deployment scenarios
    • Data center deployment
    • Cloud deployment
•  SteelCentral Controller for SteelHead Mobile Deployments
  •  Overview of SteelCentral Controller for SteelHead Mobile deployment
    • Basic setup for deploying Mobile Controller
    • Mobile Controller with VPN deployments
    • Mobile Controller with firewall deployments
    • Branch office and remote access deployments
  •  Multiple Mobile Controller deployments
    • Overview of multiple Mobile Controller deployments
    • Mobile Controller Concurrent User Limits
    • Configuring multiple Mobile Controllers for redundancy
    • Preparing to join Mobile Controllers in a high-availability cluster
    • Sizing considerations in a high-availability cluster
    •  Endpoint license pooling
      • General process for pooled license distribution
      • License thresholds
      • Pooled license counts during cluster member failure
    • Communication between HA cluster members
  • Ports used with Mobile Controllers and SteelHead Mobiles
  • Interaction between Mobile Controllers and SteelHead Mobile clients
  •  Location awareness
    • Overview of location awareness
    •  Branch warming
      • Branch warming and SteelHead Mobile licenses
      • Branch warming and enhanced autodiscovery
  •  SSL with SteelCentral Controller for SteelHead Mobile
    • Traditional SSL optimization
    • Advanced high-security SSL optimization
    • Configuring SteelCentral Controller for SteelHead Mobile and SSL
    • Using SteelHead Mobile with SSL proxy devices
    • Supported TLS versions with SteelHead Mobile
    • Multiple Mobile Controllers and SSL
  •  Mobile Controller best practices and other considerations
    • Deployment scenarios
    • Management best practices
    • Migration Mobile Controller hardware
    • Licensing best practices
    • Antivirus software
    • Signed SMB support
    • SSL client authentication support
    • SMC and Federal Information Processing Standard (FIPS)
    • Optimization before user log in

SteelHead™ Deployment Guide

SteelCentral Controller for SteelHead Mobile Deployments