SteelHead SD Overview
This chapter provides an overview of the SteelHead SD architecture, new features, hardware and software requirements, licensing, and upgrading from SteelHead SD 1.0 or 2.0 to SteelConnect 2.13. It includes these sections:
This guide describes how to install a manufactured SteelHead SD appliance. It doesn’t describe how to upgrade an existing SteelHead CX570, CX770, or CX3070 appliance to a SteelHead SD appliance. For details on upgrading SteelHead to SteelHead SD, see the SteelHead SD In-Field Upgrade Guide.
This guide doesn’t provide detailed information about configuring and managing SD-WAN or WAN optimization features. For detailed information, see the SteelConnect Manager User Guide, SteelHead SD User Guide, and the SteelHead User Guide.
Introducing SteelHead SD
SteelHead SD combines SD-WAN and cloud networking capabilities (powered by SteelConnect) with Riverbed WAN optimization (powered by RiOS) into a single appliance. SteelHead SD seamlessly integrates advanced SD-WAN functionality with industry-leading WAN optimization, security, and visibility services all in one streamlined appliance. SteelHead SD WAN optimization reduces bandwidth utilization and accelerates application delivery and performance, while providing SteelConnect integration in the SteelOS environment.
SteelHead SD provides you with the ability to quickly provision branch sites and deploy applications remotely. At the same time, applications are optimized to ensure performance and reduce latency with zero touch provisioning.
Typically, SteelHead SD appliances and the SteelConnect SDI-2030 gateway are located in the branch office in conjunction with SteelConnect SDI-5030 gateways at the data center. The SteelConnect SDI-2030 gateway can also be deployed inline as a 1-GbE data center gateway with active-active HA. The SteelConnect SDI-2030 gateway can also serve as a very large branch office appliance with high throughput requirements. The SteelConnect SDI-2030 gateway doesn’t support WAN optimization capabilities.
SteelHead SD advanced routing and high-availability (HA) features are supported on the SteelHead SD 570-SD, 770-SD, and 3070-SD appliances and the SteelConnect SDI-2030 gateway located at the branch. For details, see the SteelHead SD User Guide and the SteelConnect Manager User Guide.
SteelHead SD deployment
SteelHead SD supports these configurations:
•SD-WAN and WAN optimization - In this configuration, WAN optimization runs as a service on top of SD-WAN. The SteelCentral Controller for SteelHead (SCC) or the SteelHead Management Console handles management and configuration of the WAN optimization features. Also, SteelHead CLI-based management is supported for WAN optimization settings. You connect to the Management Console via the primary port, which also uses DHCP to acquire its IP address. For details about configuring WAN optimization features, see the SteelCentral Controller for SteelHead User Guide and the SteelHead User Guide.
•SD-WAN only - In this configuration, WAN optimization isn’t required. SCM handles the management and configuration of SD-WAN features. SCM connectivity requires one of the WAN ports that are used as uplink ports. Only the SD-WAN service can be enabled or disabled via SCM. The SD-WAN service upgrades are managed via SCM. SCM pushes the new software version according to the schedule that you set up. For details about configuring SD-WAN features, see the SteelConnect Manager User Guide and the SteelHead SD User Guide.
SteelHead SD software architecture
SteelHead SD is based on the SteelOS infrastructure. It separates the control and data planes with internal virtual machine (VM) chaining, which provides management-plane autorecovery.
SteelHead SD platform architecture
SteelHead SD provides a flexible service platform, consisting of:
•Routing virtual machine (RVM) - The RVM is the control plane for all the underlay routing. All configuration from SCM (protocol, interface route maps, and policies) form the Routing Information Base (RIB) and the Forwarding Information Base (FIB), which is sent to the RVM. After the final FIB is formed, it is sent to the service core in the service virtual machine (SVM). SteelHead SD provides a clear separation between the data plane and the control plane.
•Service virtual machine (SVM) - The SVM is the core data plane of the appliance, which provides service chained network functions. These VMs include services such as QoS shaping, QoS marking, traffic filtering, path selection, encryption, application identification, and so forth. This architecture allows for extensible plug-and-play services that can be enabled, disabled, or reused in the packet flow chain, which in turn provides faster recovery and minimal disruption. For SteelHead SD, each packet goes through its own set of service functions (LAN ingress, LAN egress, WAN ingress, WAN egress).
•Virtual SteelHead (VSH) - The VSH manages WAN optimization services. WAN optimization is service chained into the data path and requires subscription-based licensing. Only one in-path interface is defined on SCM. This single in-path interface represents the VSH that is service chained into the SVM. It doesn’t matter what zone you put the VSH in; any packets coming into any zone are sent to the VSH. Because the VSH is separated from the routing plane, it provides WAN optimization functionality for VLANs.
•Controller virtual machine (CVM) - The CVM controls and orchestrates the entire system. It’s basically the control plane for SD-WAN and routing functions. It obtains all the configuration information from the SVM and RVM. The CVM manages appliance start up, licenses, initial configuration, and interface addressing. For details on CVM recovery from failures, see the SteelConnect Manager User Guide.
SteelHead SD port mapping between the VMs and physical ports
The SVM and RVM connect to all ports on the SteelHead SD appliance except for the primary port. The primary port (PRI) is connected directly to the VSH. The CVM is connected to the auxiliary (AUX) port and the WAN uplinks only. All the data and control packets are handled by the SVM and RVM.
The SteelHead SD AUX, LAN (LAN0_0, LAN0_1 or on the CX3070 LAN3_0, LAN3_1), and WAN (WAN0_0, WAN0_1 or on the CX3070 WAN3_0, WAN3_1) ports are connected to the SVM and RVM. Basically, there is a Layer 3 edge router on all of these ports.
The AUX and WAN ports are configured as uplinks on SCM. The AUX port can be used as an additional WAN uplink. The AUX port is also the dedicated port for SteelHead SD high-availability deployments. You can also configure a LAN-side standby uplink in case the AUX port goes down. For details, see the SteelHead SD User Guide.
Port mapping between VMs and physical ports
New features in SteelConnect 2.13
SteelConnect 2.13 includes these new features:
Office 365 integration
In SteelConnect 2.13, Riverbed SD-WAN is designated as a qualified networking solution and certified as “Works with Office 365” to provide an optimal end-user experience (certification is underway and expected in September 2019). Riverbed partners with Microsoft to provide full support for and comply with its Office 365 connectivity principles. The SteelConnect Application Control Server (ACS) supports the Microsoft Office 365 REST APIs that catalog and return up-to-date information about the front-door endpoints. SteelConnect uses the endpoint data to enable direct routing of the internet traffic from the branch to the closest front-door endpoints.
Extending AutoVPN tunnel keys
With SteelConnect 2.13, you can extend the time during which preprovisioned tunnel keys are used during an outage in SCM connectivity. Extending the number of days to use preprovisioned keys provides more time to prevent traffic forwarding disruptions on overlay routes during unforeseen issues that might persist longer than 24 hours.
SteelHead SD high-availability failover improvements
SteelConnect 2.13 includes these improvements to SteelHead SD high-availability (HA) failover:
•Bidirectional tunnel failure detection - In SteelConnect 2.13, tunnel probe requests are used to detect tunnel failures when either direction of the data flow is down. Default bidirectional-tunnel probe settings can only be changed by Riverbed Support at https://support.riverbed.com.
•LAN-side subnet discovery on HA backup appliances - SteelConnect 2.13 doesn’t have to relearn LAN-side subnets when the HA master fails and the HA backup appliance is activated. No configuration is required.
•BGP and OSPF graceful restart - SteelConnect 2.13 allows continuous data flow forwarding even if the BGP or OSPF process on the peer device restarts. If there is a system restart, you can set the amount of time to wait before a neighbor reestablishes BGP peering and the amount of time that stale paths are kept. For OSPF, you can set the amount of time to wait before adjacencies are torn down if there is a system restart.
Routing features by model
Feature | SteelHead-SD 570-SD, 770-SD, 3070-SD | SDI-2030 | SDI-130 | SDI-330 | SDI-1030 | SDI-5030 | SDI-VGW |
eBGP | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
iBGP | Yes | Yes | No | No | No | No | No |
OSPF single area | Yes | Yes | Yes | Yes | Yes | No | No |
OSPF multi-area ABR | Yes | Yes | No | No | No | No | No |
ASBR | Yes | Yes | Yes* (Underlay routing inter-working solution) | Yes* (Underlay routing inter-working solution) | Yes* (Underlay routing inter-working solution) | No | Yes* (Underlay routing inter-working solution) |
Route retraction | Yes | Yes | No | No | No | Yes | No |
Default route originate | OSPF/BGP | OSPF/BGP LAN and WAN | OSPF only LAN | OSPF only LAN | OSPF only LAN | BGP only | OSPF only LAN |
Overlay route injection in LAN | Yes | Yes | No | No | No | Yes | No |
Local subnet discovery | Yes | Yes | No | No | No | Yes | No |
Static routes | Yes | Yes (LAN and WAN) | Yes | Yes | Yes | Yes | Yes |
VLAN support (LAN side) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
*SCM 2.9 and later support an underlay routing interworking solution that bridges BGP and OSPF. For details, see the SteelConnect Manager User Guide
Hardware and software requirements
Riverbed component | Hardware and software requirements |
SteelHead SD appliance | The SteelHead SD 570-SD and 770-SD appliances are desktop models. The SteelHead SD 3070-SD appliance requires a 19-inch
(483 mm) four-post rack. For details, see the Rack Installation Guide. |
SteelHead Management Console | The SteelHead Management Console has been tested with all versions of Chrome, Mozilla Firefox Extended Support Release version 38, and Microsoft Internet Explorer 11. You use the SteelHead Management Console to manage WAN optimization features on vSH instances. JavaScript and cookies must be enabled in your web browser. |
SteelConnect and SteelConnect Manager (SCM) | SteelHead SD requires SteelConnect 2.11 or later. SCM supports the latest version of the Chrome browser. SCM requires a minimum screen resolution of 1280 x 720 pixels. We recommend a maximum of 1600 pixels for optimal viewing. |
SteelCentral Controller for SteelHead (SCC) | We recommend that SCC 9.9 is installed. |
Firewall requirements
The SteelHead SD 570-SD, 770-SD, and 3070-SD appliances, and SDI-2030 gateways located at the branch support stateful application-based firewalls at the network edge. For details on SteelConnect firewall and security features, see the SD-WAN Deployment Guide.
All communication is sourced from the site out to the SteelConnect management service. There’s no need to set up elaborate firewall or forwarding rules to establish the dynamic full-mesh VPN or to gain connectivity to the cloud. After you register an appliance, it receives its assigned configuration automatically. For details on SteelConnect firewall requirements, see the SteelConnect Manager User Guide.
Make sure the firewall ports 80 and 443 are open so that software installation and SCM operations aren’t blocked. For details on SteelConnect default ports, see the
SteelConnect Connection Ports. Ethernet network compatibility
The SteelHead SD appliance supports these Ethernet networking standards.
Ethernet standard | IEEE standard |
Ethernet Logical Link Control (LLC) | IEEE 802.2 - 1998 |
Fast Ethernet 100BASE-TX | IEEE 802.3 - 2008 |
Gigabit Ethernet over Copper 1000BASE-T (All copper interfaces are autosensing for speed and duplex.) | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 1000BASE-SX (LC connector) | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 1000BASE-LX | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 10GBASE-LR Single Mode | IEEE 802.3 - 2008 |
Gigabit Ethernet over 10GBASE-SR Multimode | IEEE 802.3 - 2008 |
SNMP-based management compatibility
SteelConnect provides support for SNMPv1 and v2c polling, and event logging is supported on the SteelConnect SDI-130, SDI-330, SDI-1030, SDI-5030, and SDI-VGW virtual gateways. SNMPv1, v2c, and v3 are supported in SCM (and only visible by a realm administrator).
SNMP reporting is supported on SteelHead SD SD-570, SD-770, and SD-3070 appliances, and SteelConnect SDI-2030 gateway located at the branch. For details, see the SteelConnect Manager User Guide.
The virtual SteelHead supports proprietary MIBs accessible through SNMP, SNMPv1, SNMPv2c, and SNMPv3, although some MIB items might only be accessible through SNMPv2 and SNMPv3. For details on the WAN optimization service MIB, see the SteelHead User Guide.
NIC support
Network interface card (NICs) are supported on the SteelHead SD 3070-SD appliances for nonbypass traffic. SteelHead SD 570-SD and 770-SD appliances do not support NICs.
For SteelHead SD 3070-SD appliances, bypass NICs aren’t required for SteelConnect gateway deployments because LAN traffic requires network address translation (NAT) before it reaches the service provider network.
You can install these NICs in the SteelHead SD 3070-SD for nonbypass traffic.
NICs | Size (*) | Manufacturing part # | Orderable part # |
Two-Port 10-GbE Fiber SFP+ | HHHL | 410-00036-02 | NIC-1-010G-2SFPP |
Four-Port 10-GbE Fiber SFP+ | HHHL | 410-00108-01 | NIC-1-010G-4SFPP |
*HHHL = Half Height, Half Length
For details on NICs, see the Network and Storage Card Installation Guide.
Licensing
SteelConnect 2.13 requires a WAN optimization subscription license if you want to use the WAN service. The WAN optimization subscription license is an optional purchase.
SteelConnect SD-WAN service licensing
The SteelConnect SD-WAN service requires a gateway management subscription license that is managed by SCM. You must obtain this license before you begin the installation process.
After purchasing SteelHead SD, you will receive these emails:
•An email with the license token and SteelConnect serial number. You redeem the token in SCM where all hardware nodes and license keys are added to your organization. Each token is redeemable only once.
•An email that contains the URL for connecting to SCM and the default login and password: admin and pppp. This email is requested by the sales team and sent by the Riverbed Cloud Operations team.
If you don’t receive these emails, contact your sales representative or Riverbed Support at
https://support.riverbed.com.
To redeem the SD-WAN service token
1. Open the email you received from Riverbed and copy the token.
2. Connect to SCM.
3. Choose Organization > Licenses.
4. Click Redeem Token and paste the token into the text box.
5. Click Submit.
If automatic licensing fails, go to the Riverbed Licensing Portal at https://licensing.riverbed.com/ and follow the instructions for retrieving your licenses. The licensing portal requires a unique product ID such as a serial number, a license request key (activation code), or a token, depending on the product. Online instructions guide you through the process.
SteelHead WAN optimization service licensing
The SteelHead WAN optimization service requires an MSPEC license. Once you connect SteelHead SD to the network, the system automatically contacts the Riverbed Licensing Portal to retrieve and install license keys for the WAN optimization service.
If automatic licensing fails, go to the Riverbed Licensing Portal at https://licensing.riverbed.com/ and follow the instructions for retrieving your licenses. The licensing portal requires a unique product ID such as a serial number, a license request key (activation code), or a token, depending on the product. Online instructions guide you through the process.
Upgrading SteelHead SD
This section describes how to upgrade SteelHead SD. It includes these topics:
Upgrading from SteelHead SD 2.0 to SteelConnect 2.13
SteelHead SD features require the virtual SteelHead (vSH) image, which is contained within the SteelConnect 2.13 image. All SteelHead SD 2.0 customers will be automatically upgraded to SteelConnect 2.13. SteelConnect automatically upgrades to 2.13 according to the schedule and restrictions you have set in SteelConnect Manager (SCM). For details on scheduling updates in SCM, see the SteelConnect Manager User Guide.
If you need to upgrade the SteelHead appliances in your deployment, see the SteelCentral Controller for SteelHead Installation Guide and the SteelHead Installation and Configuration Guide.
Upgrading from SteelHead SD 1.0 to SteelConnect 2.13
SteelHead SD features require the virtual SteelHead (vSH) image, which is contained within the SteelConnect 2.13 image. All SteelHead SD 1.0 and 2.0 customers will be automatically upgraded to SteelConnect 2.13. SteelConnect automatically upgrades to 2.13 according to the schedule and restrictions you have set in SteelConnect Manager (SCM). For details on scheduling updates in SCM, see the SteelConnect Manager User Guide.
Before proceeding with the SteelConnect 2.13 upgrade process:
•SteelHead SD 1.0 supported an active-passive HA scheme. Because SteelConnect 2.13 supports active-active HA, you can’t upgrade your SteelHead SD 1.0 HA seamlessly to SteelConnect 2.13 HA. You must first manually unpair your master and backup appliances in SCM, upgrade to SteelConnect 2.13, and reconfigure HA in SCM. For details, see the SteelHead SD User Guide.
•You must back up your SteelHead WAN optimization configuration prior to upgrading to SteelConnect 2.13. Secure vault contents (that is, certificates and keys) are not saved during the upgrade process; you must reinstall any SSL or proxy certificates. You can use the backup and restore functions on the SCC or the SteelHead Management Console to save and reapply the SteelHead configuration settings.
–To back up your system and SteelHead appliances from the SCC, choose Manage > Operations: Backup/Restore to back up your configuration. For details, see the SteelCentral Controller for SteelHead User Guide.
–To save your SteelHead configurations from the SteelHead Management Console, choose Administration > System Settings to save and copy your configuration to a local machine. For details, see “Managing configuration files” in the SteelHead User Guide.
•To upgrade to SteelConnect 2.13, you must have internet connectivity for the SteelHead and the SteelConnect virtual gateway. With internet connectivity, both SteelHead perpetual and SteelConnect virtual gateway subscription licenses will be applied as part of the SteelHead SD 2.13 upgrade process.
•SteelConnect 2.13 supports a single in-path interface for WAN optimization. SteelHead SD is a Layer 3 (L3) gateway, and multiple LAN ports are mapped to a single in-path interface—multiple in-path interfaces are unnecessary on SteelHead SD appliances. To simplify in-path configuration and for ease-of-use, after upgrading to SteelConnect 2.13 you will see only a single in-path interface in the SteelHead Management Console or the SCC. If you have multiple in-path interfaces configured for WAN optimization, you must make in-path configuration changes to account for this change.
•The SteelConnect gateway bypass feature supported on SteelHead SD 1.0 is no longer supported on SteelConnect 2.13. If at any point the status of the virtual SteelHead instance shows a failure condition (for example, a reboot or a crash), the system stops sending traffic that was destined for the virtual SteelHead. Instead, it bypasses the SteelHead thereby ensuring the traffic is not black-holed. You can compare this behavior with a physical SteelHead entering bypass mode.
•You might need to recable SteelHead SD appliances in HA deployments when you upgrade to SteelConnect 2.13. The AUX port is mandatory for back-to-back connectivity for SteelConnect 2.13 HA deployments.
•If you need to upgrade the SteelHead appliances in your deployment, see the SteelCentral Controller for SteelHead Installation Guide and the SteelHead Installation and Configuration Guide.
Preparing your site for installation
Before you begin, make sure your shipment contains all the items listed on the packing slip. If it doesn’t, contact your sales representative.
Your site must meet these requirements:
•It is a standard electronic environment where the ambient temperature doesn’t exceed 104°F
(40°C) and the relative humidity doesn’t exceed 80% (noncondensing).
•Ethernet connections are available within the standard Ethernet limit.
•There is space on a standard four-post 19-inch Telco-type rack. For details about installing the SteelHead in a rack, see the Rack Installation Guide or the printed instructions that were shipped with the system. (If your rack requires special mounting screws, contact your rack manufacturer.)
•A clean power source is available, dedicated to computer devices and other electronic equipment.
The appliance is completely assembled, with all the equipment parts in place and securely fastened. The appliance is ready for installation with no further assembly required.
Before you begin
•Any interim firewalls must be configured to allow traffic on ports 80 and 443 so that the software installation and SCM operations aren’t blocked. (Also any additional firewall configurations must allow traffic to and from the SteelHead appliance that is being upgraded.)
•We highly recommend that your network provides a DHCP service so the appliance can establish a connection automatically.