Introducing SteelConnect
Overview
SteelConnect provides cloud-based management system software for SD-WAN gateways, WiFi access points, and Ethernet switches. It connects your entire company using a new approach for managing your network. Instead of opening a box, figuring out how to log in to whatever complex product is inside, and then trying to get it operating in your network, SteelConnect lets you plan, store, and visualize your entire network first. Then you simply activate smart hardware (gateways, switches, and access points) that acknowledges the network components, and the SteelConnect Manager (SCM) brings the enterprise into production.
Key features
Unified connectivity and management across the WAN, remote LAN, and cloud networks
SteelConnect manages a software-defined connectivity fabric that spans WANs, remote office LANs, and cloud infrastructure networks through a line of physical, virtual, and cloud-based WAN gateways, as well as remote LAN switches and WiFi access points.
Full-mesh VPN connectivity ensures application delivery from WAN to LAN that works over any network underlay such as Multiprotocol Label Switching (MPLS) and the internet.
Data center workloads
The SteelConnect SDI-5030 gateway offers enterprise-class SD-WAN for large-scale deployments. The 5030 gateway is designed for higher throughput to accommodate data center workloads.
Because the 5030 gateways are placed physically out of path from the data flow, you can deploy them with no network downtime. The system relies on either traffic redirection or route injection to receive SD-WAN services. The SteelHead Interceptor 9600 provides traffic redirection. You can also use route injection to redirect traffic to the data center gateways without the SteelHead Interceptor 9600 appliance.
WAN optimization
The SteelHead SD gateway models deliver the benefits of SteelHead WAN optimization and SteelConnect SD-WAN while providing the flexibility of a single box solution. For details, see the SteelHead SD Installation Guide.
Cloud-based management
SCM provides an intuitive graphical user interface that supports an agile and intent-based workflow for managing networks.
Use SCM to design every aspect of a distributed network before deploying any hardware.
Business-aligned orchestration
SteelConnect provides policy-based orchestration using language aligned with business priorities: applications, users, locations, performance service-level agreements, and security requirements.
You no longer need to configure individual appliances.
The graphical user interface eliminates all CLI coding.
Business intent-based policy
SCM lets you manage a network centrally using a single business intent-based policy.
A central policy for all branches enables direct translation of business needs.
You can enforce a policy based on user identity—not just the IP address—for the same experience on all the user devices.
You can easily align all aspects of application delivery to improve performance.
Universal policy automation
SteelConnect empowers IT to evolve the infrastructure without having to revisit the policy.
A universal policy enables cohesive and automated change management.
Because you can use the same application groups, applications, and web categories for the policy engine and reporting, you can directly convert the reported results into policy rules.
Zero-touch provisioning
SCM provides instant deployment of physical devices into a network.
The configuration and reconfiguration of edge devices is automatic.
Automatic provisioning reduces or eliminates the need for on-site IT in remote facilities.
Visibility
SCM provides a unified view of users, devices, and groups of either.
You can quickly identify what traffic is consuming bandwidth.
Because SCM automatically detects new devices and users, you can minimize security risks.
High-level architecture
SteelConnect resides in the global Amazon Web Services (AWS) public cloud infrastructure and orchestrates a series of services hosted by Riverbed. Each service has dependencies that function as a part of the collective SteelConnect infrastructure. These services include:
Management console
Global certificate authorities (CAs)
Network Time Protocol (NTP)
Dynamic Domain Name System (DNS)
IP address reflectors, a simple mechanism for all gateways to find their public IP address per uplink and report the address to SCM
Structured Query Language (SQL) relational databases that keep track of which SCMs are associated with which organizations, sites, and devices
SteelConnect appliances (gateways, switches, and access points) connect to SCM and the services associated with it. Each SCM communicates through various services for any updates regarding appliance registration and management changes. All communication between the appliances and SCM, as well as between all interoperating services inside SCM, is authenticated through X.509 certificate validation. These Riverbed-owned certificates are exchanged and validated for authenticity.
We preassign appliances to your organization in the factory.
SteelConnect registration and communication
With the exception of agent VPN clients, all communication is sourced from the site out to the SteelConnect management service. There’s no need to set up elaborate firewall or forwarding rules to establish the dynamic full-mesh VPN or to gain connectivity to the cloud. After you register an appliance, it receives its assigned configuration automatically.
For a list of the UDP and TCP ports that are sourced from the sites out into the cloud to connect to SCM, see Ports for UDP, TCP, and ICMP connections.
Appliances
Gateways
Gateways can be categorized into hardware and software appliances. They automatically map into connected network segments, called zones, to:
Provide basic network services.
Handle one or more uplinks, either by concurrent use or as backup.
Enable policy enforcement.
Enforce security.
Enable extended reporting for connected zones.
Connect multiple sites with a secure, full-mesh virtual private network (VPN) without tedious manual configuration using Automated VPN (AutoVPN). For details on the different ways to enable AutoVPN, see AutoVPN modes.
This table lists the common use cases for SteelConnect gateways.
Gateway Model    Use Case
SDI-130          Small branch and retail
SDI-330          Medium branch
SDI-1030         Medium to large branch
SDI-5030         Campus and data center
Access points
Provide network access to WiFi clients.
You can also use an access point as a VPN endpoint for AutoVPN. For example, branches without a gateway can use an access point at the end of a VPN tunnel.
Switches
Enable plug-and-play multizone Layer 2 connectivity.
Provide power over Ethernet (PoE) to PoE-enabled appliances, including third-party devices.
SCM manages all appliances, including all firmware upgrades. For firmware upgrade details, see Upgrade overview.
Hardware versus software appliances
SteelConnect hardware appliances, such as a gateway, come with a serial number that activates the appliance in the organization. SteelConnect also supports a virtual gateway running in AWS or any hypervisor like VMware, Hyper-V, KVM, or Xen.
To help you identify an appliance without unmounting it, unregistered appliances with an organic LED (OLED) display (Gateway G100, Switch S24, and Switch S48) show their serial numbers on the screen until you register the appliance with SCM.
Browser support
SCM supports the latest versions of Firefox, Chrome, and Internet Explorer. For best performance, we recommend using the latest Chrome browser.
We strongly recommend using the latest Chrome browser with the WiFi planner.
SCM requires a minimum screen resolution of 1280 x 720 pixels.
Network service architecture
The SteelConnect network service architecture is built on two distinct layers:
Underlay
Overlay
Underlay
The underlay provides traditional physical Layer 2 and Layer 3 connectivity between appliances (gateways, routers, switches, and so on) in the network. The underlay allows all network nodes to communicate with other sites, even if the site doesn’t have a SteelConnect gateway.
A SteelConnect gateway in the branch typically provides underlay services, such as gateway routing, DHCP client, DHCP server, and DNS.
When there is a SteelConnect gateway in the data center, it uses the information it receives about the underlay to provision the overlay. The data center gateway doesn’t provide major underlay services, but it participates in (and observes) the underlay. The vertical lines in Transport overlays: internet and MPLS illustrate the relationship between the overlay and underlay networks.
Transport overlays: internet and MPLS
Overlay
The overlay augments the underlay and provides the powerful ability to select a WAN path based on traffic rules. For details, see Balancing traffic using traffic rules.
The overlay doesn’t replace the underlay. Sites that don’t have SD-WAN installed, perhaps during an initial migration, communicate across the underlay. Fully SD-WAN enabled sites communicate across the overlay.
The software-defined WAN (SD-WAN) controller provides overlay creation and overlay routing. The overlay forms encapsulated tunnels between nodes in the network that carry the traffic within the SD-WAN.