Overview of SteelHead EX
Overview of SteelHead EX
This chapter provides an overview of SteelHead EX. It includes these sections:
•  Introducing SteelHead EX
•  Safety guidelines
•  Virtual Services Platform
•  SteelFusion storage
•  Product dependencies and compatibility
•  New features in 5.5
•  Upgrading to SteelHead EX 5.5
Introducing SteelHead EX
With SteelHead EX, you can consolidate branch office services into a converged infrastructure solution combining optimization, storage delivery, and virtualization for complete branch consolidation. SteelHead EX optimizes the performance of applications across the hybrid network, including on-premise, cloud, and Software-as-a-Service (SaaS) applications.
Note: SteelHead EX version 5.5.1 supports features for RiOS 9.7 and earlier. SteelHead EX ends feature support after version 5.5.1 and will not be updated.
The SteelHead EX provides these features:
•  The Riverbed Virtual Services Platform (VSP) that consolidates branch services onto the vSphere virtualization platform.
•  Centralizes branch data to the data center with Riverbed BlockStream technology for storage delivery.
•  Acts as a SteelCentral probe, making it easy to provide branch application-level visibility and troubleshooting.
•  Seamlessly integrates with NetProfiler for end-to-end network monitoring and reporting, and with AppResponse for end-user experience monitoring for web and SaaS applications.
•  Integrates seamlessly with SteelCentral NetShark-V for continuous captures of packet and flow data to improve network troubleshooting.
SteelHead technology
All SteelHead solutions offer a combination of data, transport, and application streamlining, and path selection. These technologies, along with SteelHead management capabilities, provide a comprehensive solution for the hybrid enterprise.
Data streamlining
•  Uses patented, scalable, data referencing technology to reduce the bandwidth used to transmit data by up to 99%.
•  Provides industry-leading scalability and patented deduplication.
•  Works with TCP-based protocols and applications, including file sharing (CIFS/SMB), web applications (HTTP and HTTPS), database software (Oracle), and collaboration tools (CAD, SharePoint, email)
•  Works with UDP-based file transfer applications, including Signiant, Aspera, and Symantec’s Veritas Volume Replicator
Transport streamlining
•  Reduces the number of TCP packets required to transfer data by 65-98%.
•  Enables the acceleration of SSL-encrypted traffic to eliminate the security versus performance trade-offs.
•  Enables greater utilization of high bandwidth links (long, fat networks, such as OC3, OC12, and metro-fiber) for HS-TCP and MX-TCP.
•  Supports satellite optimization for TCP links (based on SCPS extensions) over satellite connections that tend to be high latency, dynamic bandwidth, or lossy due to signal-to-noise ratio.
Application streamlining
•  Offers the broadest support for application-specific modules to provide performance improvements on top of the data and transport streamlining optimization performed on all TCP traffic.
•  Reduces application protocol chattiness up to 98%.
•  Minimizes application overhead to provide massive throughput increases to applications such as file sharing (CIFS, SMB2/3, and NFS), collaboration software (SharePoint), email (Exchange and IBM Lotus Notes), cloud-based SaaS offerings (Office 365 and Salesforce), web applications (HTTP and HTTPS), database (Oracle), and storage and disaster recovery (NetApp SnapMirror and EMC SRDF/A).
Management streamlining
•  Enables easy deployment through auto-discovery of peers and auto-interception of traffic—with no reconfiguration of clients, servers, or routers.
•  Simplifies ongoing management by providing simple but powerful web-based (SteelCentral SteelCentral Controller for SteelHead, Management Console) and command-line interfaces, in-depth reporting, and real-time NetFlow export.
•  Supports a vast array of network environments and topologies, including but not limited to MPLS, VoIP, video conferencing, QoS, VPN, satellite infrastructure, ATM, frame relay, microwave, and wireless.
•  Automates configuration and deployment of hybrid networking and path selection with application-aware, business intent-based policies.
SteelHead behavior in the network
You configure optimization of traffic using the 5.5 or the Riverbed CLI. You configure the type of traffic a SteelHead optimizes and specify the type of action it performs using:
•  In-Path rules - In-path rules determine the action a SteelHead takes when a connection is initiated, usually by a client. In-path rules are used only when a connection is initiated. Because connections are usually initiated by clients, in-path rules are configured for the initiating, or client-side SteelHead. You configure one of these types of in-path rule actions:
–  Auto Discover - Use the autodiscovery process to determine if a remote SteelHead is able to optimize the connection attempting to be created by this SYN packet.
–  Fixed-Target - Skip the autodiscovery process and use a specified remote SteelHead as an optimization peer. Fixed-target rules require the input of at least one remote target SteelHead; an optional backup SteelHead might also be specified.
–  Fixed-Target (Packet Mode Optimization) - Skip the autodiscovery process and uses a specified remote SteelHead as an optimization peer to perform bandwidth optimization on TCPv4, TCPv6, UDPv4, or UDPv6 connections. Packet-mode optimization rules support both physical in-path and master/backup SteelHead configurations. For details, see the SteelHead Management Console User Guide.
–  Pass-Through - Allow the SYN packet to pass through the SteelHead. No optimization is performed on the TCP connection initiated by this SYN packet.
–  Discard - Drop the SYN packet silently.
–  Deny - Drop the SYN packet and send a message back to its source.
•  Peering rules - Peering rules determine how a SteelHead reacts when it sees a probe query. Peering rules are an ordered list of fields a SteelHead uses to match with incoming SYN packet fields. For example, source or destination subnet, IP address, VLAN, or TCP port, as well as the IP address of the probing SteelHead. This is especially useful in complex networks. These types of peering rule are available:
–  Auto - If the receiving SteelHead isn’t using enhanced autodiscovery, this has the same effect as the Accept peering rule action. If enhanced autodiscovery is enabled, the SteelHead only becomes the optimization peer if it is the last SteelHead in the path to the server.
–  Accept - The receiving SteelHead responds to the probing SteelHead and becomes the remote-side SteelHead (that is, the peer SteelHead) for the optimized connection.
–  Passthrough - The receiving SteelHead doesn’t respond to the probing SteelHead, and allows the SYN+ probe packet to continue through the network.
For detailed information about in-path and peering rules and how to configure them, see the SteelHead Management Console User Guide.
Fail-to-wire (bypass) mode
All SteelHead models and in-path network interface cards support a fail-to-wire mode. In the event of a failure or loss of power, the SteelHead goes into bypass mode and the traffic passes through uninterrupted.
If the SteelHead is in bypass mode, you are notified in the following ways:
•  The Intercept/Bypass status light on the bypass card is triggered. For detailed information about bypass card status lights, see Series EX xx60 Technical Specifications.
•  The Home page of the Management Console displays Critical in the Status bar.
•  SNMP traps are sent (if you have set this option).
•  The event is logged to system logs (syslog).
•  Email notifications are sent (if you have set this option).
When the fault is corrected, new connections receive optimization; however, connections made during the fault do not. To force all connections to be optimized, enable the kickoff feature. Generally, connections are short-lived and kickoff isn’t necessary. For detailed information about enabling the kickoff feature, see the SteelHead Management Console User Guide.
When the SteelHead is in bypass mode the traffic passes through uninterrupted. Traffic that was optimized might be interrupted, depending on the behavior of the application-layer protocols. When connections are restored, they succeed, even without optimization.
In an out-of-path deployment, if the server-side SteelHead fails, the first connection from the client fails. After detecting that the SteelHead isn’t functioning, a ping channel is set up from the client-side SteelHead to the server-side SteelHead. Subsequent connections are passed through unoptimized. When the ping succeeds, processing is restored and subsequent connections are intercepted and optimized.
For detailed information about the ping command, see the Riverbed Command-Line Interface Reference Manual.
Fail-to-block (disconnect) mode
With fail-to-block mode enabled in a redundant network path environment, traffic is blocked and rerouted to an optimized backup path in the event of a failure.
This feature is useful only if the network has a routing or switching infrastructure that can automatically divert traffic off the link to the optimized backup path. In an active-backup redundant network setup, the active path is configured to use fail-to-block, and the backup path is configured to use fail-to-bypass, thus traffic continues to be optimized on the backup path if there is a failure on the active path. In the event of a failure, the LAN and WAN interfaces power down and from a connected router or switch perspective those devices do not detect a link.
SteelHead EX supports fail-to-block mode on all cards.
The following events trigger fail-to-block if the feature is enabled:
•  Kernel crash
•  Hardware failure
•  Power loss
Note: You can use this mode with connection-forwarding, the allow-failure CLI command, and an additional SteelHead on another path to the WAN to achieve redundancy. For more information, see the Riverbed Command-Line Interface Reference Manual.
You set fail-to-block mode in the SteelHead CLI. For detailed information, see the SteelHead Deployment Guide.
Safety guidelines
Follow the safety precautions outlined in the Safety and Compliance Guide when installing and setting up your equipment.
Note: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of the equipment voids all warranties. Read and follow safety guidelines and installation instructions carefully.
Many countries require the safety information to be presented in their national languages. If this requirement applies to your country, consult the Safety and Compliance Guide. Before you install, operate, or service the Riverbed products, you must be familiar with the safety information. Refer to the Safety and Compliance Guide if you do not clearly understand the safety information provided in the product documentation.
Virtual Services Platform
The Virtual Services Platform (VSP) is a VMware-based virtualization platform that lets you run multiple virtual machines on a SteelHead EX. With VSP, you can consolidate multiple basic services in the branch such as print, DNS, and DHCP. In VSP, you install and run virtual machines directly from a dedicated partition of the SteelHead EX. VSP supports running up to five virtual machines on a single SteelHead EX.
VSP is included in the native SteelHead EX functionality and doesn’t require a separate download or license. VSP in SteelHead EX 5.5 includes ESXi 6.0 Patch 3 as the virtualization platform.
For details on configuring and using VSP, see the SteelHead Management Console User Guide for the SteelHead EX.
SteelFusion storage
SteelFusion is a converged infrastructure solution, encompassing all branch services such as server, storage, networking, and WAN optimization. It is a dual-ended system comprised of: SteelFusion Enabled SteelHead EX or SteelFusion Edge and SteelFusion Core.
SteelFusion Core is a physical or virtual appliance in the data center that mounts all LUNs that need to be made available to applications and servers at a remote location from the back-end storage array. SteelFusion Enabled SteelHead EX or SteelFusion Edge provides a virtualized environment that hosts the branch application servers. Core appliances communicate across the WAN with the Edge appliances at the branch.
SteelFusion delivers local user performance while enabling data centralization, instant recovery, and lower total operating costs. Unlike traditional converged infrastructures, SteelFusion enables stateless branch services. You can access applications that run locally in your branch while the primary data is centralized in your data center. Decoupling computation from its underlying storage allows your applications to run in a stateless mode, which reduces your branch footprint and centralizes management of your branch services.
With SteelFusion, you can extend a data center storage array to a remote location, even over a low-bandwidth link. This enables you to effectively deliver global storage infrastructure anywhere you need it.
SteelFusion provides the following functionality:
•  Innovative block storage optimization ensures that you can centrally manage data storage while keeping that data available to business operations in the branch, even in the event of a WAN outage.
•  A local authoritative cache ensures LAN-speed reads and fast cold writes at the branch.
•  Integration with Microsoft Volume Shadow Copy Service enables consistent point-in-time data snapshots and seamless integration with backup applications.
•  Integration with the snapshot capabilities of the storage array enables you to configure application-consistent snapshots through the SteelFusion Core Management Console.
•  Integration with industry-standard Challenge-Handshake Authentication Protocol (CHAP) authenticates users and hosts.
•  A secure vault protects sensitive information using AES 256-bit encryption.
•  Solid-state disks (SSDs) that guarantee data durability and performance.
•  An active-active high-availability (HA) deployment option for Core ensures the availability of storage array logical unit numbers (LUNs) for remote sites.
•  Customizable reports provide visibility to key utilization, performance, and diagnostic information.
For detailed information about how SteelFusion works, see the SteelFusion Core Installation and Configuration Guide.
SteelFusion-dedicated target mode
SteelFusion-dedicated target mode refers to a SteelFusion-enabled SteelHead EX that provides VSP functionality but doesn’t include WAN optimization.
Appliances in SteelFusion-dedicated target mode are intended to be used in conjunction with existing SteelHead deployments, thereby enabling customers to take advantage of SteelFusion functionality without upgrading their existing SteelHeads.
Product dependencies and compatibility
This section provides information about product dependencies and compatibility. It includes this information:
•  Software dependencies
•  SCC compatibility
•  Virtual Services Platform support
•  Firewall requirements
•  Ethernet network compatibility
•  SNMP-based management compatibility
Software dependencies
This table summarizes the software requirements for the SteelHead.
Riverbed component
Hardware and software requirements
SteelHead Management Console, SteelCentral Controller for SteelHead
Any computer that supports a web browser with a color image display.
The Management Console has been tested with Chrome, Mozilla Firefox Release 38, and Microsoft Internet Explorer 11.
The SteelCentral Controller for SteelHead has been tested with Mozilla Firefox Release 38 and Microsoft Internet Explorer 11.
Internet Explorer 9.0 must refresh reports every 4 minutes due to performance issues. Consider using a different browser to view reports.
JavaScript and cookies must be enabled in your web browser.
SCC compatibility
The SteelHead EX has been tested with the following SteelCentral Controller for SteelHead (SCC) versions.
EX version
SteelHead RiOS version
Recommended SCC version
Note: As a result of updating the version of SSH, older releases of SCC can’t connect to newer software on managed appliances. If you plan to upgrade your EX appliances to 4.3 or later, first upgrade the SCC to 9.1.0e or later to avoid disconnections. See knowledge base article S27759 for complete details. 
Virtual Services Platform support
Virtual Services Platform (VSP) isn’t supported on the Series xx55 hardware platforms. VSP is supported only on the SteelHead EX Series xx60 hardware platforms.
Firewall requirements
We recommend that you deploy the SteelHead behind your firewall. These firewall settings are required for the SteelHead:
•  Ports 7800 and 7810 must be open.
•  Make sure your firewall doesn’t strip TCP options.
Secure transport requires communication on the management plane, control plane, and data plane. Consider the following port usage:
•  The management plane requires communication between the SteelHead and the SCC on TCP port 9443 and TCP port 22.
•  The control plane between the SteelHead acting as the controller and the SteelHeads acting as group members is over TCP port 9443.
•  Encryption service flows over ESP (IP protocol 50). Or, if the network is public, over UDP port 4500.
Note: The secure transport feature must be configured on the SCC. For detailed information, see the SteelCentral Controller for SteelHead User’s Guide.
Ethernet network compatibility
The SteelHead supports these networking standards. A SteelHead with a Gigabit Ethernet card supports jumbo frames on in-path and primary ports.
Ethernet standard
IEEE standard
Ethernet Logical Link Control (LLC)
IEEE 802.2 - 1998
Fast Ethernet 100BASE-TX
IEEE 802.3 - 2008
Gigabit Ethernet over Copper 1000BASE-T (All copper interfaces are autosensing for speed and duplex.)
IEEE 802.3 - 2008
Gigabit Ethernet over Fiber 1000BASE-SX (LC connector)
IEEE 802.3 - 2008
Gigabit Ethernet over Fiber 10GBASE-LR Single Mode
IEEE 802.3 - 2008
Gigabit Ethernet over 10GBASE-SR Multimode
IEEE 802.3 - 2008
The SteelHead ports support these connection types and speeds.
Primary (PRI)
10/100/1000BASE-T, auto-negotiating
Auxiliary (AUX)
10/100/1000BASE-T, auto-negotiating
10/100/1000BASE-T or 1000BASE-SX or 1000BASE-LX or 10GBASE-LR or 10GBASE-SR, depending on configuration
10/100/1000BASE-T or 1000BASE-SX or 1000BASE-LX or 10GBASE-LR or 10GBASE-SR, depending on configuration
The SteelHead supports VLAN Tagging (IEEE 802.3 - 2008). It doesn’t support the Inter-Switch Link (ISL) protocol.
The SteelHead autonegotiates speed and duplex mode for all data rates and supports full duplex mode and flow control (IEEE 802.3 – 2008).
SNMP-based management compatibility
This product supports a proprietary Riverbed MIB accessible through SNMP. SNMPv1 (RFCs 1155, 1157, 1212, and 1215), SNMPv2c (RFCs 1901, 2578, 2579, 2580, 3416, 3417, and 3418), and SNMPv3 are supported, although some MIB items might only be accessible through SNMPv2 and SNMPv3.
SNMP support enables the product to be integrated into network management systems such as Hewlett-Packard OpenView Network Node Manager, BMC Patrol, and other SNMP-based network management tools.
New features in 5.5
These new features are available in 5.5:
•  Parity with RiOS 9.7 and SteelFusion Core 5.5 - EX 5.5 includes the features in RiOS 9.7 and SteelFusion Core 5.5 (exception: SteelHead EX doesn’t support the Web Proxy feature).
Upgrading to SteelHead EX 5.5
This section describes how to upgrade, reclaim disk space, and how to downgrade your software. It includes these sections:
•  Managing the ESXi upgrade
•  Upgrading SteelHead EX software
•  Reclaiming disk space
•  Downgrading the software
SteelHead EX reserves a portion of the datastore so that non-ESX-based virtual machines can be converted, on the SteelHead EX, to ESX virtual machine format. You can reclaim that datastore space for other purposes.
SteelHead EX version 5.5 is compatible with previous SteelHead EX software versions. However, to obtain the full benefits of the new features in 5.5, you must upgrade the client-side and server-side SteelHeads on any given WAN link. After you have upgraded all appliances, all the benefits of the new features and enhancements are available.
If you mix software versions in your network, the releases might support different optimization features and you can’t take full advantage of the features that aren’t part of the older software versions.
For information on compatibility between RiOS, Edge, Core, and vSphere releases, see the knowledge base article RiOS, SteelFusion Edge, SteelFusion Core and vSphere Release Matrix
Managing the ESXi upgrade
Because the SteelHead EX software image includes the ESXi software, the image upgrade might upgrade the ESXi version used by VSP.  If you haven’t changed the ESXi version outside of SteelHead EX, the ESXi version will be updated to match the new install image, if necessary. If you have modified the ESXi version for VSP independently of the SteelHead EX image, the software upgrade does one of the following:
•  If the existing version of ESXi is older than the version in the image file, the image upgrade updates the ESXi version. The configuration won’tbe affected.
•  If the existing version of ESXi is newer than the version in the image file, the image upgrade doesn’t change ESXi. The configuration won’t be affected.
•  If the version can’t be determined, ESXi will be upgraded to the version in the image file. The ESXi configuration might be lost. As a best practice, back up your existing configuration before proceeding.
If your running ESXi version is fully supported, meaning the version reported by ESXi matches the version of ESXi bundled with the RiOS image, the upgrade process performs a backup of the existing ESXi configuration before the upgrade.
Note: You can verify the version number and the support status of the running ESXi installation on the Help page of the Management Console.
Upgrading SteelHead EX software
Follow these steps to upgrade your software. These instructions assume you are familiar with the SteelHead EX and the Management Console.
Riverbed has tested and qualified EX upgrades within two major releases. To perform a qualified upgrade, you might need to upgrade to an intermediary release first.
To upgrade the EX software
1. Download the software image from the Riverbed Support site to a location such as your desktop. Optionally, you can download a delta image directly from the Riverbed Support site to the SteelHead. The delta downloaded image includes only the incremental changes. The smaller file size means a faster download and less load on the network.
2. Log in to the Management Console using the Administrator account (admin).
3. Choose Configure > Maintenance: Software Upgrade and choose one of the following options:
–  From URL - Type the URL that points to the software image. Use one of the following formats:
–  From Riverbed Support Site - Select the target release number from the drop-down list to download a delta image directly to the appliance from the Riverbed Support site. The downloaded image includes only the incremental changes. You do not need to download the entire image. The system downloads and installs the new image immediately after you click Install. To download and install the image later, schedule another date or time before you click Install.
–  From Local File - Browse your file system and select the software image.
–  Schedule Upgrade for Later - Select this check box to schedule an upgrade for a later time. Type the date and time in the Date and Time text boxes using these formats:
4. Click Install to immediately upload and install the software upgrade on your system, unless you schedule it for later.
The software image can be quite large; uploading the image to the system can take a few minutes. Downloading a delta image directly from the Riverbed Support site is faster because the downloaded image includes only the incremental changes and is downloaded directly to the appliance.
As the upgrade progresses, status messages appear.
After the installation is complete, you are reminded to reboot the system to switch to the new version of the software.
5. Choose Configure > Maintenance: Reboot/Shut Down and click Reboot.
The appliance can take a few minutes to reboot. This is normal behavior as the software is configuring the recovery flash device. Do not press Ctrl-C, unplug, or otherwise shut down the system during this first boot. There is no indication displayed during the system boot that the recovery flash device is being configured.
After the reboot, the Home page, Software Upgrade, and Help pages of the Management Console display the software version upgrade.
Reclaiming disk space
Follow the steps in this section to reclaim the disk space that was reserved for converting virtual machines. These instructions assume that you have performed the upgrade procedure described in Upgrading SteelHead EX software.
By default, the upgrade process doesn’t automatically alter the existing disk layout. Disk space must be manually reclaimed.
Note: Changing the disk layout erases SteelFusion and VSP data from the disk and destroys the ESXi datastore. The appliance is rebooted as part of the process. Back up your SteelFusion, VSP, and datastore data prior to changing the disk layout.
For details about the amount of space that can be recovered, and about maximum allocations, see Series EX xx60 Technical Specifications.
To reclaim datastore space
1. Ensure that you have upgraded the appliance to EX 2.1 or greater.
2. Launch the Management Console.
3. Enter login credentials.
4. Select Configure > System Settings: Disk Management.
5. In the Disk Layout area, select one of the two available extended modes.
6. Click Apply.
7. At the prompt, click OK to confirm your intention to change the disk layout and reboot the device.
Downgrading the software
If you want to downgrade to a previous version of the SteelHead software, you must downgrade to a version of the software that has previously run on your machine.
When you downgrade the software, RiOS reverts the ESXi version to the version supported in the installation image. If you upgraded the ESXi using vCenter (separate from the EX installation), the system can’t restore the state and ESXi starts with the initial configuration.