Product Overview
This chapter provides an overview of common terms, new features, upgrade instructions, technical and environmental specifications, and a description of the status lights for the system.
Prerequisites
This section provides information about product dependencies and compatibility.
Software dependencies
This table summarizes the software requirements for the SteelHead.
Riverbed component | Hardware and software requirements |
SteelHead Management Console | Any computer that supports a web browser with a color image display. The Management Console has been tested with the latest versions of Chrome, Mozilla Firefox, and Microsoft web browsers. JavaScript and cookies must be enabled in your web browser. |
SCC compatibility
To manage SteelHeads, you need to use an SCC of the same version. You cannot manage SteelHeads running a later version than the version the SCC is running. For details about SCC compatibility across versions, see the SteelCentral Controller for SteelHead Installation Guide.
Firewall requirements
We recommend that you deploy the SteelHead behind your firewall. These firewall settings are required for the SteelHead:
• Ports 7800 and 7810 must be open.
• Make sure your firewall doesn’t strip TCP options.
Secure transport requires communication on the management plane, control plane, and data plane. Consider the following port usage:
• The management plane requires communication between the SteelHead and the SCC on TCP port 9443 and TCP port 22.
• The control plane between the SteelHead acting as the controller and the SteelHeads acting as group members is over TCP port 9443.
• Encryption service flows over ESP (IP protocol 50). Or, if the network is public, over UDP port 4500.
Overview of the SteelHead
The causes for slow throughput in WANs are well known: high delay (round-trip time or latency), limited bandwidth, and chatty application protocols. Large enterprises spend a significant portion of their information technology budgets on storage and networks, much of it spent to compensate for slow throughput, by deploying redundant servers and storage, and the required backup equipment. SteelHeads enable you to consolidate and centralize key IT resources to save money, reduce capital expenditures, simplify key business processes, and improve productivity.
With the SteelHead, you can solve a range of problems affecting WANs and application performance, including:
• Insufficient WAN bandwidth
• Inefficient transport protocols in high-latency environments
• Inefficient application protocols in high-latency environments
The Riverbed Optimization System (RiOS) intercepts client-server connections without interfering with normal client-server interactions, file semantics, or protocols. All client requests are passed through to the server normally, while relevant traffic is optimized to improve performance.
RiOS uses these optimization techniques:
Data streamlining
SteelHeads and Client Accelerator can reduce WAN bandwidth utilization by 65% to 98% for TCP-based applications using data streamlining. In addition to traditional techniques like data compression, RiOS also uses a Riverbed proprietary algorithm called scalable data referencing (SDR). SDR breaks up TCP data streams into unique data chunks that are stored in the hard disk (RiOS data store) of the device running RiOS (a SteelHead or Client Accelerator host system). Each data chunk is assigned a unique integer label (reference) before it’s sent to a peer RiOS device across the WAN. When the same byte sequence is seen again in future transmissions from clients or servers, the reference is sent across the WAN instead of the raw data chunk. The peer RiOS device uses this reference to find the original data chunk on its RiOS data store, and reconstruct the original TCP data stream.
Transport streamlining
SteelHeads use a generic latency optimization technique called transport streamlining. Transport streamlining uses a set of standards and proprietary techniques to optimize TCP traffic between SteelHeads. These techniques:
• ensure that efficient retransmission methods, such as TCP selective acknowledgments, are used.
• negotiate optimal TCP window sizes to minimize the impact of latency on throughput.
• maximize throughput across a wide range of WAN links.
Application streamlining
In addition to data and transport streamlining optimizations, RiOS supports a rich set of application protocols that includes but is not limited to Microsoft Exchange, CIFS, SMB, SharePoint, HTTP/HTTPS, Lotus Notes, FCIP, SRDF, and SnapMirror.
Path selection for hybrid networking
These solutions maximize multiple WAN services based on business needs, service quality, and costs. Path selection redirects specific traffic or applications through one of three alternate paths determined by destination availability in cascading order. The path selection technology deterministically redirects select traffic and application flows through alternate networks based on service metrics, such as path availability, application priority, and policies you create.
Traffic classification
The SteelHead application flow engine, which covers more than 1,300 individual applications and processes, uses information to understand where data is coming from, which application sent it, and what function that application is trying to accomplish. The application flow engine utilizes a variety of techniques, often in combination, such as port-based classification, application signature matching, protocol dissection, behavioral classification, and others. Path selection classifies traffic using the full assortment of packet rules including IP addresses, 5-tuple, differentiated services code point (DSCP), TCP, user datagram protocol (UDP) port numbers, and so on. In this way, operators can instruct SteelHead solutions to precisely associate applications to networks based on their nature, performance requirements, and business criticality.
Packet forwarding
After the SteelHead has selected the right path, the next step is for it to steer traffic to the newly selected path. This operation is transparent to the client, server, and any networking devices such as routers or switches. RiOS forwards packets either directly using distinct SteelHead physical interfaces, or indirectly using (MAC) address rewriting. When these forwarding methods aren’t possible. For example, with virtual in-path deployments or where the SteelHead solution is not in the same Layer-2 domain, RiOS uses DSCP marking with upstream policy-based routing.
Availability monitoring
The SteelHead monitors end-to-end path availability and quality. You define the endpoint IP address for every path, and the SteelHead sends an Internet Control Message Protocol (ICMP) ping every two seconds. To validate availability, each path can have a different remote host.
Failover management
If three consecutive pings are missed, the system considers the path to be unavailable, and selects the backup path. Every application has a default and a prioritized set of backup paths. Should the default path be unavailable, the higher-priority backup is instantly used (and then the lower one if needed). Operators can block certain types of applications when the primary path becomes unavailable, with a goal of reserving the remaining available bandwidth for more critical applications. As soon as the default path becomes available, traffic is routed back to it.
Management streamlining
Management streamlining refers to the methods that Riverbed has developed to simplify the deployment and management of RiOS devices. These methods include:
• Autodiscovery process, which enables SteelHeads and Client Accelerator to automatically find remote SteelHeads, and to then optimize traffic using them. Enhanced autodiscovery automatically discovers the last SteelHead in the network path of the TCP connection. Autodiscovery relieves you from having to manually configure large amounts of network information. The autodiscovery process enables administrators to control and secure connections, specify which traffic is to be optimized, and specify peers for optimization.
• SteelCentral Controller for SteelHead (SCC), which automatically configures and monitors remote SteelHeads. It also gives you a single view of the overall benefit and health of the SteelHead network. SteelCentral Controller for SteelHead’s central management console dramatically improves the management and usability of control capabilities. The SCC features an intuitive interface and management plane based on high-level abstractions such as applications, sites, uplinks, or networks that match the way you view your IT environment. With SCC, you can implement new, more efficient configuration and change management workflows that make hybrid-networking capabilities truly usable at scale.
• Client Accelerator Controller (Client Accelerator), which tracks the individual health and performance of each deployed software client, and manages enterprise client licensing. The SCCM enables you to see who is connected, view their data reduction statistics, and perform support operations such as resetting connections, pulling logs, and automatically generating traces for troubleshooting. You can perform all of these management tasks without end user input.
For detailed information about how the SteelHead works and deployment design principles, see the SteelHead Deployment Guide.
Configuring optimization
You configure optimization of traffic using the Management Console or the Riverbed CLI. You configure the type of traffic a SteelHead optimizes and specify the type of action it performs using:
In-Path rules
In-path rules determine the action a SteelHead takes when a connection is initiated, usually by a client. In-path rules are used only when a connection is initiated. Because connections are usually initiated by clients, in-path rules are configured for the initiating, or client-side SteelHead. You configure one of these types of in-path rule actions:
• Auto discover - Use the autodiscovery process to determine if a remote SteelHead is able to optimize the connection attempting to be created by this SYN packet.
• Fixed-target - Skip the autodiscovery process and use a specified remote SteelHead as an optimization peer. Fixed-target rules require the input of at least one remote target SteelHead; an optional backup SteelHead might also be specified.
• Fixed-target (packet mode optimization) - Skip the autodiscovery process and use a specified remote SteelHead as an optimization peer to perform bandwidth optimization on TCPv4, TCPv6, UDPv4, or UDPv6 connections. Packet-mode optimization rules support both physical in-path and master/backup SteelHead configurations. For details, see the SteelHead User Guide.
• Pass-through - Allow the SYN packet to pass through the SteelHead. No optimization is performed on the TCP connection initiated by this SYN packet.
• Discard - Drop the SYN packet silently.
• Deny - Drop the SYN packet and send a message back to its source.
Peering rules
Peering rules determine how a SteelHead reacts when it sees a probe query. Peering rules are an ordered list of fields a SteelHead uses to match with incoming SYN packet fields: for example, source or destination subnet, IP address, VLAN, or TCP port, as well as the IP address of the probing SteelHead. This is especially useful in complex networks. These types of peering rules are available:
• Auto - If the receiving SteelHead is not using enhanced autodiscovery, this has the same effect as the Accept peering rule action. If enhanced autodiscovery is enabled, the SteelHead only becomes the optimization peer if it’s the last SteelHead in the path to the server.
• Accept - The receiving SteelHead responds to the probing SteelHead and becomes the remote-side SteelHead (that is, the peer SteelHead) for the optimized connection.
• Passthrough - The receiving SteelHead doesn’t respond to the probing SteelHead, and allows the SYN+ probe packet to continue through the network.
For detailed information about in-path and peering rules and how to configure them, see the SteelHead User Guide.
Fail-to-wire (bypass) mode
All SteelHead models and in-path network interface cards support a fail-to-wire mode. In the event of a failure or loss of power, the SteelHead goes into bypass mode and the traffic passes through uninterrupted.
Many in-path network interface cards (NICs) also support a fail-to-block mode in which case if there’s a failure or loss of power, the SteelHead LAN and WAN interfaces power down and stop bridging traffic. The default failure mode is fail-to-wire mode.
If there’s a serious problem with the SteelHead or it’s not powered on, it goes into bypass mode to prevent a single point of failure. If the SteelHead is in bypass mode, you are notified in these ways:
• The Intercept/Bypass status light on the bypass card is triggered. For detailed information about bypass card status lights, see the appendixes that follow.
• The Dashboard of the Management Console displays the Critical health icon next to the appliance name.
• SNMP traps are sent (if you have set this option).
• The event is logged to system logs (syslog).
• Email notifications are sent (if you have set this option).
When the fault is corrected, new connections receive optimization; however, connections made during the fault aren’t optimized. To force all connections to be optimized, enable the kickoff feature. Generally, connections are short-lived and kickoff is not necessary. For detailed information about enabling the kickoff feature, see the SteelHead User Guide and the SteelHead Deployment Guide.
When the SteelHead is in bypass mode the traffic passes through uninterrupted. Traffic that was optimized might be interrupted, depending on the behavior of the application-layer protocols. When connections are restored, they succeed, although without optimization.
In an out-of-path deployment, if the server-side SteelHead fails, the first connection from the client fails. After detecting that the SteelHead is not functioning, a ping channel is setup from the client-side SteelHead to the server-side SteelHead. Subsequent connections are passed through unoptimized. When the ping succeeds, processing is restored and subsequent connections are intercepted and optimized.
For detailed information about the ping command, see the Riverbed Command-Line Interface Reference Manual.
Fail-to-block (disconnect) mode
In fail-to-block mode, if the SteelHead has an internal software failure or power loss, the SteelHead LAN and WAN interfaces power down and stop bridging traffic.
When fail-to-block mode is enabled, a failed SteelHead blocks traffic along its path, forcing traffic to be rerouted onto other paths (where the remaining SteelHeads are deployed). This is only useful if the network has a routing or switching infrastructure that can automatically divert traffic off of the link once the failed SteelHead blocks it.
You can use this mode with connection-forwarding, the allow-failure CLI command, and an additional SteelHead on another path to the WAN to achieve redundancy. For more information, see the Riverbed Command-Line Interface Reference Manual.
You set fail-to-block mode in the SteelHead CLI. For detailed information, see the SteelHead Deployment Guide.
Upgrading RiOS
This section provides information specific to upgrading and downgrading the SteelHead. For more general information and procedures, see
Riverbed Software Licenses, Upgrades, and Image Signing.RiOS is backward compatible with previous RiOS versions. However, to obtain the full benefits of the new features in the software, you must upgrade the client-side and server-side SteelHeads on any given WAN link. After you have upgraded all linked appliances, all the benefits of the features and enhancements are available.
The SteelHead uses image signing verification to ensure that software upgrades and downgrades are authentic Riverbed images.
User permissions
Upgrading from RiOS 8.6 to 9.0 and later requires additional user permissions for path selection and QoS. For example, a user with QoS read/write permission in a previous version will no longer have permission to configure a QoS rule. In RiOS 9.0 and later, a user needs read/write permission for network settings in addition to read/write permission for QoS.
This table summarizes the changes to the user permission requirements for RiOS 9.0 and later.
Management console page | To configure this feature or change this section | Required read permission | Required read/write permission |
Networking > Topology: Sites & Networks | Networks | Network Settings Read-Only | Network Settings Read/Write |
Sites | Network Settings Read-Only QoS Read-Only Path Selection Read-Only | Network Settings Read/Write QoS Read/Write Path Selection Read/Write |
Networking > App Definitions: Applications | Applications | Network Settings Read-Only | Network Settings Read/Write |
Networking > Network Services: Quality of Service | Enable QoS | QoS Read-Only | QoS Read/Write |
Manage QoS Per Interface | Network Settings Read-Only | Network Settings Read/Write |
QoS Profile | QoS Read-Only | QoS Read/Write |
QoS Remote Site Info | Network Settings Read-Only QoS Read-Only | — |
Networking > Network Services: QoS Profile Details | Profile Name | QoS Read-Only | QoS Read/Write |
QoS Classes | QoS Read-Only | QoS Read/Write |
QoS Rules | QoS Read-Only | Network Settings Read/Write QoS Read/Write |
Path Selection | Enable Path Selection | Network Settings Read-Only | Network Settings Read/Write |
Path Selection Rules | Network Settings Read-Only Path Selection Read-Only | Network Settings Read/Write Path Selection Read/Write |
Uplink Status | Network Settings Read-Only Path Selection Read-Only Reports Read/Write | — |
Outbound QoS Report | | QoS Read-Only | QoS Read/Write |
Inbound QoS Report | | QoS Read-Only | QoS Read/Write |
Host Labels | | Network Settings Read-Only or Path Selection Read-Only | Network Settings Read/Write or QoS Read/Write |
Port Labels | | Network Settings Read-Only or QoS Read-Only | Network Settings Read/Write or QoS Read/Write |
Upgrade considerations
Consider the following before upgrading RiOS:
• You can’t upgrade the SteelHead CX 555 or CX 755 to RiOS version 9.5 or later.
• If you mix RiOS software versions in your network, the releases might support different optimization features and you can’t take full advantage of the features that aren’t part of the older software versions.
• If you have deployed path selection or QoS in a RiOS deployment before 9.2, we recommend that you temporarily disable the path selection and QoS features after upgrading to 9.2 or later and prior to rebooting the appliance. For more information, go to Knowledge Base article
S28250.
Recommended upgrade paths
To find allowed upgrades between RiOS versions and recommended upgrade paths, use the Software Upgrade tool on the Riverbed Support site at
https://support.riverbed.com. The tool includes all of the recommended intermediate RiOS versions.