Quick Start
Getting started
This tutorial describes how to configure a basic network with a single company headquarters in minutes. You’ll define an organization, establish network zones (including a guest zone), add users, and then deploy SDI-130 wireless gateways into the sites. You design first and deploy the hardware last.
This tutorial steps you through setting up a basic network and putting it into production. It takes about 20 minutes to complete.
SteelConnect Manager (SCM) uses a single control plane for all sites and provides central policy management for the distributed enterprise. You use it to define the network-wide policy and push the policy to all devices. You complete all configurations through the central console using abstract concepts such as users, applications, sites, and zones.
To begin, log in to SCM. By default, the username is admin and the default password is pppp.
After a successful log in, you're greeted by the dashboard.
A unified view of your organization
The dashboard shows a visual representation of your organization. Double-click to zoom in. For more details, see
Monitoring the Network.
The first task is to define an organization.
Organization with a headquarters, guest zone, data center, and two branch offices
Defining an organization
SCM uses these terms to describe your company:
•Organization - A company representing an end customer. You can assign administrative rights to individual administrator accounts per organization. You can also manage appliances and licensing per organization.
•Site - A physical location of one or more office buildings, a hosting center, or a cloud location that make up the organization. A site houses a SteelConnect gateway and uses a permanent DNS alias. Every site requires a local network zone and at least one internet uplink. When you create a site, the zone is automatically created and an uplink is automatically created for the internet path.
•Zone - Layer 2 network segments or VLANs within sites that are VLAN-tagged traffic. A zone always has a VLAN tag assigned to it.
SCM is delivered with a default organization. You’ll want to edit the default organization.
After adding the company name, you’ll add basic information. You can always change and customize this information later.
To change a company name and location
1. Choose Organization.
2. Change the organization name to Cyberdyne.
3. Click Submit.
4. Under location, type the company headquarters physical address in San Francisco.
5. Click Submit.
The dashboard map updates dynamically to keep an accurate visual overview of your network. You can always refer to the dashboard map as you define your topology to make sure the deployment is accurate.
The next task is to create one or more sites. If you have a lot of sites you can also do a bulk import to speed things up as described in
Creating sites. For now, we’ll start by adding a site manually.
To add sites
1. Choose Network Design > Sites.
2. Click Add Sites.
3. Select New Site.
4. Add a site tag: for example, headquarters.
5. Add the site’s location: for example, San Francisco.
6. Specify the site’s address, country, and time zone. Make sure the time zone matches the site’s location.
7. Click Submit.
After you create the site, it appears on the dashboard map. Repeat
Step 2 through
Step 6 to add a site for the data center in Ashburn, and two more sites for branches in Seattle and Dallas.
All drop-down lists support type ahead. For example, in the Timezone drop-down list, you don’t need to search through the list to find Americas/New_York. Simply type New_ and you’ll see it appear in the list. This applies for any drop-down list in SCM.
Designing a network
After you define your organization and add sites, you are ready to design a network. You’ll start by editing and creating zones. Zones are Layer 2 network segments (or VLANs within sites) that contain networks and IP addresses. In this tutorial, you’ll change the default zone for the LAN.
To change a zone
1. Choose Network Design > Zones.
2. Select a zone, click Settings, and update the zone name.
3. Select the IP tab, and change the IP address to match your network topology.
In this tutorial, you want this zone to be part of the VPN and to automatically connect your VPN connection using automated VPN. For more details on automated VPN, see
AutoVPN modes.
Regular zones are always part of RouteVPN by default.
4. Click Submit.
The LAN zone is complete.
By default, all sites are configured with an internet uplink and a AutoVPN uplink which automatically creates secure tunnels over internet links to create a secure overlay network.
Next, you’ll create a new zone for guests. Within the guest zone, you can determine how guests can register their devices: using their mobile phone number (SMS), email address, or social media apps (Facebook, Twitter, Google).
Guest zones are only allowed to send traffic over to the internet.
After you create a guest zone you can’t change it to a standard zone.
Guest zones on SteelHead SD appliances have unrestricted access in the network.
To create a guest zone
1. Return to the Zones page and click New Zone.
2. Select the Headquarters (San Francisco) site from the drop-down list.
3. Type Guest to describe the zone.
4. Under guest zone, click On to add some extra intraclient security and isolate the guests from each other.
5. Click Submit.
Two zones are ready for use: one for the corporate LAN in San Francisco and one for the headquarters guests.
Adding shadow appliances
When you add an appliance for future deployment, it’s called a shadow appliance. Shadow appliances are basically cardboard cutouts that you can use to represent what will be a physical appliance after registering it with a serial number.
To add a shadow appliance
1. Choose Appliances and click Add appliances.
2. Select Create Shadow Appliance.
3. Select SDI-130 Gateway from the model drop-down list.
4. Choose Headquarters as the site to deploy the shadow gateway.
5. Click Submit.
6. Repeat
Step 2 through
Step 5, substituting Ashburn data center as the site instead of Headquarters.
7. Repeat
Step 2 through
Step 5 to create gateways for the branch offices in Seattle and Dallas.
Later, you’ll register the gateways to transform them from shadow appliances to physical appliances. For details, see
Adding shadow appliances.
Choose Network Design > Uplinks to see that SCM has automatically assigned uplinks to the new gateways.
Establishing a security policy
Before deploying the hardware, you need to establish a policy that the sites have permission to recognize each other. Because the network is going to be transiting zones, you create an outbound/internal rule within a policy that allows this rule.
To create a policy rule
1. Choose Rules > Outbound/Internal.
2. Click New policy rule.
3. For users/source, select All (excluding guests).
4. Click Allow.
5. Under Applications / Targets, choose Selected zones.
6. Click Submit.
7. Choose all the LANs except the guest LAN in the headquarters to make them accessible from the users/zones.
8. Click On.
The rules match on the source and destination selected.
Enabling appliances
SteelConnect Manager stores all configurations, including your existing and future plans. This means you can either add an appliance when you physically have it, or you can preplan and configure an appliance for the future and then later drop the physical appliance into the topology with no further configuration needed.
In SCM, an appliance can be an SD-WAN gateway, an Ethernet switch, or a Wi-Fi access point.
When you add an appliance for future deployment, it’s called a shadow appliance. Shadow appliances are basically cardboard cutouts that you can use to represent what will be a physical appliance after registering it with a serial number.
Now you have shadow appliances deployed and zones created. The next task is to register the physical devices to transform them from shadow appliances into physical appliances.
To register a hardware appliance
1. Choose Appliances.
2. Select the shadow appliance, and choose Actions > Register hardware.
3. The appliance is shipped with a label that has the SteelConnect serial number. Find that serial number on the appliance and type it here.
SteelConnect gateway serial number location
To help you identify an appliance without unmounting it, unregistered appliances with an Organic LED (OLED) display (Gateway SDI-330, Switch S24, and Switch S48) display their serial number in the screen until you register the appliance with SCM.
4. Click Submit.
5. Repeat
Step 2 to
Step 4 to register the other appliances.
The provisioning server hands off the appliance when it connects into the particular organization and site. It gives the appliance its configuration, brings it online, performs all firmware upgrades, and realizes your design on the appliance in the real world.
This automatic provisioning makes the appliances easily replaceable, if necessary.
All internet connections, or uplinks, are automatically created when you set up your sites. By default, all uplinks use DHCP; however, SteelConnect also supports static IPs and PPPoE with authentication. For details, see
Creating uplinks.
A complete mesh overlay connects across all sites and shares all networks that are involved with RouteVPN using full permissions.
The last task is to cable the physical appliances, using the first WAN port for internet. After powering on the appliances, each appliance will download the latest firmware if necessary, and reboot. After they are updated with the latest firmware, SteelConnect will automatically start building a secure overlay of VPN tunnels.
After AutoVPN establishes the tunnels, you can view the dashboard map to see a visible representation of the network. Click a site marker to verify that the locations are completely connected with a full-mesh VPN. SCM displays the established connections as green lines between the sites. The lines change to red if the tunnel switches to offline.
For troubleshooting, see
Provisioning.
For details on adding a Wi-Fi broadcast to a zone, see
How do I plan and broadcast Wi-Fi?.
Configuring remote employee access to the corporate LAN
This section steps through the optional procedure of setting up a home office for a CEO that has access to the corporate LAN. When finished, your configuration will reflect
Organization with a home office added to the corporate network.
Organization with a home office added to the corporate network
You’ll start by creating a unique site that isn’t part of a dedicated zone shared with the rest of the company. Instead, the new home office site will use an IP address on the headquarters network as though the CEO were working in the building.
To provide the CEO access to the corporate LAN from home
1. Choose Network Design > Sites.
2. Click Add a Site.
3. Type a site tag to give the site a name: for example, CEOSite.
4. Type a site name that describes the site: for example, CEO.
5. Type the CEO’s home site location: for example, Denver.
6. Type the site’s address, country, and time zone.
7. Click Submit. SCM automatically creates a zone for the site.
8. Choose Network Design > Zones.
9. Select the zone CEOSite, select the IP tab, and change the IP address to match the CEO’s local internet connection.
10. Click Submit.
11. Because the CEO’s home office will use an access point instead of a gateway, select the Gateways tab and select Manual to disable automatic gateway configuration.
12. Choose Uplinks and choose CEOSite.
13. Select the Settings tab and rename the uplink to CEO-Uplink.
14. Choose Wi-Fi > Broadcasts and click New Broadcast.
15. Select CEOSite (CEO).
16. Select the SSID Employees.
17. Select the headquarters LAN as the default zone.
18. Click Submit.
When the CEO joins the network from home, the CEO is assigned an IP address on the corporate LAN. You don’t need to create a security policy because the home office isn’t transiting sites.
19. Choose Appliances and click Add appliances.
20. Select Create Shadow Appliance.
21. Select an access point.
22. Choose CEOSite (CEO) as the site to deploy the access point.
23. Click Submit.
After registering the access point, the CEO joins the corporate LAN from home. For details, see
Adding shadow appliances.
Logging out
To log out of the current session
1. In the upper-right corner click your username to open the drop-down menu.
2. Click Logout.