Introducing SteelHead SD
This topic provides an overview of the SteelHead SD. It includes these sections:
Introducing SteelHead SD
SteelHead SD and SteelConnect feature compatibility by model
SD-WAN feature restrictions for SteelHead SD 2.0
SteelHead feature changes after upgrading to SteelHead SD 2.0
Hardware and software requirements
This guide doesn’t provide detailed information about configuring and managing SD-WAN or WAN optimization features. For details, see the SteelConnect Manager User Guide and the SteelHead User Guide.
Introducing SteelHead SD
SteelHead SD combines SD-WAN and cloud networking capabilities (powered by SteelConnect) with Riverbed WAN optimization (powered by RiOS) into a single appliance. SteelHead SD seamlessly integrates advanced SD-WAN functionality with industry-leading WAN optimization, security, and visibility services all in one streamlined appliance. SteelHead SD WAN optimization reduces bandwidth utilization and accelerates application delivery and performance, while providing SteelConnect integration in the SteelOS environment.
SteelHead SD provides you with the ability to quickly provision branch sites and deploy applications remotely. At the same time, applications are optimized to ensure performance and reduce latency with zero touch provisioning.
Typically, SteelHead SD appliances and the SteelConnect SDI-2030 gateway are located in the branch office in conjunction with SteelConnect SDI-5030 gateways at the data center. The SteelConnect SDI-2030 gateway can also be deployed inline as a 1-Gbps data center gateway with active-active HA. The SteelConnect SDI-2030 gateway can also serve as a very large branch office box with high throughput requirements. The SteelConnect SDI-2030 gateway doesn’t support WAN optimization capabilities.
SteelHead SD 2.0 advanced routing and high availability (HA) features are supported on the SteelHead SD 570-SD, 770-SD, and 3070-SD appliances and the SteelConnect SDI-2030 gateway located at the branch. For details, see the SteelHead SD User Guide and the SteelConnect Manager User Guide.
SteelHead SD deployment
SteelHead SD supports these configuration modes:
SD-WAN and WAN optimization - In this configuration, WAN optimization runs as a service on top of SD-WAN. The SteelCentral Controller for SteelHead (SCC) or the SteelHead Management Console handles management and configuration of the WAN optimization features. Also, SteelHead CLI-based management is supported for WAN optimization settings. You connect to the Management Console via the primary port, which also uses DHCP to acquire its IP address. For details on configuring WAN optimization features, see the SteelCentral Controller for SteelHead User Guide and the SteelHead User Guide.
SD-WAN only - In this configuration, WAN optimization is not required. SCM handles the management and configuration of SD-WAN features. SCM connectivity requires one of the WAN ports that are used as uplink ports. Only the SD-WAN service can be enabled or disabled via SCM. The SD-WAN service upgrades are managed via SCM. SCM pushes the new software version according to the schedule that you set up. For details on configuring SD-WAN features, see the SteelConnect Manager User Guide and the SteelHead SD User Guide.
In SteelConnect 2.11, SteelHead SD appliances do not perform source NATing on underlay traffic exiting via the Internet uplink if it is destined for a private address, regardless of the configured outbound NAT setting. This is a change from the previous behavior for SteelConnect 2.10 SteelHead SD appliances: if NAT was enabled for an uplink, NAT was performed for all traffic exiting via the Internet uplink. For details on configuring NAT, see Branch topologies in the SteelConnect Manager User Guide.
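The source NAT change described above can be checked against an existing route list before an upgrade, to find destinations that stop being translated. This is an added example, not Riverbed code: it assumes "private address" means the RFC 1918 IPv4 ranges, and the route records, uplink labels, and function names are hypothetical.

```python
import ipaddress

# Assumption: "private address" means the RFC 1918 IPv4 ranges; the page does not list them.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_prefix(prefix):
    """Return 'private', 'public' or 'mixed' for an IPv4 destination prefix."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "private"
    if any(net.overlaps(p) for p in RFC1918):
        # A supernet or default route that contains private space.
        return "mixed"
    return "public"


def snat_applied(dest_class, nat_enabled, release):
    """Source NAT outcome on the Internet uplink: 'yes', 'no' or 'partial'."""
    if not nat_enabled:
        return "no"
    if release == "2.10":
        # Previous behavior: NAT enabled on the uplink translated all traffic.
        return "yes"
    if release == "2.11":
        # New behavior: private destinations are never translated.
        return {"private": "no", "mixed": "partial", "public": "yes"}[dest_class]
    raise ValueError("unknown release: %s" % release)


# Constructed sample data; the 'uplink' labels are hypothetical.
SAMPLE_ROUTES = [
    {"prefix": "10.20.0.0/16", "uplink": "internet", "nat_enabled": True},
    {"prefix": "0.0.0.0/0", "uplink": "internet", "nat_enabled": True},
    {"prefix": "203.0.113.0/24", "uplink": "internet", "nat_enabled": True},
    {"prefix": "192.168.50.0/24", "uplink": "internet", "nat_enabled": False},
    {"prefix": "172.16.0.0/12", "uplink": "mpls", "nat_enabled": True},
    {"prefix": "172.0.0.0/8", "uplink": "internet", "nat_enabled": True},
]


def upgrade_impact(routes):
    """List (prefix, before, after) for routes whose NAT outcome changes in 2.11."""
    changed = []
    for route in routes:
        if route["uplink"] != "internet":
            continue  # the change applies only to traffic exiting the Internet uplink
        dest_class = classify_prefix(route["prefix"])
        before = snat_applied(dest_class, route["nat_enabled"], "2.10")
        after = snat_applied(dest_class, route["nat_enabled"], "2.11")
        if before != after:
            changed.append((route["prefix"], before, after))
    return changed


if __name__ == "__main__":
    for prefix, before, after in upgrade_impact(SAMPLE_ROUTES):
        print("%-18s source NAT: %s -> %s" % (prefix, before, after))
```

A "partial" result marks a prefix that spans both private and public space, so only the private portion loses translation; any upstream device that relied on seeing the uplink address for that traffic needs review.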
For details on SteelHead SD software architecture and new features for SteelHead SD 2.0, see the SteelHead SD Installation Guide.
SteelHead SD and SteelConnect feature compatibility by model
Feature
SteelHead 570-SD, 770-SD, 3070-SD
SDI-2030
SDI-130
SDI-330
SDI-1030
SDI-5030
Virtual GW
Cloud GW
eBGP
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
iBGP
Yes
Yes
No
No
No
No
No
No
OSPF single area
Yes
Yes
Yes
Yes
Yes
No
No
OSPF multi-area ABR
Yes
Yes
No
No
No
No
No
ASBR
Yes
Yes
Yes* (Underlay routing inter-working solution)
Yes* (Underlay routing inter-working solution)
Yes* (Underlay routing inter-working solution)
No
Yes* (Underlay routing inter-working solution)
No
Route retraction
Yes
Yes
No
No
No
Yes
No
No
Default route originate
OSPF/BGP
OSPF/BGP LAN and WAN
OSPF-only LAN
OSPF-only LAN
OSPF-only LAN
BGP only
OSPF-only LAN
No
Overlay route injection in LAN
Yes
Yes
No
No
No
Yes
No
No
Local subnet discovery
Yes
Yes
No
No
No
Yes
No
No
Static routes
Yes
Yes (LAN and WAN)
Yes (3rd-party routes)
Yes (3rd-party routes)
Yes (3rd-party routes)
Yes
Yes (3rd-party routes)
Yes (3rd-party routes)
VLAN support (LAN side)
Yes
Yes
Yes
Yes
Yes
Yes
Yes
1:1 Active-Active High Availability
Yes
Yes
No (Active-Passive HA)
No (Active-Passive HA)
No (Active-Passive HA)
No (HA cluster)
No (Active-Passive HA)
No (Active-Passive HA AWS)
Brownfield transit for internet-only branch
Yes
(As an edge device only)
Yes
Yes
(As an edge device only)
Yes
(As an edge device only)
Yes
Yes
Yes
(As an edge device only)
Yes
(As an edge device only)
Native VLAN support
No
No
Yes
Yes
No
No
Yes
*SCM 2.9 and later support an underlay routing interworking solution that bridges BGP and OSPF. For details, see the SteelConnect Manager User Guide.
SD-WAN feature restrictions for SteelHead SD 2.0
This table summarizes the SD-WAN feature restrictions for SteelHead SD 2.0.
SD-WAN feature
Description
Static uplinks on the WAN
If you have static uplinks on the WAN, a default static route is not added automatically in SteelConnect. On SCM, you must manually add static routes to reach networks that aren't present on the SteelConnect overlay network in order to send packets on those WANs. For details, see the Knowledge Base article, S32693.
WAN AutoVPN memberships
WAN AutoVPN memberships for zones are not supported on SteelHead SD 2.0 and SteelConnect 2.11 appliances.
Redirection of UDP traffic through the virtual SteelHead
Redirection of UDP traffic through the virtual SteelHead is not supported in SteelHead SD 2.0. You will not be able to optimize UDP traffic using the SteelHead IP blade.
Classic VPN
Classic VPN is not supported on SteelHead SD 2.0 and SteelConnect 2.11 appliances.
Flow distribution
Flow distribution for internet traffic across similar uplinks is not supported on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances.
General SD-WAN features
The following general SD-WAN features are not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 appliances:
PPPoE
LTE uplinks
USB port for tethering (initial ZTP/SCM via USB tethering)
Cloudifi
Agents tab under Sites
LAN-side settings
The following LAN-side settings are not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 appliances:
Multiple physical ports in a single zone.
Spanning tree on LAN side.
Multiple physical ports in a zone.
Native VLANs.
zones Import configuration at the Site level.
xLAN option under Site configuration.
Path preference/path selection restrictions
When WAN optimization is enabled and the application target of a traffic rule is set to SSL, SteelConnect doesn’t correctly classify SSL traffic and the traffic will not travel across the SteelHead optimized path. For details, see the Knowledge Base article, S32180.
Traffic path rule restrictions
When the SteelHead is located out-of-path, application-based path preference rules are not honored for deployments using WAN optimization with a fixed target in-path rule to the SteelHead. You have these configuration options:
Convert your deployment to an in-path or virtual in-path and adjust SteelHead SD WAN optimization in-path rules to remove the fixed target setting.
Adjust the SteelHead SD WAN optimization in-path rules to pass-through and disable WAN optimization for application types you want to have follow the path preference rules.
Source NAT on underlay traffic
Source NAT on underlay traffic is not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 appliances.
SteelHead SD appliances do not perform source NATing on underlay traffic exiting via the Internet uplink if it is destined for a private address, regardless of the configured outbound NAT setting. This is a change from the previous behavior for SteelHead SD 1.0 appliances: if NAT was enabled for an uplink, NAT was performed for all traffic exiting via the Internet uplink. For details on configuring NAT, see the SteelConnect Manager User Guide.
RADIUS/Authentication server under Sites configuration in SCM
RADIUS/Authentication server under Sites configuration in SCM is not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 appliances.
Consult with your Riverbed sales engineer or Riverbed Professional Services at http://www.riverbed.com/services/index.html.
SteelHead feature changes after upgrading to SteelHead SD 2.0
These tables summarize the SteelHead features after you upgrade SteelHead appliances to SteelHead SD 2.0 appliances. For details on upgrading SteelHead appliances to SteelHead SD 2.0 appliances, see the SteelHead SD In-Field Upgrade Guide.
These tables do not summarize the feature changes that occur after you upgrade from SteelHead SD 1.0 to SteelHead SD 2.0. For details on feature changes that occur after upgrading from SteelHead SD 1.0 to SteelHead SD 2.0, see the SteelHead SD Installation Guide.
SteelHead features unchanged after upgrading to SteelHead SD 2.0
This table summarizes the SteelHead features that do not change when you upgrade to SteelHead SD 2.0.
SteelHead feature
Feature after upgrading to SteelHead SD 2.0
Layer 7 optimization blades
All Layer 7 SteelHead optimization blades are supported. For example, HTTP, SSL, CIFS/SMB, MAPI, Oracle Forms, NFS, Lotus Notes, and storage replication (for example, SnapMirror) all operate normally and are unchanged.
The Citrix optimization blade is supported but the ability to support the optimization of Multi-Stream ICA within the blade is no longer possible because the QoS functionality is taken care of by the service virtual machine (SVM) in SteelHead SD.
You cannot optimize UDP traffic using the SteelHead IP blade as traffic is not redirected through the virtual SteelHead.
SteelHead SaaS and the new SaaS Accelerator
SteelHead SD 2.0 supports both SteelHead SaaS and the SaaS Accelerator. The SaaS Accelerator is not available for SteelConnect 2.11 gateways.
Web proxy
SteelHead SD supports SteelHead Web proxy.
CIFS prepopulation
SteelHead SD supports SteelHead CIFS prepopulation.
Active Directory integration
SteelHead SD supports SteelHead Active Directory integration. Because the virtual SteelHead instance has full control of the primary interface, it supports Active Directory integration and server-side out-of-path deployments.
Data store synchronization
SteelHead SD supports SteelHead data store synchronization on the primary interface with an adjacent SteelHead appliance.
Caching DNS service
SteelHead SD supports the SteelHead caching DNS service. With the caching DNS service, because the AUX port is not available to the virtual SteelHead, caching DNS is limited to the primary interface only.
Transport performance features
SteelHead SD supports SteelHead high speed TCP and bandwidth estimation, satellite features such as SCPS, and single-ended connections.
Management, reporting, and diagnostics
SteelHead SD supports SteelHead domain, host, and port labels, as well as in-path and peering rules.
Secure vault
SteelHead SD supports SteelHead secure vault. The secure vault password is retained when you upgrade from SteelHead to SteelHead SD.
Management access controls
SteelHead SD supports SteelHead management access controls, including RADIUS and TACACS, and role-based access.
TCP dump export
SteelHead SD supports SteelHead export of TCP dumps.
SteelHead features changed after upgrading to SteelHead SD 2.0
This table summarizes the features that do change after upgrading to SteelHead SD 2.0.
SteelHead feature
Feature after upgrading to SteelHead SD 2.0
WAN-optimization only mode
WAN-optimization only mode is not supported on SteelHead SD.
Hybrid networking services (path selection, secure transport, QoS)
Hybrid networking services (path selection, secure transport, QoS) are not supported on SteelHead SD. The network services of QoS, path selection, and secure transport are replaced by their SteelConnect SD-WAN counterparts.
Any QoS feature configuration on the original SteelHead must be converted to the new QoS in SCM.
MX-TCP, because it was part of QoS, is not supported on SteelHead SD.
Citrix Multistream ICA is not supported on SteelHead SD.
Multiple in-path interfaces for WAN optimization
SteelHead SD doesn’t support multiple in-path interfaces for WAN optimization. Given that SteelHead SD is a Layer 3 gateway, multiple LAN ports and segments can be mapped to a single in-path interface. There is no longer a need for multiple in-path interfaces on a SteelHead SD appliance. After upgrading from SteelHead to SteelHead SD, you must reconfigure your multiple in-path interfaces to a single in-path configuration.
Virtual in-path or WCCP/PBR
Virtual in-path or WCCP/PBR is not supported on SteelHead SD. The concept of virtual in-path is not relevant for the WAN optimization of SteelHead SD. Thus, there is no need for WCCP or PBR.
Simplified Routing and VLAN transparency
Simplified Routing and VLAN transparency is not supported on SteelHead SD. Because the in-path interface on the virtual SteelHead instance within SteelHead SD doesn’t sit physically in-path on the network, there is no need for Simplified Routing or VLAN transparency.
IPSec, subnet side rules, MXTCP and link state propagation
IPSec, subnet side rules, MXTCP and link state propagation are not supported on SteelHead SD.
Serial high availability (HA)
After upgrading, serial HA is not supported on SteelHead SD 2.0. SteelHead appliances in an HA pair must be individually shut down and upgraded separately.
Active-active (1:1) HA is supported on SteelHead SD 2.0.
NIC bypass (fail-to-wire)
Currently, NIC level bypass or fail-to-wire is not supported in SteelHead SD.
If at any point the status of the virtual SteelHead instance shows a failure condition, for example a reboot or a crash, the system stops sending traffic that was destined for the virtual SteelHead. Instead, it bypasses the SteelHead thereby ensuring the traffic is not black-holed. You can compare this behavior with a physical SteelHead entering bypass mode.
The traditional SteelHead bypass functionality doesn’t apply 1:1 to a SteelHead SD appliance because it is now an SD-WAN appliance that acts as a Layer 3 hop (or a custom edge router in some cases). Enabling NIC bypass mode without proper routing architecture support can lead to unintended traffic path behavior and can have security implications.
Fail-to-block
If a SteelHead SD appliance fails, the appliance goes into fail-to-block mode.
If only the SteelHead WAN optimization service fails, then traffic is passed through unoptimized and the SteelConnect SD-WAN service remains fully operational.
If only the SteelConnect SD-WAN service fails, then all traffic on the gateway is blocked.
Data store synchronization
Data store synchronization is supported only on the primary interface because the AUX interface is not available to the virtual SteelHead. (The AUX port is the dedicated port used in HA configurations; it can also be used as an additional WAN uplink.)
RADIUS/Authentication server under Sites
RADIUS/Authentication server under Sites configuration in SCM is not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 appliances.
Consult with your Riverbed sales engineer or Riverbed Professional Services at http://www.riverbed.com/services/index.html.
Redirection of UDP traffic through the virtual SteelHead
Redirection of UDP traffic through the virtual SteelHead is not supported in SteelHead SD 2.0. You cannot optimize UDP traffic using the SteelHead IP blade.
Source NAT on underlay traffic
Source NAT on underlay traffic is not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030.
SteelHead SD appliances do not perform source NATing on underlay traffic exiting via the Internet uplink if it is destined for a private address, regardless of the configured outbound NAT setting. This is a change from the previous behavior for SteelHead SD 1.0 appliances: if NAT was enabled for an uplink, NAT was performed for all traffic exiting via the Internet uplink. For details on configuring NAT, see the SteelConnect Manager User Guide.
SteelHead Management Console GUI pages
These SteelHead Management Console GUI elements are not supported in SteelHead SD 2.0:
QoS reports.
Flow export settings: Export QoS and application statistics to Cascade Flow Collectors.
Subnet side rules.
WCCP settings.
Connection forwarding settings.
Failover settings.
In-Path Settings: Enabling Link State Propagation.
IPSec settings.
AUX interface setting in the Base Interfaces page.
Caching DNS: Listen on AUX interface check box.
Hardware and software requirements
Riverbed component
Hardware and software requirements
SteelHead SD appliance
The SteelHead SD 570-SD and 770-SD appliances are desktop models.
The SteelHead SD 3070-SD appliance requires a 19-inch (483 mm) four-post rack. For details, see the Rack Installation Guide.
SteelHead SD Management Console
The Management Console has been tested with all versions of Chrome, Mozilla Firefox Extended Support Release version 38, and Microsoft Internet Explorer 11.
JavaScript and cookies must be enabled in your web browser.
SteelConnect and SteelConnect Manager (SCM)
SteelHead SD requires SteelConnect 2.11.
SCM supports the latest version of the Chrome browser. SCM requires a minimum screen resolution of 1280 x 720 pixels. We recommend a maximum of 1600 pixels for optimal viewing.
SteelCentral Controller for SteelHead (SCC)
We recommend you have SCC 9.7.1 installed.
NIC support
Network interface cards (NICs) are supported on the SteelHead SD 3070-SD appliances for nonbypass traffic. SteelHead SD 570-SD and 770-SD appliances do not support NICs.
For SteelHead SD 3070-SD appliances, bypass NICs are not required for SteelConnect gateway deployments since LAN traffic requires network address translation (NAT) before it reaches the service provider network.
You can install these NICs in the SteelHead SD 3070-SD for nonbypass traffic.
| NICs | Size (*) | Manufacturing part # | Orderable part # |
| --- | --- | --- | --- |
| Two-Port 10-GbE Fiber SFP+ | HHHL | 410-00036-02 | NIC-1-010G-2SFPP |
| Four-Port 10-GbE Fiber SFP+ | HHHL | 410-00108-01 | NIC-1-010G-4SFPP |
*HHHL = Half Height, Half Length
For details on NICs, see the Network and Storage Card Installation Guide.
Firewall requirements
The SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 support stateful application-based firewalls at the network edge. For details on SteelConnect firewall and security features, see the SteelConnect SD-WAN Deployment Guide.
All communication is sourced from the site out to the SteelConnect management service. There’s no need to set up elaborate firewall or forwarding rules to establish the dynamic full-mesh VPN or to gain connectivity to the cloud. After you register an appliance, it receives its assigned configuration automatically. For details on SteelConnect firewall requirements, see the SteelConnect Manager User Guide.
Make sure the firewall ports 80 and 443 are open so that software installation and SCM operations aren’t blocked. For details on SteelConnect default ports, see the SteelConnect Manager User Guide.
Ethernet network compatibility
The SteelHead SD appliance supports these Ethernet networking standards.
| Ethernet standard | IEEE standard |
| --- | --- |
| Ethernet Logical Link Control (LLC) | IEEE 802.2 - 1998 |
| Fast Ethernet 100BASE-TX | IEEE 802.3 - 2008 |
| Gigabit Ethernet over Copper 1000BASE-T (All copper interfaces are autosensing for speed and duplex.) | IEEE 802.3 - 2008 |
| Gigabit Ethernet over Fiber 1000BASE-SX (LC connector) | IEEE 802.3 - 2008 |
| Gigabit Ethernet over Fiber 1000BASE-LX | IEEE 802.3 - 2008 |
| Gigabit Ethernet over Fiber 10GBASE-LR Single Mode | IEEE 802.3 - 2008 |
| Gigabit Ethernet over 10GBASE-SR Multimode | IEEE 802.3 - 2008 |
SNMP-based management compatibility
SteelConnect SD-WAN service supports proprietary MIBs accessible through SNMPv2 and SNMPv3. For detailed information about the SD-WAN service MIB, see the SteelConnect Manager User Guide.
The SteelHead WAN optimization supports proprietary MIBs accessible through SNMP, SNMPv1, SNMPv2c, and SNMPv3, although some MIB items might only be accessible through SNMPv2 and SNMPv3. For detailed information about the WAN optimization service MIB, see the SteelHead User Guide.
For detailed information on SteelConnect SNMP support, see the SteelConnect Manager User Guide and the SteelHead SD User Guide.