SteelHead SD deployment
SteelHead CX3070 | SteelHead SD 3070-SD | |
Software | RiOS | SteelOS |
Network device type | Layer 2 | Layer 3 |
Purpose | WAN optimization | SD-WAN and, optionally, WAN optimization |
Icon |  |  |
deploymentSteelHead feature | Feature after upgrading to SteelHead SD |
Layer 7 optimization blades | All Layer 7 SteelHead optimization blades are supported. For example, HTTP, SSL, CIFS/SMB, MAPI, Oracle Forms, NFS, Lotus Notes, and storage replication (for example, SnapMirror) all operate normally and are unchanged. The Citrix optimization blade is supported but the ability to support the optimization of Multi-Stream ICA within the blade is no longer possible because the QoS functionality is taken care of by the service virtual machine (SVM) in SteelHead SD. You cannot optimize UDP traffic using the SteelHead IP blade as traffic is not redirected through the virtual SteelHead. |
SteelHead SaaS and the new SaaS Accelerator | SteelHead SD 2.0 supports SteelHead SaaS and the SaaS Accelerator. The SaaS Accelerator is not available on SteelConnect 2.11 gateways. |
Web proxy | SteelHead SD supports SteelHead Web proxy. |
CIFS prepopulation | SteelHead SD supports SteelHead CIFS prepopulation. |
Active Directory integration | SteelHead SD supports SteelHead Active Directory integration. Because the virtual SteelHead instance has full control of the primary interface, it supports Active Directory integration and server-side out-of-path deployments. |
Data store synchronization | SteelHead SD supports SteelHead data store synchronization on the primary interface with an adjacent SteelHead appliance. |
Caching DNS service | SteelHead SD supports the SteelHead caching DNS service. With the caching DNS service, because the AUX port isn’t available to the virtual SteelHead, caching DNS is limited to the primary interface only. |
Transport performance features | SteelHead SD supports SteelHead high speed TCP and bandwidth estimation, satellite features such as SCPS, and single-ended connections. |
Management, reporting, and diagnostics | SteelHead SD supports SteelHead domain, host, and port labels, as well as in-path and peering rules. |
Secure vault | SteelHead SD supports SteelHead secure vault. The secure vault password is retained when you upgrade from SteelHead to SteelHead SD. |
Management access controls | SteelHead SD supports SteelHead management access controls including Radius and TACACS, and role-based access. |
TCP dump export | SteelHead SD supports SteelHead export of TCP dumps. |
SteelHead feature | Feature after upgrading to SteelHead SD |
WAN-optimization only mode | WAN-optimization only mode is not supported on SteelHead SD. |
Hybrid networking services (path selection, secure transport, QoS) | Hybrid networking services (path selection, secure transport, QoS) are not supported on SteelHead SD. The network services of QoS, path selection and secure transport replaced by SteelConnect SD-WAN counterparts. Any QoS feature configuration on the original SteelHead must be converted to the new QoS in SCM. MX-TCP, because it was part of QoS, is not supported on SteelHead SD. Citrix Multistream ICA is not supported on SteelHead SD. |
Multiple in-path interfaces for WAN optimization | SteelHead SD does not support multiple in-path interfaces for WAN optimization. Given that SteelHead SD is a Layer 3 gateway, multiple LAN ports and segments can be mapped to a single in-path interface. There is no longer a need for multiple in-path interfaces on an SteelHead SD appliance. After upgrading from SteelHead to SteelHead SD you must reconfigure your multiple in-path interfaces to a single in-path configuration. |
Virtual in-path or WCCP/PBR | Virtual in-path or WCCP/PBR is not supported on SteelHead SD. The concept of virtual in-path is not relevant for the WAN optimization of SteelHead SD. Thus, there is no need for WCCP or PBR. |
Simplified Routing and VLAN transparency | Simplified Routing and VLAN transparency is not supported on SteelHead SD. Because the in-path interface on the virtual SteelHead instance within SteelHead SD doesn’t sit physically in-path on the network, there is no need for Simplified Routing or VLAN transparency. |
IPSec, subnet side rules, MXTCP and link state propagation | IPSec, subnet side rules, MXTCP and link state propagation are not supported on SteelHead SD. |
Serial high availability (HA) | After upgrading, serial HA is not supported on SteelHead SD 2.0. SteelHead appliances in an HA pair must be individually shut down and upgraded separately. Active-active (1:1) HA is supported on SteelHead SD 2.0. |
NIC bypass (fail-to-wire) | Currently, NIC level bypass or fail-to-wire is not supported in SteelHead SD. If at any point the status of the virtual SteelHead instance shows a failure condition, for example a reboot or a crash, the system stops sending traffic that was destined for the virtual SteelHead. Instead, it bypasses the SteelHead thereby ensuring the traffic is not black-holed. You can compare this behavior with a physical SteelHead entering bypass mode. The traditional SteelHead bypass functionality doesn’t apply 1:1 to a SteelHead SD appliance because it is now an SD-WAN appliance that acts as a Layer 3 hop (or a custom edge router in some cases). Enabling NIC bypass mode without proper routing architecture support can lead to unintended traffic path behavior and can have security implications. |
Fail-to-block | If a SteelHead SD appliance fails, the appliance goes into fail-to-block mode. If only the SteelHead WAN optimization service fails, then traffic is passed through unoptimized and the SteelConnect SD-WAN service remains fully operational. If only the SteelConnect SD-WAN service fails, then all traffic on the gateway is blocked. |
Data store synchronization | Data store synchronization is supported only on the primary interface because the AUX interface isn’t available to the virtual SteelHead. (The AUX port is the dedicated port used in HA configurations; it can also be used as an additional WAN uplink.) |
RADIUS/Authentication server under Sites | RADIUS/Authentication server under Sites configuration in SCM is not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030 appliances. Consult with your Riverbed sales engineer or Riverbed Professional Services at http://www.riverbed.com/services/index.html. |
Redirection of UDP traffic through the virtual SteelHead | Redirection of UDP traffic through the virtual SteelHead is not supported in SteelHead SD 2.0. You cannot optimize UDP traffic using the SteelHead IP blade. |
Source NAT on underlay traffic | Source NAT on underlay traffic is not supported on SteelHead SD 570-SD, 770-SD, 3070-SD, and SDI-2030. SteelHead SD appliances do not perform source NATing on underlay traffic exiting via the Internet uplink if it is destined for a private address, regardless of the configured outbound NAT setting. This is a change from the previous behavior for SteelHead SD 1.0 appliances, if NAT was enabled for an uplink, NAT was performed for all traffic exiting via the Internet uplink. For details on configuring NAT, see the SteelConnect Manager User Guide. |
SteelHead Management Console GUI pages | These SteelHead Management Console GUI elements are not supported in SteelHead SD 2.0: •QoS reports. •Flow export settings: Export QoS and application statistics to Cascade Flow Collectors. •Subnet side rules. •WCCP settings. •Connection forwarding settings. •Failover settings. •In-Path Settings: Enabling Link State Propagation. •IPSec settings. •AUX interface setting in the Base Interfaces page. •Caching DNS: Listen on AUX interface check box. |
Interface attribute | Before upgrade (SteelHead) | After upgrade (SteelHead SD) |
Appliance management | SteelHead Management Console | SCM |
Primary port interface | •SteelHead management via the SCC or SteelHead Management Console. •DHCP or statically configured. | The virtual SteelHead instance within the SteelHead SD does not have control of the physical network ports except for the Primary interface. •The primary port is used for management of the virtual SteelHead on SteelHead SD using the SCC or SteelHead Management Console. •DHCP or statically configured using the SteelHead SD Management Console. The primary IP address can be acquired using DHCP from the SteelConnect DHCP service. You must cable the primary back to a LAN port using a switch. •In a deployments where data store synchronization is used between two adjacent SteelHead appliances, the primary interface must be used for the data synchronization of traffic. |
Auxiliary (AUX) port interface | Backup management port. | The AUX port can be used as an additional WAN uplink on SteelHead SD. The AUX port is also the dedicated port for SteelHead SD HA deployments. The AUX port is not available for data store synchronization between two adjacent SteelHead appliances, the primary interface must be used for the synchronization traffic. |
In-path management | Management through the SCC or SteelHead Management Console. | Management of the vSH through the in-path management interface must be reconfigured. |
In-path interface | Typically one or two SteelHead in-path interfaces are configured (for example, internet and MPLS) over physical LAN and WAN pairs. | The inpath0_0 interface must be reconfigured after upgrade. |
SCC hosting | Typically, in the data center and used to manage remote SteelHeads using MPLS paths. | The virtual SteelHead on SteelHead SD will continue to be managed via SCC over MPLS path. |
Internet connectivity options | Local breakout or through MPLS from headquarters site. | Internet breakout options must be configured appropriately in SCM. |
Baseboard Management Controller (BMC) | Available to remotely power the appliance off and on. | For SteelHead SD 2.0, this port is unavailable. |
Feature | SteelHead 570-SD, 770-SD, 3070-SD | SDI-2030 | SDI-130 | SDI-330 | SDI-1030 | SDI-5030 | Virtual GW | Cloud GW |
eBGP | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
iBGP | Yes | Yes | No | No | No | No | No | No |
OSPF single area | Yes | Yes | Yes | Yes | Yes | No | No | — |
OSPF multi-area ABR | Yes | Yes | No | No | No | No | No | — |
ASBR | Yes | Yes | Yes* (Underlay routing inter-working solution) | Yes* (Underlay routing inter-working solution) | Yes* (Underlay routing inter-working solution) | No | Yes* (Underlay routing inter-working solution) | No |
Route retraction | Yes | Yes | No | No | No | Yes | No | No |
Default route originate | OSPF/BGP | OSPF/BGP LAN and WAN | OSPF-only LAN | OSPF-only LAN | OSPF-only LAN | BGP only | OSPF-only LAN | No |
Overlay route injection in LAN | Yes | Yes | No | No | No | Yes | No | No |
Local subnet discovery | Yes | Yes | No | No | No | Yes | No | No |
Static routes | Yes | Yes (LAN and WAN) | Yes (3rd-party routes) | Yes (3rd-party routes) | Yes (3rd-party routes) | Yes | Yes (3rd-party routes) | Yes (3rd-party routes) |
VLAN support (LAN side) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — |
1:1 Active-Active High Availability | Yes | Yes | No (Active-Passive HA) | No (Active-Passive HA) | No (Active-Passive HA) | No (HA cluster) | No (Active-Passive HA) | No (Active-Passive HA AWS) |
Brownfield transit for internet-only branch | Yes (As an edge device only) | Yes | Yes (As an edge device only) | Yes (As an edge device only) | Yes | Yes | Yes (As an edge device only) | Yes (As an edge device only) |
Native VLAN support | No | No | Yes | Yes | No | No | Yes | — |
Riverbed component | Hardware and software requirements |
SteelHead SD appliance | The SteelHead SD 570-SD and 770-SD appliances are desktop models. The SteelHead SD 3070-SD appliance requires a 19-inch (483 mm) four-post rack. For details, see the Rack Installation Guide. Upgrading from SteelHead to SteelHead SD requires the RiOS 9.7.1a virtual SteelHead (vSH) image. The 9.7.1a vSH image is contained within the SteelHead SD 2.0/SteelConnect 2.11. The supported SteelHead to SteelHead SD upgrade paths are: –9.6.1 > SteelHead SD 2.0 (includes 9.7.1a vSH) –9.6.2 > SteelHead SD 2.0 (includes 9.7.1a vSH) –9.6.2a > SteelHead SD 2.0 (includes 9.7.1a vSH) –9.7.0 or 9.7.0a > 9.7.1 > SteelHead SD 2.0 (includes 9.7.1a vSH) |
SteelHead SD Management Console | The Management Console has been tested with all versions of Chrome, Mozilla Firefox Extended Support Release version 38, and Microsoft Internet Explorer 11. JavaScript and cookies must be enabled in your web browser. |
SteelConnect and SteelConnect Manager (SCM) | SteelHead SD requires SteelConnect 2.11or later. SCM supports the latest version of the Chrome browser. SCM requires a minimum screen resolution of 1280 x 720 pixels. We recommend a maximum of 1600 pixels for optimal viewing. |
SteelCentral Controller for SteelHead (SCC) | To use the SCC to upgrade SteelHead to SteelHead SD, you must have SCC 9.7.1 installed. Upgrading SCC to 9.8 removes the in-field upgrade option in SCC. The SCC must be running version 9.7.1 for the SteelHead SD in-field upgrade wizard to appear. |
Ethernet standard | IEEE standard |
Ethernet Logical Link Control (LLC) | IEEE 802.2 - 1998 |
Fast Ethernet 100BASE-TX | IEEE 802.3 - 2008 |
Gigabit Ethernet over Copper 1000BASE-T (All copper interfaces are autosensing for speed and duplex.) | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 1000BASE-SX (LC connector) | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 1000BASE-LX | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 10GBASE-LR Single Mode | IEEE 802.3 - 2008 |
Gigabit Ethernet over 10GBASE-SR Multimode | IEEE 802.3 - 2008 |
NICs | Size (*) | Manufacturing part # | Orderable part # |
Two-Port 10-GbE Fiber SFP+ | HHHL | 410-00036-02 | NIC-1-010G-2SFPP |
Four-Port 10-GbE Fiber SFP+ | HHHL | 410-00108-01 | NIC-1-010G-4SFPP |