Adding and Registering Appliances in SCM
This chapter describes how to add and register SteelHead SD appliances using SteelConnect Manager (SCM). It includes these sections:
Overview
Logging in to SCM
Defining an organization
Adding sites
Adding zones
Adding shadow appliances
Registering SteelHead SD appliances
Recabling the appliance
This chapter doesn’t describe how to configure SD-WAN features in detail. For details, see the SteelHead SD Installation Guide, the SteelHead SD User Guide, and the SteelConnect Manager User Guide.
Overview
For each SteelHead appliance you’ll be upgrading, you must add it to SCM as a shadow appliance and register it.
To register SteelHead appliances that you are converting, you will need the SteelHead SD serial number that was sent via email by Riverbed. The SteelConnect serial number starts with XN. Make sure you register your appliances using the SteelConnect serial number. If you don’t, SCM won’t autodetect the appliances when you register them.
DHCP versus static IP
The inpath0_0 interface address on the virtual SteelHead instance is needed for initial contact between the SteelHead and SCM during the upgrade process. These settings are preconfigured in SCM so the SteelHead doesn’t revert to DHCP after initial contact with SCM.
We recommend you use the DHCP server when you are upgrading SteelHeads to SteelHead SD. If you are using DHCP for uplink IP addresses, no additional configuration is needed. SteelConnect will use DHCP to obtain the system inpath0_0 interface address. After the new image is downloaded and reflashed, the appliance reboots and acquires a temporary WAN IP address via DHCP for communication over the internet. It then contacts SCM and the Riverbed licensing servers to download certificates and complete the installation as a SteelHead SD appliance.
If your network isn’t running a DHCP server, you can use a static IP address, but you must preconfigure these in-path IP addresses, gateways, and DNS servers on the SteelHead appliances and in SCM before beginning the in-field upgrade process. At least one WAN uplink interface (for example, WAN0_0, WAN0_1, WAN3_0, WAN3_1) must have internet connectivity.
For details on configuring SD-WAN settings, see “Designing a Network” in the SteelConnect Manager User Guide.
Logging in to SCM
You log in to SCM using the URL that was emailed to you when you purchased the in-field upgrade kit. The email contains the URL for connecting to SCM and the default login and password: admin and pppp. This email is requested by the sales team and sent by the Riverbed Cloud Operations team.
For details on configuring SD-WAN settings, see “Quick Start” and “Designing a Network” in the SteelConnect Manager User Guide.
To log in to SCM
Log in to SCM using the default username admin and the default password pppp. After a successful login, you're greeted by the dashboard.
SCM will open with a default organization.
Figure: SCM Dashboard
The dashboard shows a visual representation of your organization. Double-click to zoom in. For more details, see “Monitoring the Network” in the SteelConnect Manager User Guide.
Defining an organization
The first task is to define an organization. SCM uses these terms to describe your company:
Organization - A company representing an end customer. You can assign administrative rights to individual administrator accounts per organization. You can also manage appliances and licensing per organization.
Site - A physical location of one or more office buildings, a hosting center, or a cloud location that make up the organization. A site houses a SteelConnect gateway or SteelHead SD appliances and uses a permanent DNS alias. Every site requires a local network zone and at least one internet uplink. When you create a site, the zone is automatically created and an uplink is automatically created for the internet path.
Zone - Zones are at the center of an SD-WAN network. A zone is equivalent to a Layer 2 IP segment within a site. Zones define subnets and VLANs on gateways. Every site has at least one zone and can have multiple zones. When you create a site, SteelConnect automatically adds a default zone.
SCM is delivered with a default organization. You’ll want to edit the default organization.
After adding the company name, you’ll add basic information. You can always change and customize this information later.
To change the default name and location of the organization
1. Choose Organization to display the default organization settings.
Figure: Changing the default organization settings
2. Change the organization name.
3. Click Submit.
4. Under location, type the company headquarters physical address.
5. Click Submit.
The dashboard map updates dynamically to keep an accurate visual overview of your network. You can always refer to the dashboard map as you define your topology to make sure the deployment is accurate.
Adding sites
The next task is to create one or more sites. If you have a lot of sites, you can also do a bulk import. For details on creating sites and bulk imports, see “Creating sites” in the SteelConnect Manager User Guide.
All internet connections, or uplinks, are automatically created when you set up your sites. By default, all uplinks use DHCP; however, SteelConnect also supports static IPs and PPPoE with authentication. For details, see “Creating uplinks” in the SteelConnect Manager User Guide.
To add sites
1. Choose Network Design > Sites.
2. Click Add a New Site.
3. Select Create Site to create a site for the data center.
Figure: Creating site
4. Add a site tag: for example, headquarters.
5. Add the site’s location: for example, San Francisco.
6. Specify the site’s address, country, and time zone. Make sure the time zone matches the site’s location.
7. Click Submit.
After you create the site, it appears on the dashboard map. Repeat these steps to add sites for the branch offices.
Adding zones
Zones are at the center of an SD-WAN network. A zone is equivalent to a Layer 2 IP segment within a site. Zones define subnets and VLANs on gateways.
Every site has at least one zone and can have multiple zones. When you create a site, SteelConnect automatically adds a default zone.
Zones can cross sites. For a business application that involves a call center that requires peer-to-peer networking, you can stretch a single zone across multiple sites, providing users all over the globe with one universal security policy applied to the same IP zone.
You can add zones to any site or any organization. A zone belongs to a site, but it can also belong to multiple sites. A site is a location like an office building, a hosting center, or a cloud location. Every site has at least one internet uplink and one local network zone.
To change the default zone to the LAN zone on the SteelHead
1. Choose Network Design > Zones.
2. Select a zone, click Settings, and update the zone name.
3. Select the IP tab, and change the IP address to match your LAN subnet on the SteelHead.
4. Click Submit.
The LAN zone is complete. By default, all sites are configured with an internet uplink and an AutoVPN uplink, which automatically creates secure tunnels over internet links to create a secure overlay network.
You can add additional zones to a site, if necessary. For details on configuring zones, see “Designing a Network” in the SteelConnect Manager User Guide.
Adding shadow appliances
SCM stores all configurations, including your existing and future network plans. This means you can either add an appliance when you physically have it, or you can preplan and configure an appliance for the future and then later drop the physical appliance into the topology with no further configuration needed.
When you add an appliance for future deployment, it’s called a shadow appliance. Shadow appliances are basically placeholders that represent the physical appliances until you register them with their serial numbers.
To add a shadow appliance
1. Choose Appliances and click Add appliances.
2. Select Create Shadow Appliance.
3. Select the SteelHead SD appliance from the model drop-down list.
4. Choose Headquarters as the site to deploy the shadow gateway.
5. Click Submit.
6. Repeat Step 2 through Step 5 for the remaining appliances.
Registering SteelHead SD appliances
The next task is to register the physical appliances to transform them from shadow appliances into physical appliances.
To register appliances
1. Locate the SteelConnect serial number either from the email that you received from Riverbed or from the appliance label. The SteelConnect serial number starts with XN.
Figure: Locating the serial number that starts with XN
2. Choose Appliances > Overview.
3. Select the shadow appliance, and select Actions > Register hardware.
Figure: Registering appliances
4. Type the serial number.
5. Optionally, you can select the site for the appliance or set that later.
6. Click Submit.
7. Repeat these steps for each appliance.
The provisioning server hands off the appliance when it connects into the particular organization and site. It gives the appliance its configuration, brings it online, performs all firmware upgrades, and realizes your design on the appliance in the real world. This automatic provisioning makes the appliances easily replaceable, if necessary. A complete mesh overlay connects across all sites and shares all networks that are involved with RouteVPN using full permissions.
After AutoVPN establishes the tunnels, you can view the dashboard map to see a visual representation of the network. Click a site marker to verify that the locations are completely connected with a full-mesh VPN. SCM displays the established connections as green lines between the sites. The lines change to red if the tunnel goes offline.
Recabling the appliance
After you register your hardware, you might need to recable the appliances to ensure that at least one WAN port has connectivity to the internet:
On the SteelHead SD 570-SD or 770-SD appliances, use a straight-through cable to connect either the WAN0_0 or WAN0_1 ports to a WAN router with an internet uplink or an MPLS uplink for back-hauled internet traffic.
On the SteelHead SD 3070-SD appliance, use a straight-through cable to connect either the WAN3_0 or WAN3_1 port to a WAN router. Internet reachability can be via a local breakout or via a data center over MPLS—whichever you prefer.
WAN ports require an IP address as they represent the uplink configuration. The SteelHead in-path interface must have an IP address and VLAN ID, which can be in any SteelConnect zone.
After powering on the appliances, each appliance will download the latest SteelConnect firmware if necessary, and reboot. After the appliances are updated with the latest firmware, SteelConnect will automatically start building a secure overlay of VPN tunnels.
We recommend you cable the primary port to a DHCP-reachable port on the switch. For details on DHCP versus static IP, see Backing up your SteelHead configuration.
Cable at least one LAN port (for example, LAN0_0, LAN0_1, and so on) to the LAN port on a switch.
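The requirements this chapter sets before an in-field upgrade (an XN serial number, a WAN port appropriate to the model, and preconfigured in-path IP, gateway, and DNS for static plans) can be checked against a deployment plan before anything is registered. The following is an added example, not part of Riverbed's documentation or tooling; the record schema, field names, and sample values are hypothetical, and the gateway-in-subnet test is a general IP sanity check rather than a rule stated here.

```python
import ipaddress

# WAN ports this chapter names as internet-facing, per appliance model.
WAN_PORTS = {"570-SD": {"WAN0_0", "WAN0_1"}, "770-SD": {"WAN0_0", "WAN0_1"},
             "3070-SD": {"WAN3_0", "WAN3_1"}}

def check_appliance(rec):
    """Return the problems found in one planned-appliance record (hypothetical schema)."""
    problems = []
    # SCM only autodetects appliances registered with the XN serial number.
    if not str(rec.get("serial", "")).startswith("XN"):
        problems.append("serial does not start with XN")
    allowed = WAN_PORTS.get(rec.get("model"))
    if allowed is None:
        problems.append("unknown model")
    elif not allowed & set(rec.get("wan_uplinks", [])):
        problems.append("no WAN uplink on " + "/".join(sorted(allowed)))
    # Static plans must carry in-path IP, gateway, and DNS before the upgrade starts.
    if rec.get("addressing") == "static":
        missing = [k for k in ("inpath_ip", "gateway", "dns") if not rec.get(k)]
        if missing:
            problems.append("static plan missing " + ", ".join(missing))
        else:
            try:
                net = ipaddress.ip_interface(rec["inpath_ip"]).network
                [ipaddress.ip_address(s) for s in rec["dns"]]  # raises on a bad DNS entry
                # General IP sanity check, not a rule stated in this chapter.
                if ipaddress.ip_address(rec["gateway"]) not in net:
                    problems.append("gateway outside in-path subnet")
            except ValueError as exc:
                problems.append(f"bad address: {exc}")
    return problems

def check_plan(plan):
    """Map site tag -> problems, listing only records that need attention."""
    return {r["site"]: p for r in plan if (p := check_appliance(r))}

# Constructed sample plan; serials, sites, and addresses are made up.
PLAN = [
    {"site": "headquarters", "model": "3070-SD", "serial": "XN0000EXAMPLE1",
     "addressing": "dhcp", "wan_uplinks": ["WAN3_0"]},
    {"site": "branch-1", "model": "570-SD", "serial": "XN0000EXAMPLE2",
     "addressing": "static", "inpath_ip": "192.0.2.10/24",
     "gateway": "192.0.2.1", "dns": ["198.51.100.53"], "wan_uplinks": ["WAN0_1"]},
    {"site": "branch-2", "model": "770-SD", "serial": "AB0000EXAMPLE3",
     "addressing": "static", "inpath_ip": "192.0.2.20/24",
     "gateway": "203.0.113.1", "dns": ["198.51.100.53"], "wan_uplinks": ["WAN3_0"]},
]
if __name__ == "__main__": print(check_plan(PLAN))
```

In the sample plan only branch-2 is reported: it carries a non-XN serial, lists a WAN port that belongs to the 3070-SD, and has a gateway outside its in-path subnet.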
SteelHead SD port definitions
For details on port mappings, see SteelHead SD Port Mappings.
Port - Description
Primary (PRI) - The primary port is the management interface that enables you to connect to the SteelHead Management Console. Preferably the primary port connects to a DHCP-reachable port on a switch. In deployments where data store synchronization is used between two adjacent SteelHead appliances, the primary interface must be used for the data synchronization traffic.
AUX - The AUX port can be used as an additional WAN uplink on SteelHead SD. The AUX port is also the dedicated port for SteelHead SD HA deployments. The AUX port is not available for data store synchronization between two adjacent SteelHead appliances; the primary interface must be used for the synchronization traffic.
WANX_X - WAN ports function as uplinks for internet service providers that connect to the internet. Connect the WAN port to a WAN router using a straight-through cable. For SteelHead SD 570-SD and 770-SD appliances, the default internet access port is WAN0_0 or WAN0_1. For SteelHead SD 3070-SD appliances, the default internet access port is WAN3_0 or WAN3_1.
LANX_X - Connect the LAN port to the LAN switch using a straight-through cable. For SteelHead SD 570-SD and 770-SD appliances, the default ports are LAN0_0 and LAN0_1. For SteelHead SD 3070-SD appliances, the default port is LAN3_0 or LAN3_1.
Console - Connects you to the controller virtual machine (CVM) using a serial cable. CVM is the runtime management platform that connects you to the hypervisor via SSH. Typically, you should be able to troubleshoot and modify network issues using SCM.
Recabling the appliance
This section describes how to recable the appliance (if necessary).
To recable the SteelHead SD appliance
1. Use a straight-through cable to connect the primary port to a port on the switch. We recommend this is a DHCP-reachable port on the switch that connects to a DHCP server.
Figure: Connecting the primary port to the LAN switch
2. Use a straight-through cable to connect at least one LAN port (LAN0_0 or LAN0_1, or LAN3_0 or LAN3_1 on the 3070-SD appliance) to the LAN port on the switch.
Figure: Connecting the LAN switch to the LAN port
3. Connect at least one WAN port to an uplink from a service provider.
For example, on a 570-SD or 770-SD appliance, use a straight-through cable to connect the WAN0_0 or WAN0_1 port to an internet uplink or to an MPLS uplink for back-hauled internet traffic. On a 3070-SD appliance, connect either the WAN3_0 or WAN3_1 port to a WAN router. Internet reachability can be via a local breakout or via a data center over MPLS.
Figure: Connecting the WAN port to the WAN router
After you finish these tasks, you are ready to install the software. For details, see Upgrading the SteelHead Software.