SteelHead SD deployment
SteelHead CX3070 | SteelHead SD 3070-SD | |
Software | RiOS | SteelOS |
Network device type | Layer 2 | Layer 3 |
Purpose | WAN optimization | SD-WAN and, optionally, WAN optimization |
Icon |  |  |
deploymentSteelHead feature | Feature after upgrading to SteelHead SD |
Layer 7 optimization blades | All Layer 7 SteelHead optimization blades are supported. For example, HTTP, SSL, CIFS/SMB, MAPI, Oracle Forms, NFS, Lotus Notes, and storage replication (for example, SnapMirror) all operate normally and are unchanged. The Citrix optimization blade is supported but the ability to support the optimization of Multi-Stream ICA within the blade is no longer possible because the QoS functionality is taken care of by the service virtual machine (SVM) in SteelHead SD. You cannot optimize UDP traffic using the SteelHead IP blade as traffic is not redirected through the virtual SteelHead. |
SteelHead SaaS and the SaaS Accelerator | SteelHead SD supports SteelHead SaaS and the SaaS Accelerator. The SaaS Accelerator is available on SteelConnect 2.13 or later gateways. |
Web proxy | SteelHead SD supports SteelHead Web proxy. |
CIFS prepopulation | SteelHead SD supports SteelHead CIFS prepopulation. |
Active Directory integration | SteelHead SD supports SteelHead Active Directory integration. Because the virtual SteelHead instance has full control of the primary interface, it supports Active Directory integration and server-side out-of-path deployments. |
Data store synchronization | SteelHead SD supports SteelHead data store synchronization on the primary interface with an adjacent SteelHead appliance. |
Caching DNS service | SteelHead SD supports the SteelHead caching DNS service. With the caching DNS service, because the AUX port isn’t available to the virtual SteelHead, caching DNS is limited to the primary interface only. |
Transport performance features | SteelHead SD supports SteelHead high speed TCP and bandwidth estimation, satellite features such as SCPS, and single-ended connections. |
Management, reporting, and diagnostics | SteelHead SD supports SteelHead domain, host, and port labels, as well as in-path and peering rules. |
Secure vault | SteelHead SD supports SteelHead secure vault. The secure vault password is retained when you upgrade from SteelHead to SteelHead SD. |
Management access controls | SteelHead SD supports SteelHead management access controls including Radius and TACACS, and role-based access. |
TCP dump export | SteelHead SD supports SteelHead export of TCP dumps. |
SteelHead feature | Feature after upgrading to SteelHead SD |
WAN-optimization only mode | WAN-optimization only mode is not supported on SteelHead SD. |
Hybrid networking services (path selection, secure transport, QoS) | Hybrid networking services (path selection, secure transport, QoS) are not supported on SteelHead SD. The network services of QoS, path selection and secure transport replaced by SteelConnect SD-WAN counterparts. Any QoS feature configuration on the original SteelHead must be converted to the new QoS in SCM. MX-TCP, because it was part of QoS, is not supported on SteelHead SD. Citrix Multistream ICA is not supported on SteelHead SD. |
Multiple in-path interfaces for WAN optimization | SteelHead SD does not support multiple in-path interfaces for WAN optimization. Given that SteelHead SD is a Layer 3 gateway, multiple LAN ports and segments can be mapped to a single in-path interface. There is no longer a need for multiple in-path interfaces on an SteelHead SD appliance. After upgrading from SteelHead to SteelHead SD you must reconfigure your multiple in-path interfaces to a single in-path configuration. |
Virtual in-path or WCCP/PBR | Virtual in-path or WCCP/PBR is not supported on SteelHead SD. The concept of virtual in-path is not relevant for the WAN optimization of SteelHead SD. Thus, there is no need for WCCP or PBR. |
Simplified routing and VLAN transparency | Simplified routing and VLAN transparency is not supported on SteelHead SD. Because the in-path interface on the virtual SteelHead instance within SteelHead SD doesn’t sit physically in-path on the network, there is no need for Simplified routing or VLAN transparency. |
IPSec, subnet side rules, MXTCP and link state propagation | IPsec, subnet side rules, MXTCP and link state propagation are not supported on SteelHead SD. |
Serial high availability (HA) | After upgrading, serial HA is not supported on SteelConnect 2.13. SteelHead appliances in an HA pair must be individually shut down and upgraded separately. Active-active (1:1) HA is supported on SteelConnect 2.13. |
NIC bypass (fail-to-wire) | Currently, NIC level bypass or fail-to-wire is not supported in SteelHead SD. If at any point the status of the virtual SteelHead instance shows a failure condition (for example, a reboot or a crash), the system stops sending traffic that was destined for the virtual SteelHead. Instead, it bypasses the SteelHead thereby ensuring the traffic is not black-holed. You can compare this behavior with a physical SteelHead entering bypass mode. The traditional SteelHead bypass functionality doesn’t apply to a SteelHead SD appliance because it is an SD-WAN appliance that acts as a Layer 3 hop (or a custom edge router, in some cases). Enabling NIC bypass mode without proper routing architecture support can lead to unintended traffic path behavior and can have security implications. |
Fail-to-block | If a SteelHead SD appliance fails, the appliance goes into fail-to-block mode. If only the SteelHead WAN optimization service fails, then traffic is passed through unoptimized and the SteelConnect SD-WAN service remains fully operational. If only the SteelConnect SD-WAN service fails, then all traffic on the gateway is blocked. |
Data store synchronization | Data store synchronization is supported only on the primary interface because the AUX interface isn’t available to the virtual SteelHead. (The AUX port is the dedicated port used in HA configurations; it can also be used as an additional WAN uplink.) |
RADIUS/Authentication server under Sites | RADIUS/Authentication server under Sites configuration in SCM is not supported on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances, and the SDI-2030 gateway located at the branch. Consult with your Riverbed sales engineer or Riverbed Professional Services at http://www.riverbed.com/services/index.html. |
Redirection of UDP traffic through the virtual SteelHead | Redirection of UDP traffic through the virtual SteelHead is not supported in SteelConnect 2.13. You cannot optimize UDP traffic using the SteelHead IP blade. |
Source NAT on underlay traffic | Source NAT on underlay traffic is not supported on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances, and the SDI-2030 gateway located at the branch. SteelHead SD appliances do not perform source NATing on underlay traffic exiting via the internet uplink if it is destined for a private address, regardless of the configured outbound NAT setting. This is a change from the previous behavior for SteelHead SD 1.0 appliances: if NAT was enabled for an uplink, NAT was performed for all traffic exiting via the internet uplink. For details on configuring NAT, see the SteelConnect Manager User Guide. |
SteelHead Management Console GUI pages | These SteelHead Management Console GUI elements are not supported in SteelConnect 2.13: •QoS reports. •Flow export setting: Export QoS and application statistics to Cascade Flow Collectors. •Subnet side rules. •WCCP settings. •Connection forwarding settings. •Failover settings. •In-Path settings: Enabling Link State Propagation. •IPsec settings. •AUX interface setting in the Base Interfaces page. •Caching DNS: Listen on AUX interface check box. |
Interface attribute | Before upgrade (SteelHead) | After upgrade (SteelHead SD) |
Appliance management | SteelHead Management Console | SCM |
Primary port interface | •SteelHead management via the SCC or SteelHead Management Console. •DHCP or statically configured. | The virtual SteelHead instance within the SteelHead SD does not have control of the physical network ports except for the primary interface. •The primary port is used for management of the virtual SteelHead on SteelHead SD using the SCC or SteelHead Management Console. •DHCP or statically configured using the SteelHead SD Management Console. The primary IP address can be acquired using DHCP from the SteelConnect DHCP service. You must cable the primary back to a LAN port using a switch. •In a deployment where data store synchronization is used between two adjacent SteelHead appliances, the primary interface must be used for the data synchronization of traffic. |
Auxiliary (AUX) port interface | Backup management port. | The AUX port can be used as an additional WAN uplink. An SHSD appliance with WAN optimization enabled has a virtual SteelHead instance running inside the SHSD appliance. Any traffic that is optimized is sent out through any of the WAN interfaces, including the AUX interface, if it has been configured for that purpose. The AUX port is also the dedicated port for SteelHead SD high-availability deployments. If you two SteelHead SD appliances in HA mode, then the AUX port must be used for the interconnection so it will not be available as an additional WAN uplink. In SteelConnect 2.13, you can configure an HA LAN-side standby uplink in case the AUX port goes down. For details, see the SteelHead SD User Guide. The AUX port is not available for data store synchronization between two adjacent SteelHead appliances. The primary interface must be used for the synchronization traffic. |
In-path management | Management through the SCC or SteelHead Management Console. | Management of the vSH through the in-path management interface must be reconfigured. |
In-path interface | Typically one or two SteelHead in-path interfaces are configured (for example, internet and MPLS) over physical LAN and WAN pairs. | The inpath0_0 interface must be reconfigured after upgrade. |
SCC hosting | Typically, in the data center and used to manage remote SteelHeads using MPLS paths. | The virtual SteelHead on SteelHead SD will continue to be managed via SCC over an MPLS path. |
Internet connectivity options | Local breakout or through MPLS from headquarters site. | SteelConnect 2.13 supports LAN-side internet breakout on SteelHead SD appliances. |
Baseboard Management Controller (BMC) | Available to remotely power the appliance off and on. | For SteelConnect 2.13, this port is unavailable. |
Feature | SteelHead-SD 570-SD, 770-SD, 3070-SD | SDI-2030 | SDI-130 | SDI-330 | SDI-1030 | SDI-5030 | SDI-VGW |
eBGP | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
iBGP | Yes | Yes | No | No | No | No | No |
OSPF single area | Yes | Yes | Yes | Yes | Yes | No | No |
OSPF multi-area ABR | Yes | Yes | No | No | No | No | No |
ASBR | Yes | Yes | Yes* (Underlay routing inter-working solution) | Yes* (Underlay routing inter-working solution) | Yes* (Underlay routing inter-working solution) | No | Yes* (Underlay routing inter-working solution) |
Route retraction | Yes | Yes | No | No | No | Yes | No |
Default route originate | OSPF/BGP | OSPF/BGP LAN and WAN | OSPF only LAN | OSPF only LAN | OSPF only LAN | BGP only | OSPF only LAN |
Overlay route injection in LAN | Yes | Yes | No | No | No | Yes | No |
Local subnet discovery | Yes | Yes | No | No | No | Yes | No |
Static routes | Yes | Yes (LAN and WAN) | Yes | Yes | Yes | Yes | Yes |
VLAN support (LAN side) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Riverbed component | Hardware and software requirements |
SteelHead SD appliance | The SteelHead SD 570-SD and 770-SD appliances are desktop models. For details on rack mounting desktop appliances, see the Rack Installation Guide. The SteelHead SD 3070-SD appliance requires a 19-inch (483 mm) four-post rack. For details, see the Rack Installation Guide. |
My SteelConnect Manager is running | In-field upgrade I must use | My SteelHead must start at | My SCC must be running |
2.11.x | 9.7.1a-sd2-in-field-upgrade1 (2.11.0 with SteelHead 9.7.1a) | 9.6.1, 9.6.2, 9.6.2a, 9.7.1 | 9.7.1 or 9.9.0 and later |
2.12.x or later | 9.8.1-in-field-upgrade1 (2.12.0 or later with SteelHead 9.8.1-sd1) | 9.6.1, 9.6.3 9.7.1, 9.7.1b 9.8.0, 9.8.1 | 9.9.0 and later |
My SteelHead is running | My SCC must be running |
9.7.1a | 9.7.1, 9.8.0, 9.9.0 and later |
9.8.1-sd1 | 9.8.0, 9.9.0 and later |
9.9.0 and later | 9.9.0 and later |
Ethernet standard | IEEE standard |
Ethernet Logical Link Control (LLC) | IEEE 802.2 - 1998 |
Fast Ethernet 100BASE-TX | IEEE 802.3 - 2008 |
Gigabit Ethernet over Copper 1000BASE-T (All copper interfaces are autosensing for speed and duplex.) | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 1000BASE-SX (LC connector) | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 1000BASE-LX | IEEE 802.3 - 2008 |
Gigabit Ethernet over Fiber 10GBASE-LR Single Mode | IEEE 802.3 - 2008 |
Gigabit Ethernet over 10GBASE-SR Multimode | IEEE 802.3 - 2008 |
NICs | Size (*) | Manufacturing part # | Orderable part # |
Two-Port 10-GbE Fiber SFP+ | HHHL | 410-00036-02 | NIC-1-010G-2SFPP |
Four-Port 10-GbE Fiber SFP+ | HHHL | 410-00108-01 | NIC-1-010G-4SFPP |