
SteelHead™ SD User Guide

Models 570-SD, 770-SD, 3070-SD

SteelHead SD 2.12, SteelConnect 2.12

May 2019

Summary of Contents for SteelHead 3070-SD

Page 1: ...SteelHead SD User Guide Models 570 SD 770 SD 3070 SD SteelHead SD 2 12 SteelConnect 2 12 May 2019...

Page 2: ...trademarks of VMware Inc in the United States and in other countries This product includes Windows Azure Linux Agent developed by the Microsoft Corporation http www microsoft com Copyright 2017 Micros...

Page 3: ...of WAN optimization on the virtual SteelHead 15 Assigning the in path IP address and default gateway in SCM 16 Enabling WAN Optimization in SCM 17 Identifying the primary IP address of the SteelHead...

Page 4: ...refixes 46 Configuring BGP route redistribution 47 Configuring conditional default route originate routing 48 Configuring the BGP origin type attribute 49 Enabling multi exit discriminator MED setting...

Page 5: ...r 95 Assigning the LAN zone to the SteelHead SD HA pair 96 Configuring the appliances in an HA pair 97 Configuring a standby LAN HA link 98 Monitoring a high availability pair 101 Troubleshooting 103...

Page 6: ...o flows port mapping 117 Service chain virtual machines 117 vSwitch mapped VM ports 118 Bridged VM ports for internal communication 119 SteelHead SD 3070 SD appliance 119 Physical ports 119 CVM ports...

Page 7: ...cess the Riverbed Knowledge Base log in to the Riverbed Support site at https support riverbed com Each software release includes release notes The release notes list new features known issues and fix...

Page 8: ...8 Welcome to SteelHead SD Contacting Riverbed Documentation Have suggestions about the online documentation or printed materials Send comments to techpubs riverbed com...

Page 9: ...d SD WAN functionality with industry leading WAN optimization security and visibility services all in one streamlined appliance SteelHead SD WAN optimization reduces bandwidth utilization and accelera...

Page 10: ...pported for WAN optimization settings You connect to the Management Console via the primary port which also uses DHCP to acquire its IP address For details on configuring WAN optimization features see...

Page 11: ...s Yes No No OSPF multi area ABR Yes Yes No No No No No ASBR Yes Yes Yes Underlay routing inter working solution Yes Underlay routing inter working solution Yes Underlay routing inter working solution...

Page 12: ...e requirements SteelHead SD appliance The SteelHead SD 570 SD and 770 SD appliances are desktop models The SteelHead SD 3070 SD appliance requires a 19 inch 483 mm four post rack For details see the R...

Page 13: ...rted in SCM and only visible by a realm administrator SNMP reporting is supported on SteelHead SD SD 570 SD 770 SD 3070 and 2030 SDI appliances located at the branch For details see the SteelConnect M...

Page 14: ...14 Introducing SteelHead SD Next steps...

Page 15: ...onfiguration within SCM You must also configure settings on the virtual SteelHead instance itself using the SteelHead Management Console the CLI or the SteelCentral Controller for SteelHead SCC When e...

Page 16: ...he SteelHead SD is installed You will use this IP address to configure the in path interface and default gateway on the virtual SteelHead instance These instructions assume that you have configured th...

Page 17: ...n you configure the default gateway for WAN optimization on the virtual SteelHead instance Enabling WAN Optimization in SCM You enable WAN optimization in SCM in the Appliances page under the Services...

Page 18: ...nce will not be applied SteelHead Zone Select the zone to which this SteelHead SD appliance belongs Only zones that are attached to a physical port can be used to configure the SteelHead SD IP address...

Page 19: ...eelHeads it detects in your network and provides the primary IP address for each in the Appliances page For details on connecting to SCC see the SteelCentral Controller for SteelHead User Guide When a...

Page 20: ...1 Using the Primary IP address you obtained from SCM SCC or the DHCP server enter it in the address bar of your web browser using HTTPS The login page for the SteelHead Management Console is displayed...

Page 21: ...ned in SCM for the default gateway For details see To assign the in path IP address and the default gateway in SCM on page 16 9 If the LAN port is part of a VLAN trunk enter the correct VLAN ID for th...

Page 22: ...ptimization Troubleshooting In path interface of virtual SteelHead instance Knet interfaces of the service virtual machine To gather and verify information check these SteelHead reports Current Connec...

Page 23: ...ances support the ability to configure these DHCP options in zones Preboot Execution Environment PXE boot using the Trivial File Transfer Protocol TFTP Session Initiation Protocol SIP server HTTP prox...

Page 24: ...proxy in the Options type Example for HTTP proxy using vendor attributes option vendor Riverbed 42 address port 14 Click Submit Overriding DNS on guest zones on SteelHead SD SteelHead SD appliances s...

Page 25: ...onally specify the VLAN tag Every zone has a VLAN tagged assigned to it If you leave this option blank the system will automatically assign a VLAN tag to the zone 9 Click Submit 10 Select the guest zo...

Page 26: ...26 Configuring DHCP Options in Zones on SteelHead SD Overriding DNS on guest zones on SteelHead SD...

Page 27: ...ria so that routes that match the criteria are qualified as subnets local to the branch Ideally all routes learned over the LAN interfaces of an appliance on a particular branch should be qualified as...

Page 28: ...te for one of the prefixes in the list is received it is qualified as a local subnet Next hop inclusion list You configure a list of next hop prefixes All routes whose next hop matches one of the entr...

Page 29: ...s 4 Specify the IPv4 address including the network prefix to be included in local subnet autodiscovery 5 Click Submit 6 Click Add Next Hop Figure 4 3 Defining the next hop 7 Specify the IPv4 address f...

Page 30: ...splay the sites for the organization 2 Select the site for which you want to define local subnet discovery 3 Select the Local Subnet Discovery tab 4 Select the zone to discover all of the LAN side sub...

Page 31: ...e for which you want to define local subnet discovery 3 Select the Local Subnet Discovery tab 4 Under Exclusion List click On to globally exclude subnets and next hops Whatever subnets were configured...

Page 32: ...ubnet Discovery on SteelHead SD Defining local subnet discovery 7 Click Submit 8 Click Excluded Networks Figure 4 7 Excluding networks 9 Specify the network prefix to be excluded from local subnet dis...

Page 33: ...inks the SteelHead SD appliances and SteelConnect gateways at an organization s sites SteelConnect automatically sets up a full meshed VPN configuration in minutes By default AutoVPN is on and include...

Page 34: ...ished as they would appear identical Overriding the AutoVPN port ensures tunnels with the two HA appliances are using different ports and can be established Configuring AutoVPN on SteelHead SD This se...

Page 35: ...ss Use the internal interface address if it is routed by upstream equipment Specify custom IPv4 Specify a custom IPv4 target IP address that remote sites can use when connecting to this uplink 6 Click...

Page 36: ...36 Configuring AutoVPN on SteelHead SD Configuring AutoVPN on SteelHead SD...

Page 37: ...n SteelHead SD Multiple VLANs are very common in Layer 2 L2 network environments on the LAN side With this feature you can configure multiple VLANs on the same LAN port that is trunk port functionalit...

Page 38: ...re 6 2 Creating a VLAN trunk 3 Specify a VLAN tag if necessary Every zone has a VLAN tag assigned If you leave this field empty the system picks a free VLAN ID from the pool 4 Click Submit 5 Choose Ap...

Page 39: ...hange to the Port mode For example if the port is already set to Singlezone you must first disable the port then set the port to Trunk Port 9 Click Submit 10 Navigate back to Appliances Zones to enabl...

Page 40: ...ing timeout Sets how long in seconds an ARP entry stays in the cache before the cache refreshes The default value is 1500 Figure 6 4 VLAN enabled on the trunk port for the zone 14 Click Submit 15 Repe...

Page 41: ...SD we recommend you read the SteelConnect Manager User Guide The procedures here provide the basic steps for configuring SteelHead SD appliances Configuring BGP on SteelHead SD This section describes...

Page 42: ...SD appliances you can only add BGP neighbors under the Appliances BGP tab You can t add BGP neighbors from the Routing BGP page Branch community list SteelConnect 2 12 enables you to specify a branch...

Page 43: ...to see the password as you type The view persists until you click the eye icon again to hide the password Keep Alive Time Optionally specify the amount of time in seconds that the eBGP neighbors excha...

Page 44: ...e learned via the eBGP neighbor the next hop for that route isn t changed when it is passed to its iBGP peers As an iBGP peer may not be aware of next hop of the external route that route becomes unre...

Page 45: ...outside of the local route selection process and is purely internal to the local router 4 Shortest AS path You configure this value when you create BGP routing polices Routing Route Maps Add Route Map...

Page 46: ...the SteelConnect Manager User Guide To configure inbound and outbound BGP route settings 1 Choose Appliances and select the appliance to expand the pane 2 Select the BGP tab Figure 7 2 Configuring inb...

Page 47: ...lists before you configure BGP route redistribution For details on configuring routing policies see Creating routing IPv4 prefix lists on page 72 In SteelConnect 2 12 you can differentiate between st...

Page 48: ...sabled Configuring overlay routes takes effect immediately Route Map Click the search selector to select the route map This option only applies to the route maps with the use cases Static and connecte...

Page 49: ...10 Specify an AS number in Local AS to start a BGP session The range is from 1 to 4294967295 11 Click the search selector and select a branch community from the list If no branch community is selecte...

Page 50: ...use case Policies at the BGP neighbor level use case Enabling the origin type attribute in a BGP route map enables you to filter the routes or change the origin type of routes received from a BGP neig...

Page 51: ...n there are multiple connections between two autonomous systems The MED attribute is applied to outbound routes dictating the best inbound path into the AS assuming multiple paths exist When a BGP spe...

Page 52: ...Submit Configuring BGP route summarization With route summarization a new network prefix with a shorter prefix length is advertised into BGP Summarizing prefixes conserves router resources and accele...

Page 53: ...y 4 Click Automatic to have the system calculate the prefixes automatically or click Manual to specify the prefix For automatic prefix calculation specify a starting and an ending address and SteelCon...

Page 54: ...sessions can be done at two levels at the neighbor level at global level To configure BGP neighbor reset 1 Choose Appliances and select the appliance to expand the pane 2 Select the BGP tab Figure 7 7...

Page 55: ...ssion at the neighbor level All BGP neighbors to reset the BGP session at a global level Be advised that when you specify this option the BGP tab disappears as it is applicable to all BGP neighbors 5...

Page 56: ...er edge CE router A SteelConnect branch gateway is deployed in front of the CE routers The provider edge PE routers on the MPLS WAN side are using BGP and the CE routers on the LAN side are using OSPF...

Page 57: ...ear in the site list Creating another network and leaving the site selection blank again selects the second site in the list and so on Name Specify a network name Default Area Name Specify a name for...

Page 58: ...ID Appears when you select MD5 Specify a value to associate with the MD5 key The ID is used by the receiver of the OSPF packet to determine which key to use for authentication To change your MD5 key s...

Page 59: ...manipulate the cost by specifying a number within the range of 1 to 65535 10 is the default setting The OSPF network needs a zone and optionally one or more uplinks to report OSPF learned routes to SC...

Page 60: ...F and establishes OSPF neighbors with LAN routers in the same network segment Creating OSPF areas All of the networks learned from an OSPF zone interfaces are mapped to the OSPF area that the interfac...

Page 61: ...om 0 to 4294967295 or an IPv4 address in dotted decimal notation x x x x The default setting is the backbone area ID 0 however you can change the value to your existing area ID For small LANs area 0 m...

Page 62: ...dvertised from this area Area ranges advertised Specify a set of advertised routes to be advertised In order to aggregate routing information at area boundaries area address ranges can be employed Eac...

Page 63: ...the participating areas in OSPF Always Click On to advertise the default route 0 0 0 0 0 regardless of the default route entry in the routing table Metric Optionally specify the metric with a range o...

Page 64: ...the routes to be injected as When the type matches the value specified then that route is qualified to be distributed Type 1 EI This type includes the external cost to the destination as well as the...

Page 65: ...ummarized Prefix Specify the IP prefix designated for the range of addresses including the prefix length Advertise Click On to advertise the summary prefix Click Off to stop advertisements of the summ...

Page 66: ...Routes 2 Click Add Static Route Figure 7 16 Adding a static route 3 Select the appliance to which you want to add the static route 4 Specify the IPv4 destination mask address 5 Specify the IPv4 addres...

Page 67: ...fit from route retraction on a SteelHead SD you need to meet the following requirements You need to redistribute the overlay network into the internet gateway protocol on the LAN For SteelHead SD appl...

Page 68: ...68 Configuring BGP OSPF Static Routing and Route Retraction on SteelHead SD Route retraction for SteelHead SD 4 Click Submit...

Page 69: ...appliances act as a full ASBR when they are located at the branch ASBR full routing policies are supported on SteelHead SD 570 SD 770 SD and 3070 SD appliances and the SteelConnect SDI 2030 gateway l...

Page 70: ...tribution and default route redistribution Extended ASN capability Extended autonomous system number ASN capability is set as the default when the first AS number is configured Normal ASN ranges from...

Page 71: ...ization Default Route Origination in OSPF Redistributes the default route in OSPF This category of route map contains both match and set criteria This is the simplest route map category that is not de...

Page 72: ...outing policy to establish BGP neighbors For details see Configuring BGP route redistribution on page 47 6 Configure inbound and outbound route maps and prefixes for BGP neighbors using the configured...

Page 73: ...he range of addresses to distribute Use the format xxx xxx xxx xxx xx 9 Click Submit Tip Click Actions to delete a list Creating routing community lists A BGP community is a group of routes to which a...

Page 74: ...internet and thus contributing to unnecessary global routing table growth no advertise Instructs a BGP router not to advertise the tagged prefix to any other neighbor including other iBGP or eBGP rou...

Page 75: ...he BGP expression which matches locally originated routes means that the string is null Within the scope of BGP the only time that the AS path is null is when you are looking at a route within your ow...

Page 76: ...t route origination in OSPF Static and connected route injection in BGP Allows the configuration of match and set clauses that can applied while redistributing static and connected routes in BGP OSPF...

Page 77: ...hat route is qualified for distribution Next hop list Optionally select the next hop prefix When the next hop address matches the selected address the route qualifies for distribution by the router Me...

Page 78: ...uter AS path Click On to set the AS path for the route Specify the AS string as space separated list from 1 to 4294967295 For details see Configuring BGP path selection on page 45 Tag If On then the v...

Page 79: ...undary router Tag Optionally enter a value from 0 to 4294967295 When a tag in a route matches this value the route qualifies for distribution by the router AS path Click On to set the AS path for the...

Page 80: ...icates the origin of the route For details see Configuring BGP path selection on page 45 Select the origin type from the list igp The route is interior gateway protocol IGP such as OSPF to the AS of o...

Page 81: ...bution by the router Tag Optionally enter a value from 0 to 4294967295 When a tag in a route matches this value the route qualifies for distribution by the router Prefix list Select the prefix list Th...

Page 82: ...this value the route qualifies for distribution by the router Community In addition to the keywords below you can also configure numbers in the range from 1 to 65535 and numbers in AA NN format where...

Page 83: ...BGP via Exterior Gateway Protocol EGP as indicated by e in the BGP table incomplete The routes that are redistributed into BGP using the redistribution command These routes are marked with in the BGP...

Page 84: ...he value specified then that route is qualified to be distributed Type 1 This type includes the external cost to the destination as well as the cost metric to reach the AS boundary router Type 2 This...

Page 85: ...side of the network can occur in one of the following ways Sending the packet to Zscaler or Cloudi Fi over tunnels to the Zen nodes that break out from the cloud firewalls Locally using a direct to i...

Page 86: ...traffic is put on the LAN interface Configuring LAN side internet breakout This section describes how to configure LAN side internet breakout at the organization site and zone level You can also confi...

Page 87: ...et breakout 3 Select the WAN AutoVPN tab Figure 9 2 Configuring intent breakout at the site level 4 Click the search selector and select Underlay 5 Click Submit To configure LAN side internet breakout...

Page 88: ...ng traffic to the internet the default behavior is to use direct internet uplinks local breakout You can also use RouteVPN WANs or underlay routing as alternative breakouts Some of these options requi...

Page 89: ...e field and select Underlay 6 Click Submit Troubleshooting Enter the show connections CLI command to verify that the TX path is underlay The Outgoing Interface will show the LAN interface which means...

Page 90: ...90 Configuring LAN Side Internet Breakout on SteelHead SD Troubleshooting...

Page 91: ...SD 1 0 SCM 2 10 to SteelConnect 2 12 and reconfigure HA in SCM Overview of HA on SteelHead SD SteelHead SD provides active active HA for 570 SD 770 SD and 3070 SD appliances Note SteelConnect 2 12 pro...

Page 92: ...nces operate as a single logical unit Autoconfiguration of the HA partner for bootstrapping when SCM connectivity with a peer is not accessible Integration with SCM health check for visibility and tro...

Page 93: ...ers to redistribute the overlay and connected routes LAN connectivity can be through either L2 switch domain or L3 In the case of a L3 LAN connectivity is established through dynamic routing SteelHead...

Page 94: ...ched back to the AUX link Prerequisites Before configuring high availability check these requirements and recommendations Both appliances must be running the same software version Both appliances must...

Page 95: ...appliances 1 On the first appliance in the pair choose Appliances Ports and select the site from the Site drop down list 2 Under Appliances select the appliance The ports for the appliance are displa...

Page 96: ...Assigning the LAN zone to the SteelHead SD HA pair After you configure the LAN zones you must assign the LAN ports to the zones If the LAN side network is L2 the same zone must to be attached to the L...

Page 97: ...ppliances in an HA pair To configure the appliances into an HA pair 1 Choose Appliances and select the appliance 2 Select the HA tab Figure 10 7 HA tab 3 Under High availability partner appliance sele...

Page 98: ...can use LAN side connectivity to run the HA heartbeat configure replication and perform additional synchronization functions to avoid a split brain HA condition With a standby LAN HA link configured...

Page 99: ...acket to send to the master appliance it uses the LAN link for GRE encapsulated packets When the AUX link comes back up any further HA traffic uses the AUX link Note If a standby HA link is configured...

Page 100: ...list All the zones associated with the appliance are listed 5 Specify the loopback IP address for the specified zone The loopback IP address should not be same as the zone IP address 6 Click Submit Co...

Page 101: ...availability pair SCM displays all appliances belonging to a high availability pair with a blue HA icon in all views After the appliance reports its HA state to SCM the icon indicates whether it is t...

Page 102: ...SCM manages both appliances in a pair as one For example under Appliances Ports if you view the ports for an HA pair they appear together Figure 10 12 HA pair ports To view appliance health of an HA p...

Page 103: ...els must be up and should be using the uplinks for both the HA appliances If the appliance HA role is Unknown or if the appliance pair is listed as Master Master make sure the AUX port that is the ded...

Page 104: ...104 Configuring High Availability on SteelHead SD Troubleshooting...

Page 105: ...a minimal level of service for that uplink If traffic exceeds the configured bandwidth it is buffered and shaped If traffic exceeds the buffer capacity it is dropped The QoS shaper throttles and limi...

Page 106: ...lected by the DWRR can be sent To ensure that each class based queue doesn t overflow when the queue is filled to its maximum capacity the newly arriving packets are dropped until the queue has enough...

Page 107: ...raffic rule with the QoS priority set to URGENT then QoS shaping will be influenced as follows Inbound QoS shaping queues and processes the traffic as NORMAL priority before the traffic rule changes t...

Page 108: ...t traffic classes Urgent High Normal Low sent on the same WAN uplink will share the bandwidth at a ratio of 4 3 2 1 respectively Their combined bandwidth will not exceed the configured rate If you con...

Page 109: ...g on page 114 Exporting syslog messages to an external syslog server on page 114 Exporting Netflow data on page 115 These procedures describe health check and reporting tools for SteelHead SD 570 SD 7...

Page 110: ...tatus of the appliance in the Health Check Appliance Health page To view the SteelHead SD HA IP address and status 1 Choose Health Check Appliance Health 2 Select the SteelHead SD appliance to expand...

Page 111: ...tables for SteelHead SD 570 SD 770 SD 3070 SD appliances and the SteelConnect SDI 2030 gateway located at the branch You can search also search by site or appliance serial number To display FIB table...

Page 112: ...appliances in the organization select the BGP Tables tab All the BGP learned and advertised routes are displayed You can search for an appliance by serial number or search for appliances by site name...

Page 113: ...e appliance serial number Partial searches are supported 4 Select an OSPF appliance to display the OSPF nodes and routes for the appliance Figure 12 6 OSPF appliance neighbors and learned routes You c...

Page 114: ...For a 2030 SDI located at the data center use the management IP address To view the management IP choose Appliances IPs tab For the SD 570 SD 770 SD 3070 and 2030 SDI at the branch use the zone IP ad...

Page 115: ...work flow information to a flow collector In the flow exporter role the appliances aggregate packet information into flows and then export the flow records to one or more flow collectors using the IPF...

Page 116: ...116 Health Check and Reporting on SteelHead SD Exporting Netflow data...

Page 117: ...0 WAN0_0 LAN0_1 WAN0_1 CVM ports The CVM has these ports knet2 knet3 knet4 knet5 knet6 knet7 Physical port to flows port mapping Service chain virtual machines SteelHead SD dynamically allocates vSwit...

Page 118: ...vm knet6 LAN0_1 cvm knet7 WAN0_1 catfish_secure_node0 knet22 WAN0_1 catfish_secure_node0 knet23 WAN0_0 catfish_secure_node0 knet24 1101 LAN0_0 catfish_secure_node0 knet24 1100 LAN0_0 catfish_secure_no...

Page 119: ...presence of an add on NIC can change the total NIC count on the appliance and can also result in different flows port mapping accordingly Each add on NIC can carry either two or four NICs For details...

Page 120: ...appliance RVM ports There are four more virtual NICs in RVM for each physical add on NIC vSH ports The vSH has these ports hpn PRI AUX LAN0_0 WAN0_0 inpath0_0 vSH has only one LAN WAN pair and will n...

Page 121: ...on SteelHead SD on page 107 TOS DSCP and QoS Traffic Classes Table TOS Value DSCP Value Traffic Class ID Traffic Class Priority 0 0 1 Normal 4 1 2 High 8 2 1 Normal 12 3 1 Normal 16 4 2 High 20 5 1 N...

Page 122: ...Urgent 132 33 1 Normal 136 34 2 High 140 35 1 Normal 144 36 2 High 148 37 1 Normal 152 38 2 High 156 39 1 Normal 160 40 3 Urgent 164 41 1 Normal 168 42 1 Normal 172 43 1 Normal 176 44 3 Urgent 180 45...

Page 123: ...123 TOS DSCP and QoS Traffic Classes Table 224 56 3 Urgent 228 57 1 Normal 232 58 1 Normal 236 59 1 Normal 240 60 1 Normal 244 61 1 Normal 248 62 1 Normal 252 63 1 Normal TOS Value DSCP Value Traffic...

Page 124: ...124 TOS DSCP QoS Traffic Class Table TOS DSCP and QoS Traffic Classes Table...
