
SteelConnect™ Manager User Guide

Version 2.7

May 2017

© 2017 Riverbed Technology, Inc. All rights reserved.

Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective owners.

Akamai® and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Juniper Networks and Junos are registered trademarks of Juniper Networks, Incorporated in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/ Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Inc. in the United States and in other countries.

This product includes Windows Azure Linux Agent developed by the Microsoft Corporation (http://www.microsoft.com/). Copyright 2016 Microsoft Corporation.

This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

The SteelHead Mobile Controller (virtual edition) includes VMware Tools. Portions Copyright © 1998-2016 VMware, Inc. All Rights Reserved.

NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at http://communities.netapp.com/docs/DOC-1152, and are included in a NOTICES file included within the downloaded files.

For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com.

This documentation is furnished “AS IS” and is subject to change without notice and should not be construed as a commitment by Riverbed. This documentation may not be copied, modified or distributed without the express authorization of Riverbed and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as “commercial computer software documentation” and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.

Riverbed Technology, 680 Folsom Street, San Francisco, CA 94107, www.riverbed.com. Part Number 712-00293-01

Contents

Welcome ...... 11
    Documentation and release notes ...... 11
    Contacting Riverbed ...... 11

1 - Introducing SteelConnect ...... 13
    Overview ...... 13
    Key features ...... 13
    High-level architecture ...... 14
    Appliances ...... 15
    Browser support ...... 16

2 - Topologies ...... 17
    Supported topologies ...... 17
    Branch topologies ...... 18
        Single router using NAT to the internet ...... 18
        Single router to an MPLS network ...... 20
        Two routers active-backup ...... 20
        Two routers active-active ...... 21
        Dual MPLS ...... 24
    Data center topology ...... 26
    Topology options ...... 26
        Local internet breakout or backhaul ...... 26
        Remote access ...... 28
        Connect cloud services ...... 28

3 - Quick Start ...... 29
    Getting started ...... 29
    Defining an organization ...... 30
    Designing a network ...... 31
    Adding shadow appliances ...... 32
    Establishing a security policy ...... 33
    Broadcasting WiFi wireless radio coverage ...... 35
    Enabling appliances ...... 37
    Configuring remote employee access to the corporate LAN ...... 38

SteelConnect Manager User’s Guide 3 Contents

    Logging out ...... 40

4 - SteelConnect in the Cloud ...... 41
    Amazon Web Services and Microsoft Azure connectivity ...... 41
    SteelHead WAN optimization ...... 42
    Redundancy ...... 42
    Subscribing to Riverbed products ...... 43
    Configuring your cloud accounts with SteelConnect Manager ...... 44
    Importing cloud networks ...... 46
    Deploying SteelConnect gateways onto cloud networks ...... 47
    Managing your deployments ...... 48

5 - Monitoring the Network ...... 51
    Viewing your topology ...... 51
    Viewing tunnel status ...... 51
    Viewing site and appliance status ...... 52
    Displaying online help ...... 53

6 - Scheduling Firmware Upgrades ...... 55
    Upgrade overview ...... 55
    Creating site tags ...... 55
    Configuring firmware upgrade schedules ...... 57
    Changing the default policy ...... 57
    Scheduling firmware upgrades ...... 58
    Postponing scheduled upgrades ...... 60
    Upgrading immediately ...... 61
    Deleting schedules ...... 61
    How can I tell if the appliance firmware is up to date? ...... 62

7 - Defining an Organization ...... 63
    Organization overview ...... 63
    Name/Location ...... 64
    Networking defaults ...... 64
    Social Media ...... 64
    Numbering Pools ...... 65
    Data Retention ...... 65
    Agent ...... 66
    SSH ...... 69
    Legal Disclaimer ...... 70
    Appliances Login ...... 70


8 - Designing a Network ...... 71
    Creating sites ...... 71
    Zones within a site ...... 74
    Assigning a gateway to a zone ...... 76
    Assigning more than one gateway to a zone ...... 77
    Forwarding DHCP/BOOTP requests to a DHCP server on a remote network ...... 79
    Forwarding inbound internet traffic to a remote server ...... 79
    Creating a third-party zone ...... 80
    Integrating a third-party router/gateway into a zone ...... 81
    Turning off outbound NAT for a zone ...... 81
    DNS settings ...... 82
    DNS routing ...... 83
    RADIUS authentication ...... 83
    Creating a WAN ...... 84
    WAN settings ...... 84
    Creating uplinks ...... 85
    Selecting an uplink priority ...... 87
    Turning off AutoVPN for an uplink ...... 87
    Creating an uplink for a single router to an MPLS network ...... 88
    Adding zone details ...... 88
    Portals ...... 92
    Registering guest devices using social media ...... 92

9 - Data Center Gateway Clusters ...... 95
    Adding gateways to the data center ...... 95
    Topology ...... 96
    Cluster components ...... 97
    Attracting branch traffic toward data center gateways ...... 97
    Creating clusters ...... 97
    Creating data center uplinks ...... 100
    Creating interfaces ...... 101
    Why enable dynamic routing for a cluster? ...... 102
    Forwarding packets from the branch to the data center gateway ...... 103
    Forwarding packets from the data center gateway to the branch ...... 103
    Forwarding inner connections to the data center ...... 104
    Configuring BGP settings ...... 104
    Secure overlay tunnels ...... 108
    Deployment considerations ...... 109
    SD-WAN controller ...... 109
    Key management, retrieval, and rotation ...... 109
    Key resiliency ...... 110
    Viewing cluster health ...... 110
    Deleting a cluster ...... 112


    Viewing cluster status events ...... 112
    How does SteelConnect allocate resources within a cluster? ...... 113

10 - Integrating a SteelHead Interceptor with a Data Center Gateway ...... 117
    Overview ...... 117
    Changing the default gateway configuration ...... 117
    Why is the Datacenter tab dimmed? ...... 119

11 - Connecting a Topology Using VPN ...... 121
    Setting up site-to-site VPN ...... 121
    AutoVPN modes ...... 121
    AutoVPN leaf mode ...... 125
    Deployment examples ...... 127
    Connecting to a third-party VPN ...... 128
    Classic VPN use cases ...... 128

12 - Enabling Branch Dynamic Routing ...... 131
    Dynamic routing overview ...... 131
    Why enable dynamic routing? ...... 131
    Benefits of dynamic routing with OSPF ...... 131
    Benefits of dynamic routing with eBGP ...... 132
    CE and PE routers ...... 132
    BGP ...... 132
    BGP modes ...... 133
    Branch dynamic routing topologies with eBGP ...... 133
    Enabling eBGP on static IP uplinks ...... 135
    Viewing eBGP learned and advertised routes ...... 137
    OSPF ...... 138
    OSPF topology ...... 139
    Configuring OSPF routing ...... 139
    Prerequisites ...... 139
    Viewing learned routes ...... 143
    Viewing OSPF neighbor activity ...... 144
    How does an OSPF zone interact with traffic rules in SCM? ...... 144

13 - Configuring High Availability ...... 147
    Overview ...... 147
    SteelConnect Gateway Model Physical Appliances ...... 147
    Branch high availability overview ...... 147
    How does branch high availability work? ...... 148
    Which gateway models support high availability? ...... 149
    HA features ...... 149
    Prerequisites ...... 150


    How do I configure an HA pair? ...... 154
    Monitoring a high availability pair ...... 156
    Data center high availability overview ...... 157
    Data center redundancy ...... 157
    How does data center high availability work? ...... 157
    eBGP and high availability ...... 158
    Which models support data center high availability? ...... 158
    Upgrading a data center cluster ...... 158
    Prerequisites ...... 158

14 - Using Applications ...... 161
    Overview ...... 161
    Application groups ...... 161
    Application catalog ...... 164
    Custom applications ...... 164

15 - Enabling Security Using Rules ...... 167
    How do inbound and outbound rules work? ...... 167
    Policy controls ...... 167

16 - Managing User Identities ...... 173
    Identifying and grouping users ...... 173
    Adding users ...... 173
    Creating user groups ...... 176

17 - Defining Traffic Path Rules ...... 177
    Balancing traffic using traffic path rules ...... 177
    Configuring path quality based path selection ...... 178
    Path quality profiles ...... 179
    QoS priority ...... 180
    Editing traffic path rules ...... 182
    Deleting traffic path rules ...... 183
    Traffic path policy example ...... 184
    Viewing traffic paths ...... 187
    Monitoring path quality ...... 188

18 - Connecting a SteelHead with a Gateway ...... 191
    SteelHead compatibility ...... 191
    The SteelHead gateway connection ...... 192
    Enabling SteelHead compatibility on the gateway automatically ...... 193
    Viewing SteelHead connections ...... 193


19 - Configuring QoS for Branch Gateways ...... 195
    Configuring QoS ...... 195
    How does QoS for gateways work? ...... 195
    Enabling QoS on uplinks ...... 196

20 - Network Visibility ...... 199
    A clear picture of your network ...... 199
    Managing network devices and workflow ...... 199
    Viewing the event log ...... 201
    Viewing site status ...... 202
    Viewing WAN path status ...... 203

21 - Managing Appliances ...... 205
    Viewing SteelConnect appliances ...... 205
    Viewing appliance details ...... 206
    Appliance date and time ...... 207
    Viewing gateways ...... 207
    STP ...... 208
    AutoVPN ...... 208
    Adding shadow appliances ...... 209
    Registering appliances ...... 210

22 - SteelConnect Ports ...... 213
    Viewing ports ...... 213

23 - Managing Devices ...... 217
    Viewing devices ...... 217
    Viewing unregistered devices ...... 218
    Viewing device details ...... 218

24 - Covering a Network with WiFi ...... 219
    How do I use SCM to plan and broadcast WiFi? ...... 219
    What is an SSID? ...... 219
    Planning WiFi wireless radio coverage ...... 222

25 - Troubleshooting ...... 225
    Support package ...... 225
    Ping and traceroute connectivity tests ...... 227
    Packet capture ...... 230
    Echo test ...... 230
    Appliance configuration ...... 231
    SteelConnect Windows Agent ...... 231


    Provisioning ...... 232
    Multiple DNS servers for a site ...... 232
    Uplink subnet mask format ...... 233
    VPN ...... 233
    WiFi ...... 233
    Access points ...... 234
    Gateways ...... 234

26 - SteelConnect REST API ...... 235
    REST API Overview ...... 235
    Accessing the API ...... 236
    Authenticating API requests ...... 236
    Viewing documentation for an object ...... 236
    Supported appliance types ...... 238

27 - SteelConnect Connection Ports ...... 239
    Ports for UDP, TCP, and ICMP connections ...... 239
    Outbound connections ...... 239
    Inbound/outbound connections ...... 240
    Tunneled SSH client connections ...... 240

28 - Administering a Realm ...... 241
    Realm Overview ...... 241
    Maintenance ...... 242
    Settings ...... 242
    Export Settings ...... 243
    3rd party integrations ...... 244
    Legal Disclaimer ...... 245
    Using realm menus ...... 246
    Organizations ...... 246
    Admins ...... 246
    Creating an administrator ...... 247
    Hardware ...... 249

29 - SteelConnect SNMP Traps ...... 251
    SNMP traps ...... 251


Welcome

Welcome to the SteelConnect Manager User’s Guide for the SteelConnect Manager (SCM), version 2.7. SteelConnect is cloud-based management system software for SD-WAN gateways, WiFi access points, and Ethernet switches that connect your entire company with a next generation SD-WAN solution. This guide is written for network administrators familiar with administering and managing WANs. For a high-level look at how SteelConnect works, see “Overview” on page 13. For a quick 20-minute tutorial, see “Getting started” on page 29. Refer to the other topics for more feature details. For troubleshooting, see “Support package” on page 225.

Documentation and release notes

The most current version of all Riverbed documentation is on the Riverbed Support site at https://support.riverbed.com. The Riverbed Knowledge Base contains any known issues, how-to documents, system requirements, and common error messages. You can browse titles or search for keywords and strings. To access the Riverbed Knowledge Base, log in to the Riverbed Support site at https://support.riverbed.com. Each software release includes release notes. The release notes list new features, known issues, and fixed problems. To see the most current version of the release notes, click the version number in the lower-left corner of SCM. We recommend taking a look at the release notes before you begin using a new version of SCM.

Contacting Riverbed

• Technical support - Problems installing, using, or replacing Riverbed products? Contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415-247-7381 outside the United States. You can also go to https://support.riverbed.com.

• Professional services - Need help with planning a migration or implementing a custom design solution? Contact Riverbed Professional Services. Email [email protected] or go to http://www.riverbed.com/services/index.html.

• Documentation - Have questions about Riverbed’s documentation? Send your comments to [email protected].


1 - Introducing SteelConnect

Overview

SteelConnect provides cloud-based management system software for SD-WAN gateways, WiFi access points, and Ethernet switches. It connects your entire company using a new approach for managing your network. Instead of opening a box, figuring out how to log in to whatever complex product is inside, and then trying to get it operating in your network, SteelConnect lets you plan, store, and visualize your entire network first. Then you simply activate smart hardware (gateways, switches, and access points) that acknowledges the network components, and the SteelConnect Manager (SCM) brings the enterprise into production.

Key features

Unified connectivity and management across the WAN, remote LAN, and cloud networks

• SteelConnect manages a software-defined connectivity fabric that spans WANs, remote office LANs, and cloud infrastructure networks through a line of physical, virtual, and cloud-based WAN gateways, as well as remote LAN switches and WiFi access points.

• Full-mesh VPN connectivity ensures application delivery from WAN to LAN that works over any network underlay such as Multiprotocol Label Switching (MPLS) and the internet.

Data center workloads

• The SteelConnect SDI-5030 gateway offers enterprise-class SD-WAN for large-scale deployments. The 5030 gateway is designed for higher throughput to accommodate data center workloads.

• Because the 5030 gateways are placed physically out of path from the data flow, you can deploy them with no network downtime. The system relies on traffic redirection to the gateways to receive SD-WAN services. The SteelHead Interceptor 9600 sits in path to provide traffic redirection.

WAN optimization

• The SteelHead SD gateway models deliver the benefits of SteelHead WAN optimization and SteelConnect SD-WAN while providing the flexibility of a single box solution. For details, see the SteelHead SD Installation Guide.

Cloud-based management

• SCM provides an intuitive graphical user interface that supports an agile and intent-based workflow for managing networks.

• Use SCM to design every aspect of a distributed network before deploying any hardware.

Business-aligned orchestration

• SteelConnect provides policy-based orchestration using language aligned with business priorities: applications, users, locations, performance service-level agreements, and security requirements.

• You no longer need to configure individual appliances.

• The graphical user interface eliminates all CLI coding.

Business intent-based policy

• SCM lets you manage a network centrally using a single business intent-based policy.

• A central policy for all branches enables direct translation of business needs.

• You can enforce a policy based on user identity—not just the IP address—for the same experience on all the user devices.

• You can easily align all aspects of application delivery to improve performance.

Universal policy automation

• SteelConnect empowers IT to evolve the infrastructure without having to revisit the policy.

• A universal policy enables cohesive and automated change management.

• Because you can use the same application groups, applications, and web categories for the policy engine and reporting, you can directly convert the reported results into policy rules.

Zero-touch provisioning

• SCM provides instant deployment of physical devices into a network.

• The configuration and reconfiguration of edge devices is automatic.

• Automatic provisioning reduces or eliminates the need for on-site IT in remote facilities.

Visibility

• SCM provides a unified view of users, devices, and groups of either.

• You can quickly identify what traffic is consuming bandwidth.

• Because SCM automatically detects new devices and users, you can minimize security risks.

High-level architecture

SteelConnect resides in the global Amazon Web Services (AWS) cloud public infrastructure and orchestrates a series of services hosted by Riverbed. Each service has dependencies that function as a part of the collective SteelConnect infrastructure. These services include:

• Management console

• Global certificate authorities (CAs)

• Network Time Protocol (NTP)

• Dynamic Domain Name System (DNS)

• IP address reflectors, a simple mechanism for all gateways to find their public IP address per uplink and report the address to SCM

• Structured Query Language (SQL) relational databases that keep track of which SCMs are associated with which organizations, sites, and devices

SteelConnect appliances (gateways, switches, and access points) connect to SCM and the services associated with it. Each SCM communicates through various services for any updates regarding appliance registration and management changes. All communication between the appliances and SCM, as well as between all interoperating services inside of SCM, is authenticated through X.509 certificate validation. These Riverbed-owned certificates are exchanged and validated for authenticity. We preassign appliances to your organization in the factory.

Figure 1-1. SteelConnect registration and communication

Important: With the exception of agent VPN clients, all communication is sourced from the site out to the SteelConnect management service. There’s no need to set up elaborate firewall or forwarding rules to establish the dynamic full-mesh VPN or to gain connectivity to the cloud. After you register an appliance, it receives its assigned configuration automatically.

For a list of the UDP and TCP ports that are sourced from the sites out into the cloud to connect to SCM, see “Ports for UDP, TCP, and ICMP connections” on page 239.

Appliances

Gateways

Gateways can be categorized into hardware and software appliances. They automatically map into connected network segments, called zones, to:

• Provide basic network services.

• Handle one or more uplinks, either by concurrent use or as backup.

• Enable policy enforcement.

• Enforce security.

• Enable extended reporting for connected zones.

• Connect multiple sites with a secure, full-mesh virtual private network (VPN) without tedious manual configuration using Automated VPN (AutoVPN). For details on the different ways to enable AutoVPN, see “AutoVPN modes” on page 121.

Access points

• Provide network access to WiFi clients.

• You can also use an access point as a VPN endpoint for AutoVPN. For example, branches without a gateway can use an access point at the end of a VPN tunnel.

Switches

• Enable plug-and-play multizone Layer 2 connectivity.

• Provide power over Ethernet (PoE) to PoE-enabled appliances, including third-party devices.

SCM manages all appliances, including all firmware upgrades. For firmware upgrade details, see “Upgrade overview” on page 55.

Hardware versus software appliances

SteelConnect hardware appliances, such as a gateway, come with a serial number that activates the appliance in the organization. SteelConnect also supports a virtual gateway running in AWS or any hypervisor like VMware, Hyper-V, KVM, or Xen. To help you identify an appliance without unmounting it, unregistered appliances with an organic LED (OLED) display (Gateway G100, Switch S24, and Switch S48) show their serial numbers on the screen until you register the appliance with SCM.

Browser support

SCM supports the latest versions of Firefox, Chrome, and Internet Explorer. For best performance, we recommend using the latest Chrome browser. We strongly recommend using the latest Chrome browser with the WiFi planner. SCM requires a minimum screen resolution of 1280 x 720 pixels.

2 - Topologies

Supported topologies

This section describes many, but not all, of the supported topologies in SteelConnect for the branches and the data center. For all topologies, configuring high availability improves the reliability of a network by replacing a single SteelConnect gateway with two gateways in the branch or three gateways in the data center. A backup gateway can maintain network traffic if another gateway fails. For details, see “How does branch high availability work?” on page 148 and “How does data center high availability work?” on page 157.


Branch topologies

Single router using NAT to the internet

Figure 2-1. Router using NAT

The following topologies support a single router using network address translation (NAT).

DHCP or static IP address for the uplink

A location connects to the internet using a single router or a DSL modem. You can deploy a SteelConnect gateway on the LAN side of the router with its default configuration, and it will perform NAT as well. This topology works fine for most deployments. If you have port forwarding configured on the router, you must configure the same port forwarding on the gateway as well.

Turn off outbound NAT at the gateway for a zone

Skipping outbound NAT forwards the clients' connections to the router with their original source IP addresses. For deployments where an upstream gateway, router, or firewall will perform NAT, you can turn off outbound NAT using the Skip Outbound NAT setting. When Skip Outbound NAT is off, the existing router is no longer directly connected to the IP subnets used in the LAN but sends traffic to the gateway; in this case, the SteelConnect gateway performs NAT and forwards traffic to the zones.


You can’t turn off outbound NAT per gateway. You can only turn off outbound NAT per zone. For details, see “Turning off outbound NAT for a zone” on page 81.

Figure 2-2. Skipping outbound NAT

Reconfigure the router to function as a DSL modem or bridge

In this deployment, you need to configure the Point-to-Point Protocol over Ethernet (PPPoE) credentials on the gateway so it can authenticate with the internet service provider. This typically means that the customer enters a user name and password provided by the ISP to use that last-mile link from the customer premises to the ISP. The gateway then connects to the internet using NAT and routes traffic between the configured zones and the internet.


Single router to an MPLS network

This topology is similar to the previous description of a single router using NAT, except that the router connects to an MPLS network.

Figure 2-3. One router connecting to MPLS

The gateway must connect to the internet either through the MPLS network or through a local internet breakout to connect to the SteelConnect cloud service. You must map the static IP address for the gateway’s uplink to the IP address of the LAN interface on the router. To ensure that the zones on the LAN side of the gateway can be reached, you must also configure static routes for the zone’s subnets on the router. To set up a VPN over the MPLS network, configure the uplink of the gateway to propagate the internal IP address that the remote sites use as the endpoint target for the AutoVPN tunnel. By default, SCM uses the external IP address facing the internet. For details, see “To configure an uplink to use an internal interface” on page 88.

Two routers active-backup

The following topologies support two routers.


Single network: internet/MPLS

This topology deploys two routers connecting to the same network, where one router actively forwards traffic and the second router acts as a backup for the first. It makes no difference whether that network is the internet or a private network such as MPLS. For a description of the challenges of connecting to the internet versus connecting to a private network, see “Single router to an MPLS network” on page 20. To connect a SteelConnect gateway to two routers, create two uplinks configured with different IP addresses, and then configure one of the uplinks as backup only. To monitor the active uplink, the SteelConnect gateway performs a traceroute to the configured DNS server and pings the third answering device on the path every ten seconds. After the uplink misses five consecutive pings, SteelConnect considers the uplink to be down and the backup uplink becomes active. At the same time, the system monitors the link status: if the active uplink's link goes down, the backup uplink becomes active immediately. For details on creating a backup uplink, see “Creating uplinks” on page 85.

Figure 2-4. Two routers active-backup

Two routers active-active

This topology deploys two routers connecting to the same network where both routers are actively forwarding traffic. In this topology, you connect a SteelConnect gateway to the routers by creating two uplinks configured with different IP addresses. There is nothing additional to configure.


The SteelConnect gateway automatically load balances the sessions over the two uplinks based on source and destination IP addresses.

Figure 2-5. Two routers active-active


Dual internet through two ISPs

This topology has dual internet connectivity through two different internet service providers (ISPs). When both uplinks connect to the same WAN (the internet), the gateway automatically load balances outbound traffic. The system uses the source IP address to load balance internet-bound traffic, and the source and destination IP addresses to load balance RouteVPN traffic.

Note: You can also configure this topology as active-backup.
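The uplink monitoring described under “Single network: internet/MPLS” and the session load balancing described for the active-active topologies, as an added Python model that is not Riverbed's code: it reproduces the ten-second probe, the five-miss threshold, the immediate link-down failover, and the hashing of sessions by source IP (internet-bound) or source and destination IP (RouteVPN) across the uplinks that are still healthy. The class names, the SHA-256 hash, and the sample addresses are assumptions.

```python
"""Model of SteelConnect branch uplink failover and per-session load balancing.

Added illustration, not Riverbed code. It reproduces the behaviour this chapter
describes so the failover timing and the session pinning can be reasoned about:
the gateway probes the third answering hop toward its DNS server every ten
seconds, declares an uplink down after five consecutive missed pings or at once
when the link goes down, and hashes sessions across the remaining uplinks (by
source IP for internet-bound traffic, by source and destination IP for RouteVPN).
The class names, the SHA-256 hash and the sample addresses are assumptions.
"""
import hashlib
from dataclasses import dataclass

PING_INTERVAL_S = 10     # one probe per uplink every ten seconds (from the guide)
MAX_MISSED_PINGS = 5     # five consecutive misses mark the uplink down (from the guide)


@dataclass
class Uplink:
    name: str
    backup_only: bool = False   # "backup only" uplink, as in the active-backup topology
    link_up: bool = True        # physical link status, checked independently of the pings
    missed_pings: int = 0

    @property
    def path_ok(self) -> bool:
        """Usable only while the link is up and fewer than five probes in a row were missed."""
        return self.link_up and self.missed_pings < MAX_MISSED_PINGS


class BranchGateway:
    def __init__(self, uplinks):
        self.uplinks = {u.name: u for u in uplinks}

    def probe(self, name: str, ping_answered: bool, link_up: bool = True) -> None:
        """Record one ten-second probe cycle (ping result plus link status) for an uplink."""
        ul = self.uplinks[name]
        ul.link_up = link_up
        if ping_answered:
            ul.missed_pings = 0          # any answer resets the consecutive-miss counter
        else:
            ul.missed_pings = min(ul.missed_pings + 1, MAX_MISSED_PINGS)

    def active_uplinks(self):
        """Healthy primary uplinks; a backup-only uplink carries traffic only when no primary is healthy."""
        primary = [u for u in self.uplinks.values() if not u.backup_only and u.path_ok]
        if primary:
            return primary
        return [u for u in self.uplinks.values() if u.backup_only and u.path_ok]

    def select_uplink(self, src_ip: str, dst_ip: str, route_vpn: bool = False):
        """Pick the uplink for a session: hash by source only (internet) or source+destination (RouteVPN)."""
        pool = self.active_uplinks()
        if not pool:
            return None              # every uplink is down: nothing can carry the session
        key = f"{src_ip}->{dst_ip}" if route_vpn else src_ip
        digest = hashlib.sha256(key.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)].name


def worst_case_detection_delay_s() -> int:
    """Seconds before a silently black-holed uplink is declared down (five misses, ten seconds apart)."""
    return MAX_MISSED_PINGS * PING_INTERVAL_S


def simulate_active_backup():
    """Walk the active-backup topology through a silent failure and return the chosen uplink per step."""
    gw = BranchGateway([Uplink("mpls-router"), Uplink("backup-router", backup_only=True)])
    client, server = "10.1.20.15", "10.200.0.8"      # constructed sample addresses
    chosen = []
    for _ in range(MAX_MISSED_PINGS):
        chosen.append(gw.select_uplink(client, server))
        gw.probe("mpls-router", ping_answered=False)  # probed hop silently stops answering
    chosen.append(gw.select_uplink(client, server))   # after the fifth miss: backup takes over
    gw.probe("mpls-router", ping_answered=True)       # hop answers again: primary resumes
    chosen.append(gw.select_uplink(client, server))
    return chosen


if __name__ == "__main__":
    print("worst-case detection delay:", worst_case_detection_delay_s(), "s")
    print("active-backup sequence:", simulate_active_backup())
```

The delay figure is the one to plan around when sizing application timeouts: a link-down event fails over at once, but a silently black-holed path is carried for up to five probe intervals first.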

Figure 2-6. Two routers connecting to the internet with different ISPs

Internet and MPLS

This topology is very similar to the previous deployment, except that instead of two internet connections there is one connection to the internet and one connection to a private network, typically MPLS. As in the previous topologies, you connect a SteelConnect gateway to the routers by creating two uplinks configured with different IP addresses. Next, choose either automatic load balancing or path selection. For path selection, the SteelConnect gateway must have a Layer 2 connection to the routers to perform MAC address rewriting.


For this topology, on the gateway uplink to the MPLS router, you also need to configure a static route to the MPLS network. For details, see “Single router to an MPLS network” on page 20. You must also configure static routes to zones on the MPLS router.

Figure 2-7. One connection to the internet, one connection to MPLS

Dual MPLS

This topology has two connections to private networks, most likely MPLS. In this topology the SteelConnect gateway needs a connection to the internet to reach the cloud controller, and that internet connection can’t use a proxy. You create two uplinks with different IP addresses. Next, choose either automatic load balancing or path selection. For path selection, the SteelConnect gateway must have a Layer 2 connection to the routers to perform MAC address rewriting.


For this topology, on the gateway uplink to the MPLS router, you need to configure a static route to the MPLS network. For details, see “Single router to an MPLS network” on page 20. You must also configure static routes to zones on the MPLS router.

Figure 2-8. Two connections to private networks


Data center topology

A 5030 gateway is the data center side of SteelConnect. In contrast to the branch gateways that handle the in-path traffic, the data center gateway sits out of path deep inside the data center’s network.

Figure 2-9. Data center, Interceptor, and branch gateway deployment

Figure 2-9 shows four SteelHead Interceptor 9600s placed between the LAN switching and WAN aggregation routing layers. On the LAN side of the SteelHead Interceptors, three SteelHead CXs provide WAN optimization. On the WAN side of the SteelHead Interceptors, three 5030 gateways are connected physically (or by switching) to the WAN aggregation routers. All VPN tunnels exist between the branch gateways and the 5030 gateways behind the aggregation layer. The SteelHead Interceptors always see nonencrypted traffic, enabling them to redirect the flows to the SteelHead CXs for WAN optimization.

Topology options

Local internet breakout or backhaul

When sending traffic to the internet, a SteelConnect access point or gateway uses its direct internet uplinks by default (local breakout). For each network you can instead configure a backhaul site, or keep the local internet breakout; the setting behaves like a default route. SteelConnect sends any traffic whose destination network is unknown (that is, not configured in any site or zone) either to the specified backhaul site or to the local internet breakout.


You can set the internet breakout preference to RouteVPN, which is essentially a WAN over the internet resulting from AutoVPN, or to a WAN defined for an organization. You can override the default on the network, site, or zone level. You can define multiple internet breakouts within an organization. For more information, see “Adding zone details” on page 88.

Figure 2-10. Internet traffic breakout or backhaul

Note: In SteelConnect, the terms RouteVPN and AutoVPN are interchangeable.


Remote access

An agent for Windows or Mac is available for download to provide remote client access for traveling users. The advantage of using the agent is that you can configure remote user policy centrally on SCM. After downloading, installing, and registering the agent, the user connects to a site’s zone as if they were physically located there. The same user policy is applied no matter where they are working. By default, all agents connect to the same site. For details, see “Agent” on page 66.

Figure 2-11. Remote access through an agent for Windows

Connect cloud services

The SteelConnect gateway virtual machine (VM) is available for various virtualization platforms in these image types:

 VMware

 Virtualbox

 KVM

 Hyper-V

 XENCenter

 Amazon EC2

When you deploy a gateway in your cloud or multiple clouds, the RouteVPN feature lets you connect your data center to the cloud, or even connect multiple clouds with each other.


Quick Start

Getting started

This tutorial describes how to configure a basic network with a single company headquarters in minutes. You'll define an organization, establish network zones (including a guest zone), configure the wireless networks, add users, and then deploy SDI-130 wireless gateways into the sites. You design first and deploy the hardware last. This tutorial steps you through setting up a basic network and putting it into production. It takes about 20 minutes to complete.

SteelConnect Manager (SCM) uses a single control plane for all sites and provides central policy management for the distributed enterprise. You use it to define the network-wide policy and push the policy to all devices. You complete all configuration through the central console using abstract concepts such as users, applications, sites, and zones.

To begin, log in to SCM. By default, the username is admin and the password is pppp. Because this default is published, change the admin password during your first login and before SCM is reachable from any untrusted network; SCM pushes configuration to every appliance, so this account controls the whole network. After a successful login, you're greeted by the dashboard.

Figure 3-1. A unified view of your organization


The dashboard shows a visual representation of your organization. For more details, see “Monitoring the Network” on page 51. The first step is to define an organization.

Figure 3-2. Organization with a headquarters, guest zone, data center, and two branch offices

Defining an organization

SCM uses these terms to describe your company:

 Organization - A company representing an end customer. You can assign administrative rights to individual administrator accounts per organization. You can also manage appliances and licensing per organization.

 Site - A physical location (one or more office buildings, a hosting center, or a cloud location) that makes up part of the organization. A site houses a SteelConnect gateway and uses a permanent DNS alias. Every site requires a local network zone and at least one internet uplink. When you create a site, the zone is created automatically, and an uplink is created automatically for the internet path.

 Zone - A Layer 2 network segment, or VLAN, within a site. Traffic in a zone is VLAN-tagged, and a zone always has a VLAN tag assigned to it.

SCM is delivered with a default organization. You'll want to edit the default site. After adding the company name, you'll add basic information. You can always change and customize this information later.


To change a company name and location

1. Choose Organization.

2. Change the organization name to Cyberdyne.

3. Click Submit.

4. Under location, type the company headquarters physical address in San Francisco.

5. Click Submit. The dashboard map updates dynamically to keep an accurate visual overview of your network. You can always refer to the dashboard map as you define your topology to make sure the deployment is accurate.

To add sites

1. Choose Network Design > Sites.

2. Click Add Site(s).

3. Add a site tag: for example, headquarters.

4. Add the site’s location: for example, San Francisco.

5. Type the site’s address, country, and time zone.

6. Click Submit. After you create the site, it appears on the dashboard map. Repeat steps 2 through 6 to add a site for the data center in Ashburn, and two more sites for branches in Seattle and Dallas.

Designing a network

After you define your organization, you are ready to design a network. You’ll start by editing and creating zones. Zones are Layer 2 network segments (or VLANs within sites) that contain networks and IP addresses. In this tutorial, you’ll change the default zone for the LAN.

To change a zone

1. Choose Network Design > Zones.

2. Select a zone, click Settings, and update the zone name.

3. Select the IP tab, and change the IP address to match your network topology.


In this tutorial, you want this zone to be part of the VPN and to automatically connect your VPN connection using automated VPN. For more details on automated VPN, see “AutoVPN modes” on page 121. Regular zones are always part of RouteVPN by default. If you need to remove the RouteVPN membership for a zone, see “To remove a zone from AutoVPN” on page 126. Guest zones are not included in RouteVPN.

4. Click Submit. The LAN zone is complete. Next, you’ll create a new zone for guests. Within the guest zone, you can determine how guests can register their devices: using their mobile phone number (SMS), email address, or social media apps (Facebook, Twitter, Google).

To create a guest zone

1. Return to the Zones page and click New Zone.

2. Select the Headquarters (San Francisco) site from the drop-down list.

3. Type Guest to describe the zone.

4. Under guest zone, click On. A guest zone adds intraclient security (client isolation), so guest devices cannot reach each other.

5. Click Submit. Two zones are ready for use: one for the corporate LAN in San Francisco and one for the headquarters guests.

Adding shadow appliances

When you add an appliance for future deployment, it’s called a shadow appliance. Shadow appliances are basically cardboard cutouts that represent what will be a physical appliance after you register it with a serial number. In this tutorial, you’ll add gateways initially and access points later.

1. Choose Appliances > Gateways and click Add appliances.

2. Select Create Shadow Appliance.

3. Select SDI-130 Gateway from the model drop-down list.

4. Choose Headquarters as the site to deploy the shadow gateway.

5. Click Submit.

6. Repeat steps 2 through 5, substituting the Ashburn data center as the site instead of Headquarters.


7. Repeat steps 2 through 5 to create gateways for the branch offices in Seattle and Dallas.

After adding the gateways, SCM automatically connects them using AutoVPN to create secure VPN tunnels. Later, you’ll register the gateways to transform them from shadow appliances to physical appliances. For details, see “Adding shadow appliances” on page 209. Choose Network Design > Uplinks to see that SCM has automatically assigned uplinks to the new gateways.

Establishing a security policy

Before deploying the hardware, you need to establish a policy that permits the sites to reach each other. Because the traffic will transit zones, you create an Outbound/Internal rule within a policy that allows it.

To create a policy rule

1. Choose Rules > Outbound/Internal.

2. Click New policy rule.

3. For users/source, select All (excluding guests).

4. Click Allow.

5. Under Applications / Targets, choose Selected zones.

6. Choose all the LANs except the guest LAN in the headquarters to make them accessible from the users/zones.

7. Click On. The rule matches on the source and destination you selected.

The next task is to make the zones reachable over WiFi by adding a short name, or service set identifier (SSID), that contains the WiFi definition with authentication options. An SSID distinguishes one wireless network from another. In this tutorial, you’ll create a unified corporate SSID for use at all the sites, and one SSID that allows guests to join the network through a guest portal. After adding the SSIDs, you can broadcast them by site. Every broadcast can set additional, advanced WiFi options as well as the captive portal. For details, see “How do I use SCM to plan and broadcast WiFi?” on page 219.

To modify the default SSID

1. Select WiFi.

2. Click New SSID and name it Employees.


By default, an SSID uses WiFi Protected Access 2 (WPA2) for security. A default SSID also includes a randomly generated password. You can change the password to one that is easier to distribute and remember; if you do, use a long passphrase, because a WPA2 pre-shared key that every employee knows is only as secret as the least careful place it is written down. For the corporate SSID, you can instead authenticate users individually against RADIUS/NPS servers. See “RADIUS authentication” on page 83.

3. Select the SSID and change the password.

4. Click Submit. The SSID for Cyberdyne employees is ready for use. Next, you need to add an SSID for your guests.

To create a guest network

1. Choose WiFi > SSIDs.

2. Click New SSID and name it Guests.

3. Select Open from the security drop-down list so that the SSID has no pre-shared key and clients land on the onboarding portal. Access is then controlled by the captive portal, which requires guests to authenticate by SMS or email before they can reach the guest network. Note that an open SSID provides no over-the-air encryption, so guest traffic is protected only by whatever encryption the applications themselves use.

4. Click Submit.

To add users to the guest network

1. Choose Network Design > Portals.

2. Type the portal name Guest headquarters.

3. Select the portal type Guest Portal - Authenticated.

4. Select email + SMS to turn on the authentication portal so guests are able to use SMS and email authentication to join this network. You can also use social media apps to authenticate guest access. For details, see “Registering guest devices using social media” on page 92.

5. Click Submit.

Note: The guest network will never be able to connect to the secured corporate VPN.

Now that two SSIDs are defined, you need to broadcast them at your sites. (Again, hardware doesn't come into play yet—you’ll add a gateway later.) You can broadcast SSIDs by site and set advanced WiFi options for each broadcast as well as the captive portal. For details, see “How do I use SCM to plan and broadcast WiFi?” You can either set the broadcast channel selection and transmit power automatically or manually per access point.


To broadcast SSIDs

1. Choose WiFi > Broadcasts and click New Broadcast.

2. Select Headquarters (San Francisco).

3. Select the SSID Employees.

4. Select the Headquarters LAN network as the default zone.

5. Click Submit.

6. Under WiFi Broadcasts, click New Broadcast.

7. Select Headquarters (San Francisco).

8. Select the SSID Guests.

9. Select the Headquarters LAN network as the default zone.

10. Click Submit.

11. Select the Guest Portal.

12. Under Portal, select Guest [Guest Portal Authenticated] from the drop-down list.

Broadcasting WiFi wireless radio coverage

First you’ll need to determine how many access points you need. To assist with access point planning, SCM provides an integrated WiFi planner that eliminates expensive planning tools and guesswork. Use the planner to visualize the WiFi coverage in all sites, upload floor plans, and place access point placeholders as required. You can select different coverage-type presets. The WiFi planner will automatically create shadow devices as placeholders that you can turn into real hardware deployments later. We recommend using the Chrome browser for the best WiFi planning experience.

Important: The WiFi planning tool assumes a barrier-free wireless radio signal coverage.

To plan the WiFi coverage for a site

1. Select Planning.

2. Click New Plan.

3. Select the headquarters site.

4. Type a name for the plan.

5. Select a WiFi profile to influence the recommended access point placement and range.


6. Click Upload Plan or Draw Plan. To upload a predefined plan, choose the filename and click Open.

7. Click Submit. The next task is to set the general building dimensions to help define the signal strength and ranges.

To set the building dimensions

1. Click Set Scale.

2. Click the plan, expand an item in the drawing, and set the scale. For example, if you know one wall of your building is 26 feet long, you can set the scale with this wall to 26 feet.

To add access points

1. Open the WiFi planner.

2. Click Create New AP3 (or AP5 or AP5r). An access point icon appears on the plan, surrounded by a shaded transmit power area.

3. Select 2.4 or 5 GHz.

4. Move the access point to the desired location in the plan.

5. Type a name for the location.

6. Use the slider to adjust the transmit area.

7. Repeat steps 2 through 6 to add more access points, making sure they have the correct placement, amount of channel separation, and transmit power.

8. To avoid overlap between access points, either right-click the access point and select another channel from the channel drop-down list or use the channel auto select (the default setting).

9. Adjust the transmit area and placement of the access point as needed.

10. Click Save.

Because the WiFi planner is integrated in SCM, it uses the concept of shadow appliances for the access points. When you add an access point for future deployment, it’s called a shadow access point. Shadow access points are basically cardboard cutouts that represent what will be a physical access point.

To view the access points

 Select Appliances > Access Points. The access points appear with a status of Shadow.


Enabling appliances

SteelConnect Manager stores all configurations, including your existing and future plans. This means you can either add an appliance when you physically have it, or you can preplan and configure an appliance for the future and later drop the physical appliance into the topology with no further configuration needed. In SCM, an appliance can be an SD-WAN gateway, an Ethernet switch, or a WiFi access point. When you add an appliance for future deployment, it’s called a shadow appliance. Shadow appliances are basically cardboard cutouts that represent what will be a physical appliance after you register it with a serial number.

At this point you have shadow appliances deployed, zones created, and a WiFi network that is set up and broadcasting SSIDs. The next task is to register the physical devices to transform them from shadow appliances into physical appliances.

To register a hardware appliance

1. Select the shadow appliance, and choose Actions > Register hardware.

2. The appliance is shipped with a label that has the SteelConnect serial number. Find that serial number on the appliance and type it here.

Figure 3-3. SteelConnect gateway serial number location

To help you identify an appliance without unmounting it, unregistered appliances with an Organic LED (OLED) display (Gateway 330, Switch S24, and Switch S48) display their serial number in the screen until you register the appliance with SCM.


3. Repeat these steps to register the other appliances.

The provisioning server hands off the appliance when it connects into the particular organization and site. It gives the appliance its configuration, brings it online, performs all firmware upgrades, and realizes your design on the appliance in the real world. This automatic provisioning makes the appliances easily replaceable, if necessary.

All internet connections, or uplinks, are automatically created when you set up your sites. By default, all uplinks use DHCP; however, SteelConnect also supports static IPs and PPPoE with authentication. For details, see “Creating uplinks” on page 85.

A complete mesh overlay connects all sites and shares all networks that are involved in RouteVPN with full permissions. After AutoVPN establishes the tunnels, you can view the dashboard map to see a visual representation of the network. Click a site marker to verify that the locations are completely connected with a full-mesh VPN. SCM displays the established connections as green lines between the sites. The lines change to red if a tunnel goes offline. For troubleshooting, see “Provisioning” on page 232.

Configuring remote employee access to the corporate LAN

This section steps through the optional procedure of setting up a home office for a CEO that has access to the corporate LAN. When finished, your configuration will reflect Figure 3-4.

Figure 3-4. Organization with a home office added to the corporate network

You’ll start by creating a unique site that isn’t part of a dedicated zone shared with the rest of the company. Instead, the new home office site will use an IP address on the headquarters network as though the CEO were working in the building.


To provide the CEO access to the corporate LAN from home

1. Choose Network Design > Sites.

2. Click Add a Site.

3. Type a site tag to give the site a name: for example, CEOSite.

4. Type a site name that describes the site: for example, CEO.

5. Type the CEO’s home site location: for example, Denver.

6. Type the site’s address, country, and time zone.

7. Click Submit. SCM automatically creates a zone for the site.

8. Choose Network Design > Zones.

9. Select the zone CEOSite, select the IP tab, and change the IP address to match the CEO’s local internet connection.

10. Click Submit.

11. Because the CEO’s home office will use an access point instead of a gateway, select the Gateways tab and select Manual to disable automatic gateway configuration.

12. Choose Uplinks and choose CEOSite.

13. Select the Settings tab and rename the uplink to CEO-Uplink.

14. Choose WiFi > Broadcasts and click New Broadcast.

15. Select CEOSite (CEO).

16. Select the SSID Employees.

17. Select the headquarters LAN as the default zone.

18. Click Submit. When the CEO joins the network from home, the CEO is assigned an IP address on the corporate LAN. You don’t need to create a security policy because the home office isn’t transiting sites.

19. Choose Appliances and click Add appliances.

20. Select Create Shadow Appliance.

21. Select an Access Point.

22. Choose CEOSite (CEO) as the site to deploy the access point.

23. Click Submit. After registering the access point, the CEO joins the corporate LAN from home. For details, see “Adding shadow appliances” on page 209.


Logging out

To log out of the current session

1. In the upper-right corner click your username to open the drop-down menu.

2. Click Logout.


SteelConnect in the Cloud

Amazon Web Services and Microsoft Azure connectivity

Do you need to connect separate virtual networks? Are you developing a hybrid network? Do you want to connect your IaaS, cloud-hosted networks to your in-house networks and manage them all through a single interface? This topic explains how to accomplish these tasks. SteelConnect offers strong integration with Amazon Web Services (AWS) and Microsoft Azure. Connect your IaaS vendor accounts to SCM, and SteelConnect will find all your subnets, in all networks, in all regions. Importing an entire network, or individual subnets, into SCM is as easy as clicking a button. You can then deploy virtual SteelConnect gateways, with optional SteelHead WAN optimization and redundancy, onto your SCM-managed subnets to build an interconnected, full-mesh virtual private network (VPN).

Note: Redundancy and manual routing are currently only available on AWS.

Note: AWS, Azure, and SteelConnect use slightly different terms to refer to similar network concepts. Virtual Private Clouds (AWS) and VNets (Azure) are called sites in SteelConnect, and subnets are referred to as zones.

Figure 4-1. Sample organization with applications and services in the cloud


The process is simple and fast, and consists of these steps:

1. Go to your IaaS vendor’s marketplace and subscribe to a Riverbed offering. See “Subscribing to Riverbed products” on page 43.

2. Log in to your SteelConnect Manager console and configure your IaaS vendor account on SteelConnect Manager. See “Configuring your cloud accounts with SteelConnect Manager” on page 44.

3. Import networks and connect subnets into SteelConnect. See “Importing cloud networks” on page 46.

4. Deploy gateways into your virtual network. See “Deploying SteelConnect gateways onto cloud networks” on page 47.

SteelHead WAN optimization

SteelConnect gateways can be deployed together with SteelConnect SteelHeads for WAN optimization. You also have the option to deploy redundant gateway/WAN optimization stacks. You can add these features at deployment time or at any later time. See “Managing your deployments” on page 48. When you choose WAN optimization, SteelHead images engineered for SteelConnect are deployed together with your gateways into your virtual network. All routing and licensing is automatic, and the SteelHead is covered by Riverbed support. Logically, the SteelHead sits between the gateway and the subnets within the virtual network, data center, or branch. SteelHeads use autodiscovery to peer with each other and begin optimizing traffic throughout your SteelConnect-connected network.

Note: Currently, WAN transparency is not enabled by default on SteelHeads in SteelConnect. Effectively, this means that if the gateway is configured with rules that rely on client/server IP addresses, those rules will not match optimized traffic, because the SteelHead’s own addresses appear on the WAN side instead. However, you can manually configure WAN transparency through the SteelHead management console. See “To manage SteelHead appliances” on page 48.

Note: Currently, only RiOS 9.2.1 is supported on AWS. Support for upgrades to newer versions will be made available in a future release. RiOS 9.5 and later is supported on Azure.

Redundancy

You can turn on redundancy when you deploy your SteelConnect gateways or at a later time. You can choose redundancy for SteelConnect gateway-only deployments or for SteelConnect gateway with WAN optimization deployments.

Note: Redundancy is currently only available on AWS.

When you choose redundancy, redundant appliances are deployed in different availability zones. The active appliances that are actively routing and optimizing your network traffic are the primary appliances. Standing by are secondary appliances, ready to take over if a primary appliance fails. You can determine whether an appliance is primary or secondary by viewing its role in the appliance details page. See “To view gateway or SteelHead appliance details” on page 48.


For gateways with optimization, when the primary SteelHead fails, traffic is first sent directly to its associated (master) gateway, bypassing optimization. If the SteelHead does not recover within two minutes, traffic is redirected to the secondary stack and WAN optimization resumes.

Subscribing to Riverbed products

Riverbed offers products in the AWS and Azure marketplaces. After subscribing to a product, you can configure your cloud accounts in SCM and begin deploying appliances. If you don’t already have an SCM, you can get a free trial version.

Note: Subscribing to a Riverbed product does not require the creation of a “dummy” virtual machine instance. However, if you do launch an instance during the subscription process that virtual machine can be disregarded or deleted.

To subscribe to SteelConnect Gateway in AWS

1. Go to http://awsgateway.riverbed.com. You will be directed to the AWS Marketplace.

2. Click Continue.

3. Select the Manual Launch tab and accept software terms.

To subscribe to SteelConnect Gateway in Azure

1. Go to http://azuregateway.riverbed.com. You will be directed to the Azure Marketplace.

2. Log in to the Azure Marketplace.

3. Click Want to deploy programmatically? Get started.

4. Click Enable.

5. Click Save.

To subscribe to SteelHead (WAN optimization) in AWS

1. Go to http://awssteelhead.riverbed.com.

2. Click Continue.

3. Select the Manual Launch tab and accept software terms.

To subscribe to SteelHead (WAN optimization) in Azure

1. Go to http://azuresteelhead.riverbed.com. You will be directed to the Azure Marketplace.

2. Log in to the Azure Marketplace.


3. Click Want to deploy programmatically? Get started.

4. Click Enable.

5. Click Save.

To get a free trial of SCM

 Go to https://www.riverbed.com/steelconnect/steelconnect-free-trial-download.html.

Configuring your cloud accounts with SteelConnect Manager

You can add multiple accounts.

Note: For Azure accounts, you will need to create an application and gather some information about it. Log in to the Riverbed Knowledge Base and search for article S29078 for details.

To configure your AWS accounts with SteelConnect Manager

1. Log in to the SteelConnect Manager console.

2. Choose Network Design > AWS.

3. Click Add Account. The Add AWS Account dialog box appears.

4. Type an account name.

5. Select IAM role as the account type. IAM is preferred because it’s more secure and provides a clear audit trail of activity. Instructions for creating an IAM role for use with SteelConnect appear in the Add AWS Account dialog box. Keep these instructions handy.

6. Copy and save the account ID and the external ID to a location where you can easily access them. You’ll need them later in this procedure.

7. Return to the AWS console and choose Services > Security & Identity > IAM > Roles.

8. Continue by following the instructions in the Add AWS Account dialog box.

9. When you are finished, return to the SteelConnect Manager and click Submit.
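The trust relationship on that IAM role is the part worth checking. SCM assumes the role from the AWS account whose ID it displayed in step 6 and presents the external ID from the same dialog box; a trust policy that names the account but omits the sts:ExternalId condition would let anyone who can call from that account assume your role on behalf of the wrong customer. The following shell snippet is an added example, not Riverbed’s or AWS’s own code: it emits such a trust policy for placeholder values and checks that the condition is present. The account ID 111122223333, the external ID, and the role name SteelConnect are assumptions; use the values shown in the Add AWS Account dialog box, and attach the permission policy that dialog box specifies.

```shell
#!/bin/sh
# Added example (not from the SteelConnect guide): build the trust policy for
# the IAM role that SteelConnect Manager assumes, and check it for the
# external-ID condition. All IDs here are placeholders; SCM displays the
# real account ID and external ID in its Add AWS Account dialog box.

# Print a trust policy that lets only the given account assume the role,
# and only when it presents the expected external ID.
scm_trust_policy() {
  scm_account_id=$1   # AWS account that SCM calls from (shown by SCM)
  external_id=$2      # external ID shown by SCM; acts as a shared secret
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${scm_account_id}:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Succeed only if a trust policy document carries the ExternalId condition.
# Without it, any principal in the trusted account could assume the role on
# behalf of another tenant (the confused-deputy problem the external ID
# exists to prevent).
trust_policy_ok() {
  printf '%s' "$1" | grep -q '"sts:ExternalId"'
}

# Usage (placeholder IDs; the role name SteelConnect is an assumption):
#   policy=$(scm_trust_policy 111122223333 a1b2c3d4-example)
#   trust_policy_ok "$policy" || exit 1
#   aws iam create-role --role-name SteelConnect \
#       --assume-role-policy-document "$policy"
```

Run trust_policy_ok against the role’s existing trust document as well (aws iam get-role prints it) whenever the role is edited, so the condition cannot be dropped silently.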

To configure your Azure accounts with SteelConnect Manager

1. Log in to the SteelConnect Manager console.

2. Choose Network Design > Azure.

3. Click Add Account. The Add Azure Account dialog box appears.

4. Type an account name.


5. Enter a subscription ID, application ID, secret key, and tenant ID from Azure by completing the steps in “To generate Azure credentials for SteelConnect Manager integration” on page 45.

6. Click Submit.

To generate Azure credentials for SteelConnect Manager integration

Use one of the following methods to generate Azure credentials:

Method 1

We recommend this method if you already have azure-cli installed on your local machine, because it takes fewer steps and provides a script for your convenience. The script registers an Azure AD application, creates a service principal for it, assigns that service principal the Owner role on the whole subscription, and prints the credentials that SCM needs. Owner is a broad role, so treat the printed secret as you would a subscription administrator’s password.

1. Ensure you have azure-cli (the classic azure command) installed on the local machine from which you will run this script. On that machine, create and save the following script with the name azure_credentials_generate.sh.

#!/bin/bash
# Registers an Azure AD application plus service principal for SteelConnect
# Manager and prints the credentials to enter in SCM.
# Requires the classic azure-cli ("azure" command). Run it as
#   ./azure_credentials_generate.sh [subscription-id]

azure config mode arm
azure login

# Use the subscription ID passed as the first argument, or fall back to the
# default subscription of the logged-in account.
if [ -z "${1:-}" ]
then
  SubsID=$(azure account show | grep "ID" | grep -v "Tenant ID" | awk -F ":" '{print $3}' | awk '{print $1}')
  echo "Using default Subscription ID: $SubsID"
else
  SubsID=$1
  echo "Using user provided Subscription ID: $SubsID"
fi

AppName="SteelConnect$RANDOM"
# The application secret is the password SCM will authenticate with, so it is
# drawn from openssl's random source rather than built from a predictable
# "SteelConnect123$RANDOM" suffix (RANDOM yields only 15 bits of entropy).
AppSecret=$(openssl rand -hex 24)

# Create the application and its service principal, extracting the IDs from
# the CLI's "key : value" output.
AppID=$(azure ad app create --name "$AppName" \
  --home-page "https://www.riverbed.com/$RANDOM" \
  --password "$AppSecret" \
  --identifier-uris "https://www.riverbed.com/$RANDOM" | grep "AppId" | awk -F ":" '{print $3}' | awk '{print $1}')
SPObjID=$(azure ad sp create --applicationId "$AppID" | grep "Object Id" | awk -F ":" '{print $3}' | awk '{print $1}')
echo "On Azure Portal, created an application with name: $AppName"
echo "Waiting for changes to propagate to Azure..."
sleep 120

# Grant the service principal Owner on the entire subscription. This is the
# permission SCM is given by this method; it is broad, so guard the secret
# accordingly.
azure role assignment create --objectId "$SPObjID" -o Owner -c \
  "/subscriptions/$SubsID/" > /dev/null 2>&1
TenantID=$(azure account show "$SubsID" | grep "Tenant ID" | awk -F ":" '{print $3}' | awk '{print $1}')

echo "*******************************************************"
echo "Credentials to enter on SCM:"
echo "Subscription ID: $SubsID"
echo "Application ID: $AppID"
echo "Secret Key: $AppSecret"
echo "Tenant ID: $TenantID"
echo "*******************************************************"


2. Make the script executable (chmod +x azure_credentials_generate.sh) and run it using this syntax: ./azure_credentials_generate.sh. Do not use any other syntax to run this command, such as sh azure_credentials_generate.sh; the script relies on bash features (for example, $RANDOM) that a plain sh does not provide.

Note: To use a subscription ID other than the default one on your system, pass it as the first argument, in the format ./azure_credentials_generate.sh b3xxxxx-xxxx-xxxx-xx07, where b3xxxxx-xxxx-xxxx-xx07 is the preferred subscription ID.

3. Make a note of the subscription ID, application ID, secret key, and tenant ID displayed in the command output and enter these credentials in SCM by completing the following steps. The secret key is a credential with Owner rights on the subscription: store it as you would any privileged password, and do not leave it in shell history or terminal logs.

 In SCM, choose Network Design > Azure and click Add account.

 Enter the subscription ID, application ID, secret key, and tenant ID.

 Click Submit. The entry appears in the Azure account list. The status changes from Configuring to OK after a short time.

Method 2 Manually obtain and enter a subscription ID, application ID, secret key, and tenant ID from the Azure portal. See article S29078 in the Riverbed Knowledge Base at https://supportkb.riverbed.com/support/index?page=content&id=s29078.

Importing cloud networks

To import cloud networks

1. In SCM, choose Network Design > AWS or Azure.

2. Select the Import VPCs or Virtual Networks tab. Your cloud network appears. All networks, and their subnets, in your accounts are displayed. SCM automatically refreshes this list every 15 minutes. To filter the list, type a search filter in the search box.

3. Click Connect all subnets to import a network and all of its subnets, or import individual subnets with their Connect button. If you would like to later remove an item from the full-mesh network, you can disconnect it. See “To remove a subnet or entire site from the full-mesh network” on page 49.


This step prepares the necessary updates and configurations locally on SteelConnect Manager, but it does not yet propagate them to your IaaS vendor account.

Figure 4-2. Importing VPCs and connecting subnets

After importing and connecting, you’re ready to deploy gateways into your SCM-connected network.

Deploying SteelConnect gateways onto cloud networks

Note: Refer to the IaaS vendor’s price list for instance pricing.

To deploy gateways into your virtual network

1. In SCM, choose Network Design > AWS or Azure.

2. Select the Deploy Instances tab.

3. Click Deploy next to a site name. The Deploy Instances dialog box appears.

4. In the Deploy Instances dialog box, select an instance size for your gateways based on the bandwidth you need.


5. Optionally, add WAN optimization across this site by selecting an instance size for the SteelHead instance (see “To manage SteelHead appliances” on page 48).

6. Optionally for AWS only, turn on Redundancy (see “Managing your deployments” on page 48).

7. Optionally for AWS only, switch to manual routing if your deployments will exceed the AWS limit on routing table entries (50 maximum) or if you prefer to manage your route tables yourself.

8. Click Submit. Refer to the IaaS vendor’s price list for instance pricing.

Managing your deployments

To view gateway or SteelHead appliance details

1. Once the deployment completes, in SCM choose Appliances > Gateways.

2. Select a gateway. The appliance details page appears. Information in this page is organized under several tabs.

3. Select the SteelHead tab to view SteelHead appliance details.

To manage SteelHead appliances

1. Choose Appliances > Gateway.

2. Select a gateway.

3. Select the SteelHead tab.

4. Click the appliance’s IP address. The SteelHead Management Console appears.

5. Log in to the SteelHead Management Console. For a first-time login, use admin for the username. In Azure, the password is password. In AWS, the password is the instance ID for the SteelHead. Change these credentials after you log in for the first time and be sure to record your new username and password in a safe location. See the SteelHead Management Console’s online help for details about using it. All further configuration and management of the SteelHead can be performed directly through the SteelHead Management Console or through a SteelCentral Controller for SteelHead.

To remove the gateway from a site

1. On SCM, choose Network Design > AWS or Azure.

2. Click Undeploy next to a site. A confirmation dialog box appears.

3. Click Confirm.


The system terminates the gateways and SteelHeads, and removes all traces of SteelConnect from the site.

To remove a subnet or entire site from the full-mesh network

You must undeploy a site before you can remove it or its last remaining subnet. See “To remove the gateway from a site” on page 48.

• On SCM, choose Network Design > AWS or Azure, select the Import VPCs or the Virtual Networks tab, and click Disconnect next to an item.

To change instance size, WAN optimization, redundancy, or routing

1. On SCM, choose Network Design > AWS and select the Deploy Instances tab.

2. Click Manage next to the site.

3. Change settings to your liking and click Submit.


5 Monitoring the Network

Viewing your topology

The dashboard map offers a unified at-a-glance view of your network topology, including a summary of the established tunnels, tunnels that need attention, sites under construction, and new events. It also provides continuous automatic monitoring of network events and site status.

To view the dashboard

• Select Dashboard.

Figure 5-1. Multiple sites within an organization

The Google Map displays the sites within an organization.

Viewing tunnel status

The dashboard displays the tunnels in the full-mesh network after you click a site marker.


To view tunnel status

1. On the dashboard map, click the site marker.

Figure 5-2. Viewing tunnel status

2. Click the green line indicating a path. Path quality reports metrics on established and functional tunnels, throughput, and path quality. For details, see “Monitoring path quality” on page 188.

• Green line - Indicates that the VPN tunnel is successfully established.

• Red dashed line - Indicates that the VPN tunnel can’t be established or is down.

• Gray dashed line - Indicates that the VPN tunnel is under construction.

Viewing site and appliance status

You can monitor the real-time status of your sites along with the appliance status from the dashboard. You can also monitor path quality metrics if you’re using path selection. For details, see “Monitoring path quality” on page 188.

To view site status

• On the dashboard map, click the site marker. The site’s tunnel status, appliance status, and location appear:


• Green - SCM measures the AutoVPN health of a site as a whole. As long as there is one AutoVPN tunnel from that site to another, it shows a green check mark for the site status. Green indicates that some or all tunnels associated with the site are established.

• Gray - A gray dashed icon indicates that the site is under construction. This includes:

– sites that are in the process of being defined within SCM, but are not yet live with actual appliances

– sites with shadow appliances

• Red - A red icon indicates that there is a problem with the site.

• If the city for a site is invalid, a purple question mark appears in an ocean on the dashboard map.

Figure 5-3. Invalid city marker for a site

– Click the marker to view the invalid address. Click the invalid address to go to the Location tab where you can fix the city.

Note: To return to the dashboard, click the site marker again.

Displaying online help

To display online help

1. Click the question mark (?) icon in the upper-right corner.

2. Choose SteelConnect Help. The help appears in a new browser tab.


6 Scheduling Firmware Upgrades

Upgrade overview

SteelConnect automatically updates firmware for all managed appliances. A SteelConnect appliance needs to be connected to the internet and registered, and the upgrade happens automatically when a new version of the firmware is available. A SteelConnect appliance has two memory partitions that store the old and new firmware at the same time. While the new firmware is downloading, the appliance continues to operate using the old firmware. After the firmware is downloaded, it is installed on the inactive partition, according to the upgrade schedule. The appliance reboots when the upgrade is complete. The upgraded firmware becomes active after the appliance reboots. If the new firmware fails to load, the appliance reverts to the old firmware.

The network administrator can schedule the upgrade time and day and reschedule pending upgrades. Initially, the default policy determines the upgrade schedule for all appliances. For more control, SteelConnect Manager (SCM) provides the ability to schedule firmware upgrades at a date and time of your choosing.

Creating site tags

You can use site tags to group multiple appliances under one policy. Sites can have one tag, multiple tags, or no tags at all.


To create a site tag

1. Choose Organizations > Network Design > Sites.

Figure 6-1. Sites page

2. Select a site where you would like to create a tag. The site page displays.

3. Select the Location tab.

Figure 6-2. Location tab

4. Click the Tags selection box. Enter the tag name for the site.

5. Click Add tag.


6. Click Submit.

Figure 6-3. Creating the tag

Configuring firmware upgrade schedules

You can use site tags to group appliances and manage their upgrades. Once the tags are defined, you can configure an upgrade policy for each tag. SCM upgrades all appliances grouped under a tag according to the tag policy.

Changing the default policy

The default policy determines the upgrade schedule for appliances not associated with a tag policy.

Note: An organization’s maintenance policy overrides the realm’s maintenance policy. For details, see “Maintenance” on page 242.

To review and define the default upgrade policy

1. Choose Organizations > Maintenance.


2. Click Edit next to the Default site group.

Figure 6-4. Selecting the default policy

3. Specify a weekday and time for the monthly firmware upgrades.

Figure 6-5. Editing the default policy

4. Click Submit to save changes.

Scheduling firmware upgrades

You can use site tags to further enhance the upgrade schedules. Once you define site tags, you can customize schedules for the sites.

To schedule firmware upgrades

1. Choose Organizations > Maintenance.


2. Click Add schedule.

Figure 6-6. Adding a schedule

3. Select a Site Group from the drop-down list. If a drop-down list does not appear, see “Creating site tags” to create and define the site tags.

Figure 6-7. New scheduling rule page

4. Click Add tag.

5. In the Position field, select a position from the drop-down list. Site groups are listed in the order they’re created. The position determines the order of the site groups displayed on the dashboard and the order of upgrade priority.

6. In the Day of Week field, select from the drop-down list the day on which the firmware upgrade will take place.

7. In the Frequency field, select After every SteelConnect Manager Upgrade.

8. In the Time of Upgrade field, select a time from the drop-down list.

9. Click On if you want the upgrade to happen in the site group's time zone. Click Off if you want the upgrade to happen in the organization's time zone.


10. Click Submit. Your new entry will appear on the dashboard. Once you’ve created a policy, you can click the Edit button to make changes.

Important: Changing the time and day settings for firmware upgrades only affects new firmware upgrades; it does not affect previously scheduled upgrades. If you need to change existing scheduled upgrades, click Postpone.

Postponing scheduled upgrades

You can postpone the next scheduled upgrade without changing the overall policy.

To postpone the next upgrade of an existing schedule

1. Click Postpone.

Figure 6-8. Postponing an upgrade

2. Select a new day for the rescheduled upgrade.

3. Select a new time for the rescheduled upgrade.

Note: The new day and time must be within the first 14 days after the SCM recognizes a new firmware image. Trying to postpone it by more than 14 days results in an error message.

Figure 6-9. Rescheduling a firmware upgrade


Upgrading immediately

To upgrade the firmware version immediately

• For the default policy, there are two ways to upgrade immediately:

– Click Edit and then click On in the Edit default policy window to apply firmware upgrades immediately. Click Submit.

– Click Upgrade Now for the default group. Click Confirm to apply the upgrade.

This applies upgrades as soon as a new firmware version is available, for all future releases.

Figure 6-10. Applying upgrades immediately

• For scheduled upgrades, click Upgrade Now for the site group that you want to upgrade. Click Confirm to apply the upgrade. (The Upgrade Now button only appears if appliances have pending firmware upgrades.)

Figure 6-11. Upgrade Now button

Deleting schedules

To delete a schedule

1. Click Delete next to the schedule that you want to delete.

2. Click Confirm to delete the schedule.

Figure 6-12. Deleting a schedule


When you delete a schedule, the remaining policies control the upgrades. An appliance can have multiple site tags so it is possible that a secondary policy will apply. If a scheduled policy does not apply to an appliance, the appliance follows the default upgrade policy.

How can I tell if the appliance firmware is up to date?

From the dashboard, choose Appliances > Overview. Click an appliance and compare the appliance’s major firmware version number with the SCM version. The SCM version appears in the bottom left corner of the page. When the major firmware version of the appliance matches the SCM version, the appliance is up to date. In this figure, the firmware is up to date because the major version numbers 2.6 match.

Figure 6-13. Verifying the appliance firmware version

7 Defining an Organization

Organization overview

An organization is a company representing an end customer. It contains the customer details, sites, devices, zones associated with the devices, the uplinks, and so on. You can assign administrative rights to individual administrator accounts per organization. You can also manage appliances and licensing per organization. SCM ships with a default organization. This section explains the default settings and how to create a new site within an organization. You can change settings associated with an organization using the tabs on the Organization page.

Figure 7-1. Defining an organization


Name/Location

This tab provides a place to set the name referenced in SCM and the reports. This tab also displays the global organization ID generated by SCM that uniquely identifies the organization system wide. You can also define the location and the contact information for the entire organization.

Networking defaults

To select the networking defaults

1. Choose Organization and select the Networking defaults tab.

2. Specify your preference for these items:

• Internet breakout preference - Determines how you want internet traffic to flow for each site that you deploy throughout the organization. When sending traffic to the internet, the default is to send internet bound traffic directly out the local connection. You can also use RouteVPN or WANs as alternative breakouts. When including RouteVPN in your preference list, specify the default site that will handle the breakout. For details, see “Local internet breakout or backhaul” on page 26. This setting is global and affects the entire organization if you don’t override the settings by sites and zones. Moving the internet breakout location to a central location forces all internet traffic to that location regardless of the presence of a local internet breakout.

• WAN usage preference - If using more than one WAN, select the preferred path. For example, if you have two paths to reach your corporate headquarters, you can select an MPLS as the preferred path.

• NTP Settings - Specify the local Network Time Protocol (NTP) servers of your choice, one per line. We recommend that you configure your own internal NTP servers; however, you can leave the field blank to use these default Riverbed-provided NTP servers:

0.ocedo.pool.ntp.org
1.ocedo.pool.ntp.org
2.ocedo.pool.ntp.org
3.ocedo.pool.ntp.org

Social Media

This tab provides a place for an administrator to configure guest access using a social media app. For details, see “Registering guest devices using social media” on page 92.


Numbering Pools

When SCM creates new zones, it uses the default zone numbering specified on the Numbering Pools tab for VLANs, IPv4, and IPv6 addressing. These are global pool settings used as the base identifiers throughout the organization. Optionally, you can manually configure the numbering for each zone. A simple method is to assign a 10.x.0.0/16 network, such as 10.1.0.0/16, from which every zone you create then draws its addresses. The default numbers are:

• VLAN pool base: 1000

• IPv4 network pool: 172.16.0.0/12

• IPv6 ULA network pool: fd00:ced0:ced0::/48

Important: Both IPv4 and IPv6 addresses come from finite pools of numbers. Don’t create a zone with a subnet the size of the full IP address pool, because doing so can exhaust the pool. After the pool is exhausted, SteelConnect is unable to create the zones with the allocated subnets.
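The following Python model is an added example (not Riverbed code) of how zone numbering is drawn from these pools and why a zone sized like the whole pool, or a series of large zones, exhausts it. First-fit allocation from the lowest free block, the gateway taking the first usable host address, and the overlap check on a manual override are assumptions made for this example, not SCM's documented behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class PoolExhausted(Exception):
    """No free block of the requested size remains in the pool."""


@dataclass
class NumberingPools:
    """Organization-wide numbering pools with the guide's default values.

    Constructed model for this example; allocation order (first fit, lowest
    free block) is an assumption, not SCM's documented algorithm.
    """
    vlan_base: int = 1000
    ipv4_pool: ipaddress.IPv4Network = field(
        default_factory=lambda: ipaddress.ip_network("172.16.0.0/12"))
    ipv6_pool: ipaddress.IPv6Network = field(
        default_factory=lambda: ipaddress.ip_network("fd00:ced0:ced0::/48"))
    zones: Dict[str, dict] = field(default_factory=dict)
    _next_vlan: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self._next_vlan = self.vlan_base

    def _allocated(self, version: int) -> List[IPNetwork]:
        key = "ipv4" if version == 4 else "ipv6"
        return [z[key] for z in self.zones.values()]

    def _first_fit(self, pool: IPNetwork, prefixlen: int) -> IPNetwork:
        # A zone whose subnet is as large as the pool itself is exactly the
        # case the guide warns about: it would consume the entire pool.
        if prefixlen <= pool.prefixlen:
            raise ValueError(
                f"/{prefixlen} is not smaller than the {pool} pool; "
                "a zone this size would exhaust the pool")
        taken = self._allocated(pool.version)
        for candidate in pool.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                return candidate
        raise PoolExhausted(f"no free /{prefixlen} left in {pool}")

    def create_zone(self, name: str, ipv4_prefixlen: int = 24,
                    ipv6_prefixlen: int = 64,
                    ipv4_override: Optional[str] = None) -> dict:
        """Number a new zone from the pools, or honour a manual IPv4 override."""
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")
        if ipv4_override is not None:
            v4 = ipaddress.ip_network(ipv4_override)
            if v4.version != 4:
                raise ValueError("override must be an IPv4 network")
            if any(v4.overlaps(t) for t in self._allocated(4)):
                raise ValueError(f"{v4} overlaps an existing zone")
        else:
            v4 = self._first_fit(self.ipv4_pool, ipv4_prefixlen)
        v6 = self._first_fit(self.ipv6_pool, ipv6_prefixlen)
        zone = {
            "vlan": self._next_vlan,
            "ipv4": v4,
            # Assumption: the gateway takes the first usable host address.
            "gateway": next(v4.hosts()),
            "ipv6": v6,
        }
        self._next_vlan += 1
        self.zones[name] = zone
        return zone

    def ipv4_utilisation(self) -> float:
        """Fraction of the IPv4 pool consumed by zones drawn from it."""
        used = sum(z["ipv4"].num_addresses for z in self.zones.values()
                   if z["ipv4"].subnet_of(self.ipv4_pool))
        return used / self.ipv4_pool.num_addresses


if __name__ == "__main__":
    pools = NumberingPools()
    for zone_name in ("office", "lab"):
        z = pools.create_zone(zone_name)
        print(zone_name, z["vlan"], z["ipv4"], z["gateway"], z["ipv6"])
    print(f"IPv4 pool used: {pools.ipv4_utilisation():.4%}")
    try:
        pools.create_zone("too-big", ipv4_prefixlen=12)
    except ValueError as err:
        print("rejected:", err)
```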

To manually configure the numbering pools

1. Choose Organization and select the Numbering Pools tab.

2. Change the default IP addresses or VLAN pool base.

3. Click Submit.

Note: You can also configure the pool settings when you create a zone. For details, see “Zones within a site” on page 74.

Data Retention

This tab provides a place to specify how long SCM retains its traffic data history and unregistered device information for an organization. The maximum number of days is 366. The default setting for traffic history is 14 days and 7 days for unregistered devices.

To change the amount of time SCM retains data

1. Choose Organization and select the Data Retention tab.

2. Change the number of days for traffic history, unregistered devices, or both.

3. Click Submit.


Agent

A SteelConnect agent is a software VPN client that you can download and install on your laptop. The agent provides remote access to company applications automatically, when employees travel or work from home. The SteelConnect agent is available for Windows and Mac.

Figure 7-2. Remote access using an agent

The inbound VPN agent uses UDP port 4500 to connect to a single gateway for an organization. The agent detects the gateway automatically, so there isn’t an IPSec tunnel for the user’s client if the user connects to the LAN side of a gateway. After installing and registering the agent, you need to make sure that the users associated with the agent can be authenticated using their email address or mobile phone number to log in and gain access to inbound VPN from those sites. You will also have to define policy rules to allow traffic from the agent. You need to install and register the agent once. After installation, whenever the computer is online, the agent connects to the organization and establishes a tunnel automatically.

Where do I find the agent software? As the SteelConnect agent is branded for each organization, you’ll download it from SCM, as described in the following procedures.


Installing the Windows agent

To install the Windows agent

1. In the Windows Control Panel, select Programs and Features, and uninstall any previous versions of the agent.

2. Choose Organization > Organization.

3. Select the Agent tab.

4. Click Download Agent for Windows.

5. Double-click the Agent-acme.exe file to install the agent.

6. Verify your organization information, agree to the end-user license agreement, and click Install.

7. Register your agent installation with the corresponding SteelConnect Manager.

8. Define policy rules to allow traffic from the agent. For details, see “To create a traffic path rule” on page 181. The Windows task bar displays the agent status:

• Onsite - Indicates that the agent has recognized that the device is already located behind a Riverbed appliance of its organization. The agent doesn’t negotiate a dedicated IPSec tunnel.

• Offsite - Indicates that the agent has recognized that the device is not located behind a Riverbed appliance of its organization. The agent doesn’t negotiate a dedicated IPSec tunnel.

If the agent installation is unsuccessful, see “SteelConnect Windows Agent” on page 231.

Installing the Mac agent

After installing the agent, you must register it. As part of the installation process, you will install a helper application that will step you through the registration process. To register, you will need to provide an email address or phone number where you can receive a confirmation code. Have this information handy.

To install the Mac agent

1. Uninstall any previous versions of the agent.

2. Choose Organization > Organization.

3. Select the Agent tab.

4. Click Download Agent for Mac.

5. Navigate into the Downloads folder and launch the Agent-acme.dmg file.

6. Double-click the Install Agent.app file to launch the installer.

7. Click Open to verify that you want to install the application.


8. Review the license agreement and click Install. The agent is installed.

9. Click Open.

10. Click Install to authorize the installation of the helper tool.

11. Enter your username and password and click Install Helper.

12. Enter an email address or phone number where you can receive a confirmation code.

13. Click Next.

14. Enter your 8-digit confirmation code.

15. Click Finish.

16. Define policy rules to allow traffic from the agent. For details, see “To create a traffic path rule” on page 181.

To uninstall the Mac agent

Follow these steps to remove the agent and all associated data.

Note: To remove the agent but not items such as log files, VPN certificates, and so on, simply delete the agent from the Applications folder.

1. Download the Mac agent and launch the .dmg file. See “To install the Mac agent” on page 67.

2. Right click the Install Agent.app file and choose Show Package Contents.

3. Navigate to Contents > Resources.

4. Right click the agent_unistall.sh file.

5. Choose Open With > Other.

6. Search for Terminal.

7. Select Terminal and click Open.

8. Type your password and press Enter.

Selecting the default agent home site

The agent always connects to a single site within the organization. By default, all agents connect to the same site. You can select the default site. The default site is the headend for all agent traffic. There can only be one headend for the agents.

To select a default home site

1. Choose Network Design > Sites.


2. Select the current default home site for the agent, indicated by the Agent home icon.

Figure 7-3. The default home site for the agent

3. Select the Agent tab.

4. After Default site, click Off.

5. Click Submit.

6. Select the site you want to make the default home site.

7. Select the Agent tab.

8. After Default site, click On.

9. Click Submit.

Changing the agent IP address pool

Agents receive their IP address assignment from a pool of IPv4 addresses. You can choose the pool from which the headend will assign the IPv4 addresses to the agents.

To change the agent IP address pool

1. Choose Network Design > Sites.

2. Select the default home site for the agent, indicated by the Agent home icon.

3. Select the Agent tab.

4. Type an IPv4 network in CIDR notation: for example, xxxx.xx.x.x/24. The subnet must be at least a /24.

5. Click Submit.

SSH

SteelConnect gateways, switches, and access points use zero-touch configuration and don’t require console access; however, if you need to access the appliance console for troubleshooting, the controller can create an SSH tunnel. You enable SSH access to an appliance on the SSH tab, and you must add a public SSH key.

Important: Be sure to shut off SSH access when it is not needed.


Legal Disclaimer

This tab provides a place to add a predefined legal disclaimer that appears each time a user logs in to SCM. For example, “This computer system is the private property of its owner, whether individual, corporate, or government. It is for authorized use only.”

Appliances Login

This tab sets a login password required on all appliances in an organization for root access. We strongly recommend that you use an appliance console login password. The password must be a minimum of six characters. Leave the login password field blank and click Submit to generate a random console appliance password.

8 Designing a Network

Creating sites

A site is a physical location, such as one or more office buildings, a hosting center, or a cloud location; together, the sites make up the organization. A site houses a SteelConnect gateway and uses a permanent DNS alias. You can create a site without an appliance and add the appliance later. When you create a site, you’re essentially configuring the location of each network you want to participate in the full-mesh VPN. To speed up site definition for multiple sites, you can define sites in the comma-separated values (CSV) file format and import all of the definitions into SCM at once. The site definitions include the name and location of the site, the time zone, site tags, and so on.

To create a new site

1. Choose Network Design > Sites.

2. Click Add Site(s).

3. Select New Site to add a single site.

4. Type a site tag, which is a name for the site: for example, NY. Don’t use spaces in the tag.

Note: Don’t confuse this site tag with the tags mentioned in “To add tags to a site” on page 72. This site tag is simply a display label that gives a name to the site. The tags you add on the Location tab are more powerful because they let you group and add structure to sites.

5. Type a site description: for example, Modesto.

6. Type the site address.

7. Select a time zone from the drop-down list.

8. Click Submit.

9. Repeat steps 2 through 8 to create additional sites one at a time: for example, factory and research lab sites.

The next step is to add tags to group sites. Tags are a powerful way to provide structure for a large number of sites and allow an additional or alternative method of grouping sites. Any site tags that match can be grouped together. Site tags can be used to

• make creating a hub-and-spoke (Leaf mode) network topology easier.

• apply a granular firmware update policy to a group of sites.

• make bulk changes to site configurations.

To add tags to a site

1. Choose Network Design > Sites.

2. Select a site.

3. Select the Location tab.

4. After Tags, type a tag and press Enter. A site can have none, one, or multiple tags. Repeat step 4 to add more tags.

With the site definitions complete, you can now configure the network zones and topology. See “AutoVPN modes” on page 121.

To import multiple site definitions

1. Create a tabular data file in a spreadsheet or database that contains the site definitions and save it in the CSV format.

Figure 8-1. Source columns for bulk site creation

Include these columns in the CSV file:

• Short name - A unique short name for the site: for example, SV. Don’t include spaces.

• Long name - A descriptive name for the site: for example, Office SV.

• Tags - A comma-separated list of tags to group operations or filter sites, for example: Office, Development Sales. Use tags to provide structure for a large number of sites and allow an additional or alternative method of grouping sites. A site can have none, one, or multiple tags.

• Street address - The site’s street address.

• City - The site’s city.

• Country - A valid two-letter ISO country code.


• Time zone - The time zone associated with the site location: for example, American/New York. The time zone in the CSV file must match an entry on the timezone list that appears on the Create Site page. To view the timezone list, choose Network Design > Sites, click Add Site(s), and select New Site.

Figure 8-2. Valid time zones on the Create Site page

You can also define zones and uplinks in the file. If you don’t include zone and uplink definitions, you have the option of cloning preexisting zones and uplinks with site definitions after importing the file.

2. Choose Network Design > Sites.

3. Click Add Site(s) and select Bulk Site Creation.

4. Click Start: Select a CSV file and navigate to a local file.

5. Select the file and click Open.

Figure 8-3. Bulk site creation


6. After the system imports the site definitions, review the site listing. To fix any problems, edit the original CSV file and reimport it. SCM will never reimport or change a site that already exists with the same short name.

7. Click Submit.

8. Click Next: Select WANs and Zones.

Figure 8-4. Optional uplink and zone selection

9. Optionally, select preexisting uplinks or zones to use as templates for the new sites. When you leave the zone or uplink selection blank, the system doesn’t create any more zones or uplinks and you can add them manually later.

10. Click Finish: Launch site creation process. The system imports the site definitions into SCM.

Figure 8-5. Bulk site creation progress

11. Click Close.

12. Select the Events tab or choose Visibility > Event Log to monitor the site creation progress in the Event log. The Event log includes any site creation errors.
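Because SCM reports import problems only afterwards in the Event log and silently leaves sites with an existing short name untouched, it pays to check the CSV before importing it. The validator below is an added example (not Riverbed code): the header labels mirror the column names listed above, the time zone list is a constructed stand-in for the list on the Create Site page, country codes are checked for two-letter format only, and the sample CSV rows are constructed for this example.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Tuple

# Assumption: the CSV header uses the column names the guide lists.
REQUIRED_COLUMNS = ["Short name", "Long name", "Tags", "Street address",
                    "City", "Country", "Time zone"]
SHORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # no spaces (assumed charset)
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")            # ISO 3166-1 alpha-2 format

# Constructed stand-in for the time zone list on the Create Site page.
VALID_TIMEZONES = ["America/Los_Angeles", "America/New_York",
                   "Europe/Berlin", "Europe/London"]

# Constructed sample file: two good rows, then a short name with a space,
# a duplicate short name, and a three-letter country code.
SAMPLE_CSV = """Short name,Long name,Tags,Street address,City,Country,Time zone
SV,Office SV,"Office, Development Sales",1 Example Way,San Francisco,US,America/Los_Angeles
NY,Office NY,Office,2 Example Ave,New York,US,America/New_York
DE BER,Office Berlin,Office,Beispielstrasse 3,Berlin,DE,Europe/Berlin
SV,Duplicate SV,Office,4 Example Way,San Francisco,US,America/Los_Angeles
LON,Office London,Sales,5 Example St,London,GBR,Europe/London
"""


def validate_sites(csv_text: str, valid_timezones: Iterable[str],
                   existing_short_names: Iterable[str] = ()
                   ) -> Tuple[List[Dict], List[Tuple[int, str]]]:
    """Return (sites_to_create, errors) for a bulk site creation file.

    errors holds (row_number, message) pairs; the header counts as row 1 so
    the numbers match what a spreadsheet shows.
    """
    tz_set = set(valid_timezones)
    # SCM never reimports or changes a site whose short name already exists,
    # so such rows are reported and skipped rather than silently ignored.
    seen = set(existing_short_names)
    sites: List[Dict] = []
    errors: List[Tuple[int, str]] = []
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [(1, "missing column(s): " + ", ".join(missing))]
    for row_no, row in enumerate(reader, start=2):
        cell = lambda name: (row.get(name) or "").strip()
        problems = []
        short = cell("Short name")
        if not SHORT_NAME_RE.match(short):
            problems.append(f"short name {short!r} is empty or contains spaces")
        elif short in seen:
            problems.append(f"short name {short!r} already exists; row skipped")
        if not cell("Long name"):
            problems.append("long name is empty")
        country = cell("Country")
        if not COUNTRY_RE.match(country):
            problems.append(f"country {country!r} is not a two-letter ISO code")
        tz = cell("Time zone")
        if tz not in tz_set:
            problems.append(f"time zone {tz!r} is not on the Create Site list")
        if problems:
            errors.extend((row_no, p) for p in problems)
            continue
        seen.add(short)
        sites.append({
            "short_name": short,
            "long_name": cell("Long name"),
            "tags": [t.strip() for t in cell("Tags").split(",") if t.strip()],
            "street_address": cell("Street address"),
            "city": cell("City"),
            "country": country,
            "time_zone": tz,
        })
    return sites, errors


if __name__ == "__main__":
    ok, bad = validate_sites(SAMPLE_CSV, VALID_TIMEZONES)
    for site in ok:
        print("create:", site["short_name"], site["tags"])
    for row_no, msg in bad:
        print(f"row {row_no}: {msg}")
```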

Zones within a site

Zones are at the center of SteelConnect. A zone is equivalent to a Layer 2 IP segment within a site. Zones define subnets and VLANs on gateways.


Every site has at least one zone and can have multiple zones. When you create a site, SteelConnect automatically adds a default zone. Zones can cross sites. For example, for a business application that involves a call center that requires peer-to-peer networking, you can stretch a single zone across multiple sites, providing users all over the globe with one universal security policy applied to the same IP zone. You can add zones to any sites or any organization. A zone belongs to a site, but it can also belong to multiple sites. A site is a location like an office building, a hosting center, or a cloud location. Every site has at least one internet uplink and one local network zone.

To add a new zone to a site

1. Choose Network Design > Zones.

2. Click New Zone.

3. Select a site from the drop-down list.

4. Type a unique single word short name that describes the zone. Don’t use spaces in the name.

5. Optionally, enable the zone for guests to add some extra security and isolate the guests from other zones. Guest zones don’t participate in AutoVPN, and a guest zone can’t send guest traffic over the IPSec tunnel. Essentially, assigning a guest zone to a site sends that traffic directly out to the internet.

6. SteelConnect configures IPv4 addresses at the zone level. A new zone can automatically use the default IPv4 address numbering specified on the Organization > Numbering Pools tab. Specify a subnet to override the default zone numbering. For details on the default numbering, see “Numbering Pools” on page 65.

Important: Both IPv4 and IPv6 addresses come from finite pools of numbers. Don’t create a zone with a subnet the size of the full IP address pool, because doing so can exhaust the pool. After the pool is exhausted, SteelConnect is unable to create the zones with the allocated subnets.

7. Specify the gateway IPv4 address for the network. A SteelConnect gateway will automatically configure itself with this IP address.

8. Select whether the default gateway configuration is automatic (the default setting) or manual. Select manual to use a third-party routing configuration or a centralized DHCP server. For a manual gateway configuration, you must assign an IP address on the LAN side of the gateway to make the gateway a member of the zone. For details on manually assigning a gateway to a zone, see “Assigning a gateway to a zone” on page 76.

9. When there are multiple gateways in one location, select which gateway will bind to the zone as the default gateway.

SteelConnect Manager User’s Guide 75 Designing a Network Zones within a site

10. When SCM creates new zones, it assigns the default global VLAN ID numbering specified on the Organization > Numbering Pools tab. Specify a VLAN ID to override the default VLAN numbering. For details on the default numbering, see “Numbering Pools” on page 65.

11. Click Submit.

12. Repeat steps 2 through 11 to create additional zones.
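The following Python script is an added example, not part of this guide or of the SteelConnect product: it models the pool-based allocation of zone subnets (step 6) and VLAN IDs (step 10) and shows the exhaustion the Important note warns about, where one zone sized to the whole pool leaves nothing for the next zone. The pool size 10.0.0.0/16, the /24 default, the VLAN ID range and the first-fit allocation order are assumptions made for the illustration; SteelConnect's real defaults live on the Organization > Numbering Pools tab.

```python
"""Carve zone subnets and VLAN IDs from organisation-level numbering pools.

Added example, not Riverbed code. SteelConnect's real pool defaults live on
the Organization > Numbering Pools tab; the pool sizes, the /24 default and
the first-fit allocation order used here are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class PoolExhausted(Exception):
    """No free block of the requested size is left in the pool."""


class NumberingPools:
    def __init__(self, ipv4_pool: str, vlan_ids: range, default_prefix: int = 24):
        self.pool = ipaddress.ip_network(ipv4_pool)
        self.default_prefix = default_prefix
        self.allocated: List[ipaddress.IPv4Network] = []
        self.vlan_ids = vlan_ids
        self.zone_vlans: Dict[Tuple[str, str], int] = {}   # (site, zone) -> VLAN ID

    def allocate_subnet(self, prefix: Optional[int] = None) -> ipaddress.IPv4Network:
        """First free block of the given size; the organisation default if none given."""
        prefix = self.default_prefix if prefix is None else prefix
        if prefix < self.pool.prefixlen:
            raise ValueError(f"/{prefix} is larger than the pool {self.pool}")
        for candidate in self.pool.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(used) for used in self.allocated):
                self.allocated.append(candidate)
                return candidate
        raise PoolExhausted(f"no free /{prefix} left in {self.pool}")

    def remaining(self, prefix: Optional[int] = None) -> int:
        """How many more zones of the given size the pool can still supply."""
        prefix = self.default_prefix if prefix is None else prefix
        return sum(
            1 for candidate in self.pool.subnets(new_prefix=prefix)
            if not any(candidate.overlaps(used) for used in self.allocated)
        )

    def allocate_vlan(self, site: str, zone: str) -> int:
        """Lowest VLAN ID not yet used at this site. The same ID may be reused
        at other sites, but two zones in one site never share an ID."""
        used_here = {vid for (s, _), vid in self.zone_vlans.items() if s == site}
        for vid in self.vlan_ids:
            if vid not in used_here:
                self.zone_vlans[(site, zone)] = vid
                return vid
        raise PoolExhausted(f"no free VLAN ID at site {site!r}")


def try_allocate(pools: NumberingPools, prefix: Optional[int] = None):
    """The subnet, or None when the pool is exhausted (the condition the
    Important note above warns about)."""
    try:
        return pools.allocate_subnet(prefix)
    except PoolExhausted:
        return None


if __name__ == "__main__":
    org = NumberingPools("10.0.0.0/16", range(100, 200))
    print(org.allocate_subnet(), org.remaining(), "zones of /24 left")
    greedy = NumberingPools("10.0.0.0/16", range(100, 200))
    greedy.allocate_subnet(16)          # one zone takes the whole pool ...
    print(try_allocate(greedy))         # ... so the next zone gets nothing
```

Run it as a script to see both the normal case and the exhausted pool; the second pool object shows why a zone subnet must be strictly smaller than the pool it is carved from.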

Assigning a gateway to a zone

You can assign a gateway to a zone manually or automatically. By default, SCM assigns a gateway to a zone automatically.

To manually assign a gateway to a zone

1. Choose Network Design > Zones.

2. Select the zone and then select the Gateways tab.

3. Select Manual as the default gateway configuration.

4. Click Add Assignment.

5. Select the gateway.

6. Assign the gateway IPv4 address to the LAN side of the gateway to make the gateway a zone member. For details on DHCP relay agent settings, see “Configuring a gateway as a DHCP relay agent” on page 78. For details on DHCP/RA Server settings, see “Forwarding DHCP/BOOTP requests to a DHCP server on a remote network” on page 79. For details on skipping outbound NAT, see “Turning off outbound NAT for a zone” on page 81.


7. Click Submit.

Figure 8-6. Adding a gateway to a zone manually

Assigning more than one gateway to a zone

You can assign several gateways as members in a zone, and also you can add gateways as members to remote sites. Each gateway that becomes a member of a zone can route into the zone’s network.

To manually assign more than one gateway to a zone

1. Choose Network Design > Zones.

2. Select the zone and then select the Gateways tab.

3. Select Manual as the default gateway configuration.

4. Click Add Assignment.

5. Assign a gateway to the zone.


6. Click Submit.

Figure 8-7. Adding another gateway to a zone manually

Any gateway in a zone can act as a DHCP relay, but configure only one DHCP relay per zone.

Configuring a gateway as a DHCP relay agent

You can configure a gateway as a DHCP relay agent. A gateway configured as a DHCP relay agent forwards DHCP request and reply packets between DHCP clients and DHCP servers that aren't on the same physical subnet. The DHCP relay agent gateway doesn't have to be the default gateway.

To configure a gateway as a DHCP relay

1. Choose Network Design > Zones.

2. Select the zone in which to locate the DHCP relay.

3. Select Gateways and select Manual.

4. Edit the existing default gateway assignment or add a new gateway assignment.

5. If the DHCP server is on, turn it off.

6. Turn on the DHCP relay.

7. Specify the IPv4 address of the DHCP server to use. Only one IPv4 address is supported.

8. Click Submit.


Forwarding DHCP/BOOTP requests to a DHCP server on a remote network

Gateways typically provide dynamic IP addressing to clients; however, you might want to have the gateway forward DHCP/BOOTP requests to a central IP address management server.

To forward DHCP/BOOTP requests

1. Choose Network Design > Zones.

2. Select the zone where the client machines will connect.

3. In the LAN panel, select the Gateways tab. Set the default gateway configuration to Manual.

4. Click Edit.

5. In the Edit gateway assignment pop-up window, set DHCP/RA Server to Off.

6. Set DHCP Relay to On.

7. Type the IP address of the DHCP server in the DHCP relay address field.

8. Click Submit.

Forwarding inbound internet traffic to a remote server

You can allow clients on the internet to access select applications on your internal network, behind your SteelConnect gateway. To do this, you create a custom application and then create an inbound rule.

To create external to internal port forwarding on a gateway

1. Choose Applications > Custom.

2. Click New Application.

3. Choose a name and description for the inbound application.

4. Select the application type Device from the drop-down list.

5. Select the destination server.

6. Choose a protocol such as TCP or UDP.

7. To only forward specific ports, set Limit TCP/UDP ports to On.

8. List the ports to be forwarded in the Ports text box. Specify ranges with a dash; separate several ports or ranges with a comma.

9. Click Submit.

10. Choose Rules > Inbound (NAT) and click New inbound rule.

11. Select the Application you created in the previous steps.


12. Choose one or more uplinks where you want to implement this rule. Leave the other values at their defaults.

13. Click Submit. The new rule appears in the list.
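The Python below is an added example, not code from this guide or from SteelConnect. It parses the Ports field syntax described in step 8 (a dash for ranges, commas between entries), rejecting the malformed inputs a practitioner is most likely to type, and then models the resulting inbound rule as a lookup from (uplink, protocol, destination port) to the internal server. The model of the rule (application = destination server + protocol + ports, rule = application + uplinks, unmatched inbound traffic not forwarded) is a simplification assumed here, not the gateway's implementation, and the server addresses, application and uplink names are constructed.

```python
"""Parse the Ports field of a SteelConnect custom application and model the
inbound (NAT) rule that forwards matching internet traffic to an internal
server.

Added example, not Riverbed code. The port syntax is the one this guide gives;
the matching model (application = server + protocol + ports, rule =
application + uplinks, anything unmatched is not forwarded) is an assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


def parse_ports(spec: str) -> FrozenSet[int]:
    """Expand '80,443,8000-8010' into the set of ports it names.

    Rejects empty entries, non-numeric entries, ports outside 1-65535 and
    ranges whose start is above their end.
    """
    ports = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty entry in {spec!r}")
        lo, dash, hi = item.partition("-")
        if not lo.strip().isdigit() or (dash and not hi.strip().isdigit()):
            raise ValueError(f"not a port or range: {item!r}")
        lo_n = int(lo)
        hi_n = int(hi) if dash else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port or range: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


def ports_are_valid(spec: str) -> bool:
    """True when the field would be accepted, False for any syntax error."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class CustomApplication:
    name: str
    server: str                       # internal destination host (the "Device")
    protocol: str                     # "tcp" or "udp"
    ports: Optional[FrozenSet[int]]   # None: "Limit TCP/UDP ports" is Off


@dataclass(frozen=True)
class InboundRule:
    application: CustomApplication
    uplinks: FrozenSet[str]           # uplinks the rule is implemented on


def forward_target(rules: Iterable[InboundRule], uplink: str,
                   protocol: str, dst_port: int) -> Optional[str]:
    """Internal server an inbound packet is forwarded to, or None when no
    rule matches (assumed: unmatched inbound traffic is not forwarded)."""
    for rule in rules:
        app = rule.application
        if uplink not in rule.uplinks or app.protocol != protocol.lower():
            continue
        if app.ports is None or dst_port in app.ports:
            return app.server
    return None


def demo_rules() -> List[InboundRule]:
    """Constructed sample: a web server reachable on one uplink, a SIP PBX on two."""
    web = CustomApplication("intranet-web", "10.10.1.20", "tcp", parse_ports("80,443"))
    voip = CustomApplication("sip-pbx", "10.10.1.30", "udp", parse_ports("5060,10000-10100"))
    return [
        InboundRule(web, frozenset({"primary"})),
        InboundRule(voip, frozenset({"primary", "secondary"})),
    ]
```

Note that the rule is keyed on the uplink: the same application exposed on only one of two uplinks is not reachable through the other, which is the behaviour step 12 configures.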

Creating a third-party zone

A zone that isn't directly connected to a SteelConnect gateway is called a third-party zone. You can create a third-party zone that other zones can reach. After creating it, you add a route to make it reachable. The route specifies a next hop IP address inside the subnet of one of the connected networks; the next hop is typically a third-party router. When the uplink between the SteelConnect gateway and its neighbor (a third-party router or another SteelConnect gateway) is configured for BGP, the SteelConnect gateway advertises the zone and the BGP neighbor learns it. For details on BGP, see “BGP” on page 132.

Note: You can create one third-party route for one zone. Multiple routes aren’t supported.

To create a third-party zone

1. Choose Network Design > Zones.

2. Click New Zone.

3. Select a site.

4. Specify the third-party zone’s primary IPv4 address.

5. Specify the third-party zone's default gateway IP address.

Note: IPv6 addresses are not supported.

6. Select Manual as the default gateway configuration.

7. Click Submit.

8. Select the zone you just created.

9. Select the Gateways tab.

10. Under Gateway assignments, click Delete to remove the default gateway assignment.

11. Click Confirm to delete the default gateway.

12. Select the Settings tab.

13. Under third-party routing, click Add route.

14. To add the next hop, after From Zone/Net, select any directly connected zone in the same site.


15. In the IPv4 gateway field, type the IP address of the third-party router or gateway.

16. Click Submit.

17. Verify that the zone appears as a third-party gateway route. The SteelConnect gateway will now advertise the third-party zone in BGP and its BGP neighbor (the SteelConnect gateway or the third-party router) will learn the zone. To view the routes, see “Viewing eBGP learned and advertised routes” on page 137.

Integrating a third-party router/gateway into a zone

To use a third-party router/gateway as the default gateway

1. Choose Network Design > Zones.

2. Select the zone and then select the Gateways tab.

3. Select Manual as the default gateway configuration.

4. If there’s already a gateway assigned, delete it.

5. Click Add assignment.

6. Assign the third-party router/gateway as a member gateway for the zone.

7. Click Submit.

8. Choose Network Design > Uplinks.

9. Select Settings.

10. Select DHCP or static.

11. Select Manual as the default gateway configuration.

12. Click Submit.

Turning off outbound NAT for a zone

You can turn off outbound NAT for deployments where:

• The gateway is behind a corporate firewall that already performs NAT.

• The network is using all public IP addresses.

• The network is internal and it routes untranslated, native addresses.

• An upstream gateway, router, or firewall will perform NAT. For details, see “Turn off outbound NAT at the gateway for a zone” on page 18.

To turn off outbound NAT

1. Choose Network Design > Zones.

2. Select the zone and then select the Gateways tab.

3. Set the default gateway configuration to Manual.

4. Click Edit for the current gateway, and click On to skip outbound NAT.

5. Click Submit.

DNS settings

By default, SteelConnect appliances use the DNS server address they receive through DHCP from the ISP. If that DHCP-assigned server fails, the appliances fall back to the public Google DNS servers. You can instead use a corporate DNS server for all DNS resolution, and you can resolve internal names separately using DNS routing.

To change the DNS settings

1. Choose Network Design > Sites.

2. Select the DNS tab.

3. After Site DNS Server, type the IPv4 or IPv6 DNS server primary IP address.

4. Click Submit.

Note: A 5030 gateway ignores site-specific DNS settings. Instead, it uses the DNS settings of its management port.

To view the DNS settings for a 5030 gateway

1. Select the 5030 gateway.

2. Choose Ports.

3. Select Port 1, the management port.

4. Select the Info/Mode tab. The settings appear under Mode when Static IP is selected as the type.


DNS routing

You can use alternate DNS servers during resolution. For example, you can configure internal DNS servers and forward queries for your own domains to them. Specifying multiple internal DNS servers localizes those queries, making resolution more efficient. You can split resolution by forwarding all corporate DNS queries to an internal DNS server and all other queries to the ISP's DNS servers: corporate names then resolve to internal addresses, everything else resolves through the external servers, and the corporate DNS server only sees the queries meant for it.

To direct DNS queries to specific internal DNS servers based on domain names

1. Choose Network Design > Sites.

2. Select the DNS tab.

3. Click New DNS route.

4. Type the domain for which you want to use an internal DNS server.

5. Type the IPv4 or IPv6 address of the target server to use to resolve the domain. Separate multiple IP addresses with a space. To bind a server to a specific source IP address, add /SRC to the IP address.
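The following Python is an added example, not code from this guide or from SteelConnect. It models the resolver selection the DNS settings and DNS routing sections describe: a DNS route whose domain matches the query wins, otherwise the site DNS server if one is set, otherwise the servers learned through DHCP with the public Google resolvers as the last fallback. It also parses the target field syntax from step 5 (space-separated addresses, an optional /SRC suffix to bind the query to a local source address). Two details are assumptions rather than statements of the guide: the most specific matching domain wins when several routes apply, and the sample domains and addresses are constructed.

```python
"""Model how a site's DNS settings and DNS routes pick the resolver for a query.

Added example, not Riverbed code. Selection order follows the guide: DNS route
match, then site DNS server, then DHCP-learned servers, then Google public DNS.
Longest matching domain suffix among several routes is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

GOOGLE_PUBLIC_DNS = ("8.8.8.8", "8.8.4.4")


@dataclass(frozen=True)
class Resolver:
    address: str
    source: Optional[str] = None   # bind outgoing queries to this local address (the /SRC part)


def parse_route_targets(field: str) -> List[Resolver]:
    """'10.0.0.53 10.0.1.53/10.9.0.1' -> resolvers, validating every address."""
    resolvers = []
    for token in field.split():
        addr, _, src = token.partition("/")
        ipaddress.ip_address(addr)          # raises ValueError on junk
        if src:
            ipaddress.ip_address(src)
        resolvers.append(Resolver(addr, src or None))
    if not resolvers:
        raise ValueError("a DNS route needs at least one target server")
    return resolvers


def _matches(qname: str, domain: str) -> bool:
    """True when qname is the route's domain or a name beneath it."""
    q = qname.rstrip(".").lower()
    d = domain.strip(".").lower()
    return q == d or q.endswith("." + d)


def resolvers_for(qname: str, routes: Dict[str, str], site_dns: Optional[str],
                  dhcp_dns: List[str]) -> List[Resolver]:
    """Ordered list of servers the appliance would query for qname."""
    # 1. DNS routes: the most specific matching domain wins (assumption)
    matching = [d for d in routes if _matches(qname, d)]
    if matching:
        best = max(matching, key=lambda d: len(d.strip(".")))
        return parse_route_targets(routes[best])
    # 2. site-wide corporate DNS server, if configured
    if site_dns:
        return [Resolver(site_dns)]
    # 3. ISP servers learned through DHCP, 4. public fallback if they fail
    return [Resolver(a) for a in dhcp_dns] + [Resolver(a) for a in GOOGLE_PUBLIC_DNS]
```

The suffix check deliberately requires a dot boundary, so a route for corp.example does not capture a query for corpexample.net; that is the kind of mismatch that silently sends internal names to the ISP.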

RADIUS authentication

You can configure an NPS/RADIUS server to provide wireless (WPA2 Enterprise) authentication for a site. If a site doesn't have its own server, it can use another site's server.

To configure a RADIUS server

1. Choose Network Design > Sites.

2. Select the RADIUS tab.

3. Type the shared secret, the RADIUS server IP address, and, optionally, a port, in this format: sharedsecret@ipaddress[@port].

4. Click Submit.

You can repeat steps 2 through 4 to add a second RADIUS server, which is used for WPA-EAP authentication if the first RADIUS server doesn't answer within the timeout.

To set up an SSID using WPA2 Enterprise security

1. Choose WiFi > SSIDs.

2. Click New SSID.

3. Select WPA2 Enterprise from the security drop-down list.

4. Click Submit.


5. Choose WiFi > Broadcasts to begin broadcasting the Enterprise SSID at the applicable sites.

Creating a WAN

A WAN in SteelConnect is simply the WAN cloud that sites use to communicate with each other. It describes the type of transport available for application flows. SCM creates a default WAN. You might want to create additional WANs to enable path selection for failover or redundancy. Name your WANs descriptively, for example Primary MPLS or Internet.

To create a WAN

1. Choose Network Design > WANs.

2. Type the WAN name: for example, Primary or Secondary MPLS.

3. Optionally, type a longer description for the WAN and select WAN settings, described in “WAN settings” on page 84.

4. Click Submit.

Figure 8-8. WAN settings

WAN settings

• Internet Breakout - Click On to break out traffic directly to the internet from this site. For a private WAN circuit without internet reachability, click Off (the default setting).

• Internet NAT - (Appears when you enable Internet Breakout) Masks traffic leaving an uplink connected to an MPLS network with the uplink's public IP address instead of the original private source IP address. When Internet NAT is on, the gateway masquerades local packets for the entire MPLS network, including every zone.

• Breakout sites - (Appears when you enable Internet Breakout) Select the sites that this site can use as an internet breakout location. Click the search box for a list of sites directly connected to the internet. To use a third-party site as the internet breakout site, leave the list blank; the internet breakout site configured on the Network defaults tab is then used.

• Encryption - Click On to build an additional overlay of VPN tunnels so that zone-to-zone traffic on this WAN is encrypted, including over non-internet uplinks. The default setting is On. Enabling encryption on a second WAN doubles the number of VPN tunnels on the gateway. You can run one MPLS overlay with encryption and turn encryption off for another MPLS overlay. When Internet Breakout is enabled and one or more breakout sites are configured, internet traffic is sent encrypted to the configured breakout sites. When encryption is on, zone-to-zone traffic is sent encrypted to the remote site. When Internet Breakout is enabled but no breakout site is configured, internet traffic is sent unencrypted to the WAN default gateway, so check the breakout configuration before relying on the overlay for confidentiality.

• Trusted - Click On to permit all unencrypted traffic originating from the WAN into the gateway's WAN and LAN zones. For example, enable Trusted to let SteelConnect sites and legacy router sites within the WAN communicate with each other. Prior to SCM 2.2, allowing a host in a native MPLS network to reach a specific host in a gateway LAN zone required an inbound NAT rule identifying each host. Now, instead of creating multiple inbound rules, you simply enable Trusted. When enabled, all WAN transfer networks and eBGP-learned networks are allowed to communicate into the gateway LAN zones; because this admits those networks without any per-host rule, enable it only on a private WAN whose members you control. A transfer network is a network on the WAN side of the gateway that isn't part of the gateway LAN zones. For details on eBGP-learned networks, see “Dynamic routing overview” on page 131.

• Ping check IP - Add an IP address to probe for WAN availability. If the ping to that address fails, the system declares all uplinks to that WAN down. Internet uplinks perform an automatic ICMP ping check once every 10 seconds. When a ping at the 10-second interval fails, the gateway retries three times at 1-second intervals.

• Transfer Networks - A transfer network is a network on the WAN side of the gateway that isn't part of the gateway's WAN or LAN zones: for example, your ISP's addressing, or the core of your MPLS provider, which you don't carry as a zone on your gateway or inside your organization. You can either declare it as a transfer network that polls for WAN availability using an inside IP address, or use an IP address to poll for ISP uptime.
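The Python below is an added example, not code from this guide or from SteelConnect: it simulates the ping check timing given under Ping check IP (a probe every 10 seconds, three retries one second apart after a miss, the WAN and every uplink on it declared down when the retries also fail) against a constructed sequence of replies, so you can see how long an outage takes to detect. Two details the guide does not state are assumed: a successful retry ends the retry burst, and the normal 10-second cadence resumes from that reply.

```python
"""Simulate the WAN ping check: a probe every 10 s, three retries 1 s apart
after a miss, WAN (hence every uplink on it) down when the retries also fail.

Added example, not Riverbed code. Interval, retry count and retry spacing are
the figures from the guide; the reply sequences are constructed; a successful
retry ending the burst and the cadence resuming from it are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Sequence

INTERVAL_S = 10        # scheduled probe cadence
RETRIES = 3            # extra probes after a missed scheduled probe
RETRY_INTERVAL_S = 1   # spacing of those retries


@dataclass(frozen=True)
class Verdict:
    wan_down: bool
    decided_at_s: int     # simulated time of the decision (or of the last probe)
    probes_sent: int


def run_ping_check(replies: Sequence[bool]) -> Verdict:
    """replies[i] is whether the i-th probe got an ICMP echo reply.
    Stops at the first down verdict or when the scripted replies run out."""
    t, i = 0, 0
    while i < len(replies):
        ok, i = replies[i], i + 1           # scheduled probe at time t
        if ok:
            t += INTERVAL_S
            continue
        for _ in range(RETRIES):            # burst of retries, 1 s apart
            if i >= len(replies):
                return Verdict(False, t, i)
            t += RETRY_INTERVAL_S
            ok, i = replies[i], i + 1
            if ok:
                break
        if not ok:
            return Verdict(True, t, i)      # all retries missed: WAN is down
        t += INTERVAL_S                     # assumed: cadence resumes after recovery
    return Verdict(False, t, i)


def worst_case_detection_s() -> int:
    """Longest gap between the last good reply and the down verdict."""
    return INTERVAL_S + RETRIES * RETRY_INTERVAL_S


def uplink_states(wan_down: bool, uplinks: Sequence[str]) -> Dict[str, str]:
    """A WAN verdict applies to every uplink bound to that WAN."""
    return {name: ("down" if wan_down else "up") for name in uplinks}


if __name__ == "__main__":
    # constructed: two good probes, then the probe target goes silent
    print(run_ping_check([True, True, False, False, False, False]))
    print("worst-case detection:", worst_case_detection_s(), "s")
```

With these figures a WAN that goes dark right after a successful probe is declared down 13 seconds later, which is the window in which flows still follow the dead path; the ping target therefore needs to be something that only answers when the WAN itself is usable, not an address on the gateway's own segment.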

Creating uplinks

Uplinks define how traffic is sent from the SteelConnect gateway to the WANs it has been assigned to. An uplink physically connects the site to a WAN. A site can have a single uplink or multiple uplinks to the same WAN, and can connect to multiple WANs. Use multiple uplinks to the same WAN for redundancy. Every uplink must be bound to a site and a WAN.

Note: You cannot enable multiple uplinks on the same subnet on a gateway. This is a common restriction with routers because choosing a next hop based on overlapping subnets is ambiguous.


For details on data center uplinks on a 5030 gateway, see “Creating data center uplinks” on page 100.

To create an uplink

1. Choose Network Design > Uplinks.

2. Click New Uplink.

3. Select a site. Each uplink is site-specific; its connection type can differ from site to site.

4. Type the uplink name: for example, primary.

5. Select a WAN.

Note: You can enable an uplink as a backup to be used when no other uplinks are available; see Step 9. Uplinks that are configured for failover must be connected to the same WAN.

6. Select how the uplink connects to the WAN:

• DHCP client

• Static

• DSL/PPPoE - Configures a DSL physical layer that uses Point-to-Point Protocol over Ethernet (PPPoE) credentials on the gateway so it can authenticate and tunnel with the internet service provider. Typically the customer enters a user name and password provided by the ISP to use the last-mile link from the customer premises to the ISP. The gateway then connects to the internet using NAT and routes traffic between the configured zones and the internet.

• DSL/PPPoA/PPTP

Most DSL lines have a forced reconnect imposed by the ISP, typically every 24 hours. You can proactively choose the disconnect and reconnect time to control when the disconnect occurs. For example, if you switched your modem on for the first time during business hours, you'll get a reconnect during business hours every 24 hours until you disconnect proactively outside business hours. Use the Time for PPP-reconnect setting to automate disconnects at a specified time: to reconnect PPP uplinks at a certain time of day, select a 15-minute interval from the Time for PPP-reconnect drop-down list.

Note: The SteelHead SD 570-SD, 770-SD, and 3070-SD gateway models don't support the DSL/PPPoE or DSL/PPPoA settings for uplinks.

7. For an uplink using a static IP address, complete these fields (either IPv4 or IPv6):

• Specify a static IPv4 address. When creating an uplink to a private network, you must specify the IPv4 address with a /32 netmask.

• Specify a static IPv4 gateway.

Or

• Specify a static IPv6 address.

• Specify a static IPv6 gateway.

8. Optionally, specify a VLAN tag (1 through 4049). Note that when you specify a VLAN tag, connectivity to uplinks without a VLAN tag or uplinks that use a different VLAN tag is lost.

9. Optionally, you can enable the uplink as a backup when no other uplinks are available. This setting applies to two uplinks connected to the same WAN. When there is only one uplink and it’s set to backup only, it will be used until there is another uplink in the same WAN that is always active.

10. Click Submit.

Selecting an uplink priority

You can set an AutoVPN priority for uplinks connected to the same WAN that determines the order in which they are used. For example, when you create two uplinks and set the first uplink to high priority and the other to normal, SCM creates a tunnel for the uplink with the highest priority. If something happens to the high-priority tunnel, SCM reestablishes the tunnel through the uplink with the next highest priority. When you set the same priority for both uplinks, SCM creates a tunnel for each one based on the source and destination.

To set an uplink priority

1. Choose Network Design > Uplinks.

2. Select an uplink.

3. Under AutoVPN priority, select one of these options from the drop-down list:

• Don't use this uplink for AutoVPN - Disables AutoVPN use for the uplink.

• Low - Sets the uplink to the lowest priority.

• Normal - Sets the uplink to the normal priority.

• High - Sets the uplink to the highest priority.

4. Click Submit.
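The Python below is an added example, not code from this guide or from SteelConnect. It applies two rules from this chapter to a constructed set of uplinks: the note under Creating uplinks that two uplinks on one gateway may not share a subnet, and the AutoVPN priority rules above (highest priority on each WAN carries the tunnel, failover to the next priority when it is down, equal priorities keep every candidate, an uplink set to "Don't use this uplink for AutoVPN" never carries one, a backup-only uplink is used only while nothing else on that WAN is available). Which of several equal-priority tunnels a given flow takes is not modelled, and the uplink names, addresses and WAN names are invented for the example.

```python
"""Check a gateway's uplinks against two rules from this chapter and pick the
uplink that carries the AutoVPN tunnel on each WAN.

Added example, not Riverbed code. Names, subnets and WANs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

AUTOVPN_RANK = {"off": None, "low": 0, "normal": 1, "high": 2}


@dataclass(frozen=True)
class Uplink:
    name: str
    wan: str
    address: str               # interface address with prefix, e.g. "203.0.113.10/24"
    autovpn: str = "normal"    # "off" | "low" | "normal" | "high"
    backup_only: bool = False
    up: bool = True


def overlapping_uplinks(uplinks: Sequence[Uplink]) -> List[Tuple[str, str]]:
    """Pairs of uplinks whose subnets overlap: the next hop would be ambiguous."""
    nets = [(u.name, ipaddress.ip_interface(u.address).network) for u in uplinks]
    clashes = []
    for i, (a, net_a) in enumerate(nets):
        for b, net_b in nets[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                clashes.append((a, b))
    return clashes


def autovpn_carriers(uplinks: Sequence[Uplink]) -> Dict[str, List[str]]:
    """Per WAN, the uplinks that currently carry AutoVPN tunnels."""
    carriers: Dict[str, List[str]] = {}
    for wan in sorted({u.wan for u in uplinks}):
        live = [u for u in uplinks
                if u.wan == wan and u.up and AUTOVPN_RANK[u.autovpn] is not None]
        primary = [u for u in live if not u.backup_only]
        pool = primary or live          # backup-only uplinks only when nothing else is up
        if not pool:
            carriers[wan] = []
            continue
        best = max(AUTOVPN_RANK[u.autovpn] for u in pool)
        carriers[wan] = [u.name for u in pool if AUTOVPN_RANK[u.autovpn] == best]
    return carriers


def site_uplinks(primary_up: bool = True, dsl_up: bool = True) -> List[Uplink]:
    """Constructed sample: two internet uplinks, an LTE backup, and an MPLS uplink
    that is excluded from AutoVPN."""
    return [
        Uplink("primary", "internet", "203.0.113.10/24", "high", up=primary_up),
        Uplink("dsl", "internet", "198.51.100.5/24", "normal", up=dsl_up),
        Uplink("lte", "internet", "192.0.2.9/24", "low", backup_only=True),
        Uplink("mpls", "mpls", "10.1.1.2/30", "off"),
    ]


if __name__ == "__main__":
    print("clashes:", overlapping_uplinks(site_uplinks()))
    print("normal:", autovpn_carriers(site_uplinks()))
    print("primary down:", autovpn_carriers(site_uplinks(primary_up=False)))
    print("both down:", autovpn_carriers(site_uplinks(False, False)))
```

Running the overlap check before submitting a new uplink catches the ambiguous-next-hop configuration that SCM rejects; the carrier function shows the failover order that the priority settings produce.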

Turning off AutoVPN for an uplink

At times you might want to disable AutoVPN for an uplink. For example, you can turn AutoVPN off to bring a tunnel down while troubleshooting tunnel connectivity.

To turn off AutoVPN for an uplink

1. Choose Network Design > Uplinks.

2. Select an uplink.

3. Under AutoVPN priority, select Don’t use this uplink for AutoVPN.

4. Click Submit.


Creating an uplink for a single router to an MPLS network

To set up a VPN over the MPLS network as shown in Figure 2-3 on page 20, configure the uplink of the gateway to propagate the internal IP address that the remote sites use as the endpoint target for the AutoVPN tunnel. By default, SCM uses the external IP address facing the internet.

Note: SCM activates AutoVPN only for uplinks connecting to WANs using the internet and skips other interface types.

To configure an uplink to use an internal interface

1. Choose Network Design > Uplinks.

2. Select the uplink.

3. Select AutoVPN.

4. Select Internal Interface IPv4.

5. Click Submit.

Adding zone details

Choose Network Design > Zones and select a zone to view more configuration possibilities:

• IP tab - Define the IPv4 or IPv6 network and gateway addresses. By default, the gateway assumes that it is the IP gateway for the site and serves DHCP addresses; clients on the LAN side use it as their .1 address. Use this tab to change the default gateway IP address to any other IP address in the subnet for which it serves DHCP addresses. You can also enable IPv6 so that a gateway providing default gateway services also sends router advertisements (RAs) for IPv6 connectivity in this zone.

Note: SteelConnect does not allow 0.0.0.0/0. Use a specific IP address and subnet mask.

To enable the gateway to send router advertisements for IPv6 connectivity in a zone

1. Click On next to Use IPv6.

2. Specify the IPv6 network.

3. Specify the IPv6 gateway IP address for the network.

4. Click Submit.

• Gateways tab - By default, a SteelConnect gateway deployed in the site is automatically configured as the default gateway for this zone. The zone uses the default gateway IP addresses specified on the IP tab. If you want to control all gateway assignments for this zone manually, or you want to use a third-party default gateway for this zone, select Manual.

• DHCP tab - When the gateway is acting as the DHCP resource for a zone, use these settings to configure its properties and parameters. You can also use the Options field to make a specific HTTP proxy server available to the SteelConnect appliances behind the gateway.


Range start - First IP address available for assignment to DHCP clients.

Range end - Last IP address available for assignment to DHCP clients.

Lease time - How long an address handed out by a gateway acting as DHCP server stays valid. A client must renew its lease before this period expires; otherwise the gateway invalidates the lease and the client may no longer use that address. Select a lease time from 5 minutes to 48 hours from the drop-down list.

Options - Advanced configuration options for the DHCP server, one per line. You can use Options to build a restricted environment in which end users and devices on the internal network have no direct internet access: HTTP proxy support lets the SteelConnect appliances behind the gateway reach SCM through an explicit proxy instead of directly. The DHCP server hands the appliance the IP address or hostname of the HTTP proxy, and the appliance then uses that proxy to connect to SCM.

To configure an HTTP proxy for a SteelConnect appliance behind a gateway

• In the Options field, specify the vendor code Riverbed, suboption 42, and your HTTP proxy server's IP address (or hostname) and port. Enclose the address or hostname and the port in straight quotation marks:

#option vendor:Riverbed,42,"IP address or hostname:port"

This lets SteelConnect appliances such as gateways, switches, and access points deployed behind a SteelConnect gateway use the proxy for all traffic destined to SCM. Because a gateway doesn't necessarily receive its IP address through DHCP, setting up HTTP proxy support for a gateway behind a router takes more configuration: you add the vendor code on the router in front of the gateway. One of the gateway's uplinks then requests and receives the vendor option, installs it, and uses it.

To configure an HTTP proxy for a SteelConnect gateway behind a router

• When the ISC DHCP server provides DHCP to a SteelConnect gateway, add these lines to its configuration file to define the Riverbed vendor option space and set the SCM proxy address:

    option space Riverbed;
    option Riverbed.proxy code 42 = text;
    option local-encapsulation code 43 = encapsulate Riverbed;
    option Riverbed.proxy "host_addr:port_no";

Important: The HTTP proxy needs to be available on the underlay network.

Note: Reverse SSH tunnels don’t work with HTTP proxy support.
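The following Python is an added example, not code from this guide, from Riverbed or from ISC. It builds and parses the DHCP option 43 payload that the dhcpd definition above produces: RFC 2132 vendor-specific information, a sequence of code/length/data suboptions with optional zero padding and a 255 end marker, with suboption 42 holding the proxy "host:port" as text. Use it to check, in a packet capture of the DHCP offer, that the server is handing the gateway the value you intended, and to see what a truncated or malformed option looks like before the gateway has to deal with it. The proxy hostname and port are constructed; that suboption 42 carries the proxy text is what the dhcpd lines declare.

```python
"""Encode and decode the DHCP option 43 payload that carries the SteelConnect
HTTP proxy setting (Riverbed vendor option space, suboption code 42, text).

Added example, not Riverbed or ISC code. Framing follows RFC 2132 section 8.4
(vendor-specific information as code, length, data suboptions; 0 pads, 255
ends). The proxy host and port used below are constructed.
"""
from typing import Dict, List, Optional, Tuple

OPTION_VENDOR_SPECIFIC = 43     # RFC 2132 "Vendor Specific Information"
SUBOPTION_RIVERBED_PROXY = 42   # "option Riverbed.proxy code 42 = text"
SUBOPTION_PAD, SUBOPTION_END = 0, 255


def encode_suboptions(subopts: List[Tuple[int, bytes]]) -> bytes:
    """code, length, data for each suboption; no end marker is appended here."""
    out = bytearray()
    for code, data in subopts:
        if not 1 <= code <= 254:
            raise ValueError(f"suboption code {code} is reserved")
        if len(data) > 255:
            raise ValueError("suboption data exceeds one-byte length")
        out += bytes((code, len(data))) + data
    return bytes(out)


def encode_proxy_option(proxy: str) -> bytes:
    """Complete option 43 TLV (outer code and length included) for 'host:port'."""
    payload = encode_suboptions([(SUBOPTION_RIVERBED_PROXY, proxy.encode("ascii"))])
    if len(payload) > 255:
        raise ValueError("option 43 payload exceeds one-byte length")
    return bytes((OPTION_VENDOR_SPECIFIC, len(payload))) + payload


def decode_suboptions(payload: bytes) -> Dict[int, bytes]:
    """Walk the suboption list, skipping pad bytes and stopping at 255.
    Raises when a length runs past the end of the payload."""
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == SUBOPTION_END:
            break
        if code == SUBOPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated suboption header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"suboption {code} claims {length} bytes, payload ends early")
        subopts[code] = data
        i += 2 + length
    return subopts


def proxy_from_option(tlv: bytes) -> Optional[str]:
    """'host:port' carried in an option 43 TLV, or None if suboption 42 is absent.
    Rejects a malformed outer TLV and a value that is not host:port."""
    if len(tlv) < 2 or tlv[0] != OPTION_VENDOR_SPECIFIC:
        raise ValueError("not an option 43 TLV")
    payload = tlv[2:2 + tlv[1]]
    if len(payload) != tlv[1]:
        raise ValueError("truncated option 43")
    raw = decode_suboptions(payload).get(SUBOPTION_RIVERBED_PROXY)
    if raw is None:
        return None
    text = raw.decode("ascii")
    host, sep, port = text.rpartition(":")
    if not (sep and host and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"proxy value is not host:port: {text!r}")
    return text


def is_well_formed(tlv: bytes) -> bool:
    """True when the TLV parses and carries a usable proxy value (or none at all)."""
    try:
        proxy_from_option(tlv)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    tlv = encode_proxy_option("proxy.example.net:3128")   # constructed value
    print(tlv.hex(), "->", proxy_from_option(tlv))
```

The hex printed for the sample value is what to look for in the offer on the wire: 2b (option 43), the payload length, 2a (suboption 42), the text length, then the ASCII of host:port. Because the proxy must be reachable on the underlay (see the Important note), a wrong or truncated value here leaves the gateway unable to reach SCM at all, which is why the parser rejects rather than guesses.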

• VLAN tag - SCM automatically assigns a VLAN ID to a zone, even if tags aren't used on the wire. You can change the VLAN ID. You can reuse the same VLAN ID in different zones at different sites, but two zones in the same site can't use the same VLAN ID.

When you use the same VLAN ID at different sites, you can still import a zone from another site, unless the local destination site already uses the VLAN ID of the imported zone. When the imported zone's VLAN ID conflicts with one at the local destination site, the local zone takes precedence and its port, gateway assignments, and broadcast settings are used. The system disables any conflicting assignments and settings and displays an alert that the zone has not been imported.

• Policy tag - Forces anything that matches a policy tag into that zone. For example, you can assign certain users a policy tag, such as tagging executives into a unique zone no matter where they roam or what they plug into. You could also use a policy tag to move everyone from conference room 1 to conference room 2, or assign a policy tag to employees that use the same type of cubicle across the office so that they receive the same connection each time they connect to the network.

• Management zone - Designates a zone as the place that access points and switches use to receive their dynamic IP addressing when DHCP is enabled. Appliances that use multizone (VLAN trunk) connectivity use this zone for IP autoconfiguration and console communication.

• WAN/AutoVPN - Use the internet breakout preference option to override any breakout points previously set at the site or organization level and choose a path for each zone. For example, you could set up a testing lab zone to send its traffic over the internet, and a production zone at the same site to backhaul traffic through the main data center. Use the membership option to choose which WAN or AutoVPNs a particular breakout preference applies to. Figure 2-10 on page 27 shows an internet breakout deployment. You can also configure a hub-and-spoke deployment using AutoVPN leaf mode from this tab, as shown in Figure 11-2 on page 123.

Zone settings

Use the Settings tab to:

• change a zone name.

• prevent ICMP traffic from entering the zone. (ICMP traffic is always permitted to leave the zone.)

• add routes to networks with third-party routers when the SteelConnect gateway doesn't own all the networks that touch it. For example, there might be a zone used as a transit network or an extension to another site connected to the LAN of that network. Specify any networks with third-party routers to make the SteelConnect gateways aware of their existence and how they are reached. For example, if there is a demilitarized zone (DMZ) separated by a firewall, you must let the remote sites know where the DMZ is located. For details, see “Creating a third-party zone” on page 80.

Adding a second IPv4 network subnet to a zone

SteelConnect lets you add additional IPv4 network subnets to an existing zone using the ADDL Networks tab. For example, you can mix a public IPv4 network with a private one. Any subnets added become part of RouteVPN. The difference between this feature and the third-party routes described in “Creating a third-party zone” on page 80 is that the SteelConnect gateway can act as the gateway for this traffic. To make these additional network subnets reachable through a SteelConnect appliance, you must assign a gateway from the Gateways tab.


Adding a static route manually

1. Create a zone called “Remote Network” belonging to the site.

2. Reopen the zone “Remote Network” and select the Gateways tab.

3. Switch the default gateway configuration to Manual.

4. If there’s already a gateway assigned, delete it.

5. Choose Network Design > Zones.

6. Select the zone that needs to be reachable through the third-party router (shown as remote zone 10.99.99.0/24 in Figure 8-9).

7. Select the Settings tab.

8. Click Add route.

9. In the From Zone/Net field, type the zone connected to the Riverbed gateway where the third-party gateway is located (shown as local zone in Figure 8-9).

10. In the IPv4 gateway field, type the IP address of the third-party router belonging to the local zone (shown as .254 in Figure 8-9).

Figure 8-9. Gateway using a static route
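The Python below is an added example, not code from this guide or from SteelConnect. It models the constraints that both the "Creating a third-party zone" procedure and the static route steps above rely on: the third-party zone has no gateway of its own, the next hop must sit inside a directly connected zone of the same site (step 9 and step 10), and only one third-party route is allowed per zone. The site layout follows the Figure 8-9 description (a local zone with a third-party router at .254 and a remote zone 10.99.99.0/24), but the local subnet 10.10.0.0/24, the second site and the longest-prefix choice when several zones could contain a destination are assumptions made for the example.

```python
"""Validate and resolve the third-party (static) routes this chapter describes.

Added example, not Riverbed code. Zone names and the local subnet are
constructed; longest-prefix selection among overlapping zones is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Zone:
    name: str
    site: str
    network: str
    connected: bool          # True: a SteelConnect gateway is a member of this zone


@dataclass(frozen=True)
class ThirdPartyRoute:
    zone: str                # the third-party zone made reachable
    from_zone: str           # directly connected zone that contains the next hop
    next_hop: str            # the third-party router's address in that zone


class SiteRouting:
    def __init__(self, zones: List[Zone]):
        self.zones = {z.name: z for z in zones}
        self.routes: Dict[str, ThirdPartyRoute] = {}

    def add_route(self, route: ThirdPartyRoute) -> None:
        target = self.zones[route.zone]
        via = self.zones[route.from_zone]
        if target.connected:
            raise ValueError(f"{target.name} already has a gateway; no third-party route needed")
        if route.zone in self.routes:
            raise ValueError(f"{route.zone} already has a third-party route; only one is supported")
        if not via.connected or via.site != target.site:
            raise ValueError(f"{via.name} must be a directly connected zone in site {target.site}")
        if ipaddress.ip_address(route.next_hop) not in ipaddress.ip_network(via.network):
            raise ValueError(f"next hop {route.next_hop} is not inside {via.name} ({via.network})")
        self.routes[route.zone] = route

    def lookup(self, destination: str) -> Optional[str]:
        """'direct' for a connected zone, the next hop for a routed third-party
        zone, None when the destination is unroutable from this site."""
        addr = ipaddress.ip_address(destination)
        matches = [z for z in self.zones.values() if addr in ipaddress.ip_network(z.network)]
        if not matches:
            return None
        zone = max(matches, key=lambda z: ipaddress.ip_network(z.network).prefixlen)
        if zone.connected:
            return "direct"
        route = self.routes.get(zone.name)
        return route.next_hop if route else None


def try_add(routing: SiteRouting, route: ThirdPartyRoute) -> Optional[str]:
    """None on success, otherwise the reason the route was rejected."""
    try:
        routing.add_route(route)
        return None
    except ValueError as err:
        return str(err)


def hq_zones() -> List[Zone]:
    """Constructed sample: a connected LAN zone and a third-party zone at one
    site, plus a connected zone at a second site."""
    return [
        Zone("local", "hq", "10.10.0.0/24", connected=True),
        Zone("remote", "hq", "10.99.99.0/24", connected=False),
        Zone("branch-lan", "branch", "10.20.0.0/24", connected=True),
    ]


if __name__ == "__main__":
    routing = SiteRouting(hq_zones())
    print("before route:", routing.lookup("10.99.99.7"))
    print(try_add(routing, ThirdPartyRoute("remote", "local", "10.10.0.254")))
    print("after route:", routing.lookup("10.99.99.7"))
```

The check that matters most operationally is the one on the next hop: a route whose gateway is not inside a zone the SteelConnect gateway is actually connected to is accepted nowhere useful and the remote network simply stays unreachable.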


Portals

SteelConnect provides wireless user access. SteelConnect also lets you create portals to customize the user access experience, whether users are registered or guests. You can use bring your own device (BYOD) registration, use guest vouchers, require users to click through to accept the terms of service, or create a guest portal that is authenticated by a guest login. To set up a BYOD registration portal, you must enable email and mobile messaging (SMS) as additional authentication to join and register a device using the portal.

To configure a guest portal

1. Choose Network Design > Portals.

2. Click New Portal.

3. Select the portal type Guest Portal - Authenticated.

4. Click Submit. After creating the portal, you need to assign it to a WiFi broadcast.

To assign a portal to a WiFi broadcast

• Choose WiFi > Broadcasts > Portal.

Registering guest devices using social media

When the portal is active on a guest zone, guests can use these methods to register guest devices:

• Mobile phone number (via SMS)

• Email address

• Social media apps Facebook, Google, and Twitter

The Organization > Social Media tab is where an administrator configures guest access using a social media app. After guest devices are registered and validated, they are allowed access to the guest zone. Remember that guest zones are always masqueraded and are never part of the RouteVPN topology. Also, after you create a guest zone you can't change it to a standard zone.

To use Facebook

1. Log in to https://developers.facebook.com. You might need to verify your Facebook account.

2. Choose My Apps > Add a New App.

3. Select basic setup instead of selecting a platform.

4. Choose a clear display name such as Riverbed Social WiFi.

5. Choose a namespace such as riverbedsocialwifi.


6. Choose a category.

7. Click Create App ID. After successful creation, the app is in development mode and is therefore not publicly available. You must enter a valid contact email to make the app available to all users.

8. Choose Settings > Basic > Contact Email and enter a valid email address.

9. Click Save Changes.

10. Go to the menu App Review.

11. Click Yes to switch on public access.

12. Confirm that you want to make the app public.

13. Choose Settings > Advanced > Security > Valid OAuth redirect URIs.

14. Insert the redirect URL displayed in your SCM (for example, https://.riverbed.cc/portal-social-in). You can find the redirect URL under Organization > Social Media Apps.

15. Save your changes. In the Facebook developers sidebar, choose Dashboard and copy/paste App ID and App Secret to your Organization > Social Media Apps > Facebook Application ID/secret.

To use Google

1. Log in to https://console.developers.google.com/project.

2. Click Create Project.

3. Type a representative project name. For example, Riverbed Social WiFi. To use a different project ID as the project name, click Edit and change the ID information.

4. Click Create.

5. Go to the Google Developers Console at https://console.developers.google.com/project.

6. Select your project: in this example, Riverbed Social WiFi.

7. To activate the Google+ API choose API Manager > Social APIs in the sidebar on the left.

8. Click Google+ API.

9. Click Enable.

10. Select the OAuth consent screen tab and assign credentials to your project.

11. Select a product name to show to users: for example, Riverbed Social WiFi. The Homepage URL, product logo, privacy policy URL, and terms of service URL are optional.


12. Click Save to store your progress.

13. In the left sidebar, choose APIS & AUTH > Credentials.

14. Click Create credentials and choose OAuth Client ID.

15. Choose a name. For example, Riverbed Social WiFi.

16. Copy the redirect URI: for example, https://.riverbed.cc/portal-social-in. Note: To find your redirect URL, choose Organization > Social Media. The URL appears under access parameters.

17. Click Create Client ID and copy the client ID and secret that appear in the pop-up window.

18. In SCM, choose Organization > Social Media and then copy and paste the Google client ID and secret.

19. Click Submit.

To use Twitter

1. Sign in to https://apps.twitter.com.

2. Click Create New App.

3. In the application details, type a clear application name. For example, Riverbed Social WiFi.

4. Add an application description. For example: Twitter OAuth.

5. Add your company website. For example, http://www.riverbed.com.

6. Insert a callback URL. For example, https://.riverbed.cc/portal-social-in. To find the callback URL in SCM, choose Organization and select the Social Media tab. The URL appears under the Social Media Apps access parameters.

7. Agree to the developer rules.

8. Create your Twitter application and copy the API key and secret.

9. In SCM, choose Organization > Social Media, and then paste the Twitter API key and secret.

10. Click Submit.


Data Center Gateway Clusters

Adding gateways to the data center

The SDI-1030 and SDI-5030 gateways are the data center side of SteelConnect. The 1030 is meant for a large branch, campus, or small data center and is deployed in-path. In contrast to the gateways that handle the in-path traffic, 5030 data center gateways are deployed out of path deep inside the data center network. Because the 5030 gateways are placed physically out of path from the data flow, you can deploy them with no network downtime. The system relies on traffic redirection to the gateways to receive SD-WAN services. The SteelHead Interceptor 9600 sits in path to provide traffic redirection. The SteelHead Interceptor can be used for both WAN optimization and SD-WAN when the SteelHeads are on the LAN side and the data center gateways are on the WAN side of the network. For details, see the SteelHead Interceptor User’s Guide. You can deploy 1030 and 5030 gateways in a data center with minimal redesign and disruption to the ongoing data center operations. This section describes data center deployments using 5030 gateways.


Topology

A data center gateway scales to a higher capacity consistent with the data center environment. To accommodate data center workloads, 5030 gateways are designed to operate in a cluster. Clusters provide resiliency and reliability in addition to higher bandwidth throughput.

Figure 9-1. Data center gateway cluster topology

The software-defined WAN (SD-WAN) functionality shown in Figure 9-1 is comprised of two SteelHead Interceptors and a SteelConnect data center gateway cluster. The SteelHead Interceptors provide scalable data referencing (SDR)-aware load balancing and network traffic redirection. The SD-WAN topology requires minimal routing interaction and provides graceful failover, scalability, and easy upgrades to existing configurations. A 5030 gateway acts as a termination point for all overlay tunnels coming into a data center location from the branch offices. A 5030 gateway only serves a subset of branch traffic: overlay-to-underlay conversion ingress and underlay-to-overlay redirection on egress. In addition to serving data center-bound overlay traffic, a 5030 gateway can act as a common gateway across many branches. The data center gateway achieves integration with the network underlay using External Border Gateway Protocol (eBGP) peering with WAN aggregation routers in the data center, as shown in Figure 9-1. The 5030 gateway is aware of any non-SteelHead sites connected to the network and lets those sites know of any SteelConnect-enabled branches and data centers on the WAN. Use SteelConnect Manager (SCM) to create and configure the gateways as out-of-path clusters on your network. SCM supports one cluster per site. Each gateway in a 5030 cluster is physically connected to SCM using an out-of-band management connection.

Note: The 5030 gateway doesn’t interact with LAN switches or access points, and it doesn’t include a built-in perimeter firewall.


Cluster components

A 5030 gateway cluster is simply three or more 5030 gateways stacked together and wired to the data center. A minimum of three 5030 gateways in a cluster is required to provide single gateway fault protection. A cluster uses Layer 2 full-mesh interconnectivity between the individual gateways, either through direct interconnects (cluster spanning across multiple gateways) or through an external switch. A 5030 gateway cluster is made up of these components:

• Cluster nodes - The individual physical 5030 gateways in the cluster.

• Data center uplinks - The network segments that connect to available WANs. Data center uplinks notify SteelConnect which WANs are available for building 5030 gateway tunnels across.

• Overlay tunnel endpoints (TEPs) - The IP addresses that provide the reachability information for a branch to a data center. You can think of TEPs as the on and off ramps to the overlay network. Traffic enters and leaves the overlay through a TEP.

• Site pool - A collection of branches grouped together to communicate with a data center. Site pools provide a way to share the branch traffic load.

• Site map - A resource allocation method that tracks how a site cluster is serving the site traffic at any point in time to maintain high availability for the data center gateways. The site map tracks which site pool is associated with which data center node.

Attracting branch traffic toward data center gateways

SteelConnect can steer traffic bound for branches to the data center gateways using a SteelHead Interceptor 9600 to intercept the traffic and tunnel it to the data center gateways using generic routing encapsulation (GRE). After creating the data center gateway cluster, you enable communication between the gateways in the cluster and the SteelHead Interceptor sending traffic to the cluster by entering the sd-wan and sd-wan communication CLI commands on the SteelHead Interceptor. For details on these CLI commands, see the Riverbed Command-Line Interface Reference Manual. For details on the SteelHead Interceptor, see “Changing the default gateway configuration” on page 117 and the SteelHead Interceptor Deployment Guide.

Creating clusters

Before configuring a data center gateway cluster, you must add at least three 5030 gateways to a site. All of the 5030 gateways must be:

• connected to SCM using a dedicated connection. For details, see “Configuring ports” on page 98.

• registered with SCM. For details, see “Adding shadow appliances” on page 209.

• running the same firmware version. For details, see “How can I tell if the appliance firmware is up to date?” on page 62.

• cabled on the WAN side. We recommend that the gateways be cabled identically for redundancy.

A cluster is limited to 256 nodes.


Configuring ports

Each of the 5030 gateways uses ports 1 and 2 for system-related tasks. The remaining ports are used as data ports.

• Port 1 - Management port dedicated to SCM. Requires connectivity to a network with internet access to facilitate calls to SCM. The SteelHead Interceptor must be able to reach this port.

• Port 2 - Dedicated cluster connectivity port, providing an internal, private physical connection between the 5030 gateways for cluster synchronization and high availability. All 5030 gateways must be Layer 2 adjacent in this network.

• Port 3 - Data port for WAN-facing connectivity, which can optionally be used for high availability.

• Ports 4-10 - Data ports for WAN-facing connectivity. Figure 9-2 assumes that there are two WANs available.

Figure 9-2. Data center gateway cluster connectivity

To create a data center gateway cluster

1. Choose Network Design > Clusters.

2. Click New Cluster.

3. Specify a cluster name.

4. Select the site to deploy the cluster from the drop-down list.


Tip: In a cluster workflow, it can become difficult to differentiate between data center gateways in a cluster when they are referenced on various SCM pages. We strongly recommend that you always specify a detailed location for the gateway using the Location field under the Location tab in the appliance page. Setting the location associates a gateway with its location wherever an appliance is referenced, making it easy to identify.

5. Select the cluster members from the drop-down list.

6. Specify the number of failover nodes. By default, the system creates one failover node in a cluster of three 5030 gateways.

7. Select On to accept communications from an integrated SteelHead Interceptor 9600 running version 5.6.0 or later with 5030 gateways to help route and optimize network traffic.

8. Specify the IP address the Interceptor will use to communicate with the cluster. The IP address has to be on the management network for the cluster.

9. Click Submit. Select the cluster from the Clusters page and select the Info tab to view the cluster’s health. The individual cluster member status appears at the bottom of the page under cluster configuration.

Figure 9-3. Cluster configuration


A green check mark lets you know that the item is configured correctly. A red x appears next to any item that needs attention. When a green check mark appears next to each item under Cluster Configuration, the cluster is configured correctly. In Figure 9-3, a red x appears after three items, indicating that you also need to configure BGP neighbors, interfaces, and data center uplinks before the cluster configuration is complete. Selecting the link next to the red x takes you to the configuration page where you can fix the issue.

Creating data center uplinks

A data center uplink physically connects the cluster to a WAN. A cluster must have at least one uplink; it can have multiple uplinks to the same WAN and can connect to multiple WANs. You can use multiple uplinks to the same WAN for redundancy. You need to bind an uplink to a cluster and a WAN. You also need to enter an IPv4 and IPv6 address for each IP set, per uplink. The data center uplink is restricted to the IP subnet.

To create an uplink

1. Choose Network Design > Clusters.

2. Select a cluster to associate with the uplink. Each uplink is cluster-specific and its connection type differs between clusters.

3. Select the Datacenter Uplinks tab.

4. Click Add Datacenter Uplink.

Figure 9-4. Data center uplink

5. Type the uplink name: for example, DC Uplink2. Each uplink name must be unique.


6. Select a WAN.

Important: 5030 gateways are deployed out of path in the data center. To deploy path selection with a 5030 gateway, you must enable encryption on the WAN. When encryption is disabled on a WAN, the packets are not put on any tunnel. This means that the packets from the remote branch to the 5030 gateway in the data center will use the destination IP address and not the 5030 gateway’s WAN interface. As a result, packets won't be sent to the 5030 gateway. With encryption enabled, packets will reach the data center because the 5030 gateway will send the packets to the original destination on the LAN. For details, see “WAN settings” on page 84.

7. Identify how the branch gateway will reach the correct data center gateway by specifying the tunnel endpoints for each gateway in the cluster: for example, 40.1.1.1. For three appliances in the cluster, add two tunnel endpoints for each gateway, resulting in six endpoint IP addresses. You can also use a netmask subnet and SCM will allocate the endpoints. You can also specify a public IP’s corresponding NAT port along with the tunnel’s endpoints.

8. Specify the public IPv4 address of the uplink with an optional netmask. This address is required for Internet WANs and optional for other WANs.

9. Click Submit.

Creating interfaces

Each 5030 appliance must have at least one interface.

To create an interface

1. Choose Network Design > Clusters.

2. Select a cluster to associate with the interface.

3. Select the Interfaces tab.

4. Click Add Interface.

5. Select a data center port from the drop-down list. Click the search box to search for a port.

6. Specify the IPv4 address and netmask of the interface on the 5030 gateway. The netmask is required. Use this format for an individual subnet IP address and netmask: xxx.xxx.xxx.xxx/xx

7. Specify the IPv6 address for the interface. Use this format for an individual subnet IP address and netmask: x:x:x::x/xxx

8. Specify the MTU value. The MTU is the largest physical packet size, measured in bytes, that a network can send. The default value is 1500.

9. Click Submit.

10. Repeat steps 4 through 9 to add more interfaces one at a time.


You can select the Interfaces tab to view the interfaces for a cluster.

Figure 9-5. Interfaces associated with a cluster

The next task is to configure the BGP settings to enable dynamic routing for a cluster. This task is required.

Why enable dynamic routing for a cluster?

The 5030 gateways use eBGP for dynamic routing within the data center. Each 5030 gateway in a cluster forms eBGP peering with the data center routers. The global BGP settings:

• establish eBGP neighbor relationships with the provider edge (PE) routers.

• enable the data center gateway to learn routes from the WAN uplinks.

Enabling dynamic routing for a data center cluster provides reachability information for the following scenarios.


Forwarding packets from the branch to the data center gateway

Because the data center network needs to know how to forward tunneled packets from the branch to the correct 5030 gateway, you have to define the 5030 gateway tunnel endpoints in the underlay.

Note: SteelConnect doesn’t support IPv6-based tunnel endpoints (TEPs).

Figure 9-6. Forwarding from the branch to the data center

Forwarding packets from the data center gateway to the branch

Because there can be multiple routers going to different WAN edges in the network, the 5030 gateway needs to know how to forward outgoing tunneled packets heading to the branch to the correct data center router. The data center router informs the 5030 gateway about the branch TEP reachability.

Figure 9-7. Forwarding from the data center to the data center router en route to the branch


Forwarding inner connections to the data center

The 5030 gateway must know how to forward decapsulated inner packets to the appropriate data center router. The data center router must tell the 5030 gateways about the data center subnet reachability.

Figure 9-8. Forwarding inner connections through the data center router

Configuring BGP settings

This routing information flows between the eBGP peers:

• The 5030 gateway informs the data center aggregation routers of its TEP addresses that terminate on the 5030 gateway.

• In the opposite direction, the data center’s aggregation routers communicate to the 5030 gateways all of the prefixes they need to route to data center subnets, including branch TEP addresses and the branch subnets for all non-SD-WAN branches.

Each appliance must have at least one BGP neighbor. BGP routing is also needed for cluster high availability. For details, see “eBGP and high availability” on page 158. For more information on dynamic routing with BGP, see “Branch dynamic routing topologies with eBGP” on page 133. First, configure the individual 5030 appliances with local information.

To configure BGP for a 5030 appliance

1. Choose Appliances.

2. Select an appliance.

3. Select the BGP tab.


4. Fill out these required session attributes:

• Router ID - Specify the router IPv4 or IPv6 address to uniquely identify the router in the local autonomous system (AS). The gateway can peer with any remote router that supports eBGP. eBGP must be enabled on the router.

• Local AS - Specify the AS number the router belongs to: for example, 100. The range is from 1 to 4294967295.

Next, configure the BGP information for the cluster. The cluster needs the router information required to communicate with the 5030 gateways.

To configure BGP for a data center cluster

1. Choose Network Design > Cluster.

2. Select a cluster.

3. Select the BGP tab.

4. Fill out these BGP settings:

• Tunnel Endpoint Community - Restricts traffic entering a tunnel by tagging route advertisements to a BGP peer with a community attribute. Specify a community name in the format AA:NN or a number between 1 and 65535. The same community attribute is applied to all route advertisements from the gateway. The Tunnel Endpoint (TEP) Community tag and the Branch Community tag must be different. You don’t need to have a community attribute for each unique subnet and zone advertised.

• Branch Community - Restricts traffic entering a tunnel by tagging route advertisements to a BGP peer with a community attribute. Specify a community name in the format AA:NN or a number between 1 and 65535. The same community attribute is applied to all route advertisements from the gateway. The Branch community tag and the TEP community tag must be different. You don’t need to have a community attribute for each unique subnet and zone advertised.

• Subnet Splitting - When disabled, the gateway advertises the regular branch subnet prefixes (BSPs) for which it is responsible to its eBGP peers. When enabled, the gateway withdraws the BSPs and instead advertises the corresponding split subnets. When disabled again, the system withdraws the split subnets and advertises the BSP as received. By default, subnet splitting is off.

5. Click Add BGP Neighbor.

6. Specify a name for the neighbor.

7. Select an appliance from the drop-down list.

8. Specify the neighbor’s IPv4 address.

9. Specify the AS number (ASN) the neighbor belongs to: for example, 100. The range is from 1 to 4294967295.

10. In the Password field, type a password to enable MD5 authentication. You must use the same password on both BGP neighbors. If you don’t require MD5 authentication, you can leave this field blank.


11. In the Keep Alive Time field, specify the interval, in seconds, at which the eBGP neighbors exchange keepalive messages to determine whether a link has failed or is no longer available. The neighbors exchange keepalive messages often enough that the hold time does not expire. The default setting is 60 seconds.

12. In the Hold Time field, specify the amount of time, in seconds, that a gateway neighbor waits for an incoming keepalive, update, or notification message from a neighbor before it assumes its neighbor is down. If the gateway doesn’t receive a keepalive, update, or notification message from its neighbor within the period specified, it closes the connection and routing through that neighbor becomes unavailable. A 0 value means that no keepalive messages are sent and the connection will never close. The hold-time range is from 0 to 65535. The default setting is 180 seconds (three minutes). The hold-time value is three times the interval at which keepalive messages are sent. Using the default values for the keepalive time of 60 and the hold time of 180, the settings work together like this: after two neighbors establish an eBGP session, 60 seconds later they’ll each send a keepalive message. When a gateway receives a keepalive message from its neighbor, that gateway’s hold time for the session will have counted down from 180 to 120, but it’s then reset to 180. This process continues every 60 seconds. However, should neighbor A lose power, then neighbor B won’t receive any keepalives. So after 180 seconds, neighbor B determines that neighbor A is down and closes the session.

13. Click Submit.

14. Repeat steps 5 through 13 to create additional neighbors one at a time. Select the BGP tab to view the BGP neighbor configuration for a cluster.

Figure 9-9. BGP neighbors for a cluster
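The keepalive and hold timer interplay described in step 12, as an added Go simulation that is not part of the guide or the product. The BGPTimers type, the simulated failure time, and the validation rule that a non-zero hold time is at least three times the keepalive interval are assumptions made for illustration.

```go
package main

import "fmt"

// BGPTimers holds the two per-neighbor timers from the cluster BGP settings (hypothetical type).
type BGPTimers struct {
	KeepAlive int // seconds between the keepalives a neighbor sends
	HoldTime  int // seconds of silence tolerated before the neighbor is declared down; 0 = never
}

// Valid applies the guide's hold-time range (0 to 65535) and, as an assumption made here,
// requires a non-zero hold time to be at least three times the keepalive interval.
func (t BGPTimers) Valid() bool {
	if t.KeepAlive <= 0 || t.HoldTime < 0 || t.HoldTime > 65535 {
		return false
	}
	return t.HoldTime == 0 || t.HoldTime >= 3*t.KeepAlive
}

// DetectionTime simulates neighbor B watching neighbor A. A sends a keepalive every
// KeepAlive seconds (at t = KeepAlive, 2*KeepAlive, ...) and loses power at failAt seconds.
// It returns the second at which B closes the session, or -1 if it never does.
func (t BGPTimers) DetectionTime(failAt int) int {
	if t.HoldTime == 0 || t.KeepAlive <= 0 {
		return -1 // hold time 0: no keepalives are sent and the session never closes
	}
	hold := t.HoldTime // B's countdown for this session
	for sec := 1; ; sec++ {
		if sec <= failAt && sec%t.KeepAlive == 0 {
			hold = t.HoldTime // keepalive arrived in time: countdown resets to the full hold time
			continue
		}
		hold-- // one more second of silence
		if hold == 0 {
			return sec // hold time expired: B closes the session
		}
	}
}

func main() {
	d := BGPTimers{KeepAlive: 60, HoldTime: 180} // the guide's defaults
	// A's last keepalive goes out at t=120 and A fails at t=130; B notices at t=300,
	// which is 180 s after the last keepalive, not 180 s after the failure.
	fmt.Println("valid:", d.Valid(), "detected at:", d.DetectionTime(130))
}
```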


Special consideration for iBGP and eBGP deployments

Deployments that use a combination of eBGP and iBGP require some special configuration on the routers.

Figure 9-10. 5030 gateway deployment combining eBGP and iBGP

In this topology, the interior gateway protocol (IGP) in the data center underlay is iBGP, and the MPLS WAN side is using eBGP. eBGP is in use between the 5030 gateways, router 1, and router 2. The 5030 gateways advertise the branch prefixes and TEPs into the underlay through eBGP, with the next hop as self. iBGP will advertise these routes but it won’t update the next hop of routes advertised by the 5030 gateways. Because the 5030 gateway cluster requires an eBGP session with next hop routers, this requirement will have an effect on traffic if one of the WDRs through which the routes were reachable were to go down. This is a known configuration and an industry practice. This scenario requires additional CLI configuration on the routers. For example, configure the router 1 through router 3 iBGP session or the router 2 through router 3 iBGP session like this:

On router 1

router bgp 1
neighbor remote-as 1
neighbor next-hop-self

On router 2

router bgp 1
neighbor remote-as 1
neighbor next-hop-self


Advertising the default route in IGP in the data center for internet uplinks

The packets from the remote branch to the gateway cluster in the data center on the internet uplink use the source IP address as the public IP address for the remote branch. They also use the destination IP address as the public IP address for the data center. Because the destination IP address gets NATed on the internet router or the firewall to the 5030 gateway's TEP IP, the remote branch is able to send packets to the 5030 gateway cluster. But the overlay traffic from a 5030 gateway to the remote branch could fail because the source IP address will be the 5030 gateway's TEP and the destination IP address will be the public IP address of the remote branch, which is not advertised in the data center underlay. To enable the 5030 gateway to learn the default route, the network administrator or engineer for the data center must redistribute the default route into the IGP of the data center and also into the BGP session with the 5030 cluster. After the 5030 learns the default route, it knows how to send packets out to the remote branch on the internet uplink.

Secure overlay tunnels

SteelConnect establishes secure overlay tunnels between a data center cluster and branch gateways. The overlay tunnels are secured using centralized virtual private network keying (C-VPN-K). Traffic is encrypted by the Advanced Encryption Standard (AES) cipher algorithm in Cipher Block Chaining (CBC) mode using a 256-bit key. For secure authentication, centralized VPN keying uses the hash message authentication code (HMAC) secure hash algorithm (SHA512). By default, centralized keying is turned off for branch gateway-only (non-5030) deployments. When centralized keying is off, gateway-to-gateway tunnels are established with IKEv2 using the same encryption and authentication algorithms as centralized keying. Centralized keying can be enabled for a given realm when the realm contains a 5030 gateway. When centralized keying is enabled, both branch gateway-to-branch gateway and branch gateway-to-data center gateway (5030) tunnels within that realm use centralized keying.

Figure 9-11. Secure overlay tunnels use centralized VPN keying


Deployment considerations

• For centralized keying to work, you must enable encryption for all WANs, including MPLS. For details, see “WAN settings” on page 84.

• 5030 gateways don’t support IKEv2.

• We recommend using NTP time synchronization to synchronize the branch and data center gateways. Complete this procedure on each branch and data center gateway in the deployment.

To synchronize the date and time using NTP servers

1. Choose Organization.

2. Select the Networking Defaults tab.

3. Under NTP settings, specify the local Network Time Protocol (NTP) servers of your choice, one per line. We recommend that you configure your own internal NTP servers; however, you can leave the field blank to use these default Riverbed-provided NTP servers:

• 0.ocedo.pool.ntp.org

• 1.ocedo.pool.ntp.org

• 2.ocedo.pool.ntp.org

• 3.ocedo.pool.ntp.org

4. Click Submit.

SD-WAN controller

SCM and the SD-WAN controller reside within the Riverbed-hosted cloud environment. The SD-WAN controller listens to configuration changes made by the user through the SCM, such as adding new sites. The SD-WAN controller reacts to any configuration changes and, if required, creates new tunnels between the branch gateways and the data center 5030 gateway cluster to account for the changes. The SD-WAN controller owns and manages all centralized VPN keys.

Key management, retrieval, and rotation

The 5030 gateways must connect to the SD-WAN controller with their management port. When a 5030 gateway cluster is configured and centralized keying is enabled for the realm, the SD-WAN controller generates unique VPN keys for each tunnel. The data center gateway receives the encryption keys from the controller through an SSL connection on TCP port 3904. TCP port 3904 must be open on the corporate firewall in order for the gateways to pull the keys securely. The branch gateways already have a secure connection to the controller in the cloud and use this connection. You don’t need to open an additional port on the firewall for the branch gateways.

• The gateways store the keys locally for use until the rekey interval expires.

• The keys are changed every four hours or when a new tunnel endpoint (TEP) appears.


• The gateways change from the old to the new keys during a rekeying event and apply the new keys to the existing tunnels.

• Each gateway is only aware of the keys used to secure its own tunnels.
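The encrypt-then-MAC construction the "Secure overlay tunnels" section names (AES-256 in CBC mode plus HMAC-SHA512) together with the controller-owned, four-hour key rotation described above, as an added Go example that is not SteelConnect code. The Controller and TunnelKeys types, the tunnel identifier, and the IV | ciphertext | tag packet layout are assumptions made for illustration; only the algorithms, key size and rekey interval come from the guide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"time"
)

// rekeyInterval is the rotation period the guide states for centralized keys.
const rekeyInterval = 4 * time.Hour

// TunnelKeys is a hypothetical per-tunnel key bundle; both tunnel endpoints get a copy.
type TunnelKeys struct {
	EncKey []byte    // 32-byte AES-256 key used in CBC mode
	MacKey []byte    // 64-byte HMAC-SHA512 key
	Issued time.Time // when the controller generated this bundle
}

// Controller models the SD-WAN controller that owns every tunnel's keys (hypothetical).
type Controller struct{ keys map[string]TunnelKeys }

func NewController() *Controller { return &Controller{keys: map[string]TunnelKeys{}} }

// Issue generates fresh random keys for a tunnel, as happens when a new TEP appears.
func (c *Controller) Issue(tunnel string, now time.Time) (TunnelKeys, error) {
	buf := make([]byte, 32+64)
	if _, err := rand.Read(buf); err != nil {
		return TunnelKeys{}, err
	}
	k := TunnelKeys{EncKey: buf[:32], MacKey: buf[32:], Issued: now}
	c.keys[tunnel] = k
	return k, nil
}

// Fetch is what a gateway calls for one of its own tunnels. The controller hands back the
// current keys, rotating them first if the rekey interval has expired (bool reports rotation).
func (c *Controller) Fetch(tunnel string, now time.Time) (TunnelKeys, bool, error) {
	if k, ok := c.keys[tunnel]; ok && now.Sub(k.Issued) < rekeyInterval {
		return k, false, nil
	}
	k, err := c.Issue(tunnel, now)
	return k, true, err
}

// Seal protects one inner packet: AES-256-CBC with a random IV, then HMAC-SHA512 over
// IV||ciphertext (encrypt-then-MAC). Output layout: IV | ciphertext | 64-byte tag.
func Seal(k TunnelKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	msg := append(iv, ct...)
	mac := hmac.New(sha512.New, k.MacKey)
	mac.Write(msg)
	return mac.Sum(msg), nil // appends the tag to IV||ciphertext
}

// Open verifies the tag in constant time before any decryption, then strips the padding.
func Open(k TunnelKeys, packet []byte) ([]byte, error) {
	const tagLen = sha512.Size
	if len(packet) < 2*aes.BlockSize+tagLen {
		return nil, errors.New("packet too short")
	}
	msg, tag := packet[:len(packet)-tagLen], packet[len(packet)-tagLen:]
	mac := hmac.New(sha512.New, k.MacKey)
	mac.Write(msg)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed: packet dropped before decryption")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}
```

A gateway calling Fetch for the same tunnel three hours later gets the same keys back, and four hours later gets rotated ones; a packet whose ciphertext was altered in transit is rejected by the tag check before CBC decryption runs.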

Key resiliency

• SCM services related to centralized keying are fault tolerant and don’t affect AutoVPN connectivity when restarted.

• The centralized keys are resilient to complete loss of connectivity to SCM for extended periods (about one day).

• The keys are resilient to asymmetric loss of connectivity to SCM, such as when only one gateway receives a configuration update.

Viewing cluster health

1. Choose Network Design > Clusters. The cluster health appears.

Figure 9-12. Cluster health

A cluster’s health falls into one of these categories:

• Healthy - Indicates that all gateways in the cluster are operating normally.

• Degraded - Indicates that not all gateways in the cluster are operating normally. The cluster is unprotected by redundancy but is operational.

• Unhealthy - Indicates a loss of quorum resulting from one or more gateways in the cluster going offline or failing.

• Unknown - Indicates the lack of status updates because the connection to SCM is down.

2. For more details, select the cluster.

3. Select the Info tab.


The individual cluster member status appears. A red x appears next to any item that needs attention. Selecting the link next to the red x takes you to the configuration page where you can fix the issue. When you return to the cluster info page, a green check mark lets you know that the item is configured correctly. When a green check mark appears next to each item under Cluster Configuration, the cluster is configured correctly.

Note: The system reports cluster health status for individual cluster members during the initial cluster configuration; it doesn’t reflect runtime status. To view cluster runtime events, view the event log. The event log reports cluster status events in 15-second intervals.

Figure 9-13. Cluster health status

Because SCM has direct visibility into the appliances, you can also investigate the status of the individual gateways within a cluster using the Appliances Overview page. You can correlate the gateway’s status with the overall cluster health because each gateway contributes to the cluster health.

To view a data center appliance status

1. Choose Appliances > Overview.

2. Find the data center gateways belonging to the cluster in the appliance list.

3. Check the appliance configuration status.

• Up to date - Indicates that the appliance is running the most recent configuration.


• Pending - Indicates that the appliance hasn’t yet received the pushed configuration and the appliance is offline.

• Firmware upgrade - Indicates that a new firmware version has been downloaded to the appliance but the firmware version hasn’t been updated yet. For details on upgrading the individual appliances belonging to a cluster, see “Upgrading a data center cluster” on page 158.

When one of the appliances in a cluster is offline, SCM reports an unhealthy cluster.

Deleting a cluster

Deleting a cluster deletes all data center uplinks associated with the appliances. The interfaces and BGP neighbors are not deleted and are still available as part of the individual 5030 appliance configurations.

1. Choose Network Design > Clusters.

2. Select a cluster.

3. Click Actions and then select Delete this cluster from the drop-down menu. A dialog asks for confirmation.

Figure 9-14. Deleting a cluster confirmation

4. Click Confirm.

Viewing cluster status events

You can also check the event log to determine whether the system has initialized the site pool map for the cluster. The site pool map is initialized when the cluster configuration is complete and the cluster determines how it is going to handle the site pools using its physical resources. A site pool map initialization event indicates that the cluster has sent a site pool map to SCM and is ready to handle traffic flows. Cluster status events are reported in 15-second intervals.


To view events

• Select the Events tab or choose Visibility > Event Log.

Figure 9-15. SCM site pool initialization event

SCM also captures high-availability failover events that result in a site pool assignment change, as shown in Figure 9-16.

Figure 9-16. SCM site pool change event

How does SteelConnect allocate resources within a cluster?

During provisioning, the system matches a site pool to a data center gateway belonging to a cluster, creating a site map. Site pools are used for data center resiliency to ensure that in the event of a physical appliance, software, or link failure, the data center can keep track of the physical branch gateways so that their perception of IP reachability doesn’t change after a failure. Site pools allow network nodes to be dynamically provisioned while improving failover performance time and ensuring that there is never a single point of failure. Site pools contain abstractions of physical appliances using a virtual entity. The system uses the abstractions to provide seamless high availability without having to coordinate all of the components across the entire topology. The branches are segregated into separate site pools using a round robin algorithm, so if a data center gateway fails, it impacts only a subset of the branches. The system assigns one of the site designator instances in the lead role to be in charge of site assignment coordination across the entire cluster. The site designator splits the branch sites into two distinct site pools, such as site pool 1 and site pool 2, during provisioning. After assuming the lead role, the site designator takes an inventory of the data center gateways that can be tasked with servicing individual site pool assignments.


In Figure 9-17, the site map designates data center gateway 2 with an active service assignment for site pool 1. The initial site pool assignment ensures backup service using data center gateway 1. After an appliance failure on data center gateway 2, the system reassigns site pool 2 flows to the backup data center gateway 1. No further changes to service assignment need to happen when the data center gateway 2 recovers from the failure. For details on high availability, see “How does data center high availability work?” on page 157.

Figure 9-17. Site pool and map assignments

Multiple site pools are processed by a single 5030. In terms of CPU resource allocation, there is a fixed amount of CPU processing allocated to each site pool. A bin packing algorithm balances the resource consumers (traffic processing to and from the remote sites) with the resource producers (the CPU cycles required to process the traffic). Resource consumption is directly proportional to site size. For details, go to https://en.wikipedia.org/wiki/Bin_packing_problem. For a first approximation to place resource consumers into site pools, SteelConnect provides a uniform distribution of small, medium, and large sites into all site pools. For example, suppose you have “x” small sites, “y” medium sites, and “z” large sites allocated between four site pools (A, B, C, and D). An ideal allocation of resource consumers to site pools is to allocate one quarter of all sites (x, y, and z) to each site pool (A, B, C, and D). The default site size is medium. You can adjust the distribution of resource consumers based on site size. The small, medium, and large site sizes are relative to ensure efficient bin packing with a fair distribution.

To adjust the distribution of resource consumers by site size

1. Choose Network Design > Sites.


2. Select a site.

3. Select the Size tab.

4. Choose a site size from the drop-down list: small, medium, or large.

5. Click Submit. Changing the site size might reassign it to another 5030 in the cluster, depending on how the system redistributes the resources.

How does SteelConnect allocate site pools with multiple cluster uplinks?

Each 5030 gateway can handle multiple site pools. When a data center cluster has multiple uplinks, SCM uses tunnel endpoints (TEPs) from each uplink to create a pool. For example, suppose that there are six to ten remote sites and the cluster uplink 1 has TEPs T1 and T3. Cluster uplink 2 has TEPs T2 and T4. In this example, SteelConnect creates one pool with TEPs T1 and T2 with remote sites R1 to R5, and another pool with TEPs T3 and T4 with remote sites R6 to R10.
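The allocation described in the preceding sections, as an added example that is not SteelConnect code: a Python model of the uniform round-robin spread of small, medium and large sites into site pools, the active/backup site pool map with failover, and the TEP pairing across two cluster uplinks. The size weights, the pool and gateway names, and the rule that a recovered gateway resumes the backup role are assumptions of the model; the round robin, the proportional resource consumption and the T1/T3, T2/T4 pairing follow the text.

```python
from itertools import cycle

# Assumed relative weights for the three site sizes. The text only says the
# sizes are relative, so these numbers are a constructed illustration.
SIZE_WEIGHT = {"small": 1, "medium": 2, "large": 4}


def distribute_sites(sites, pools):
    """Uniform round-robin distribution: each size class is dealt out over
    all pools in turn, so every pool receives about one-Nth of the small,
    one-Nth of the medium and one-Nth of the large sites."""
    assignment = {pool: [] for pool in pools}
    ring = cycle(pools)  # one cursor shared by all classes
    for size in ("large", "medium", "small"):
        for name, site_size in sites:
            if site_size == size:
                assignment[next(ring)].append(name)
    return assignment


def pool_load(assignment, sites):
    """Resource consumption is proportional to site size, so the load of a
    pool is the sum of the weights of the sites assigned to it."""
    size_of = dict(sites)
    return {pool: sum(SIZE_WEIGHT[size_of[name]] for name in names)
            for pool, names in assignment.items()}


def build_site_map(pools, gateways):
    """Site designator step: every pool gets an active gateway and a
    different backup gateway, taken round robin from the inventory."""
    n = len(gateways)
    if n < 2:
        raise ValueError("a cluster needs at least two gateways for a backup")
    return {pool: {"active": gateways[i % n], "backup": gateways[(i + 1) % n]}
            for i, pool in enumerate(pools)}


def apply_failure(site_map, failed_gateway):
    """Move the flows of every pool whose active gateway failed to its
    backup. Nothing is changed again when the failed gateway recovers; in
    this model it simply resumes the backup role (an assumption)."""
    new_map = {}
    for pool, roles in site_map.items():
        if roles["active"] == failed_gateway:
            new_map[pool] = {"active": roles["backup"], "backup": failed_gateway}
        else:
            new_map[pool] = dict(roles)
    return new_map


def tep_pools(uplink_teps, remote_sites):
    """Multiple cluster uplinks: pool i takes the i-th TEP of every uplink,
    and the remote sites are split evenly across the pools in order.
    uplink_teps = [["T1", "T3"], ["T2", "T4"]] gives pools (T1, T2), (T3, T4)."""
    teps_per_pool = list(zip(*uplink_teps))
    per_pool = -(-len(remote_sites) // len(teps_per_pool))  # ceiling division
    return [{"teps": list(teps),
             "sites": remote_sites[i * per_pool:(i + 1) * per_pool]}
            for i, teps in enumerate(teps_per_pool)]


if __name__ == "__main__":
    # Constructed inventory: four small, two medium and four large sites.
    sites = ([(f"s{i}", "small") for i in range(1, 5)]
             + [(f"m{i}", "medium") for i in range(1, 3)]
             + [(f"l{i}", "large") for i in range(1, 5)])
    assignment = distribute_sites(sites, ["A", "B", "C", "D"])
    print(assignment)
    print(pool_load(assignment, sites))
    site_map = build_site_map(["pool1", "pool2"], ["dcgw1", "dcgw2"])
    print(apply_failure(site_map, "dcgw2"))
    print(tep_pools([["T1", "T3"], ["T2", "T4"]], [f"R{i}" for i in range(1, 11)]))
```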


Integrating a SteelHead Interceptor with a Data Center Gateway

Overview

A SteelHead Interceptor (model 9600) can be integrated with SteelConnect data center SDI-5030 gateways to help route and optimize network traffic. The SteelHead Interceptor provides scalable data referencing (SDR)-aware load balancing and traffic redirection. However, before you can use the SteelHead Interceptor in a SteelConnect data center, you need to integrate the SteelHead Interceptor with the gateway in the data center and enable SD-WAN on each SteelHead Interceptor in the cluster.

Note: You must use the Riverbed command-line interface (CLI) to enable SD-WAN on each SteelHead Interceptor in the cluster. For more information about SteelHead Interceptors, see the SteelHead Interceptor User’s Guide. For more information about SteelHead Interceptor deployments, see the SteelHead Interceptor Deployment Guide.

Changing the default gateway configuration

To integrate a SteelHead Interceptor with a SteelConnect gateway, you need to change the default gateway configuration.

Note: This procedure assumes that you have already configured a data center site and associated a zone with it.

To change the default gateway configuration

1. Choose Network Design > Zones.

2. Select the data center zone used to connect to the SteelHead Interceptor.

3. Select the Gateways tab.

4. Click Manual as the default gateway configuration. The Edit and Delete buttons in the Gateway assignments area become available.


Figure 10-1. Default gateway configuration change

5. Click Delete and then click Confirm when prompted to delete the default gateway assignment.

6. Click Edit.

7. Select the Gateway 5030 appliance.

8. Click Member for the Gateway type.

9. Click Manual for the IP assignment.

10. Enter the IPv4 address assigned to the gateway.

11. Leave the remaining fields set to Off.

12. Click Submit.

Figure 10-2. Default gateway assignment change


Why is the Datacenter tab dimmed?

When the Datacenter tab is dimmed, it means that the data center is not associated with a SteelConnect data center gateway (5030).

Figure 10-3. Datacenter tab dimmed

To make the Datacenter tab active

• Choose Network Design > Sites and enter the IPv4 address assigned to the gateway.

Figure 10-4. Missing IPv4 address


Connecting a Topology Using VPN

Setting up site-to-site VPN

AutoVPN is a SteelConnect feature that connects multiple sites with a secure, full-mesh virtual private network (VPN) without tedious manual configuration. AutoVPN is a fast way to create a resilient VPN backbone between all your sites; however, SteelConnect also provides SwitchVPN to make a zone available in a remote site and Classic VPN for use with third-party gateways.

AutoVPN modes

AutoVPN links the gateways or access points at an organization’s sites. In most traditional products, to link sites together using a mesh design, you need to create and configure multiple virtual private network (VPN) tunnels to and from each other to carry private network traffic from one endpoint system to another. Further, to create more sites, you have to add more tunnels and hope you enter everything correctly so that the tunnels line up perfectly. Even if you manage to configure the tunnels without mistakes, it can take days of work to scale.


SteelConnect automatically sets up a full-meshed VPN configuration in minutes. By default, AutoVPN is on and includes any zones you configure. The AutoVPN connections use IPSec based on StrongSwan with AES256-SHA1 (AES-256 encryption with SHA-1 integrity) and IKEv2, and NAT traversal is always active. If you’re interested in alternative ways to configure AutoVPN beyond the default setting, keep reading.

Figure 11-1. Full-mesh VPN using AutoVPN

You can configure AutoVPN in these operating modes: Leaf mode, RouteVPN, and SwitchVPN.


Leaf mode

You can configure AutoVPN to work in a hub-and-spoke network. Simply configure a site or a zone to operate in leaf mode and specify whether you want it to connect to a data center or any other site. You can use this method to mix and match which sites or zones you want to include in the full-mesh VPN and which connect only to a single site or zone. You simply turn AutoVPN off for zones that you don’t want to include in the VPN. For details, see “AutoVPN leaf mode” on page 125.

Figure 11-2. Hub-and-spoke network using AutoVPN

RouteVPN (Layer 3)

RouteVPN is essentially a WAN created over the internet as a result of AutoVPN. SteelConnect routes all IP subnets (IPv4, IPv6, additional networks, third-party routing) of a zone through AutoVPN. RouteVPN is SteelConnect’s Layer 3 VPN, based on IPSec. It automatically builds the required VPN tunnels between sites if their zones are flagged as reachable from other sites in the same organization. SCM constantly monitors the VPN links, and the traffic is included in policy controls. RouteVPN knows what to send into the tunnels based on the zones defined in the ecosystem. When you configure a new zone, its routes are advertised to all gateways. If you choose an internet breakout point, SteelConnect sends all traffic from the source site over the RouteVPN, including internet traffic. This allows central enforcement and policy while retaining the advantage of internet access at the edge. Guest zones can’t communicate through the RouteVPN.


SwitchVPN (Layer 2)

SwitchVPN is SteelConnect’s Layer 2 VPN, based on IPSec. It automatically makes a zone available in a remote site when you use the same zone for multiple sites. No manual configuration is necessary.

Figure 11-3. Zone sharing using SwitchVPN

SwitchVPN use case

Although SwitchVPN allows you to create Layer 2 VPN connectivity across a Layer 3 WAN, we don’t recommend that you use it for Layer 2 VPN connectivity in a production network. Instead, use SwitchVPN to easily create one-off connections for temporary network troubleshooting or network configuration. For example, you could use SwitchVPN to configure short-lived Layer 2 VPN connections that allow a server to be Trivial File Transfer Protocol (TFTP) booted across the WAN. We don’t recommend SwitchVPN as an approved network design deployed throughout a production network for the creation of Layer 2 point-to-point VPN connections or point-to-multipoint VPN connections.

SwitchVPN limitations

These limitations apply to SwitchVPN deployments:


• Make sure that the connections between the two sides of the zone partition are low bandwidth. We recommend less than 5 Mbps per connection.

• You must deploy fewer than ten devices on either side of the zone partition, because MAC learning and Address Resolution Protocol (ARP) storms on ten or more devices will have a detrimental impact on the performance of the SteelConnect gateways.

• Don’t use significant broadcast domains on either side of the zone partition.

• The SwitchVPN deployment must use less than two percent of all zones in an organization.

• Deploy SwitchVPN only for point-to-point VPN connectivity. Don’t use SwitchVPN for point-to-multipoint VPN connectivity.

AutoVPN leaf mode

SteelConnect automatically uses AutoVPN between the gateways to create a full-mesh overlay and establish communication between the sites. While the full-mesh overlay makes communication easy, you might have deployments that need to scale without using full mesh. For a more traditional point-to-point configuration, you can enable AutoVPN leaf mode. Leaf mode turns off the mesh for a site and allows you to choose a remote gateway to peer with, as shown in “Hub-and-spoke network using AutoVPN” on page 123. Instead of peering with everyone, you peer with a designated nonleaf master. The master site sends and receives AutoVPN traffic. Leaf mode still participates in the VPN but only sends internal enterprise traffic to a single site.

AutoVPN leaf mode use case

Suppose a bank with many branches only needs to communicate with the data center and does not need to use AutoVPN connections to all the sites. It simply needs a single tunnel back to the data center. Other sites can still participate in the full mesh across that VPN simultaneously. You can implement leaf mode across the entire organization or you can configure it site by site.
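To make the scaling argument concrete, an added example (not SteelConnect code) that counts the IPsec peerings AutoVPN would build for a set of sites in full mesh versus leaf mode: non-leaf sites mesh with each other, a leaf site builds one tunnel to its non-leaf master. The site names and the dictionary layout are constructed for the example.

```python
from itertools import combinations


def full_mesh_count(site_count):
    """Tunnels in a full mesh: one per pair of sites."""
    return site_count * (site_count - 1) // 2


def autovpn_peerings(sites):
    """sites maps a site name to {"leaf": bool, "master": name or None}.
    Non-leaf sites peer with every other non-leaf site (full mesh); a leaf
    site builds exactly one tunnel, to its designated non-leaf master."""
    hubs = [name for name, cfg in sites.items() if not cfg["leaf"]]
    peerings = {frozenset(pair) for pair in combinations(hubs, 2)}
    for name, cfg in sites.items():
        if not cfg["leaf"]:
            continue
        master = cfg.get("master")
        # A leaf must point at a site that itself takes part in the mesh.
        if master not in sites or sites[master]["leaf"]:
            raise ValueError(f"{name}: master must be an existing non-leaf site")
        peerings.add(frozenset((name, master)))
    return peerings


def tunnels_per_site(peerings):
    """How many IPsec tunnels each site has to maintain."""
    counts = {}
    for pair in peerings:
        for site in pair:
            counts[site] = counts.get(site, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed topology: two hub sites and fifty leaf branches homed on DC.
    sites = {"DC": {"leaf": False, "master": None},
             "HQ": {"leaf": False, "master": None}}
    sites.update({f"branch{i}": {"leaf": True, "master": "DC"}
                  for i in range(1, 51)})
    peerings = autovpn_peerings(sites)
    print(len(peerings), "tunnels with leaf mode versus",
          full_mesh_count(len(sites)), "in a full mesh")
    print(tunnels_per_site(peerings)["DC"], "tunnels terminate on DC")
```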

To enable AutoVPN leaf mode

1. Choose Network Design > Sites.


2. Select the WAN/AutoVPN tab.

Figure 11-4. Enabling AutoVPN leaf mode

3. Turn AutoVPN leaf mode on.

4. Select a master site. The master site should not be behind the NAT router, and the more bandwidth it has, the better.

5. Click Submit.

To remove a zone from AutoVPN

1. Choose Network Design > Zones.

2. Select the zone to exclude.

3. Select the WAN/AutoVPN tab.

4. Remove the zone from the RouteVPN membership.


Deployment examples

AutoVPN between gateways

Figure 11-5 shows AutoVPN through an automatically imported remote zone. The headquarters zone was imported automatically by using it in an SSID broadcast in the branch office.

Figure 11-5. AutoVPN

To set up AutoVPN between gateways as shown in Figure 11-5

1. Choose WiFi > Broadcasts.

2. Click New Broadcast.

3. Select the Branch Office site from the drop-down list.

4. Select your SSID.

5. Select the default zone Headquarters VLAN 1003.

AutoVPN between access point and gateway

For a home office without a SteelConnect gateway, you might want to enable AutoVPN for the access point. In this example, the access point receives the remote zones through the AutoVPN feature.

Figure 11-6. AutoVPN for a home office without a gateway


AutoVPN between access points

An access point has the same VPN capabilities as a gateway, and access points support fully meshed AutoVPN or leaf mode. A typical use case is two sites without a SteelConnect gateway deployed. In this configuration, you can enable AutoVPN on the access points to access each other’s zones.

Figure 11-7. AutoVPN for home and branch office without a gateway

To enable AutoVPN on an access point

1. Choose Appliances > Access Points.

2. Select the access point.

3. Select the AutoVPN tab.

4. Click On.

When an access point and the zone of a broadcast are in the same site without a gateway, the access point establishes the L3 VPN locally. When an access point and the zone of a broadcast are in different sites, the system establishes an L2 tunnel.

Connecting to a third-party VPN

Some deployments require a SteelConnect gateway connection to an IPSec VPN built by a third-party vendor. You can connect to a third-party VPN using Classic VPN. Classic VPN creates a manual VPN tunnel using the standard IPSec IKEv1 or IKEv2 protocol. A remote gateway is not necessary. Classic VPN configurations can classify traffic based on TCP/UDP port number, providing a more granular approach to traffic steering. Classic VPN only supports main mode key exchange.

Classic VPN use cases

Classic VPN is an easy and flexible method to use when:


• connecting to a third-party IPSec VPN gateway, such as a firewall or a Unified Threat Management (UTM) appliance.

• migrating from an existing VPN solution to SteelConnect RouteVPN. You can even use the IP subnets of the remote networks and rules.

• integrating sites with overlapping IPv4 addresses, using one-to-one NAT configuration. When connecting networks through VPN that use the same IP addresses on both sides, it’s impossible to create a simple IPSec tunnel, as routing through the tunnel doesn’t work. Classic VPN uses an integrated NAT layer, in which you can map an overlapping network one-to-one into a virtual network. This means that you can communicate with the remote location using the virtual NAT network, yet prior to entering the tunnel, the system transparently replaces IPv4 addresses with the matching address from the remote side, allowing both networks to remain unchanged.

• using one-to-one NAT configuration for local zones. For example, you can NAT a /xx network behind another /xx network using NETMAP. You can also configure a masquerading NAT for the complete local zone behind one IP address. In this case, the remote VPN peers can’t connect to the local zone/network, but using Classic VPN makes it possible to have many clients connecting from the local zone to the remote zone. The administrator uses a /32 network mask in the 1:1 NAT net field of the local zones in Classic VPN configuration.

• connecting to cloud security services such as ZScaler. You need one tunnel per site.

• connecting two predefined organizations with a tunnel, using mirrored settings. Each organization creates its own key.
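The one-to-one and masquerading NAT behaviour described above, as an added example that is not SteelConnect code: a Python model of a NETMAP translation for two sites that both use 10.1.0.0/24, and of the /32 masquerade case in which only locally initiated connections get a mapping, so remote peers cannot reach the local zone. The addresses, the virtual networks and the port range are constructed for the example.

```python
import ipaddress


def netmap(address, from_net, to_net):
    """1:1 NAT (NETMAP): keep the host part of `address` and swap the network
    part of `from_net` for that of `to_net`. Prefix lengths must match."""
    addr = ipaddress.ip_address(address)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs networks of equal size")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(addr) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def before_tunnel(src, dst, local_real, local_virtual, remote_real, remote_virtual):
    """Translation a gateway applies just before a packet enters the tunnel:
    the local source becomes its virtual address (so the remote side can
    answer it) and the virtual destination becomes the remote side's real
    address. The same function serves the reply path when called from the
    other site's point of view."""
    return (netmap(src, local_real, local_virtual),
            netmap(dst, remote_virtual, remote_real))


class MasqueradeNat:
    """Whole local zone hidden behind one address (the /32 case). Only
    connections initiated from the local zone create a mapping, so an
    unsolicited packet from a remote VPN peer has nowhere to go and is dropped."""

    def __init__(self, nat_ip, first_port=1024):
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.table = {}  # (nat_ip, nat_port) -> (real_ip, real_port)

    def outbound(self, real_ip, real_port):
        """Allocate (or reuse) the masqueraded source for a local host."""
        for nat_key, real in self.table.items():
            if real == (real_ip, real_port):
                return nat_key
        key = (self.nat_ip, self.next_port)
        self.next_port += 1
        self.table[key] = (real_ip, real_port)
        return key

    def inbound(self, nat_ip, nat_port):
        """Real destination for a packet arriving from the tunnel, or None
        when no local host opened the connection (packet dropped)."""
        return self.table.get((nat_ip, nat_port))


if __name__ == "__main__":
    # Constructed scenario: site A and site B both use 10.1.0.0/24. Site A is
    # mapped to 172.16.1.0/24 and site B to 172.16.2.0/24.
    a_real, a_virt = "10.1.0.0/24", "172.16.1.0/24"
    b_real, b_virt = "10.1.0.0/24", "172.16.2.0/24"
    # A host at site A (10.1.0.5) talks to site B's 10.1.0.9 via 172.16.2.9.
    print(before_tunnel("10.1.0.5", "172.16.2.9", a_real, a_virt, b_real, b_virt))
    # The reply leaves site B's gateway with the sites swapped.
    print(before_tunnel("10.1.0.9", "172.16.1.5", b_real, b_virt, a_real, a_virt))
    masq = MasqueradeNat("203.0.113.10")
    print(masq.outbound("10.1.0.5", 40000), masq.inbound("203.0.113.10", 2000))
```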

To create a Classic VPN connection

1. Choose Network Design > ClassicVPN.

2. Click New Classic VPN Connection.

3. Type a name for the connection, up to 32 characters.

4. Type the remote gateway IP address or a hostname.

5. Type the networks that are served behind the remote gateway. Use this format: a.b.c.d/n

6. Select the gateway initiating the tunnel.

7. If you are connecting to another SteelConnect gateway, select the zones allowed to communicate over the VPN.

8. Click Submit. SCM shows all VPN configuration details as soon as the system creates the third-party VPN connection.

To edit a Classic VPN connection

1. Choose Network Design > ClassicVPN.

2. Select a Classic VPN connection.

3. Change the network name, remote network, 1:1 NAT network, or add port numbers separated by commas to steer specific traffic to a destination. For example, you could specify 80,443 to steer internet traffic on ports 80/443 to a cloud proxy.


4. Click Submit. SCM shows all VPN configuration details as soon as the system creates the third-party VPN connection.


Enabling Branch Dynamic Routing

Dynamic routing overview

To simplify integration into existing networks and provide flexible routing, SteelConnect leverages the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) protocol version 2.

• BGP - A Layer 4 protocol that exchanges routing information between peers to determine the optimal paths for traffic flows. Through the SteelConnect Manager (SCM), you enable SteelConnect gateways to use BGP to advertise all of their associated LAN zones (IP subnets) to an upstream router in the MPLS provider’s BGP environment. For details on zones, see “Zones within a site” on page 74.

• OSPF - A Layer 3 link state protocol for routing traffic information within a single area. OSPF selects the most suitable and shortest data path for network traffic. A SteelConnect gateway in the branch learns routes dynamically from other routers in the OSPF routing domain and advertises the routes it learns. Routes specifically on the LAN-side of a SteelConnect gateway are published into the AutoVPN.

Why enable dynamic routing?

Without eBGP or OSPF, gateways use static routing to directly connect manually configured routes that access a single default route. This type of routing is suitable for small networks, but managing the static configurations becomes very time-consuming as network routing choices expand.

Benefits of dynamic routing with OSPF

Dynamic routing with OSPF on the LAN side provides reachability to multiple network prefixes over a single OSPF zone interface. All of the networks learned from an OSPF zone interface are mapped to the OSPF area that the interface is connected to. When an OSPF-enabled uplink connects to a customer edge (CE) router, the gateway acts as a CE router to distribute routes between OSPF on the LAN side and eBGP running on the WAN side. OSPF provides flexible subnet management as follows:

• The gateway learns local networks from the OSPF area that the zone interface is connected to.

• The gateway maps the learned networks to the zone.

• When the zone is a member of a WAN, all of the networks learned from that OSPF area become routable over the WAN.


• While the peering session is up, the neighbors will send updates about a new route or the need to withdraw a previous announcement. For OSPF details, see “Configuring OSPF routing” on page 139.

Benefits of dynamic routing with eBGP

eBGP provides flexible subnet management in an MPLS network in these ways:

• Instead of sending static routes, the gateway sends dynamic zone advertisements through an uplink.

• A gateway can advertise all available IPv4 and IPv6 zones (subnets) to an MPLS provider’s eBGP environment. All of the eBGP-connected sites in the MPLS become aware of the zones offered by the gateway.

• The uplink advertises a site’s local network zones (LAN and virtual IP pools) and third-party routes. Guest zones are not advertised.

• The gateway learns about remote IPv4 and IPv6 zones through eBGP from the MPLS autonomous system (AS), including both gateway-based sites and CE router-based sites.

• While the peering session is up, the neighbors will send eBGP updates from one to the other each time one of the neighbors knows about a new BGP route or needs to withdraw a previous announcement.

• The uplink can also advertise additional network IPv4 segments (added using the ADDL Networks tab) as part of the zone on the same VLAN. For details, see “Adding a second IPv4 network subnet to a zone” on page 90.

• The uplink can also advertise third-party redistributed zones.

CE and PE routers

Customer edge (CE) routers and provider edge (PE) routers are components in an MPLS architecture. A CE router is located on the customer premises. It provides an Ethernet interface between the customer's LAN and the provider's core network. PE routers sit at the edge of the network. CE routers connect to PE routers. SteelConnect gateways also connect to PE routers. A SteelConnect gateway can replace a CE router to advertise and receive route announcements from the MPLS underlay.

BGP

With BGP enabled, a SteelConnect gateway establishes a TCP IPv4 control channel connection over static uplinks to a neighbor on the WAN side of an MPLS network. An established neighbor can then receive BGP updates using this peering session. The gateway shares all of the BGP routes inside its private network with its BGP neighbor. The BGP neighbor shares its BGP remote subnet routes from the IP-based virtual private network (VPN), and the gateway learns the routes. When the BGP neighbor router in the MPLS WAN becomes aware of all LAN zones offered by the gateway, it can then learn and establish reachability to the gateway’s LAN zones. When the gateway learns all of the BGP remote subnet routes, it can then establish reachability to the remote subnets.


BGP is configured differently on a data center gateway. For details on data center dynamic routing, see “Why enable dynamic routing for a cluster?” on page 102.

BGP modes

BGP can run in two modes that have different behavior when advertising routing information: eBGP and iBGP. Both modes share the same low-level protocol for exchanging routes, but external BGP (eBGP) runs between routers in different autonomous systems (ASes). An AS is a single network or a set of networks and routers that are managed and supervised by a common network administrator (or group of administrators) on behalf of a single administrative entity, such as a business division. An AS is assigned a globally unique number that identifies the network to the world. Internal BGP (iBGP) runs between routers in the same AS. SCM dynamic routing uses eBGP and not iBGP.

Branch dynamic routing topologies with eBGP

BGP supports the topology as shown in Figure 12-1. The figure shows three sites. Each site has a gateway, and each gateway is behind an intermediate provider edge (PE) router.

Figure 12-1. An eBGP deployment for gateways behind intermediate PE routers


In addition to the topology shown in Figure 12-1, SteelConnect 2.1 and later support the topology shown in Figure 12-2, which shows four sites. This deployment supports route learning from remote sites (site 1 and site 2) with subnets behind a third-party customer edge router.

Figure 12-2. An eBGP deployment in SCM 2.1 and later

New sites are connected to the MPLS through the SteelConnect gateway. The gateway uses eBGP to advertise its LAN-side subnets into the MPLS AS. The advertised subnets are propagated to all existing CE-based sites and also to the gateway sites. The gateway learns about remote IP subnets from the MPLS AS, including both gateway-based sites and CE-based sites. You can enable Message Digest 5 (MD5) authentication between two eBGP neighbors to have SteelConnect verify each segment sent on the TCP connection between the neighbors.

Communication between gateways, sites, and routers

• The gateway sites communicate through the underlay or overlay.

• The CE router-based sites communicate with each other through the MPLS underlay only.

• The CE router-based sites communicate with the gateway sites through the MPLS underlay only.

• A CE router communicates with another CE router through the MPLS underlay only.

Note: The maximum number of learned and advertised routes is 3000 across all gateway models. If the number of prefixes advertised by the PE exceeds 3000, SteelConnect brings down the eBGP peer connection with the PE. After the connection is disabled, you must disable and subsequently reenable the BGP uplink on the SCM side. To view the message indicating that the limit was reached, click the Events tab or select Visibility > Event log.

Note: For data center dynamic routing topology, see “Why enable dynamic routing for a cluster?” on page 102.


Enabling eBGP on static IP uplinks

To establish point-to-point connections between neighbors, you configure an eBGP session on a static IP uplink for a gateway and define its eBGP neighbor. Uplinks using DHCP don’t support eBGP. By default, eBGP is disabled.

Note: If BGP is already configured on an uplink, you cannot configure OSPF on the same uplink. If the uplink is already attached to an OSPF area, you cannot configure BGP on it.

To configure BGP on an uplink

1. Choose Network Design > Uplinks and click New Uplink to create an uplink, or select an existing uplink. For a new uplink, select static IP and type the IP addresses.

2. Select the BGP tab and click On next to BGP Enable. SCM dims the On button for DHCP client uplinks because eBGP is only available for static IP uplinks.

Figure 12-3. Enabling dynamic routing on a gateway uplink

3. Fill out these required session attributes:

 Router ID - Specify the router IPv4 or IPv6 address to uniquely identify the router in the local autonomous system (AS). The gateway can peer with any remote router that supports eBGP. eBGP must be enabled on the router. If another uplink is configured with a router ID on the same appliance, SCM defaults to the same router ID used on the previously configured uplink and you can’t change the setting. You must restart SCM after changing this setting.

SteelConnect Manager User’s Guide 135 Enabling Branch Dynamic Routing Branch dynamic routing topologies with eBGP

 Local AS - Specify the AS number the router belongs to: for example, 100. The range is from 1 to 4294967295. If another uplink is configured with a local AS on the same appliance, SCM defaults to the same local AS setting used on the previously configured uplink and you can’t change the setting.

• Graceful Restart - Click On to minimize the negative effects on routing caused by an eBGP restart from a failed peer or a changed configuration. Graceful restart allows a router to preserve its forwarding state during an eBGP peer restart. It retains eBGP peer routes and continues to forward traffic to other peers during the restart. When all eBGP sessions are reestablished, the restarting peer can receive and process eBGP messages as usual. When enabled, SteelConnect handles configuration changes gracefully without bringing down the existing BGP sessions, with one exception: changing the local AS for an existing BGP session. SCM tears down and replaces the existing BGP session with the new BGP session using the changed local AS.

• Neighbor Name - Specify the peer name for the provider. Each uplink can support one eBGP peer. You must restart SCM after changing this setting.

• Neighbor IPv4 Address - Specify the peer IPv4 address. You must restart SCM after changing this setting.

• Remote AS - Specify the autonomous system number the peer belongs to: for example, 200. The range is from 1 to 4294967295. If another uplink is configured with a remote AS on the same appliance, SCM defaults to the same remote AS setting used on the previously configured uplink and you can’t change the setting.

• Password - Type a password to enable MD5 authentication. You must use the same password on both BGP neighbors. If you don’t require MD5 authentication you can leave this field blank. Click the eye icon to see the password as you type. The view persists until you click the eye icon again to hide the password. You must restart SCM after changing this setting.

• Keep Alive Time - Specify the amount of time, in seconds, that the eBGP neighbors exchange keepalive messages to determine whether a link has failed or is no longer available. The neighbors exchange keepalive messages often enough so that the hold time does not expire. The default setting is 60. You must restart SCM after changing this setting.

• Hold Time - Specify the amount of time, in seconds, that a gateway neighbor waits for an incoming keepalive, update, or notification message from a neighbor before it assumes its neighbor is down. If the gateway doesn’t receive a keepalive, update, or notification message from its neighbor within the period specified, it closes the connection and routing through that neighbor becomes unavailable. A 0 value means that no keepalive messages are sent and the connection will never close. The hold-time range is from 0 to 65535. The default setting is 180. The hold-time value is three times the interval at which keepalive messages are sent. Using the default values for the keepalive time of 60 and the hold time of 180, the settings work together like this: after two neighbors establish an eBGP session, 60 seconds later they’ll each send a keepalive message. When a gateway receives a keepalive message from its neighbor, that gateway’s hold time for the session will have counted down from 180 to 120, but it’s then reset to 180. This process continues every 60 seconds. However, should neighbor A lose power, then neighbor B won’t receive any keepalives. So after 180 seconds, neighbor B determines that neighbor A is down and closes the session. You must restart SCM after changing this setting.
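The keepalive and hold-time interplay described above, as an added simulation that is not SteelConnect or SCM code. It models the receiving side of one eBGP session: any message from the peer resets the hold timer, a hold time of 0 never expires, and a sanity check flags timer pairs where keepalives could never arrive before expiry. The neighbor names, the failure time of 200 seconds, and the one-second time step are constructed for the demo.

```python
"""Hold-timer simulation for the eBGP keepalive/hold-time interplay.
Constructed example for illustration; not SteelConnect or SCM code.
Timer semantics follow the description in the guide: any message from the
peer resets the hold timer, and a hold time of 0 disables expiry entirely."""


class HoldTimer:
    """Tracks one neighbor's hold timer from the receiving side."""

    def __init__(self, hold_time: int):
        if not 0 <= hold_time <= 65535:
            raise ValueError("hold time must be in 0..65535")
        self.hold_time = hold_time
        self.last_rx = None  # time of the last KEEPALIVE/UPDATE/NOTIFICATION

    def start(self, now: int) -> None:
        """Session established: the timer starts counting from now."""
        self.last_rx = now

    def receive(self, now: int) -> None:
        """Any message from the neighbor resets the hold timer to its full value."""
        self.last_rx = now

    def remaining(self, now: int):
        """Seconds left before expiry, or None when hold time is 0 (never expires)."""
        if self.hold_time == 0:
            return None
        return self.hold_time - (now - self.last_rx)

    def expired(self, now: int) -> bool:
        rem = self.remaining(now)
        return rem is not None and rem <= 0


def timers_sane(keepalive_time: int, hold_time: int) -> bool:
    """Keepalives must arrive before the hold timer can expire (hold time 0 exempt)."""
    return hold_time == 0 or keepalive_time < hold_time


def detect_peer_down(keepalive_time=60, hold_time=180, failure_at=200, horizon=2000):
    """Neighbor A sends a keepalive every keepalive_time seconds until it loses
    power at failure_at (constructed). Return the second at which neighbor B
    declares A down, or None if B never does."""
    timer = HoldTimer(hold_time)
    timer.start(0)  # eBGP session established at t=0
    for now in range(1, horizon + 1):
        if now < failure_at and now % keepalive_time == 0:
            timer.receive(now)  # A's keepalive arrives; B resets the hold timer
        if timer.expired(now):
            return now
    return None


def countdown_at_first_keepalive(keepalive_time=60, hold_time=180):
    """Hold timer value just before and just after the first keepalive arrives."""
    timer = HoldTimer(hold_time)
    timer.start(0)
    before = timer.remaining(keepalive_time)  # counted down from hold_time
    timer.receive(keepalive_time)
    after = timer.remaining(keepalive_time)   # reset to hold_time
    return before, after


if __name__ == "__main__":
    print("default timers sane:", timers_sane(60, 180))
    print("hold timer before/after first keepalive:", countdown_at_first_keepalive())
    print("A fails at t=200; B declares A down at t =", detect_peer_down())
    print("hold time 0 never expires:", detect_peer_down(hold_time=0))
```

With the guide's defaults the timer reads 120 just before the first keepalive and 180 just after it, and when neighbor A stops sending at t=200, neighbor B's last message was the keepalive at t=180, so B closes the session at t=360.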

4. Click Submit.

5. Choose Ports, select the gateway, and add the uplink to the gateway.

6. Click Submit.

7. Repeat this process for gateways behind other routers; if you have two MPLS providers, you need to create a BGP configuration for each one.

Viewing eBGP learned and advertised routes

SCM displays the advertised and learned network routes and peering session state information. To filter the list, type a search filter in the search box, for example, type IPv6 to narrow the search to all IPv6 networks.

To view eBGP network routes per gateway

1. Choose Network Design > Uplinks.

2. Select an uplink with eBGP enabled.

3. Select the Networks tab. The Networks tab is dimmed when eBGP isn’t enabled on the gateway.

Figure 12-4. The learned and advertised routes for the gateway

The display shows all advertised and learned network routes for the gateway, along with the route IP version number.


To view eBGP neighbor activity

• Select the Events tab or choose Visibility > Event Log.

Figure 12-5. The event log records eBGP neighbor status

OSPF

A SteelConnect branch gateway supports OSPF version 2 in a broadcast network for dynamic routing. The gateway uses OSPF zone interfaces connected to LAN segments to learn routes dynamically from other routing devices. In OSPF, a single AS can be divided into smaller groups called areas. An area is a set of networks and hosts within an AS that are grouped together by an administrator as a collection of IP subnetted networks. The SteelConnect gateway on the LAN side joins an existing OSPF area in the branch network. You can also create an exclusive area. An OSPF-enabled gateway discovers and advertises subnets in an MPLS network as follows:

• LAN-side discovered subnets are advertised on the MPLS underlay on the WAN through uplinks attached to the OSPF area. Statically configured zones are not advertised.

• WAN-side subnet discovery and advertisements work like this:

– SCM learns about subnets in a remote SD-WAN site's OSPF routing domain and configures reachability to the discovered subnets on the overlay tunnel to the remote site.

– Subnets discovered from the WAN side are advertised to the OSPF zone on the LAN side to allow reachability between subnets in the OSPF routing domain across two sites.

• The underlay connectivity between SD-WAN sites and legacy non-SD-WAN sites provides reachability between discovered subnets (assuming that both the sites have connectivity through a common MPLS WAN).

OSPF topology

SteelConnect supports OSPF for a branch site with one or two MPLS providers, where each provider is connected to a CE router. A SteelConnect branch gateway is deployed behind the CE routers. The CE routers on the MPLS WAN side are speaking eBGP and the CE routers on the LAN side are speaking OSPF. Between the CE routers and SCM on the LAN side is the OSPF domain, OSPF area 1.2.3.4 in Figure 12-6.

Figure 12-6. An OSPF area with a branch gateway

Configuring OSPF routing

By default, OSPF is enabled. To configure OSPF routing on a gateway, you create an OSPF network, define a single area (or use an existing area), and attach a LAN-side zone and/or interface to the area.

Prerequisites

Before configuring OSPF on a gateway, check these requirements.

• The gateway must be registered with SCM. For details, see “Adding shadow appliances” on page 209.

• The gateway must be running 2.6 or later. For details, see “How can I tell if the appliance firmware is up to date?” on page 62.

• The default gateway configuration of the zone must be set to manual mode. To set the default gateway configuration, select the gateway, select the zone, select the Gateways tab, and select Manual.

• The site where the OSPF network is located must already exist.

• OSPF must be enabled on any routing devices that will peer with the gateway.

The basic steps to enable OSPF routing are:

• Select a site and create an OSPF network for that location that includes one area.

• Attach a zone and one or more uplinks to the OSPF area.

To create an OSPF network and area

1. Choose Routing.

2. Click New OSPF Network.

Figure 12-7. Creating an OSPF network on a branch gateway

3. Fill out these network attributes:

• Site - Select the site where the OSPF network is located.

• Name - Specify a network name.

• Area Name - Specify a name for the area.

• Area ID - Specify the area in which the zone resides. Either specify a 32-bit unsigned number from 0 to 4294967295 or an IPv4 address in dotted decimal notation (x.x.x.x). The default setting is the backbone area ID 0; however, you can change the value to your existing area ID. For small LANs, area 0 might be all you need, but as a network grows, you will need more than one area connecting to area 0. For a routing device to become an OSPF neighbor with another device, both devices must belong to the same area ID and their passwords and authentication methods must match.

• Password - Specify a password. The authentication methods appear when typing a password. All OSPFv2 exchanges between routing devices can be authenticated using one of these methods:

– MD5 - Select this tab to use the Message Digest 5 algorithm as the authentication method. MD5 authentication enables routing devices to securely identify one another before they establish adjacency. MD5 is a cryptographic hash function with a 128-bit hash value derived from the contents of the OSPF packet and a key and key ID. This method doesn’t send the password but instead calculates and includes an encoded MD5 checksum in the transmitted packet. The receiving routing device uses the key and key ID to verify the packet. The MD5 key doesn’t have to be the same within the area, but it must be exactly the same between two OSPF neighbors.

Tip: Click the eye icon to see the password as you type. The view persists until you click the eye icon again to hide the password.

– Simple - Select this tab to include an unencrypted plain text password with the packet. The receiving routing device uses the password to verify the packet. The simple password can be from one to eight characters and can include ASCII strings. If you include spaces, enclose the password in quotation marks. Use this authentication method when devices within an area don’t support the more secure MD5 authentication, as Simple is the least secure setting.

• MD5 Key ID - (Appears when you select MD5.) Specify a value to associate with the MD5 key. The ID is used by the receiver of the OSPF packet to determine which key to use for authentication. To change your MD5 key, specify a new key and key ID. When both OSPF neighbors have a new key and key ID, the old key is deleted and the current MD5 key and key ID become active.

• Hello Interval - Specify how often, in seconds, to send a hello packet. Initially the gateway sends a hello packet to all OSPF-enabled interfaces to form an adjacency as a neighbor. The routing devices become neighbors and exchange link-state advertisements. After the gateway learns the common network topology, it sends the hello to check if an OSPF neighbor is alive. The range is from 1 to 65535. The default is 10. The hello interval must be exactly the same between two OSPF neighbors.

• Dead Interval - Specify how many seconds to wait for a hello packet before declaring an OSPF neighbor out of service, triggering a refresh of the link-state database and routing information. The range is from 1 to 65535. The default is 40. The dead interval must be exactly the same between two OSPF neighbors.

• Priority - Specify the priority for becoming the network’s designated routing device. The designated router originates network link advertisements on behalf of the network, and establishes adjacencies with all routing devices on the network. The routing device that has the highest priority value on the logical IP network or subnet is elected as the designated router. A priority value of 0 means that the routing device never becomes the designated router; it doesn’t even participate in the election process. A value of 1 means that the routing device participates in the election process but has the least chance of becoming a designated router. A priority of 255 means the routing device is always the designated router. To ensure that a routing device is elected as the designated routing device, configure the priority value to a higher value than any other interface on the Ethernet network. The range is from 0 to 255. The default value is 1.

• Cost - Specify a routing metric used in the link-state calculation. OSPF selects ideal routes by locating destination routes with the least cost. Routes with lower total path metrics are preferred to those with higher path metrics. This setting controls the cost calculation of OSPF network segments. The default formula to calculate the cost for the OSPF metric is dividing the reference bandwidth (100 Mbps by default) by the interface bandwidth. For example, in the case of 10 Mbps Ethernet, the cost is 100 Mbps / 10 Mbps = 10. You can manipulate the cost by specifying a number within the range of 1 to 65535. The default setting is 10.

The OSPF network needs a zone and, optionally, one or more uplinks to report OSPF learned routes to SCM.
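The MD5 authentication method and the MD5 Key ID attribute described above follow the OSPFv2 cryptographic authentication scheme of RFC 2328, Appendix D. The following added example (not SteelConnect or SCM code) builds a Hello packet with the AuType 2 header, appends the digest computed over the packet plus the key, and then verifies it on the receiving side by selecting the key from a keyring by Key ID. It shows why the key is never transmitted, why neighbors with different keys or an unknown Key ID fail verification, and how the cryptographic sequence number rejects replayed packets. The router ID, key ID and key are constructed values; the area ID 1.2.3.4 is the one shown in the OSPF topology figure.

```python
"""OSPFv2 cryptographic authentication (AuType 2, MD5) as defined in
RFC 2328, Appendix D. Constructed example to show how the password itself
is never transmitted: the sender appends an MD5 digest computed over the
packet plus the key, and the receiver picks the key by the Key ID carried
in the header and recomputes the digest. Not SteelConnect or SCM code.
All router IDs, key IDs and keys below are made up for the demo."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
HELLO_TYPE = 1
AUTYPE_CRYPTO = 2
HEADER_FMT = "!BBH4s4sHHHBBI"   # 24-byte OSPFv2 header with the AuType 2 auth field
HEADER_LEN = struct.calcsize(HEADER_FMT)
DIGEST_LEN = 16

# Constructed demo values (not from any real deployment).
DEMO_ROUTER_ID = bytes([10, 0, 0, 1])
DEMO_AREA_ID = bytes([1, 2, 3, 4])     # area 1.2.3.4 from the OSPF topology figure
DEMO_KEY_ID = 1
DEMO_KEY = b"example-key"


def _pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: the key is used as exactly 16 bytes, zero-padded on the right."""
    if not 0 < len(key) <= DIGEST_LEN:
        raise ValueError("MD5 key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_header(packet_len: int, router_id: bytes, area_id: bytes,
                 key_id: int, seq: int) -> bytes:
    """OSPFv2 header. With AuType 2 the checksum is zero and the 8-byte
    authentication field is: 0x0000, Key ID, Auth Data Length (16), sequence number."""
    return struct.pack(HEADER_FMT, OSPF_VERSION, HELLO_TYPE, packet_len,
                       router_id, area_id, 0, AUTYPE_CRYPTO,
                       0, key_id, DIGEST_LEN, seq)


def sign_packet(body: bytes, router_id: bytes, area_id: bytes,
                key_id: int, key: bytes, seq: int) -> bytes:
    """Sender: digest = MD5(header || body || padded key). The digest is appended
    after the packet and is not counted in the header's packet length."""
    packet = build_header(HEADER_LEN + len(body), router_id, area_id, key_id, seq) + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_packet(wire: bytes, keyring: dict, last_seq: int = None):
    """Receiver: select the key by Key ID, recompute the digest and compare in
    constant time, then enforce the monotonic sequence number (replay check).
    keyring maps Key ID -> key bytes. Returns (ok, reason)."""
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False, "truncated"
    (_ver, _ptype, plen, _rid, _aid, _cksum, autype,
     _zero, key_id, auth_len, seq) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not MD5 authentication"
    if len(wire) != plen + DIGEST_LEN:
        return False, "length mismatch"
    key = keyring.get(key_id)
    if key is None:
        return False, "unknown key ID %d" % key_id
    packet, received = wire[:plen], wire[plen:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad digest"
    if last_seq is not None and seq < last_seq:
        return False, "replayed or stale sequence number"
    return True, "ok"


def make_demo_hello(seq: int = 1, key: bytes = DEMO_KEY, key_id: int = DEMO_KEY_ID) -> bytes:
    """Constructed Hello body: /24 mask, hello 10 s, options, priority 1,
    dead 40 s, no DR/BDR yet (the guide's default hello and dead intervals)."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    return sign_packet(body, DEMO_ROUTER_ID, DEMO_AREA_ID, key_id, key, seq)


if __name__ == "__main__":
    wire = make_demo_hello()
    print("matching key:", verify_packet(wire, {DEMO_KEY_ID: DEMO_KEY}))
    print("wrong key:   ", verify_packet(wire, {DEMO_KEY_ID: b"other-key"}))
    print("unknown ID:  ", verify_packet(wire, {7: DEMO_KEY}))
```

Two points worth keeping in mind when choosing between the methods: the digest authenticates and integrity-protects the packet but does not encrypt it, so the routing information itself is still visible on the wire with either method, and the per-neighbor sequence number is the only protection against an old packet being played back. This is why the guide calls Simple the least secure setting: it sends the password itself in clear text, whereas MD5 never does.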

To add a zone and uplink to an OSPF network

• Next to OSPF Interfaces, select a zone to associate with the area. Select only one zone per area for the LAN side. Only nonmanagement zones are allowed as OSPF interfaces.

To attach an OSPF interface

1. Select a site from the drop-down list.

2. Select the OSPF Interfaces tab.

3. Click Attach Interface.

Figure 12-8. Attaching an OSPF interface

4. Fill out these interface attributes:

• Zone/Uplink - Select the interface on which to enable OSPF communication from the drop-down list.

Note: If BGP is already configured on an uplink, you cannot configure OSPF on the same uplink. If the uplink is already attached to the OSPF area, you cannot configure BGP on the uplink.

• OSPF Area - Select the OSPF area associated with the interface from the drop-down list. Select the area created in “To create an OSPF network and area” on page 139.

• Inherit OSPF Parameters - Click On to allow the interface to automatically inherit the area settings and any changes to an area. When enabled, making a change to the area also changes the OSPF parameters on the interface. Click Off to lock the interface configuration so that changes to the area don’t overwrite the interface parameters and the interface keeps its own unique settings.

5. Click Submit.

After you attach the interface to the OSPF area, the gateway configures the zone to run OSPF and establishes OSPF neighbors with LAN routers in the same network segment.

Viewing learned routes

After configuring OSPF, you can monitor learned routes in SCM. When a SteelConnect gateway is participating in an OSPF area, it discovers LAN-side subnets and reports all discovered subnets to SCM. SCM automatically configures discovered remote SD-WAN sites as reachable over the overlay tunnels. Similarly, network subnets that are discovered on the WAN side (primarily networks advertised for the remote site by other SD-WAN sites or by legacy, non-SD-WAN sites) are shown on the Networks tab of the uplink through which the gateway discovered those networks.

To view the learned network routes on the LAN side of the OSPF area

1. Choose Network Design > Zones.

2. Select the zone attached to the OSPF area.

3. Select the Discovered Networks tab. The Discovered Networks tab is dimmed until OSPF is enabled on the gateway.

Figure 12-9. Discovered route details

The display shows all advertised and learned network subnets for the gateway, along with the route IP version number and internet breakouts. It takes approximately 30 to 60 seconds for the discovered networks to appear. All discovered subnets are automatically reachable on the overlay tunnel between sites.

To view the learned network routes on the WAN side of the OSPF area

1. Choose Network Design > Uplinks.

2. Select the uplink attached to the OSPF area.

3. Select the Networks tab.

Figure 12-10. The WAN side learned routes

Viewing OSPF neighbor activity

After you connect a zone to an OSPF area, the gateway in the zone initiates neighbor peering with routers in that OSPF area. All neighbor peering activity appears in the event log.

To view OSPF neighbor activity

• Select the Events tab or choose Visibility > Event Log.

Figure 12-11. The event log records OSPF neighbor activity

The display shows the OSPF neighbors and their IP addresses, the neighbor state, which neighbor is the designated router (DR), and the neighbor’s interface priority.

How does an OSPF zone interact with traffic rules in SCM?

When your configuration includes traffic path rules for balancing traffic or to enable security, an OSPF zone interacts with the rules as follows:

• Traffic path rule - You can create a traffic path rule for balancing traffic over multiple WANs by selecting a zone either as a source, a target, or both. The traffic path rule assigns a specific order of path preference and QoS priority to the source and target combination. When you select a static zone as the source, target, or both, the path rule applies to a specific subnet associated with the static zone. However, with a dynamic OSPF zone, the path rule provides reachability to a range of subnets learned through that OSPF zone, because the zone is associated with more than one subnet. A traffic path rule applies the specified path preference and QoS priority for the rule to all subnets learned from the OSPF zone. For details, see “Balancing traffic using traffic path rules” on page 177.

• Outbound or internal rule - You can create an outbound rule that works as a filter to allow or deny traffic between a specific source and target combination. When an OSPF zone is selected as a source, a target, or both for an outbound rule, the rule applies to all subnets learned from the OSPF zone. For details, see “How do inbound and outbound rules work?” on page 167. Currently, you must create an outbound rule with the OSPF zone as the source to allow TCP traffic originating from any of the OSPF discovered subnets behind the SteelConnect gateway.


Configuring High Availability

Overview

High availability (HA) maintains uninterrupted service in the event of a power, hardware, software, or WAN uplink failure. Configuring HA provides network redundancy and reliability.

SteelConnect Gateway Model Physical Appliances

This table lists the common use cases for SteelConnect gateways.

Gateway Model   Use Case
SDI-130         Small branch or retail
SDI-330         Medium branch
SDI-1030        Large branch, campus, or data center
SDI-5030        Campus or data center

Branch high availability overview

SteelConnect Manager (SCM) connects the branch gateway pair that includes the master and backup gateways over the links in the management network zone to monitor and route traffic. The two gateways use active-passive mode. In active-passive mode, only the master gateway processes traffic while the backup gateway remains in standby mode, ready to take over if the master gateway fails.

Figure 13-1. HA active-passive deployment

How does branch high availability work?

SCM sends the master gateway configuration to both gateways. The first gateway to send Virtual Router Redundancy Protocol (VRRP) packets on the network becomes the master and SCM applies the master configuration to the gateway. No additional configuration is required on the backup gateway. Gateways in an HA pair establish an encrypted communication channel between each other. After the communication channel is established between the master and backup gateway, the communication channel replicates all DHCP lease releases and renewals between the master and backup in both directions, so that in the event of a failover, a new master gateway doesn’t assign duplicate leases. The gateway pair also synchronizes firewall state and connection tracking information between the master and backup gateway, which provides a stateful transition if failover occurs.

Gateway failover performance

A failover due to failure of the master gateway will trigger within 3-4 seconds of the master gateway going offline. After the backup gateway assumes the master role, it can pass internet traffic in approximately 9-10 seconds. The AutoVPN tunnels are typically reestablished after an additional 4 to 5 seconds.

Note: AutoVPN tunnels and site-to-site connectivity after failover can take more than five minutes to reestablish when MAC address cloning is not enabled. We recommend enabling MAC address cloning when using DHCP uplinks. For details, see “What impact does a failover from a backup to a master gateway have on the uplinks?” on page 155.


Which gateway models support high availability?

SCM supports box-to-box redundancy for these gateway models:

• SDI-130 paired with another SDI-130

• SDI-330 paired with another SDI-330

• SDI-1030 paired with another SDI-1030 (requires the use of a dedicated HA port)

You can pair two gateways of the same model, two shadow appliances of the same model, or one hardware and one shadow appliance of the same model for high availability.

Important: You can use shadow and physical gateways in a high-availability pair. You can also use virtual gateways.

HA features

Smart update

To ensure minimal service interruption during a firmware upgrade for an HA pair, SCM uses this smart updating process to gracefully install firmware updates:

1. SCM notifies appliances about the availability of a new firmware image.

2. The master appliance immediately starts downloading the image. The backup appliance downloads the image through a proxied connection through the master appliance.

3. After the download of the firmware image is complete on the backup gateway, SCM instructs it to install the new firmware and reboot. At this point, the master gateway has received the new firmware file; however, it’s still handling client traffic for the HA pair and a failover has not yet occurred.

4. After SCM receives a notification from the backup gateway that it has rebooted and is running the new firmware, SCM instructs the master gateway to install the firmware and reboot.

5. The reboot triggers a failover and the backup gateway assumes the active master role.

6. After the previous master gateway comes back online, it remains in backup mode until the active gateway triggers a failover and relinquishes the active role.

WAN uplink failover

HA protects against local WAN uplink issues such as:

• an unplugged network cable between one of the gateways and its upstream switch port, but not the other gateway.

• an Ethernet port failure on the WAN port or corresponding upstream switch port.

Failover triggers after an Internet Control Message Protocol (ICMP) ping detects that all uplinks are down. The gateway dynamically determines an appropriate upstream IP address to ping. The ICMP uplink monitoring disregards short uplink drop-outs to avoid reporting false negatives.

WAN uplink failover performance

A WAN uplink failover triggers within 13 to 16 seconds after down uplinks are detected. After the backup gateway assumes the master role, it can pass internet traffic in approximately 9-10 seconds. The AutoVPN tunnels are typically reestablished after an additional 4 to 5 seconds.

For network stability, a failover can’t occur within 60 seconds of a previous failover. WAN uplink failover uses a 60-second dampening factor to limit the advertisements of up and down link transition states. For 60 seconds after a failover, the system suppresses subsequent failovers until it has enough time to verify the uplink state and analyze the gateway heuristics.

Uplinks are shared between the master and backup gateways. For example, uplink 1 and (optionally) uplink 2 are physically connected to both the master and backup gateways, so if an upstream outage occurs, both gateways are affected. To provide continued connectivity after an upstream outage, you can create a traffic path rule that selects a secondary path. For details, see “To create a traffic path rule” on page 181.
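The uplink monitoring and dampening behavior described in the two sections above, as an added simulation that is not SteelConnect or SCM code. It runs a per-uplink consecutive-miss counter (so a short drop-out is ignored), declares all-down only when every uplink has failed, triggers a failover after the detection delay, and then refuses a second failover inside the 60-second dampening window. The consecutive-miss threshold of 3, the one-probe-per-second rate, the uplink names, and the constructed probe trace (a two-second blip at t=10, then an upstream outage from t=20 that takes both shared uplinks down) are assumptions; the guide states only the 13 to 16 second trigger window and the 60-second dampening factor.

```python
"""Simulation of the WAN uplink failover logic described in the guide: ICMP
uplink monitoring that ignores short drop-outs, a failover only when every
uplink is down, and a 60-second dampening window after each failover.
Constructed example, not SteelConnect or SCM code. The consecutive-miss
threshold and the one-probe-per-second rate are assumptions."""

MISSES_BEFORE_DOWN = 3      # assumption: probes missed in a row before an uplink counts as down
FAILOVER_DELAY = 13         # seconds after all-down detection before failover (guide: 13 to 16 s)
DAMPENING_SECONDS = 60      # no second failover within 60 s of the previous one (guide)


class UplinkMonitor:
    """Tracks consecutive missed ICMP probes per uplink."""

    def __init__(self, uplinks):
        self.misses = {u: 0 for u in uplinks}

    def record(self, results):
        """results maps uplink name -> True if the probe was answered."""
        for uplink, answered in results.items():
            self.misses[uplink] = 0 if answered else self.misses[uplink] + 1

    def all_down(self) -> bool:
        """Only a sustained loss on every uplink counts; short blips are ignored."""
        return all(m >= MISSES_BEFORE_DOWN for m in self.misses.values())


class FailoverController:
    """Decides when a failover may trigger, applying the dampening window."""

    def __init__(self):
        self.all_down_since = None
        self.last_failover = None
        self.failovers = []      # seconds at which a failover triggered
        self.suppressed = []     # seconds at which dampening blocked one

    def step(self, now: int, all_down: bool) -> None:
        if not all_down:
            self.all_down_since = None
            return
        if self.all_down_since is None:
            self.all_down_since = now
        if now - self.all_down_since < FAILOVER_DELAY:
            return                          # still inside the trigger window
        if self.last_failover is not None and now - self.last_failover < DAMPENING_SECONDS:
            self.suppressed.append(now)     # dampening: verify state before flapping again
            return
        self.last_failover = now
        self.failovers.append(now)
        self.all_down_since = None          # the new master starts its own detection


def build_trace(seconds: int = 120, outage_at=20):
    """Constructed per-second probe results for two shared uplinks: a 2-second
    blip at t=10..11 (must be ignored) and, unless outage_at is None, an
    upstream outage from outage_at onward that takes both uplinks down."""
    trace = []
    for t in range(seconds):
        blip = 10 <= t <= 11
        outage = outage_at is not None and t >= outage_at
        answered = not (blip or outage)
        trace.append({"uplink1": answered, "uplink2": answered})
    return trace


def simulate(trace):
    """Run the monitor and controller over the trace; return what happened."""
    monitor = UplinkMonitor(trace[0].keys())
    controller = FailoverController()
    detected_at = None
    for now, results in enumerate(trace):
        monitor.record(results)
        down = monitor.all_down()
        if down and detected_at is None:
            detected_at = now
        controller.step(now, down)
    return {"all_down_detected_at": detected_at,
            "failovers": controller.failovers,
            "suppressed": controller.suppressed}


if __name__ == "__main__":
    print(simulate(build_trace()))
```

On the constructed trace the blip never reaches the miss threshold, both uplinks are declared down at t=22, the first failover triggers at t=35, and because the outage is upstream of both gateways the new master sees the same all-down condition; its own failover attempts are suppressed until the 60-second window after t=35 has passed, which is the flapping the dampening factor exists to prevent.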

Prerequisites

Before configuring high availability, check these requirements and recommendations.

Gateway configuration

Both gateways must be:

• registered with SCM. For details, see “Adding shadow appliances” on page 209.

• running the same firmware version. For details, see “How can I tell if the appliance firmware is up to date?” on page 62.

• cabled on the LAN side.

• cabled directly via the dedicated port (1030 and virtual gateways only).

We recommend that the gateways are cabled exactly the same for redundancy.

Important: The backup gateway communicates with SCM through a default route using the site’s management zone. Each site has only one management zone. There must be management zone connectivity between the HA gateways for HA to work. Loss of management zone connectivity will cause a “split brain” state where both HA gateways become the master. Management zone connectivity can be set either explicitly through single-zone ports with the management zone selected or implicitly through a multizone port. See “Port configuration” on page 152.

Switch configuration

When HA is configured, never plug a device other than a switch directly into the gateway. For HA failover to work properly, you can configure a switch in between devices and the HA pair, so that devices can access whichever gateway is currently the master. You can connect one or more switches directly to the HA pair; however, keep in mind that the HA pair will not forward Layer 2 traffic among the connected switches. To forward Layer 2 traffic, you must configure a core switch as a Layer 2 aggregation layer.


Make sure that the switches connected to the HA gateways are set to either a single-zone port or a multizone port, based on your requirements.

Figure 13-2. HA switch configuration

Individual and mirrored uplinks

Mirrored uplinks configure identical ports for the HA pair. You can assign an individual uplink to a gateway, and the upstream router assigns a port for each member of the HA pair.

Figure 13-3. Individual uplink IP addresses

Individual uplinks don’t require a WAN-side switch, as each uplink has its own Layer 3 configuration.

When should I use nonmirrored, individual uplinks?

We recommend using mirrored uplinks. In an active-passive HA configuration, the backup gateway is passive with all uplinks and LAN ports down. The uplinks on the backup gateway aren’t actively routing traffic. However, for deployments where WAN edge equipment can provide Layer 3 ports for greater flexibility, you can associate individual uplinks with a WAN. Figure 13-4 shows a deployment example using one mirrored and two individual uplinks.

Figure 13-4. Mirrored and individual uplinks

In Figure 13-4, the HA pair has connectivity to two WANs: an internet and an MPLS. Three uplinks are configured for the HA pair. The first is a single internet uplink in mirrored mode, as the ISP only provides a single port on their router. A WAN-side switch is necessary to connect both appliances’ mirrored uplink ports to the single port on the internet router. The MPLS provider provides two Layer 3 ports on their PE router. For each port on the MPLS router, an individual, nonmirrored uplink is created with a Layer 3 configuration for that port and assigned to each partner in the HA pair. No switch is necessary on the MPLS WAN when using individual uplinks, because each uplink has its own unique Layer 3 configuration.

Note: The SteelHead SD 570-SD gateway, 770-SD gateway, and 3070-SD gateway models don’t support dedicated ports or mirrored uplinks.

Port configuration

We recommend that you configure the LAN ports such that each gateway mirrors the other; however, you can configure individual, nonmirrored LAN ports per gateway if required. Take care to ensure that the physical cabling respects the port configuration on each gateway.

To set the LAN port operation for HA

1. Choose Ports and select a LAN port.

Figure 13-5. LAN port mode

2. Under Mode, select a port mode from the drop-down list.

• Singlezone - Enables a single zone. After selecting Singlezone, select the zone for the port to carry.

• Multizone (VLAN tagged) - Enables the port to function as an 802.1q trunk. See Figure 13-2.

• Uplink - Enables an individual uplink on each partner in an HA pair. After selecting Uplink, select the uplink to use. See Figure 13-3.

• Mirrored Uplink - Configures identical ports for the HA pair. One of the nodes in the HA pair needs to have an uplink configured by selecting Uplink in the Port mode field and selecting the specific uplink that needs to be mirrored. On the HA partner, select the corresponding port by selecting Mirrored Uplink. For the mirrored uplink option to be available on the HA partner, the port number must match the partner node’s port number. Select the uplink used in the partner node. SCM configures the port identically to the corresponding port on its partner HA gateway. When MAC cloning is enabled, mirrored uplinks inherit a virtual MAC address from one of the HA partners. SCM overrides and disables the virtual MAC address on all mirrored uplinks, and it populates the virtual MAC address on one of the HA nodes (indeterminate as to which one is selected by SCM) with the MAC address of the corresponding port on the other node.

Note: Port modes aren’t available on ports configured as a dedicated port for HA.

3. Click Submit.

Note: The Spanning Tree Protocol (STP) prevents network malfunction by blocking ports that can cause loops in redundant network paths. SteelConnect implements the 802.1w Rapid Spanning Tree Protocol (RSTP) defined in the IEEE 802.1D-2004 specification. STP is not supported on branch gateways configured for high availability. Due to the lack of STP, we recommend two deployment options: You can use one multizone or a singlezone LAN port per gateway to the LAN switch to avoid Layer 2 loops and MAC address flapping. Or, on the LAN-side switch, you can disable STP on all switch ports associated with the gateway.

Dedicated port configuration for 1030 and virtual gateways

Dedicated port mode designates a single LAN port as the HA control port. This port is used for routing SCM traffic for backup gateways. Configure a dedicated port when you are setting up high availability between a 1030 gateway pair. A dedicated port is required for 1030 gateway high availability to avoid loops and spanning tree issues. You can also configure a dedicated port for a virtual gateway, but it isn’t required. You can select the management zone for a virtual gateway as well as a dedicated port. You must cable the gateways to each other directly using dedicated ports. Don’t add a switch in between the gateways. You can’t configure a dedicated port for 130 and 330 gateways.

To configure a dedicated port

1. Choose Appliances > Overview.

2. Select the fully configured master gateway.

3. Select the HA tab.

4. Next to HA Control Link, select Dedicated Control Port from the drop-down list. The dedicated control port isn’t available on 130 and 330 gateways.

5. Select the control port from the drop-down list. This port must be cabled directly to the other 1030. When you dedicate a port to a gateway, it’s no longer available for use with other gateways.

Figure 13-6. Dedicated port for a 1030 gateway

6. Click Submit.

How do I configure an HA pair?

Because SCM mirrors all uplink and gateway assignments for HA partners, you only need to configure the master gateway. You simply add a second gateway, cable it, and plug it in. After registering the backup gateway with SCM, you select it as the master’s backup and specify its IP address.


To form a gateway pair for high availability

1. Add two gateways of the same model to a site.

2. Configure the master gateway with zones and uplinks. For details, see “Creating sites” on page 71 and “Creating uplinks” on page 85. Adding a second uplink to an HA pair is optional, as the HA partners can share one uplink. If you use mirrored uplinks, you don’t have to configure the backup gateway, because it will inherit the configuration from the master gateway. The backup gateway is configured with the management zone IP address only. There is no dedicated connection between the two gateways. The backup gateway has a default route, pointing to the master gateway through the management zone for the site. The default route provides access to SCM to receive firmware updates, configuration changes, and so on.

3. Choose Appliances > Overview.

4. Select the fully configured master gateway.

5. Select the HA tab.

6. Select the gateway to use as the backup.

7. Under HA management IP, select the IP address for the master gateway.

8. Under HA partner management IP, select the IP address for the backup gateway. These become the two interface IP addresses the management zone uses for the keepalive daemon between the HA pair. The default IP address for the management zone (typically the .1 address) becomes the virtual IP address. Whichever gateway becomes the master owns the virtual IP address. The virtual IP address only applies to the management zone.

9. Click Submit. You don’t need to reboot SCM.

What impact does a failover from a backup to a master gateway have on the uplinks?

High availability supports all uplink types. When an HA pair switches a backup gateway over to a master gateway, the uplinks are impacted differently, depending on the uplink type:

• PPPoE - All connections are reestablished. The public IP address might change.

• Static IP Address - No impact.

• DHCP client - An optional virtual media access control (MAC) cloning feature is available to support addressing on the WAN interfaces. This feature clones the MAC address on the WAN uplinks for both interfaces in the HA pair. The backup gateway then uses the cloned MAC from the master gateway. This feature is useful when using a cable modem/router as an uplink and an ISP expects a consistent MAC address. The ISP can block access if it receives traffic from an unknown MAC address. This feature is disabled by default.


The cloned MAC address is also used during failover to update the backup gateway with a new virtual MAC address. Without MAC cloning enabled, AutoVPN tunnels can take longer to reestablish after a failover. For details on failover performance, see “Gateway failover performance” on page 148.

Note: MAC cloning only applies to mirrored uplinks. If you require specific MAC addresses on nonmirrored, individual uplinks, use the virtual MAC address feature directly. For details, see “To override a port’s default MAC address” on page 214.

To enable MAC cloning

1. Choose Appliances > Overview.

2. Select the fully configured master gateway.

3. Select the HA tab.

4. Next to MAC cloning, click On.

Monitoring a high availability pair

SCM displays all gateways belonging to a high availability pair with a blue HA icon in all views. After the gateway reports its HA state to SCM, the icon indicates whether it is the master or the backup. The pair stays together in appliance lists to make it clear that the gateway is a partner that belongs in an HA pair. SCM manages both gateways in a pair as one.

Figure 13-7. Gateways in an HA pair appear together in all views

Note: When an HA pair is separated, the gateways continue running with the same port settings, AutoVPN setting, and so on used in the HA pair. SCM unmirrors the uplinks, so one gateway will typically no longer have an uplink associated with it.


Data center high availability overview

High availability (HA) maintains uninterrupted service for a data center 5030 gateway cluster in the event of a power, hardware, software, or link failure. The SteelConnect Manager (SCM) connects three or more 5030 gateways (nodes) to monitor and route traffic. Configuring high availability between 5030 nodes provides network redundancy and reliability. The SteelConnect data center solution uses the notation n + k to describe the engineered capacity (n) and resiliency (k) of nodes in a high-availability solution. Because redundancy is critical, the minimum 5030 high-availability cluster is deployed in an n + k arrangement of 2 + 1. To increase throughput, you can scale out the deployment by adding more active and spare 5030 nodes.

Data center redundancy

A cluster is made up of multiple 5030 nodes in a single data center. In an out-of-path deployment, the data center cluster is deployed on the server side. You can achieve resiliency by deploying at least three data center 5030 nodes out-of-path at one site. In a cluster of three 5030 nodes, all three of the nodes actively handle traffic. A 2+1 cluster is a three-appliance active quorum that tolerates one complete 5030 gateway failure and remains operational. High availability ensures no single component failure can bring down an entire cluster. Failure handling is tied to reliable semantics to detect a downed cluster node or service node. Failure recovery is initiated based on the failure notification. A healthy cluster automatically enables data center high availability. There is no need to enable high availability after creating a cluster. For details, see “Creating clusters” on page 97.

How does data center high availability work?

Each 5030 node in the cluster is individually connected to the SCM. SCM sends the configuration to all three 5030 nodes.

Node failure

Removing or upgrading a cluster node causes connections on that node to fail over and tunnels from affected data centers to reconnect. After a node failure, a cluster rebalances the active traffic load to resume traffic flow through the nodes in under a minute. When an active node fails, traffic flow rebalancing occurs automatically. Branch gateways handled by the failed node reconnect to the newly assigned active node. The cluster health is degraded but remains operational.


VM failure

The control virtual machine (CVM) manages appliance start-up, licenses, initial configuration, and interface addressing. CVMs are interconnected through data center Layer 3 connectivity and represent an entire data center cluster as a combined manageable entity. A CVM failure triggers node high-availability failover. A CVM fails if it crashes, panics, hangs, stops execution, or shuts down. The recovery attempted depends on the type of CVM failure. For panics, hangs, and stops, the CVM is restarted. For crashes and shutdowns, the CVM is reinstantiated. CVM recovery is attempted three times with a five-second wait period between each recovery attempt. If the CVM doesn’t recover after three attempts, the 5030 node is rebooted. The 5030 node also reboots after the CVM encounters any errors during the recovery process.

eBGP and high availability

The external Border Gateway Protocol (eBGP) is used when a tunnel endpoint (TEP) moves from one 5030 node to another during a node failover. When a 5030 node owning a TEP fails, the cluster transfers the TEP from the previous active node to a spare node. The spare node becomes active and now owns the TEP. It advertises the TEP into eBGP so it can attract traffic to itself. All data center 5030 nodes must use a private autonomous system number (ASN) to determine the best path between two points and also to prevent looping. But the ASN also comes into play during a failover. The 5030 node uses the AS number as follows:

• In a steady, functioning state, a 5030 node prepends the ASN three times in its TEP advertisement. This creates an AS path length of three. Because it’s the only path for the TEP, it becomes the best route.

• After a failover, a 5030 node becomes the new owner of a tunnel endpoint. It advertises its ASN once, which results in a route with the shortest AS path. This causes its route advertisement to win over any preexisting, longer path advertisements because it has an AS path length of one. This route advertisement method improves network convergence time, speeding up the failover. For details, see “Why enable dynamic routing for a cluster?” on page 102.
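The following is an added example, not code from the SteelConnect guide or from Riverbed, that models the AS-path comparison described above. It assumes a constructed private ASN (65001) and a constructed TEP address (203.0.113.10/32), and it deliberately ignores the BGP best-path steps that come before AS-path length (local preference, origin, MED), since they are equal for both advertisements in this scenario.

```python
from dataclasses import dataclass
from typing import List, Tuple

PRIVATE_ASN = 65001             # constructed value in the private ASN range (64512-65534)
TEP_PREFIX = "203.0.113.10/32"  # constructed tunnel endpoint address (documentation range)


@dataclass(frozen=True)
class Advertisement:
    prefix: str
    as_path: Tuple[int, ...]
    next_hop: str  # the 5030 node currently claiming the TEP


def steady_state_advertisement(prefix: str, asn: int, node: str) -> Advertisement:
    """Healthy owner: prepend the ASN three times, giving an AS path length of 3."""
    return Advertisement(prefix, (asn, asn, asn), node)


def failover_advertisement(prefix: str, asn: int, node: str) -> Advertisement:
    """New owner after failover: advertise the ASN once, giving an AS path length of 1."""
    return Advertisement(prefix, (asn,), node)


def best_route(candidates: List[Advertisement]) -> Advertisement:
    """Shortest AS path wins.

    Real BGP compares local preference, origin, MED and more before AS-path
    length; they are equal here, so only the length matters. The next-hop name
    is used as a final tie-breaker purely for determinism (an assumption).
    """
    return min(candidates, key=lambda a: (len(a.as_path), a.next_hop))


def simulate_failover() -> dict:
    """Which node attracts TEP traffic before and after node-1 fails."""
    steady = steady_state_advertisement(TEP_PREFIX, PRIVATE_ASN, "node-1")
    before = best_route([steady]).next_hop

    # node-3 takes over the TEP. The stale node-1 route may still sit in the
    # peer's table until it is withdrawn, so both are compared; the length-1
    # path wins without waiting for the withdrawal.
    takeover = failover_advertisement(TEP_PREFIX, PRIVATE_ASN, "node-3")
    after = best_route([steady, takeover]).next_hop

    return {
        "before": before,
        "after": after,
        "path_len_steady": len(steady.as_path),
        "path_len_failover": len(takeover.as_path),
    }


if __name__ == "__main__":
    print(simulate_failover())
```

The point the model makes explicit: the new owner does not have to wait for the failed node’s route to be withdrawn, because its length-1 advertisement already beats the stale length-3 path in the peer’s table.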

Which models support data center high availability?

SCM supports box-to-box redundancy for a 5030 node paired with two other 5030 nodes.

Switch and port configuration

See “Data center gateway cluster connectivity” on page 98 for switch and port configuration.

Upgrading a data center cluster

This topic describes the firmware upgrade prerequisites for a data center cluster.

Prerequisites

Before starting the rolling upgrade, make sure each 5030 node is:


• in a healthy cluster of three or more nodes. To check the cluster health, choose Datacenters > Clusters. The cluster health status must be “Healthy.” If the cluster health status is “Unhealthy,” see “Secure overlay tunnels” on page 108.

• showing the firmware version status “Firmware upgrade,” indicating that a new firmware version has been downloaded to the appliance but the firmware version hasn’t been updated yet. To view the status, choose Appliances > Overview.

• using the option to apply firmware upgrades immediately. To verify, choose Organization and select the Maintenance tab. After Apply firmware upgrades immediately, check that the On button is green.

To upgrade a 5030 node cluster

1. Choose Datacenters > Clusters.

2. Select the cluster and select the Settings tab.

3. Select a 5030 cluster member, click the trash can icon, and click Submit to remove the node from the cluster. After the node is separated from the cluster, it reboots with the new firmware version. After a successful upgrade, the appliance status indicates that the appliance is online with an up-to-date configuration. If the appliance is online, but the status indicates that the upgrade has failed, select the 5030 node. Click Actions, select Retry Upgrade, and click Confirm. After the node is successfully upgraded, you need to add it back into the cluster.

4. Choose Datacenters > Clusters.

5. Select the cluster and select the Settings tab.

6. Select the upgraded 5030 node from the drop-down list to add it back into the cluster. All 5030 nodes in the cluster return to online status.

7. Upgrade the other 5030 nodes in the cluster, starting with step 1.


Using Applications

Overview

Applications are networked services that run in the internal network or on the internet. Application definitions are a way to attach a business relevancy to all traffic that goes through your network. A separate application definition allows you to configure multiple rules using the same application. Application definitions also let you group applications, so that you can configure and reuse a single rule for multiple applications with similar characteristics and requirements. Using an application group means that you don’t have to repeat the application definition for each rule, which can reduce the number of rules significantly. You can regulate access to applications using policy rules, as described in “Policy controls” on page 167. Because an application can act as a target or a destination in a rule, you need to add the application definition in both directions. A rule with a source IP address looks only at the source IP address, so you need to create a rule that uses the destination IP for the reverse direction. For details on rules, see “To create a traffic path rule” on page 181.

Application groups

For convenient traffic path rule and security policy creation, SCM predefines a number of application groups like Business or Web Services. When you use an application group in a traffic path rule, a single rule can handle many applications based on similar properties. For example, the Business Voice application group classifies all traffic that requires low latency and a high queue priority. Application groups simplify the configuration and minimize the number of rules needed, providing better scalability.

Upgrade Consideration

The default application groups have changed in SCM 2.0 for compatibility with SteelHead CXs. The new application groups are in effect after upgrading from SCM 1.x to 2.0. Any preexisting custom application groups remain the same after the upgrade. Five preexisting application groups were merged into new groups. If you are using preexisting application groups in an inbound or outbound security policy or a traffic path rule that contain any of these groups, you might need to create new rules to use the new group name. The following table shows the application groups merged from 1.x to 2.x.


Preexisting group                 Merged into group
Photography                       Images/Photography
Communication/IM/Email            Messaging/IM/Email
Education/Reference               News/Education/Reference
Games                             Entertainment/Games
Lifestyle/Health/Fitness          Lifestyle/Health/Fitness/Sport

To view the complete list of application groups

• Choose Applications > Groups.

Figure 14-1. Application groups page

A web category catalog is available to include sites that aren’t covered by a specific application. You can add web categories to application groups.

To view a complete list of web categories

1. Choose Applications > Groups.


2. Select an application group.

3. Select the Web categories tab for that group.

This table describes some default application groups, web categories, and sample applications, but it does not provide an exhaustive list. See the Applications Group page for the most up-to-date app groups, web categories, and apps associated with a group.

Group / Web categories / Content types / Sample applications and protocols

Group: Business
Web categories: Business / Economy; Government / Legal; Military; Political / Activist Groups; Computers / Internet; Search Engines / Portals; Job Search / Careers; Real Estate; Restaurants / Dining / Food; Travel; Vehicles; Web Applications; Web Hosting; Translation; Content Servers; Greeting Cards; Marketing Services; Ecology / Nature; Animals / Pets
Content types: Includes a wide range of applications focused on business use.
Sample applications and protocols: Captures apps such as Google Calendar, Google Maps / Google Earth, Salesforce, Wunderlist, DATEV.

Group: Images/Photography
Web categories: Open Image / Media Search; Photo Searches
Content types: Includes photo and image searches, online photo albums, digital photo exchange, and image hosting.
Sample applications and protocols: Captures applications such as Flickr, Picasa, 500px.

Group: Social Networking
Web categories: Social Networking; Personal Pages / Blogs
Content types: Includes websites that enable people to connect with others to form an online community. Instant messaging, file sharing and blogs are common features of social networking sites.
Sample applications and protocols: Captures applications such as Facebook, Twitter, Instagram, LinkedIn, Tinder, MySpace.

Group: /Media/TV
Web categories: Media Sharing; TV / Video Streams
Content types: Includes websites that allow sharing of media and have a low risk of including objectionable content such as adult or pornographic material. Also includes websites that provide streams or downloads of television, movie, webcam, or other video content that exceeds 15 minutes.
Sample applications and protocols: Captures content such as Hulu, YouTube, Sky / SkyGo, Amazon Instant Video / Lovefilm, Online TV Recorder (OTR), Maxdone, Plex Media, MyVideo, SAVE.TV, and Zattoo TV.

Application catalog

SCM provides a constantly updated catalog of public applications that are available on the internet, for example, Facebook or Salesforce. Every catalog application is assigned to a default predefined application group. The catalog provides an efficient and accurate way to identify applications for advanced classification of network traffic.

To determine the default predefined group for a specific application

1. Choose Applications > Applications Catalog.

2. Start typing the application name in the search field to narrow the list.

Custom applications

Creating a custom application means that you group together a set of criteria to match certain traffic. You define custom applications to set up access policies for internal services, or specific internet-based services. Internal applications are typically related to a registered server device or device group; however, you can also define applications based on zones, IP addresses, ports, or host/domain names.

To define custom applications

1. Choose Applications > Custom.

2. Click New Application.

3. Complete the name and description.

4. Select the application type from the drop-down list: Device, Device Group, Zones, IP/Ports, or Hostnames (Internet Only). The traffic characteristics change according to the type of application.


Target devices must be preregistered, either manually or through the self-registration portal. For details, see “To register a device” on page 217.

5. Complete the application characteristics as needed for the app type. Custom apps appear in the Custom Apps column of the Application Group page.

To create a remote desktop application for a Windows 2012 AD server in a data center

1. Select Application > Custom.

2. Click New Application.

3. Name the application RDP_AD.

4. Describe the application as RDP to Active Directory in DC.

5. Select Device as the application type.

6. Select the relevant server from the device list. For example, AD on W3K12 Server in DC.

7. Click On to limit the TCP/UDP ports.

8. Add port 3389.


9. Click Submit.

Figure 14-2. Custom application for an Active Directory server using port 3389

After defining the application, you can use it in a rule that defines the policy for internal users and devices. In this example, you define a rule to allow the laptop administrator access to the RDP Active Directory server in the data center. For details, see “Outbound and internal rules” on page 167.


Enabling Security Using Rules

How do inbound and outbound rules work?

Rules determine a secure firewall policy that regulates who you want to have access to what. Security policies can apply to the entire network, such as a single security policy to turn zone access on and off. You can also make the policy more granular to accommodate specific security needs. For example, you can create firewalled zones that require specific user permission to use specific applications.

Policy controls

Policy controls are built on two types of rules:

• Outbound/Internal Rules - Define the policy for internal users and devices accessing internal or external applications.

• Inbound (NAT) Rules - Define the policy for external (internet) access to internal applications. Inbound rules offer optional support for NAT, port translations, and an external host white list.

Outbound and internal rules

The outbound and internal rules specify a source, a target, and an action. The source can be either a special catch-all selection like all registered users, or a custom selection of user groups, device groups, individual users, individual devices, or policy tags. We recommend that you base the outbound and internal rules on user groups and device groups, and then make exceptions using policy tags. The target is either the special selector Any that matches any target, a selection of zones, or a selection of application groups and applications.


You create a rule, place it in the desired order, and select whether it’s allowed or denied.

Figure 15-1. Creating outbound rules to set a security policy

SteelConnect evaluates the rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied. If the conditions set in the rule don’t match, then the rule isn’t applied and the system moves on to the next rule. For example, if the conditions of rule 1 don’t match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted. In the list of rules, a green check mark indicates that the rule’s action is Allow and a red x indicates that the rule’s action is Deny.

To create an outbound rule to allow all users access to all zones

1. Choose Rules > Outbound/Internal.

2. Click New Policy Rule.

3. Select All (excluding guests).

4. Click Allow.

5. Under Applications / Targets, select each zone from the drop-down list.

6. Click Submit.

To create an outbound rule that blocks Facebook from a user and a device

1. Choose Rules > Outbound/Internal.

2. Click New policy rule.

3. Select the rule position.

4. Under Users/Source, choose Selected Users, Devices, Groups, or Tags.


5. Select a user. If the user isn’t already associated with a device, select a device.

Note: To link the user to the device, the MAC address for the device has to be visible to the gateway. Essentially, the gateway has to be on the same Layer 2 broadcast domain, VLAN, or zone as the device. When the gateway can’t see the MAC address, the rule doesn’t work.

6. Click Deny.

7. Under Applications / Targets, choose Selected applications or groups.

8. Select Facebook from the drop-down list.

9. Click Submit.

To create a rule that allows a laptop administrator access to the Active Directory server in the data center using port 3389

This procedure uses the custom application RDP_AD created in “Custom applications” on page 164.

1. Choose Rules > Outbound/Internal.

2. Click New policy rule.

3. Select the rule position.

4. Choose Selected Users, Devices, Groups or Tags (not supported on 5030 gateways).

5. Choose Laptop Admin.

6. Click Allow.

7. Under Applications / Targets, choose Selected applications or groups.

8. Select the custom application RDP_AD from the drop-down list.


9. Click Submit.

Figure 15-2. Rule allowing laptop administrator access to AD server in the data center
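The following is an added example, not code from the SteelConnect guide or from Riverbed, that models the first-match evaluation described in “Outbound and internal rules” using the three procedures above (allow all users to all zones, deny Facebook for one user, allow Laptop Admin to RDP_AD). The users, devices, zone names, and the MAC addresses are constructed; treating Laptop Admin as a group and treating “no matching rule” as deny (the guide says the gateways are firewalled and need rules to allow traffic) are assumptions of the model. The last function shows the ordering mistake a reviewer should look for: a broad Allow rule placed above a specific Deny rule makes the Deny unreachable.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "Any"
ALL_EXCLUDING_GUESTS = "All (excluding guests)"


@dataclass(frozen=True)
class Principal:
    """A user tied to a device; group/tag membership drives rule matching."""
    user: str
    device_mac: str
    groups: FrozenSet[str] = frozenset()
    tags: FrozenSet[str] = frozenset()
    guest: bool = False


@dataclass(frozen=True)
class Rule:
    action: str               # "Allow" or "Deny"
    sources: FrozenSet[str]   # users, devices, groups, tags, or ALL_EXCLUDING_GUESTS
    targets: FrozenSet[str]   # zones, applications, application groups, or ANY
    name: str = ""


def source_matches(rule: Rule, who: Principal) -> bool:
    if ALL_EXCLUDING_GUESTS in rule.sources:
        return not who.guest
    identities = {who.user, who.device_mac} | who.groups | who.tags
    return bool(rule.sources & identities)


def target_matches(rule: Rule, target: str) -> bool:
    return ANY in rule.targets or target in rule.targets


def evaluate(rules: List[Rule], who: Principal, target: str) -> Tuple[str, Optional[int]]:
    """Walk the ordered list; the first rule whose source and target both match decides.

    Returns (action, 1-based rule position). No match is treated as Deny
    (assumption: a firewalled gateway permits only what a rule allows).
    """
    for position, rule in enumerate(rules, start=1):
        if source_matches(rule, who) and target_matches(rule, target):
            return rule.action, position
    return "Deny", None


# Constructed sample data (names mirror the guide's procedures; MACs are fictitious).
BLOCK_FACEBOOK = Rule("Deny", frozenset({"alice"}), frozenset({"Facebook"}), "block Facebook for alice")
ALLOW_RDP = Rule("Allow", frozenset({"Laptop Admin"}), frozenset({"RDP_AD"}), "laptop admins to AD over RDP")
ALLOW_ALL_ZONES = Rule("Allow", frozenset({ALL_EXCLUDING_GUESTS}), frozenset({"Office", "Servers"}),
                       "all users to all zones")

ALICE = Principal("alice", "02:00:00:00:00:01", groups=frozenset({"Sales"}))
BOB = Principal("bob", "02:00:00:00:00:02", groups=frozenset({"Laptop Admin"}))
GUEST = Principal("guest-7", "02:00:00:00:00:99", guest=True)


def demo() -> dict:
    """Rule 1 deny, rule 2 RDP allow, rule 3 zone allow: the order the guide builds."""
    ordered = [BLOCK_FACEBOOK, ALLOW_RDP, ALLOW_ALL_ZONES]
    return {
        "alice_facebook": evaluate(ordered, ALICE, "Facebook"),
        "alice_office": evaluate(ordered, ALICE, "Office"),
        "bob_rdp": evaluate(ordered, BOB, "RDP_AD"),
        "alice_rdp": evaluate(ordered, ALICE, "RDP_AD"),
        "guest_office": evaluate(ordered, GUEST, "Office"),
    }


def demo_misordered() -> Tuple[str, Optional[int]]:
    """A catch-all Allow placed first shadows the Facebook Deny entirely."""
    allow_any = Rule("Allow", frozenset({ALL_EXCLUDING_GUESTS}), frozenset({ANY}), "allow everything")
    return evaluate([allow_any, BLOCK_FACEBOOK], ALICE, "Facebook")


if __name__ == "__main__":
    print(demo())
    print(demo_misordered())
```

Note that in `demo()` alice is denied RDP_AD not by an explicit rule but because the zone-allow rule names zones, not the application, so no rule matches; that is the behaviour to expect when a target is an application rather than a zone.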

Inbound (NAT) rules

Because the gateways use a firewalled system, you need rules to allow traffic for both outbound and inbound access. Use inbound rules to control any services you want to advertise to the internet. An inbound rule can use DNAT or full NAT, and you can also apply a port offset. Use inbound NAT when the return traffic in the zone is not routed back to the gateway. With inbound NAT, the source IP address of the inbound traffic is NATed to the IP address of the Riverbed gateway within the zone.

Note: For inbound NAT rules on SteelConnect gateways, the device providing the service must be in a zone that is local to the gateway advertising the service.

A whitelist is available to limit access to the exposed application to specific external hosts.

Example: Creating an inbound rule to allow all users access to a web server inside of your location using port 80

1. Choose Rules > Inbound/NAT.


2. Click New Inbound Rule.

3. Select an internal application.

4. Select an uplink, or several uplinks, on which to advertise the service on port 80, whether across an MPLS uplink or a public internet uplink.

5. Select the mode in which to advertise the service; for example, NAT inbound. Optionally, you can select No NAT and type a single, registered WAN IP classful address for that specific web server.

6. Turn reflection on to provide internal users access to the service from inside the local zones. Turn the external host white list on to define a list of IP hosts that are able to access the service. Specify one IPv4/IPv6 host/network or DNS hostname per line.

7. Click Submit.

Example: Creating an inbound rule to make the AD server available to the internet

This example uses the custom application RDP_AD, created in “Custom applications” on page 164.

1. Choose Rules > Inbound/NAT.

2. Click New inbound rule.

3. Select RDP_AD.

4. Select the DC uplink.

5. Select DNAT.

6. Under NAT Port mappings, select 3389 > 3389 internal.

7. Leave the NAT port offset and the external host white list off.


8. Click Submit.

Figure 15-3. An inbound rule to make the AD server available to the internet
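The following is an added example, not code from the SteelConnect guide or from Riverbed, that models what the two inbound rules above do to a packet arriving on an uplink: the port mapping (3389 > 3389 internal for RDP_AD, 80 > 80 for the web server), the difference between DNAT and inbound NAT (only the latter rewrites the source address to the gateway’s zone IP), and the external host white list with one IPv4/IPv6 host or network per line. Internal server addresses, the gateway zone IP, and the white list entries are constructed; the NAT port offset and reflection are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (allowed, new_source_ip, new_destination_ip, new_destination_port)
Translation = Tuple[bool, Optional[str], Optional[str], Optional[int]]


@dataclass
class InboundRule:
    application: str
    uplink: str
    mode: str                      # "DNAT" or "NAT inbound"
    port_mappings: Dict[int, int]  # advertised (external) port -> internal port
    internal_host: str             # server behind the gateway (constructed)
    gateway_zone_ip: str           # gateway's own IP inside the zone (constructed)
    whitelist: Optional[List[str]] = None  # None = external host white list off


def host_whitelisted(rule: InboundRule, src_ip: str) -> bool:
    """Allow when the white list is off or the source falls in a listed host/network.

    Entries are parsed as IPv4/IPv6 hosts or networks; a DNS hostname entry is
    skipped here because offline resolution is out of scope for this model.
    """
    if rule.whitelist is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    for entry in rule.whitelist:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry, not an address
        if addr in network:  # address-family mismatch yields False automatically
            return True
    return False


def translate(rule: InboundRule, src_ip: str, dst_port: int) -> Translation:
    """Apply the rule to one inbound packet and return the rewritten tuple."""
    if not host_whitelisted(rule, src_ip):
        return False, None, None, None
    if dst_port not in rule.port_mappings:
        return False, None, None, None  # port not advertised by this rule
    internal_port = rule.port_mappings[dst_port]
    # Inbound NAT hides the real client behind the gateway's zone IP so the
    # server's replies always return via the gateway; DNAT keeps the client IP.
    new_src = rule.gateway_zone_ip if rule.mode == "NAT inbound" else src_ip
    return True, new_src, rule.internal_host, internal_port


# Constructed sample rules matching the guide's two examples.
RDP_AD_RULE = InboundRule(
    application="RDP_AD", uplink="DC", mode="DNAT",
    port_mappings={3389: 3389}, internal_host="10.1.0.5",
    gateway_zone_ip="10.1.0.1", whitelist=None,
)
WEB_RULE = InboundRule(
    application="Intranet web", uplink="Internet", mode="NAT inbound",
    port_mappings={80: 80}, internal_host="10.2.0.80",
    gateway_zone_ip="10.2.0.1",
    whitelist=["198.51.100.0/24", "2001:db8::/32", "partner.example.test"],
)


def demo() -> dict:
    return {
        "rdp_from_anywhere": translate(RDP_AD_RULE, "192.0.2.55", 3389),
        "rdp_wrong_port": translate(RDP_AD_RULE, "192.0.2.55", 22),
        "web_listed_v4": translate(WEB_RULE, "198.51.100.7", 80),
        "web_listed_v6": translate(WEB_RULE, "2001:db8::1", 80),
        "web_unlisted": translate(WEB_RULE, "192.0.2.55", 80),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The RDP_AD rule, built exactly as the guide describes with the white list off, accepts any source that reaches the uplink; the white list is the control that narrows an exposed service to known external hosts, which is why the web example turns it on.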


Managing User Identities

Identifying and grouping users

SCM provides an easy and intuitive way to define network access by user identity. The Users page associates those accessing the networks with the devices they are using, providing granular and automated user-to-device assignments, with an interface in each zone. Adding users is optional. Whether you propagate user identities depends upon your policy strategy. If you require a per-user, per-device policy, we recommend populating the environment with user identities. Whereas if your policy strategy is focused on application, zone, or site, you can create a policy without referring to the individual users. Adding users and devices provides micro policy focus and usage tracking at the user level. For details on devices, see “Viewing devices” on page 217. You can also implement policy strategies based on a subset of all users such as:

• Adding key personnel - Provide key users improved visibility into the applications needed to adjust QoS and path selection.

• Creating user groups - Use the same strategy as key personnel, but enable it at a group level.

• Adjusting user and device visibility - Use application visibility to identify noncritical, nonbusiness application use during business hours across the enterprise, then drill into zones to identify target sites. With this information, you can adjust user and device level visibility as needed.

Adding users

You can identify users by name, roles, or job functions. You can add users manually or automatically populate them using directory synchronization with Windows Active Directory or Google Apps. You can perform Active Directory synchronization for corporate users in an organization, even if they are in a remote location.

Note: The SteelConnect Manager directory sync is completely separate from the SteelHead Active Directory integration for optimizing Microsoft secure protocols.

To add a user manually

1. Choose Users.

2. Click New User.


3. Type the full name of the user. The full name is required.

4. Type the user’s email address. The email address is required.

5. Optionally, type the user’s mobile phone number, starting with a + or 0.

6. Optionally, type a policy tag for use with assigning a network zone and security policies. For details, see “Creating user groups” on page 176.

7. Click Submit. The user list displays the users and their home site location, contact information, and any group, tag, and device associations. The home site specifies the location where the user will connect to the network using VPN. By default, agents connect to the default agent home site. You can optionally click the username again to associate the user’s network access rules with a different home site. Specify the home site associated with both the user account and the agent the user will dial into.

To add users automatically

1. Choose Users > Directory Sync.

2. Select Active Directory or Google Apps from the drop-down list.

3. Fill out the fields for either Active Directory or Google Apps, described below.

Windows Active Directory

Windows Active Directory performs an LDAP query for the AD users and populates them as SteelConnect users. This is a user import operation only. The system performs the query every 15 minutes. Only Active Directory users with an email address are synchronized. The user’s mobile phone number is also synchronized.

Note: You have to resynchronize when there is a change to Active Directory; there is no automatic synchronization between SCM and Active Directory.

To automatically populate users using Windows Active Directory

1. Provide an LDAP bind user with at least the backup operator’s privilege to the active directory. This sets the authorization identity used for the query.

2. Choose between using an appliance as a proxy or a secure LDAP server directly to perform the sync. Remember that when you use LDAP the sync is activated and performed from the SteelConnect Manager, so the necessary network ports must be open on the firewall to allow the connection inbound.

3. Provide the search base for your active directory. This setting is an active directory organizational unit.

4. Provide the search filter to perform the search. By default, the search looks for objects that are users and groups. For more search filter operations, go to http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx.


5. Click Submit.
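The following is an added example, not code from the SteelConnect guide or from Riverbed, covering the two search-filter points above: the shape of an LDAP filter that selects user objects with an email address (the guide says only AD users with an email address are synchronized), and RFC 4515 escaping of any value you splice into a filter so that a name containing `(`, `)`, `*` or `\` cannot change the filter’s meaning. The attribute names (`mail`, `mobile`, `displayName`, `department`) are standard AD attributes; the sample entries and the department value are constructed.

```python
from typing import Dict, Optional

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_sync_filter(extra_assertion: Optional[str] = None, require_mail: bool = True) -> str:
    """Filter for AD user objects, optionally restricted to those with a mail attribute.

    objectCategory=person plus objectClass=user selects user accounts (computer
    objects also carry objectClass=user, which is why both terms are present).
    """
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if require_mail:
        parts.append("(mail=*)")          # presence test: only users with an email address
    if extra_assertion:
        parts.append(extra_assertion)     # caller is responsible for escaping values
    return "(&" + "".join(parts) + ")"


def department_filter(department: str) -> str:
    """Narrow the sync to one department, escaping the operator-supplied value."""
    return user_sync_filter(f"(department={escape_filter_value(department)})")


def to_scm_user(entry: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Map one directory entry to the fields SCM imports; skip entries without mail."""
    mail = entry.get("mail")
    if not mail:
        return None
    return {
        "name": entry.get("displayName") or entry.get("cn"),
        "email": mail,
        "mobile": entry.get("mobile"),   # also synchronized when present
    }


# Constructed sample entries, as an LDAP client would return them.
SAMPLE_ENTRIES = [
    {"cn": "Alice Example", "displayName": "Alice Example", "mail": "alice@example.test", "mobile": "+15550100"},
    {"cn": "svc-backup", "displayName": "svc-backup"},                    # no mail: not imported
    {"cn": "Bob Example", "mail": "bob@example.test"},                      # falls back to cn
]


def import_users(entries=SAMPLE_ENTRIES):
    return [u for u in (to_scm_user(e) for e in entries) if u is not None]


if __name__ == "__main__":
    print(user_sync_filter())
    print(department_filter("Sales (EMEA)*"))
    print(import_users())
```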

Google Apps

If your organization is using a Google domain infrastructure, Riverbed is able to fetch Google domain users to allow easy integration. Users that are added to your directory on https://accounts.google.com can be created automatically on SCM. The Google Apps Sync feature polls the service and updates the users every 15 minutes. SCM fetches the user account’s email address and the user’s mobile phone number from the backend to enable them to use both methods for Portal registration. To set up Directory Sync via Google Apps, first create a Service account key via Google’s Developer Console.

To create a service account key through Google Developer Console

1. Log in to the Google Developers Console: https://console.developers.google.com

2. From the project drop-down menu, select Create a new project.

3. Choose API Manager > Social APIs > Google+ API.

4. Click Enable API.

5. In API Manager, choose Credentials from the left sidebar.

6. Select the Credentials tab.

7. Select Create credentials > Service account key.

8. Create a new service account and select a name for the new account.

9. For Key type, select JSON.

10. Click Create. The JSON key will be downloaded automatically.

To automatically populate users using Google Apps

1. In SCM, choose Users > Directory Sync.

2. Select the Setup tab.

3. Select Google Apps as the directory backend.

4. Specify your Google Apps domain name: for example, acme-inc.com.

5. Specify the email address of the user for which the application is requesting delegated access. This must be an account admin with privileges over the domain.


6. Click Browse next to Private key and select the JSON key file to upload.

7. Click Submit.

8. Select the Sync Status tab and select Sync after Operation mode.

9. Click Sync now.

Creating user groups

Groups allow two or more users to be associated so that you can apply rules collectively. Grouping minimizes the amount of rule definitions and reduces administrative overhead. A policy tag field is associated with both users and groups. It allows an additional or alternative method of grouping users. You can use tags to create a subset of a group or to tie users across different groups for the application of other policies. For example, defining policy tags is useful when you want to apply dynamic zone mapping when a user connects through a wireless network.

Note: Granular grouping of users and tagging can increase management complexity. Keep it simple; you need to be able to keep track of which rules and policies apply to a specific user.


Defining Traffic Path Rules

Balancing traffic using traffic path rules

Traffic path rules (or path selection) are a granular set of rules that balance traffic over multiple WANs: internet, RouteVPN, and MPLS. For example, in a hybrid network environment, you might want more important data like voice to traverse the MPLS private network, Salesforce traffic from your sales team to be sent directly to the internet, and all business traffic to be sent over the secure VPN. All paths are monitored by ICMP pings. If a path is down, the traffic is switched to the remaining paths.

Figure 17-1. Traffic path rules select WAN paths

Traffic path rules:

• overwrite path preference for certain types of traffic.

• overwrite QoS priorities.

• can select the best path based on path preference and path quality metrics (that is, latency, jitter, and loss).

SteelConnect performs application detection on the first packet seen by the gateway. The gateway searches for the hostname in the local DNS cache and then sends the request to the application controller server. If there isn’t a DNS entry in the cache, the IP address is used. The system checks every third packet to make sure the hostname hasn’t changed. If the hostname changes, the flow is reclassified and SteelConnect reapplies all firewall rules.

Traffic path rules are applied on the gateway side of the network where the traffic was initiated. This means that when a client creates a TCP connection to a remote server, traffic path rules apply only on the client gateway and not a second time on the server gateway. The return path is expected to use the same path as the gateway that initiated the connection. Because the remote site keeps track of where the traffic entered the gateway, it maintains path consistency based on the interface that initiated the connection.

Traffic path rules take effect on different WANs, not uplinks. For example, it isn’t possible to define traffic path rules for two internet connections because they are both on the same WAN.


Currently, all traffic rules fall through; that is, if you have an MPLS rule and it isn’t reachable, then the traffic flow falls through to the next rule until the traffic is matched. If no rule is found, then the traffic reverts to the default rule.

Note: When you create traffic path rules, they overwrite the organization internet breakout and WAN usage preferences that you set when you created an organization.

SteelConnect uses this process to make traffic balancing decisions between WANs:

1. SteelConnect decides whether the traffic is going to the internet or staying in the corporate network.

2. To steer traffic flows between WANs, SteelConnect selects which WAN (for example, MPLS, RouteVPN, or Internet) the traffic will use according to the Path Preference that you set from the first to last.

3. If a Path Quality profile is defined for a rule, path quality metrics are applied to the traffic flow. For example, if your Path Quality profile has Latency Sensitive metrics applied, the system uses latency, jitter, and loss metrics to determine the best path. If a Path Preference is specified (for example, RouteVPN and MPLS), the gateway selects from the preference order specified. If a Path Quality profile is also specified (for example, Latency Sensitive or Interactive Metrics) then the gateway chooses the best path based on measured data metrics from the paths defined in Path Preferences, except for SDI-5030 gateways, which will choose from all available paths regardless of Path Preference. If all paths are equal according to the selected Path Quality profile metrics, then path selection will fall back to Path Preference.

4. When there aren’t any traffic path rules defined, SteelConnect looks at the network default policies and internet breakout settings. It looks first at the network default policies per zone, then per site, and lastly per organization. You can use the network default policy and internet breakout settings to centrally specify a WAN preference for a traffic flow, when there is no specific traffic rule in place. For details, see “Networking defaults” on page 64.

5. After SCM selects the WAN, it chooses the uplink for the WAN. The uplink selection is when the uplink AutoVPN priority and backup only settings come into play. When there is only one uplink for a WAN, that uplink is always used. When there are multiple uplinks per WAN, which is often only the case for Internet uplinks, they are equally balanced by default with failover. You can demote uplinks to be used as a backup only. For example, you could create 3G and 4G uplinks for use as backups that should only be used if all other active uplinks on the WAN are down. For details, see “Creating uplinks” on page 85.

Configuring path quality based path selection

SteelConnect provides true path management. You can define traffic flows based on:

• Sites - Specific sites or, if not set, all sites

• Source - Zones, users, groups, and tags

• Destination - Applications, groups, and zones

• Path Preference - Specify the path preference priority for WANs. You can set more than one WAN, for example RouteVPN and MPLS, to ensure that traffic is routed through the RouteVPN first. If RouteVPN isn’t available, traffic is routed through the MPLS network.


• Path Quality - Steers traffic to the best available path based on path quality metrics: latency, jitter, and packet loss.

Path quality profiles

Path quality profiles enable you to steer traffic to the best available link based on latency, jitter, and packet loss metrics for outgoing traffic flows. Path quality picks the path with the highest path preference and best path quality based on the metrics you specify for new and existing connections. Since path selection must be performed quickly, the service uses the latest latency, jitter, and packet loss values for each tunnel and performs path selection on these. For a detailed definition of latency, jitter, and loss, see “Viewing traffic paths” on page 187.

You can specify these path quality profile options:

– None - Does not apply latency, jitter, or loss data to the given path. Instead, the system will choose the best path from all configured paths supported by the Site and Zones, regardless of whether a path preference is defined or not. The system uses path preference only when it needs to choose between equal paths.

– Latency sensitive metrics - Uses latency, jitter, and loss metrics to determine the best possible path for the traffic flow.

– Interactive metrics - Uses latency and loss data only to determine the best possible path for the traffic flow; does not use jitter data.

Note: If you previously set Path Quality override on a prior release of SteelConnect, then the Latency Sensitive metrics option is applied to these legacy traffic path rules.

Threshold buckets

Paths are grouped together using five quality threshold buckets, where the worst packet metric is used to calculate the best available path. The path or uplink is mapped to a bucket and, based on this mapping, traffic or flows are steered to the best available path or uplink. This path is determined out of two or three metrics, depending on the setting you have chosen (for example, Interactive has two metrics: latency and loss, whereas Latency sensitive uses latency, jitter, and loss).

New flows Threshold Buckets

Metric     Bucket 0     Bucket 1      Bucket 2      Bucket 3      Bucket 4
Latency    0-49 ms      50-149 ms     150-499 ms    500-799 ms    >= 800 ms
Jitter     0-6 ms       7-14 ms       15-29 ms      30-49 ms      >= 50 ms
Loss       0.0-0.4%     0.5-0.6%      0.7-1.4%      1.5-1.9%      >= 2.0%

For example:

• Link 1 has 49 ms latency but 16 ms jitter, so Link 1 is in Bucket 2.

• Link 2 has 70 ms latency and 7 ms jitter, so Link 2 is in Bucket 1.

Traffic classified by a path rule that has Link 1 and Link 2 as candidates will go through Link 2, because it cumulatively has the least bad metrics.


Existing flows Threshold Buckets

Metric     Bucket 0     Bucket 1      Bucket 2      Bucket 3      Bucket 4
Latency    0-99 ms      100-199 ms    200-599 ms    600-999 ms    >= 1000 ms
Jitter     0-11 ms      12-19 ms      20-29 ms      30-74 ms      >= 75 ms
Loss       0.0-0.6%     0.7-0.9%      1.0-1.9%      2.0-2.9%      >= 3.0%

Once a path is selected by the system, the traffic remains on that path and will not seek a better path until the current path degrades. If traffic lands on the worst path (that is, the last threshold bucket), the system seeks a better path. However, if traffic lands in any other intermediary threshold bucket, it will remain there and not seek a better path until the current path degrades. SteelConnect rebalances the flow if path quality drops below a certain threshold (which is lower than the new connection threshold) and allows path selection to choose a more suitable path. If the original path recovers, traffic isn’t moved back to that path, except for the SteelConnect SDI-5030 gateway.

Path quality profile is off by default (that is, None). If you select a profile, it affects traffic in that traffic path rule only. If a path preference is specified (for example, RouteVPN and MPLS), the gateway selects from the preference order specified. If a path quality profile is also specified (for example, Latency Sensitive or Interactive Metrics), then the gateway chooses the best path based on measured data metrics from the paths defined in path preferences, except for SDI-5030 gateways, which will choose from all available paths regardless of path preference. If all paths are equal according to the selected path quality profile metrics, then path selection will fall back to path preference. Path quality profiles are only in effect if a path preference is specified, instructing gateways to direct traffic over the selected paths and ignore paths that are not specified, even if they would provide better path quality, except for SDI-5030 gateways, which will always choose from all available paths regardless of path preference.

Path quality is available only on overlay networks (that is, RouteVPN and additional WANs with encryption turned on). If encryption is turned off for the WAN but path quality is enabled, then the WAN will only be used if the other paths are down (that is, it falls back to availability based detection).
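The following is an added example, not part of the guide or Riverbed's software, that models the threshold bucket tables and the selection rules described above: a path's bucket is its worst metric bucket among the metrics the profile uses, the best bucket wins for new flows with path preference breaking ties, unencrypted WANs are used only when the measured paths are down, and an existing flow is moved only when it reaches the worst bucket under the looser existing-flow thresholds. The Path class, the function names and the sample links are constructed for the example; the SDI-5030 and encryption behaviour follows the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Upper bound of buckets 0..3 for each metric, taken from the guide's tables;
# any value above the last bound falls into bucket 4 (the worst bucket).
NEW_FLOW_THRESHOLDS = {
    "latency": (49, 149, 499, 799),   # ms
    "jitter": (6, 14, 29, 49),        # ms
    "loss": (0.4, 0.6, 1.4, 1.9),     # percent
}
EXISTING_FLOW_THRESHOLDS = {
    "latency": (99, 199, 599, 999),
    "jitter": (11, 19, 29, 74),
    "loss": (0.6, 0.9, 1.9, 2.9),
}
WORST_BUCKET = 4

# Metrics each path quality profile evaluates (Interactive ignores jitter).
PROFILE_METRICS = {
    "latency_sensitive": ("latency", "jitter", "loss"),
    "interactive": ("latency", "loss"),
}


@dataclass
class Path:
    name: str
    wan: str                 # WAN the tunnel belongs to, e.g. "RouteVPN" or "MPLS"
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    encrypted: bool = True   # path quality is only measured on encrypted overlays
    up: bool = True          # availability as reported by the ICMP path monitor


def metric_bucket(value: float, bounds: Sequence[float]) -> int:
    """Map a single metric value to its bucket 0-4 using the bucket upper bounds."""
    for bucket, upper in enumerate(bounds):
        if value <= upper:
            return bucket
    return WORST_BUCKET


def path_bucket(path: Path, profile: str, thresholds: Dict[str, Sequence[float]]) -> int:
    """A path's bucket is the worst bucket among the metrics the profile looks at."""
    values = {"latency": path.latency_ms, "jitter": path.jitter_ms, "loss": path.loss_pct}
    return max(metric_bucket(values[m], thresholds[m]) for m in PROFILE_METRICS[profile])


def select_path(paths: List[Path], preference: List[str],
                profile: Optional[str] = None, sdi5030: bool = False) -> Optional[Path]:
    """Choose the path for a new flow.

    preference: ordered WAN names, most preferred first.
    profile: None, "latency_sensitive" or "interactive".
    sdi5030: that gateway model considers all paths regardless of preference.
    """
    def pref_rank(p: Path) -> int:
        return preference.index(p.wan) if p.wan in preference else len(preference)

    candidates = [p for p in paths if p.up]
    if preference and not sdi5030:
        # Paths outside the preference list are ignored even if they measure better.
        candidates = [p for p in candidates if p.wan in preference]
    if not candidates:
        return None
    if profile is None:
        # No profile: preference order alone decides.
        return min(candidates, key=pref_rank)
    # With a profile, an unencrypted WAN is used only if every measured path is down.
    measured = [p for p in candidates if p.encrypted]
    if not measured:
        return min(candidates, key=pref_rank)
    # Lowest bucket wins; path preference only breaks ties between equal buckets.
    return min(measured, key=lambda p: (path_bucket(p, profile, NEW_FLOW_THRESHOLDS), pref_rank(p)))


def needs_rebalance(current: Path, profile: str) -> bool:
    """An existing flow stays on its path unless that path goes down or degrades into the
    worst bucket, judged against the looser existing-flow thresholds."""
    if not current.up:
        return True
    return path_bucket(current, profile, EXISTING_FLOW_THRESHOLDS) == WORST_BUCKET


if __name__ == "__main__":
    # Constructed sample matching the guide's worked example (loss values are assumed).
    link1 = Path("Link 1", "RouteVPN", latency_ms=49, jitter_ms=16, loss_pct=0.0)
    link2 = Path("Link 2", "MPLS", latency_ms=70, jitter_ms=7, loss_pct=0.0)
    chosen = select_path([link1, link2], ["RouteVPN", "MPLS"], "latency_sensitive")
    print(chosen.name)  # Link 2: bucket 1 beats Link 1's bucket 2 despite the preference order
```

With the Interactive profile the same two links pick Link 1, because jitter is no longer counted and Link 1's latency sits in bucket 0.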

QoS priority

The QoS priority sets a differentiated services code point (DSCP) value on the traffic path rule. A DSCP value is a packet header mark that indicates the level of service requested for traffic, such as high-priority or low-priority delivery. If QoS on the gateway is enabled, then QoS classification and shaping are enforced. You set the QoS priority on the traffic path rule before you configure QoS on the gateway. For details about configuring QoS on the gateway, see “Configuring QoS” on page 195. The QoS priority sets the DSCP value and shapes traffic. You have these options:

• Automatic - No DSCP change. If you want a rule with only a path preference, select Automatic.

• Custom - Sets the DSCP value to a user defined value.


• Urgent - Sets the DSCP value to 46 for Latency Sensitive traffic.

• High - Sets the DSCP value to 30 for traffic.

• Normal - Sets the DSCP value to 0 for Best Effort traffic.

• Low - Sets the DSCP value to 8 for Background traffic.

The system looks at traffic path rules on DSCP first and then QoS for gateways. Traffic path rules and QoS work independently, but they work together if both are enabled. If you have QoS enabled but not traffic path rules, QoS will use the DSCP values as set by the client and server. Any upstream router only sees the overwritten value. When you specify a custom DSCP value, the system honors the QoS class from the traffic path rule; otherwise, it uses the QoS class from the packet.

To create a traffic path rule

1. Choose Rules > Traffic path rules.

2. Click New path rule.

Figure 17-2. Creating a traffic path rule

3. Select the position for the rule: Top, Bottom, or After rule #.

4. Optionally, under Site scope, click the search box and select one or more sites from the list to limit the rule to particular sites. If you don’t select a specific site, your rule applies to all sites.

5. Under Users/Source, select a source from the drop-down list (not supported on SDI-5030 gateways).

– All, Registered Users and Devices, and Guests apply globally to these sources.


– Selected zones, classic VPN remote networks, users, devices, and groups or tags, apply to selected sources. You can select multiple zones, users, devices, groups, or tags.

6. Under Application/Target, select a target destination from the list. You have these choices:

– Selected applications or groups - Start to type the application or application group name in the text box, and then select it from the drop-down menu of the available applications and application groups. For example, you could steer all Facebook traffic using this choice.

– Selected zones - For example, you can restrict traffic to particular zones using this option.

– DSCP values - You might want to create a path based on a DSCP marking.

– Any - Apply the rule to all applications.

7. Under Path preference, select the WAN path, for example: Internet, MPLS, or RouteVPN. Select more than one WAN path to ensure traffic is routed to your next path preference if your first choice is unavailable.

8. Under Path Quality profile, select one of the following options to override the specified path preference based on latency metrics (that is, latency, jitter, and loss):

– None - Does not apply latency, jitter, or loss data to the traffic path. Path preference is used to determine the best possible path for the traffic flow.

– Latency sensitive metrics - Uses latency, jitter, and loss metrics to determine the best possible path for the traffic flow.

– Interactive metrics - Uses latency and loss data only to determine the best possible path for the traffic flow; does not use jitter data.

9. Optionally, specify a Custom DSCP value or one of the four QoS classes: Urgent, High, Normal, Low. If you want a path rule with only a path preference, leave the setting at Automatic.

10. Click Submit.

Editing traffic path rules

You can edit path rules by clicking the control you want to edit in the Traffic path rules pane, for example:

• Click the traffic path controls (that is, On/Off, Sites, Path preference, Path selection profile, or QoS priority) to display the Edit path rule pane.

• Click the source or destination controls (that is, Users/Source or Applications/Target) to display the corresponding panes for the selected control. For example, if you have chosen an application group, the Application Groups page allows you to delete particular applications from the group. If you specified a DSCP value as the destination/target, you can modify the value in the Edit path rule pane.

Note: SteelConnect reevaluates traffic flows after a traffic rule changes and adjusts path selections accordingly.


To edit traffic path controls

1. In the Traffic path rules pane, click the On/Off, Sites, Path preference, or QoS priority control to display the Edit path rule pane.

Figure 17-3. Editing path controls

2. Edit the control and click Submit.

To edit Users/Source or Applications/Target controls

1. In the Traffic path rules pane, click either of these controls to display their respective pages. For example, click Applications/Target to display the Application Groups page.

Figure 17-4. Editing applications or application groups

2. Delete the application you want removed from the group and click Submit.

3. To return to the Traffic path rules pane, choose Rules > Traffic path rules.

Deleting traffic path rules

You can delete a traffic path rule by clicking the rule in the Traffic Path Rules list and selecting Delete from the Actions drop-down list.


To delete a traffic path rule

1. In the Traffic path rules pane, click the rule you want to delete to expand the page.

Figure 17-5. Deleting a path rule

2. In the right pane, click Actions and select Delete this rule.

3. Click Confirm.

Traffic path policy example

Suppose you have a salesperson named Ryan. Ryan does most of his sales using the phone and email, and he records all of his sales data in Salesforce.com. We want to create a traffic policy that applies to all sites and that ensures:

• Ryan’s Messaging/IM/Email communication traffic is sent over the MPLS with a QoS priority of High and a path quality profile that applies metrics for latency, jitter, and loss.

• Ryan’s sipgate VoIP traffic is sent via the RouteVPN with a QoS priority of Urgent and a path quality profile that applies metrics for latency, jitter, and loss.

• Ryan’s Salesforce.com traffic is sent via the Internet without a QoS priority or a path quality profile.

To create a traffic path policy

1. Choose Rules > Traffic path rules.

2. Click New path rule.

3. Under Position, select Top.

4. Under Users/Source, select Selected Users, Devices, Groups or Tags from the drop-down list.

5. Click the search box and select Ryan salesperson from the drop-down list.

6. Under Applications/Target, select Selected applications and groups from the drop-down list.

7. Click the search box, and type the first few letters of the application: for example, mess for Messaging/IM/Email.

8. Under Path preference, click the search box, select MPLS, and then select RouteVPN as the secondary rule. Path quality based path selection relies on having a failover path that provides better service quality if the first one becomes degraded.


9. Under Path Quality profile, select Latency Sensitive metrics to override the path preference based on latency, jitter, and loss.

10. Under QoS priority, select High from the drop-down list.

11. Click Submit.

Figure 17-6. Path rule to set a traffic policy

You’ve completed your first path rule that ensures that all Messaging/IM/Email traffic is routed over the MPLS with a QoS priority of High.

12. Click New path rule.

13. Under Position, select After Rule #1.

14. Under Users/Source, select Selected Users, Devices, Groups or Tags from the drop-down list.

15. Click the search box and select Ryan salesperson from the drop-down list.

16. Under Applications/Target, select Selected applications and groups from the drop-down list.

17. Click the search box, and type the first few letters of the application; for example, sip for sipgate VoIP.

18. Under Path preference, click the search box, select RouteVPN, and then select MPLS as the secondary rule. Path quality based path selection relies on having a failover path that provides better service quality if the first one becomes degraded.

19. Under Path Quality profile, select Latency Sensitive metrics to override the path preference based on latency, jitter, and loss.


20. Under QoS priority, select Urgent from the drop-down list.

21. Click Submit.

Figure 17-7. Path rule to set a traffic policy for VoIP

You have created a second path rule that applies to all sites where sipgate VoIP traffic is routed over the VPN with a QoS priority of Urgent.

22. Click New path rule.

23. Under Position, select After Rule #2.

24. Under Users/Source, select Selected Users, Devices, Groups or Tags from the drop-down list.

25. Click the search box and select Ryan salesperson from the drop-down list.

26. Under Applications/Target, select Selected applications and groups from the drop-down list.

27. Click the search box, and type the first few letters of the application; for example, sales for Salesforce.com.

28. Under Path preference, click the search box and select Internet.

29. Under Path Quality profile, select None. The Salesforce.com traffic is sent via the Internet without a path quality profile that applies latency sensitive metrics.

30. Under QoS priority, select Automatic from the drop-down list. The Salesforce.com traffic is sent via the Internet without a QoS priority.


31. Click Submit.

Figure 17-8. Path rule to set a Salesforce traffic policy

You’ve created a final rule that ensures that the Salesforce.com traffic is sent over the internet and doesn’t have a QoS priority. Your traffic policy appears as shown in Figure 17-9.

Figure 17-9. Complete traffic policy for a salesperson

Viewing traffic paths

You can view whether a path is up or down after clicking a site marker in the dashboard. A green line indicates that the VPN tunnel is successfully established. A red dashed line indicates that the VPN tunnel can’t be established. The lines automatically update if problems arise. For details on the dashboard, see “Viewing your topology” on page 51.


Monitoring path quality

SteelConnect measures the health and connectivity of a VPN tunnel between two sites by collecting information about VPN endpoints. These measurements provide important information about your VPN deployment. Path quality reports metrics on established and functional tunnels. A path quality status window reports on key metrics such as tunnel latency, jitter, packet loss, and throughput. By default, path quality measures tunnel statistics every second or 64 packets transmitted and sends them to SCM every minute.

To view path status

• On the dashboard map, click a site marker.

• Click a green line indicating a path. A status window displays real-time tunnel statistics for the selected path. When appliances at the two sites are using multiple uplinks and multiple WANs, information about all of the tunnels appears.

Figure 17-10. Monitoring path quality

The path status includes this information:

• Outbound and inbound throughput - Displays the total throughput levels and the total one-way throughput levels for each QoS class. The class metrics appear side-by-side for immediate comparison. Path quality calculates the throughput by sampling both encrypted and decrypted packets and subtracting any retransmitted packets from the total, known as TCP goodput. For details on the QoS classes, see “How does QoS for gateways work?” on page 195.


• Path quality metrics - Displays path quality metrics: latency, jitter, and packet loss. For all quality measurements, a low value is best.

• Latency - Measures the amount of delay (in bits per second) for a packet traveling from one site to another and back again, known as round-trip time (RTT).

• Jitter - Measures any change in one-way packet delay. When the exact amount of delay occurs from one site to another, there is zero jitter. When the delay is inconsistent, jitter is the amount of delay that varied from previous measurements. Jitter is most likely to occur on either slow or heavily congested links.

• Packet Loss - Measures any one-way packet loss. Any number indicates a possible problem.

Note: Click the double arrows in the top left corner of the status window to see tunnel statistics in the reverse direction.


Connecting a SteelHead with a Gateway

SteelHead compatibility

SteelConnect and SteelHead integrate with an automatic and seamless service chain for SD-WAN and WAN optimization, providing SD-WAN to the SteelHead CX xx70s and WAN optimization to SteelConnect users. The combined products provide a smooth transition from WAN optimization to hybrid networking to SD-WAN. One of the powerful features of a SteelConnect gateway is its ability to steer applications over a preferred path, as described in “Balancing traffic using traffic path rules” on page 177. A SteelConnect gateway and a client-side SteelHead CX deployed on a local network work together to identify, classify, and steer traffic flows. The SteelHead CX optimizes connections, classifies the traffic, and sends application identification information to the gateway. The gateway selects a traffic path based on the application ID provided by the SteelHead CX and steers the traffic over the selected path.

Figure 18-1. Gateway and SteelHead CX branch deployment communication

Intelligent path selection is one of the primary benefits of a gateway working with a SteelHead CX xx70. Other benefits include:

• SaaS/cloud acceleration on the SteelHead CX

• WAN optimization with SDR (data compression) on the SteelHead CX

• Web proxy on the SteelHead CX

• Visibility of SteelHead CX optimized traffic across the local network

• Touchless LAN-side SteelHead CX and SCM gateway discovery and connection

• Support for multiple LAN-side SteelHead CXs in a physical in-path deployment

By default, SteelConnect compatibility is disabled on the SteelHead CX and disabled globally for an organization in the SteelConnect Manager. SteelHead compatibility must be enabled on both appliances for autodiscovery. You can disable SteelHead compatibility on a specific gateway within an organization.


To enable SteelConnect compatibility on a SteelHead CX automatically

• Enter the Riverbed command-line interface (CLI) command:

steelhead steel-connect compatibility enable

You can enable or disable SteelHead compatibility for a specific gateway. For details, see “Enabling SteelHead compatibility on the gateway automatically” on page 193. For details on SteelHead CX CLI commands, see the Riverbed Command-Line Interface Reference Manual. For details on the SteelHead CX xx70, see the SteelHead User’s Guide.

The SteelHead gateway connection

A SteelConnect gateway is compatible with a physical or virtual in-path SteelHead CX when the gateway is running SCM 2.5 or later and the SteelHead CX is running RiOS 9.5 or later. The SteelConnect gateway watches for marked SYN packets from a SteelHead CX. After it sees one, it polls the SteelHead CX for availability. When the SteelHead CX receives a poll from a compatible SteelConnect gateway in the network path, the two appliances form a persistent TCP connection monitored by a heartbeat. The appliances discover each other and connect automatically using a TCP JavaScript Object Notation (JSON) control channel.

After the SteelHead CX connects with a gateway, it uses the Network Services Header (NSH) protocol to send generic routing encapsulated (GRE) metadata to the gateway on the inner connection between the appliances. The metadata preserves the client and server IP address and port numbers in the TCP/IP header fields for optimized traffic in both directions across the WAN. When the gateway receives the encapsulated metadata, it deencapsulates it and selects the best path based on the application information received.

The SteelHead CX and SteelConnect gateway connection automatically disables path selection on the SteelHead CX, and it enables path selection on the SteelConnect gateway. In addition, enabling SteelHead compatibility on the SteelHead automatically turns on application inspection and identification. For details, see “Balancing traffic using traffic path rules” on page 177. If the SteelHead CX connection is lost, the gateway tries to reconnect three times and logs the messages for each attempt. It will try to connect again when it receives another probe from the same SteelHead CX.

Firewalls need to allow the Riverbed TCP option probe

For the SteelHead CX to connect with a gateway, firewalls need to allow Riverbed TCP options. The SteelHead CX can’t locate a gateway if a firewall strips out the TCP options from optimized packets. You can configure the firewall to ignore or prevent stripping out the TCP option. The Riverbed Support site has Knowledge Base articles that show example configurations to allow discovery through different firewall types.

How does the gateway classify traffic flows?

When the gateway receives metadata about traffic flows from the SteelHead CX, it classifies them based on the current available information. It updates classification decisions based on any new information it receives. The gateway processes traffic flows as follows:


• When the gateway receives the application ID for the optimized connection, it uses it to classify the traffic flow according to the traffic path rules.

• When the gateway has no information about the optimized connection, the traffic flow reverts to the default traffic path rule. The default rule is a catch-all rule that you can edit to fit your needs. See “To create a traffic path rule” on page 181.

SteelHead compatibility limitations

These limitations apply to SteelHead compatibility deployments:

• SteelHead Interceptor deployments are not supported.

• When the SteelHead uses fixed-target rules, WAN optimization works fine; however, the SteelHead can’t apply traffic rules because the gateway doesn’t have visibility into the flow.

Enabling SteelHead compatibility on the gateway automatically

By default, SteelHead compatibility is enabled globally for an organization; this topic explains how to reenable it after it has been disabled.

To enable SteelHead compatibility on a gateway automatically

1. Choose Network Design > Sites.

2. Select the SteelHead Compatibility tab.

Figure 18-2. Enabling gateway and SteelHead communication

3. Click On.

4. Click Submit.

Viewing SteelHead connections

After connecting a gateway with a SteelHead, you can view the event log to see more detail regarding when the LAN-side SteelHeads are connected and communicating (or when the connection is dropped).


To view SteelHead connection events

• Select Visibility > Event Log, or click the up arrow at the bottom of the screen and select the Events tab.

Figure 18-3. Event log reports connect and disconnect events

On the SteelHead, events such as the gateway connecting with the SteelHead appear in the user log. For details, see the SteelHead User’s Guide.


Configuring QoS for Branch Gateways

Configuring QoS

QoS for branch gateways is a per-uplink traffic shaper for inbound and outbound traffic. SteelConnect provides an easy-to-use queue management system for inbound and outbound traffic. With QoS for branch gateways:

• there are no classes to configure.

• you set the bandwidth with a fixed value.

SteelConnect looks for the differentiated services code point (DSCP) marking on traffic as it comes into the SteelConnect gateway. This marking can be the DSCP value that you set in the traffic path rules using SCM or the DSCP value that you set using another device, such as a SteelHead appliance, LAN switch, VoIP phone, or router. For details on setting the DSCP value in traffic path rules using SCM, see “QoS priority” on page 180. SteelConnect uses this DSCP value to enforce QoS classification and shaping.

Note: The SDI-5030 data center gateway doesn’t provide QoS enforcement; however, it does support QoS marking.

How does QoS for gateways work?

QoS for gateways uses the common applications kept enhanced (CAKE) scheduler. CAKE uses an advanced fair queue mechanism that distributes bandwidth while considering packet delays. CAKE is a connection-based system that tracks latency on each connection or traffic flow rather than bandwidth per class. CAKE is not a typical traffic shaper or policer: it tries to give each traffic flow a fair share of the traffic. It does not allow fat flows to take up the whole circuit. CAKE is purposely built for internet-based uplinks so it is ideal for dynamic WAN throughput. CAKE automatically adjusts to traffic changes throughout the day, providing increased bandwidth when a traffic flow requires it and less bandwidth if the traffic flow slows down. CAKE also avoids excessive buffering, which can lead to a bad user experience. For details on CAKE, go to https://www.bufferbloat.net/projects/codel/wiki/Cake/.

The CAKE scheduler dynamically places traffic flows in these traffic class queues for mapping enforcement:

QoS class                            | Example of traffic type | DSCP values
Latency Sensitive - 25% bandwidth    | VoIP                    | Class Selector (CS)7, CS6, CS5, CS4, Expedited Forwarding (EF), Voice Admit (VA)
Streaming Media - 50% bandwidth      | Video                   | Assured Forwarding (AF)4x, AF3x, AF2x, CS3, CS2, TOS4, TOS1
Best Effort - 100% bandwidth         | MAPI                    | CS0, AF1x, Type of Service (TOS)2, or if the DSCP value isn’t specified
Background Traffic - 6.25% bandwidth | YouTube                 | CS1

Note: The DSCP standards for QoS have been specified and respecified many times; for the latest standards, see RFC 2474, RFC 3168, RFC 3260, and RFC 5865.

According to Bufferbloat.net, CAKE implements soft admission control, making it robust against starvation attacks relying on strict priority that otherwise would be easy to trigger by accident. If a traffic class (including all traffic in higher classes than itself) exceeds its bandwidth threshold, it is demoted in priority until it falls below the threshold again. Thus, if there is no competing traffic, any traffic class can use the full link bandwidth, but it is always possible for new traffic in a different class to start up. For more information, go to https://www.bufferbloat.net/projects/codel/wiki/CakeTechnical/.
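The classification table and the soft admission rule above, as an added example that is not Riverbed or CAKE code. It maps DSCP codepoints to the four classes of the table and models admission control as a two-stage share of the uplink: each class is served by priority only up to its threshold, and load beyond a threshold is demoted and shares what is left. The model is deliberately simplified (steady offered load, no per-flow queuing) and the reading of TOSn as DSCP value n is an assumption.

```python
"""Added example, not Riverbed or CAKE code. Classify a DSCP codepoint into the
four CAKE classes of the guide's table and model CAKE's soft admission control
as Bufferbloat.net describes it: a class whose load exceeds its threshold loses
its priority, so no class can starve the others, but any class may use the
whole link when nothing else competes. Thresholds are the table's percentages."""

# Classes in priority order (highest first) and their bandwidth thresholds
# expressed as a fraction of the shaped uplink rate.
CLASSES = ("Latency Sensitive", "Streaming Media", "Best Effort", "Background Traffic")
THRESHOLD = {"Latency Sensitive": 0.25, "Streaming Media": 0.50,
             "Best Effort": 1.00, "Background Traffic": 0.0625}


def _cs(n):
    """Class Selector n is DSCP n * 8 (the three IP Precedence bits)."""
    return n << 3


def _af(cls, drop):
    """Assured Forwarding AFxy is DSCP 8 * x + 2 * y."""
    return (cls << 3) | (drop << 1)


# DSCP -> class, built from the table. EF is 46 and VA is 44 (RFC 5865).
# Assumption: "TOSn" means the legacy ToS bit n, i.e. DSCP value n once the
# ToS byte is shifted right by 2 (TOS4 = 4, TOS2 = 2, TOS1 = 1).
DSCP_CLASS = {}
for cp in (_cs(7), _cs(6), _cs(5), _cs(4), 46, 44):
    DSCP_CLASS[cp] = "Latency Sensitive"
for cp in [_af(c, d) for c in (4, 3, 2) for d in (1, 2, 3)] + [_cs(3), _cs(2), 4, 1]:
    DSCP_CLASS[cp] = "Streaming Media"
for cp in [_cs(0)] + [_af(1, d) for d in (1, 2, 3)] + [2]:
    DSCP_CLASS[cp] = "Best Effort"
DSCP_CLASS[_cs(1)] = "Background Traffic"


def classify(dscp):
    """Return the CAKE class for a 6-bit DSCP value; unlisted codepoints are Best Effort."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return DSCP_CLASS.get(dscp, "Best Effort")


def classify_tos_byte(tos):
    """Classify from the full IPv4 TOS / IPv6 Traffic Class byte (DSCP is its top 6 bits)."""
    return classify((tos & 0xFF) >> 2)


def demoted(demand):
    """Classes whose offered load exceeds their threshold and so lose their priority."""
    return [c for c in CLASSES if demand.get(c, 0.0) > THRESHOLD[c] + 1e-12]


def allocate(demand):
    """Share the uplink (1.0) among classes; demand maps class -> offered load fraction."""
    share = {c: 0.0 for c in CLASSES}
    left = 1.0
    # Stage 1: strict priority, but each class is admitted only up to its threshold,
    # so a burst of high-priority traffic cannot lock out the classes below it.
    for c in CLASSES:
        take = min(demand.get(c, 0.0), THRESHOLD[c], left)
        share[c] += take
        left -= take
    # Stage 2: demoted load competes for the remainder; it is split in proportion
    # to the thresholds and refilled until the link or the demand is exhausted.
    while left > 1e-12:
        unmet = {c: demand.get(c, 0.0) - share[c]
                 for c in CLASSES if demand.get(c, 0.0) - share[c] > 1e-12}
        if not unmet:
            break
        weight = sum(THRESHOLD[c] for c in unmet)
        given = 0.0
        for c, need in unmet.items():
            take = min(need, left * THRESHOLD[c] / weight)
            share[c] += take
            given += take
        left -= given
    return share


if __name__ == "__main__":
    # Constructed scenario: EF-marked traffic offers 90% of the link while ordinary
    # Best Effort traffic offers 50%. Strict priority would leave Best Effort 10%;
    # with soft admission the EF burst is capped at 25% first and Best Effort keeps 50%.
    flood = {"Latency Sensitive": 0.9, "Best Effort": 0.5}
    print(classify(46), classify_tos_byte(0xB8))   # Latency Sensitive twice
    print(demoted(flood))                          # ['Latency Sensitive']
    print(allocate(flood))                         # Best Effort 0.5, Latency Sensitive 0.5
```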

How do you assign traffic a DSCP value?

Only DSCP marked traffic is placed in the QoS priority queues. Traffic must have a DSCP marking value for QoS traffic to be classified and shaped. You can mark traffic with a DSCP value using:

• SCM when you create traffic path rules. For details, see “To create a traffic path rule” on page 181.

• the SteelHead appliance QoS feature. For details, see the SteelHead Deployment Guide.

• a switch, VoIP phone, or router.

Enabling QoS on uplinks

To enable QoS on outbound traffic

1. Choose Network Design > Uplinks to display the Uplinks.

2. Click the uplink that you want to configure to expand the page.

3. Click the QoS tab to display Outbound and Inbound options.

4. Under Outbound Quality of Service (QoS), click On.

5. Under Bandwidth, specify an upper bandwidth value. For the best results, we recommend you use a slightly lower value than what is allocated by your service provider. Click the arrows on the right side to increase or decrease the value in the text box.

6. Select either Mbits/sec or Kbits/sec.

7. Click Submit.

To enable QoS on inbound traffic

1. Choose Network Design > Uplinks to display the Uplinks.

2. Click the uplink that you want to configure to expand the page.

3. Click the QoS tab to display Outbound and Inbound options.

4. Under Inbound Quality of Service (QoS), click On.

5. Under Bandwidth, specify an upper bandwidth value. For the best results, we recommend you use a slightly lower value than what is allocated by your service provider. Click the arrows on the right side to increase or decrease the value in the text box.

6. Select either megabits per second or kilobits per second.

7. Click Submit.

Network Visibility

A clear picture of your network

Do you know exactly what’s in your network, even if it’s not passing through a gateway? Every device, at every office, right now? When was the last time you mapped it? Are you constantly dealing with users bringing in new devices? Are contractors doing work in your offices or your network room? Has someone plugged something in that they shouldn’t have? Do you know what devices are consuming the most traffic? Visibility is crucial to security. You absolutely can’t protect what you don’t know about. With SCM, you always have a clear picture of your network. By deploying a centrally managed system of products designed from the ground up to work together, you are able to see everything. SteelConnect Manager provides total visibility into your network. Use the Visibility page to read logs, view a history of the DHCP server IP address assignments, see if and where traffic was blocked, and also generate user reports.

Managing network devices and workflow

SCM allows, but does not force, management of multiple network devices. A device is anything with a MAC address. A device differs from a SteelConnect appliance, which can be a gateway, switch, or access point that connects to SCM. SCM automatically detects new devices. You’ll know which devices are connected to your company, networkwide, in real time. You’ll instantly be made aware of new devices, and you’ll be able to see where each device goes and who it belongs to. Complete device management is the foundation for policy controls, because it enables you to apply policy rules to devices instead of IP networks or zones. See “Viewing devices” on page 217. Network visibility provides this information to manage network workflow:

• An activity log by user and application

• DHCP address assignment

• IP address by user

• IP address by device

• User location and WiFi information

• Full visibility into what’s occurring in the network, in real time

• Any blocked connections

• A list of unknown, detected devices with their OS, vendor, and owner information, if it’s available

To view unregistered devices

• Choose Devices > Unregistered. The console shows all the unregistered devices. You can then configure and assign devices to users or groups of users.

To view an inventory of all registered devices on the network

1. Choose Devices.

2. Click a device to view its user, location, IP address, and so on.

To view all network users

• Choose Users.

• You can search by name to view all devices owned by a particular user.

• You can allow users to add their own devices that use a predefined and preapproved security policy.

To view a traffic timeline

1. Choose Visibility > Traffic Timeline.

Figure 20-1. The traffic timeline provides network visibility

The timeline shows you everything that happened today in the network for a particular site or companywide.

2. Filter to view all the traffic for your headquarters, all the devices, and all the hosts accessed during the day.

3. To view activity by application groups, such as all social networking activity, choose the group: for example, Social Networking.

4. To view a certain slice of the day to identify the cause of traffic spikes or other anomalies, click the traffic activity graph. Click and drag the mouse to select multiple slices.

Viewing the event log

You can use the event log to track a number of events occurring across a network; for example, you can track exactly which user has done what at what time, or you can monitor the link state for online appliances. The event log reports on events approximately every 5 seconds. The event log does not receive events while an appliance is offline.

To view configuration changes

• Select Visibility > Event Log.

Figure 20-2. The event log tracks administrator activity and appliance link state

A log displays all activity performed by system administrators in any office and in any location. The event log conveys a lot of information about events SCM is detecting. The best way to narrow the log is to use the search field.

Note: Because a tunnel is always bidirectional, the log message “AutoVPN tunnel between X and Y came online” also means the tunnel between Y and X came online.

Viewing site status

The Troubleshooting page shows all sites belonging to an organization. You can use this page to troubleshoot a gateway.

To view gateway status

1. Select Visibility > Troubleshooting.

Figure 20-3. Gateway troubleshooting

2. Select at least one site.

• Click the search box for a list of sites and select a site from the list.

3. Select the Gateways tab.

Figure 20-4. Gateways by site

The page lists all gateways for a particular site. You can select a gateway to pinpoint any issues or click the Debug button to request and view a Support package. If the gateways are online with no problems, select any uplinks that might be the source of the problem. If all gateways and uplinks are online, the Tunnels tab displays the tunnels. Clicking the Debug button displays the appliance Debug tab. For details, see “Support package” on page 225.

4. Select the Tunnels tab.

Viewing WAN path status

The WAN Paths page shows all VPN tunnels created by SCM. You can sort details on the tunnels per WAN, per destination, per source, or any combination.

To view WAN path status

1. Select Visibility > WAN Paths.

2. Select at least one category: source site, destination site, or WAN.

• Click the search box for a list of sites or WANs and select an item from the list.

The WAN path status page shows the paths that have been established between uplinks and other sites. The display varies depending on the category you filter. It shows this information:

• Source - Includes the site and uplink.

• WAN - Includes the WAN that sites use to communicate with each other.

• Destination - Includes the site and uplink.

• Overlay Lat (ms) - Displays the overlay latency in milliseconds. N/A means that the overlay has not been created (the configuration has not been pushed to create the path).

• Tunnel Status - Displays the overlay tunnel status.

– Online - Tunnel is up and running. Click Online to view the path quality metrics, similar to what you see on the dashboard map. Click the double arrows in the right edge of each column heading to sort by that column or to toggle the ascending/descending order of the tunnel.

– Not Configured - Tunnel is not up (the configuration isn’t created yet).

Figure 20-5. WAN path status

Note: For a hub-and-spoke network topology configured with a master site connected to leaf nodes, the WAN Paths page shows only the tunnels between the master site and the leaf nodes. It doesn’t show leaf-to-leaf nodes. However, a master site shows all of the tunnels to its leaf nodes along with any other nodes in the topology that haven’t been configured as a master or a leaf.

Managing Appliances

Viewing SteelConnect appliances

SteelConnect appliances are gateways, switches, and access points that connect to SCM. The appliances overview lists the SteelConnect hardware configuration within an organization. It includes the hardware, software, and shadow appliances.

Tip: You can perform several of the tasks described in this topic using your iPhone. For details, see the SteelConnect iOS Application User’s Guide.

To view the appliances within an organization

• Choose Appliances > Overview.

Figure 21-1. Viewing the appliances within an organization

The display includes the appliance status and if its configuration is up-to-date. It also shows if a firmware upgrade is pending or up to date and whether the appliance is set up as an automatic VPN gateway for a site. The license column shows the license expiration date. A blue label displays the bandwidth limit for the appliance if one exists.

Note: For details on 570-SD, 770-SD, and 3070-SD appliances, see the SteelHead SD Installation Guide.

Viewing appliance details

Click an individual appliance to view its properties, such as serial number and firmware version. You can also generate a support package to send to Riverbed support for troubleshooting, ping another appliance, or start a reverse shell access session for troubleshooting. For details, see “Support package” on page 225.

Tip: We recommend that you always specify a detailed location for the appliance using the Location field under the Location tab in the appliance page. Setting the location associates an appliance with its location wherever an appliance is referenced. The location is especially important when adding access points.

Appliance date and time

In DHCP client mode, the appliances use the DHCP-provided Network Time Protocol (NTP) server for synchronizing their internal clock. If the DHCP-provided NTP server is not reachable, the appliance connects to known NTP servers on the internet.

Viewing gateways

To view the gateways within an organization

• Choose Appliances > Gateways.

Figure 21-2. Viewing the gateways for all sites

The display includes the gateways for all sites. You can filter the display by selecting a site from the drop-down list. You can also search for a specific gateway.

To view gateway details

• Select a gateway.

SCM displays details on the gateway. You can change settings associated with a gateway using the tabs on the gateway detail page. Use the Actions menu to reboot or delete the gateway (and more).

Figure 21-3. Gateway detail page

STP

The Spanning Tree Protocol (STP) prevents network malfunction by blocking ports that can cause loops in redundant network paths. SteelConnect implements the 802.1w Rapid Spanning Tree Protocol (RSTP) defined in the IEEE 802.1D-2004 specification. By default, RSTP is activated on all ports of SteelConnect gateways and switches. We recommend leaving STP on; however, you can use the STP tab to deactivate it. When you deactivate STP, it’s deactivated for all ports. SCM displays an alert when STP is blocking ports.

Note: STP is never active on WAN ports.

Note: STP is not supported on gateways configured for high availability.

AutoVPN

For sites with more than one gateway, enabling AutoVPN on a gateway makes it the hub concentrator for AutoVPN connections (including RouteVPN and SwitchVPN). The ideal placement for the hub gateway is inline with all traffic entering and exiting the site. Alternatively, if you’re using Classic VPN, you might need to turn AutoVPN off. For details, see “AutoVPN modes” on page 121.

Adding shadow appliances

SCM stores all configurations, including your existing and future network plans. This means you can either add an appliance when you physically have it or you can preplan and configure an appliance by adding a shadow appliance and later drop the physical appliance into the topology with no further configuration. Shadow appliances are basically cardboard cutouts that you can use to represent what will be a physical appliance after registering it with a serial number.

To add shadow appliances

1. Choose Appliances > Gateways.

2. Click Add appliances and select Create Shadow Appliance.

3. Select a gateway from the model drop-down list. The SteelHead SD 570-SD gateway, 770-SD gateway, and 3070-SD gateway models deliver the benefits of SteelHead WAN optimization and SteelConnect SD-WAN while providing the flexibility of a single box solution. For details, see the SteelHead SD Installation Guide.

4. Select the site where you want to deploy the shadow appliance from the site drop-down list. When you deploy a SDI-5030 gateway into a site, a dialog box lets you know that you must associate the appliance with a cluster.

Figure 21-4. Adding a 5030 gateway

For details, see “Creating clusters” on page 97.

5. Click Submit.

6. Repeat these steps for each of your appliances. After adding the virtual gateways, SCM automatically connects them using AutoVPN to create secure VPN tunnels. Next, you’ll register the gateways to transform them from shadow appliances to physical appliances.

7. Choose Network Design > Uplinks to see that SCM has automatically assigned uplinks to the new gateways. Before deploying the hardware, you can configure other SteelConnect features now or wait until later.

Registering appliances

When you add an appliance for future deployment, it’s called a shadow appliance. Shadow appliances are basically cardboard cutouts that you can use to represent what will be a physical appliance after registering it with a serial number. For example, you can deploy a shadow SDI-130 gateway into the headquarters site and work with it as though it were a real, physical gateway before deploying the physical SDI-130 gateway in your network. You can create and register an appliance on the Appliances Overview page.

To register a shadow appliance

1. Choose Appliances.

2. Click the shadow appliance description.

3. Click Register hardware.

4. Type the serial number. To help you identify an appliance without unmounting it, unregistered appliances with an OLED display (Gateway 330, Switch S24, and Switch S48) display their serial number in the screen until you register the appliance with SCM.

5. Click Submit.

6. Plug the network cables into the configured ports. The provisioning server hands off the appliance when it connects into the particular organization and the particular site, and it gives the appliance its configuration, brings it online, performs all the firmware upgrades, and realizes your design on the appliance in the real world. This provisioning process also makes the appliances easily replaceable. After AutoVPN establishes the tunnels, you can click a site marker on the dashboard map to see a representation of the network. You can see on the map that the locations are completely connected with a full mesh VPN, and these lines will change if problems arise or if there is downtime at any of the sites.

Gateway provisioning

By default, when you register a gateway, SCM automatically creates a DHCP-client uplink and attaches it to the gateway WAN1 port. In addition, it preconfigures all switched LAN ports with the site-local zone. You can add more networks in Network Design > Zones later. You can then assign these zones to a gateway port. When gateway selection is set to automatic (the default setting), the SteelConnect gateway always uses the default gateway IP from the IP configuration of the zone. Additionally you can enable gateway services like IPv4 DHCP server and IPv6 RA per zone.

Important: Make sure that internet connectivity and a DHCP server are available on the WAN port of the gateway to allow the first provisioning to succeed. While the gateway boots, one green LED glows while it establishes a connection to SteelConnect Manager; the glowing stops in normal operation mode.

For networks with no DHCP server available, or when you want to use a static IP or DSL uplink for the gateway, you can use offline provisioning.

How do I provision a gateway offline?

Adding a new gateway to your network requires the appliance to contact the SteelConnect Manager, which provides the initial configuration. In a scenario where no DHCP server is available in the existing network, or where a static IP address should be assigned to the new gateway, you can use offline provisioning. You can set up the configuration on SCM, even if the hardware is currently not present at the related site. You’ll need the serial number of the new gateway to create an offline provisioning configuration file.

Note: This procedure supports a gateway only; you can’t provision an access point or switch offline using a USB stick.

To provision an appliance without DHCP

1. Log in to SteelConnect Manager.

2. Choose Network Design > Sites > Add Site(s).

3. Specify at least the site tag, name, and city.

4. Click Submit.

5. Choose Network Design > Uplinks. An uplink is the last network segment connecting the local site to a WAN network.

6. Select the uplink for the new site and define an uplink type: for example, static IPv4 or DSL.

7. Fill out the required IP address or user account information and click Submit.

8. Choose Appliances > Add Appliances > Register Hardware Appliance.

9. Enter the serial number of the SteelConnect Gateway and select the site where you want to deploy the appliance.

10. Select the new hardware appliance, click Actions, and select Download config. The system downloads a configuration file named with the gateway serial number.

11. Copy the file to a FAT32-formatted USB stick. The system does not support other file system types, such as Linux ext2, ext3, ext4, or NTFS.

12. Deploy the gateway on the site and power on the appliance. Wait at least 30 seconds until the new appliance powers up correctly before plugging in the USB stick.

Important: Because the gateway does not mount the stick during boot up, it won’t import the configuration automatically.

13. Plug in the USB stick to restore the configuration. The gateway connects to SCM using the configuration you set up earlier.

SteelConnect Ports

Viewing ports

A SteelConnect port on an appliance is an Ethernet interface used either for WAN or LAN.

To view ports

• Choose Ports.

Figure 22-1. The Ports page

The SteelConnect Manager displays the ports and whether they are connected, along with their status, MAC address, and interface counters. You can use the Ports page to:

• Set the port mode: single zone, multizone, uplink, or mirrored uplink. Selecting multizone enables the port to function as an 802.1q trunk.

• Set autotrunking on or off. Enable autotrunking to interconnect and form a trunk when more than one zone is mapped across it. For example, as soon as you connect a SteelConnect access point to a SteelConnect switch, they negotiate a trunk automatically. The access point will have a trunk port configured with all zones for that site. By default, autotrunking is enabled.

• View the MAC addresses for which traffic is being forwarded through the port.

• View the raw port counters for advanced debugging.

• Label the patch panel socket or wall socket to which the port is connected.

To set the port mode

1. Select a port.

2. Select the Info/Mode tab.

3. After Port mode, select a mode from the drop-down menu. When enabling single zone, select the zone. When enabling an individual uplink, select the uplink. For details on selecting the port mode for branch HA partners, see “Port configuration” on page 152.

4. Click Submit.

By default, a port is automatically configured for multizone when it’s connected to another SteelConnect appliance. For example, as soon as you connect a SteelConnect access point to a SteelConnect switch, they negotiate a trunk. The access point will have a trunk port configured with all zones for that site.

To disable autotrunking

1. Select a port.

2. Select the Advanced tab.

3. Next to AutoTrunking, click Off.

4. Click Submit.

To override a port’s default MAC address

1. Select a port.

2. Select the Advanced tab.

3. Next to Virtual MAC, specify a MAC address.

4. Click Submit.

To provide a socket label to the port

1. Select a port.

2. Select the Info/Mode tab.

3. After Patch Label, type a label up to 16 characters long.

4. Click Submit.

Managing Devices

Viewing devices

In the SteelConnect system, a device is anything with a MAC address. This differs from a SteelConnect appliance, which can be a gateway, switch, or access point that connects to SCM. SCM allows management of multiple devices, regardless of physical location. New devices are automatically detected and can be registered by an administrator or the device owner. After a device is registered, it’s recognized throughout the entire organization. Device management provides the foundation for network control, because you can assign access rules to devices. If the device owner has an SCM login or the device uses a WiFi portal, you can also use abstractions such as users and groups instead of IP networks and zones.

To register a device

1. Choose Devices > New Device.

2. Type the device MAC address. Use this format: AA:BB:CC:DD:EE:FF

3. Type a device description to facilitate administration.

4. Optionally, assign a user or a device group.

5. By default, devices use DHCP addressing. To use static IP addressing, click On.

6. Click Submit.

To view the devices within an organization

• Choose Devices > Overview. Use the left menu to search for a device by site or SSID.

To track device activity

• Choose Visibility. For details, see “Managing network devices and workflow” on page 199.

Viewing unregistered devices

Any devices that are detected as unregistered will appear on an unregistered list. Network access rules can be applied to allow only registered devices access to the network resources. This adds an additional layer of access control to the internal networks. The default rule only allows internet access. You can set up an employee portal to offload the task of registering users and devices. It can instead be activated per broadcast for wireless networks. Unregistered devices will then be redirected to the portal, where the users can register their device into their own user account through a loopback email or SMS text authentication mechanism, according to the details entered in the user accounts. For details, see “Registering guest devices using social media” on page 92. When you use a guest portal, the devices become guest devices instead of registered devices.

To track unregistered devices

• Choose Devices > Unregistered. Unregistered devices appear on the Unregistered page.

Viewing device details

Click an individual device to view its MAC address, IP address assignment, vendor, zone, traffic information, and WiFi details. If you have a guest portal, all devices appear under guests.

Covering a Network with WiFi

How do I use SCM to plan and broadcast WiFi?

The WiFi broadcast and planning components explained in this section demonstrate how SCM’s support for embedded security, firewalls, access points, and switches simplifies and consolidates the overall management of branch equipment. You can use SCM’s WiFi broadcast and planning components to:

• offer a unified, corporate service set identifier (SSID) for all locations that place users into the local network at their site.

• grant users seamless access to the corporate headquarters network from their home offices.

• deploy SDI-130 wireless access points to execute the expansion design and blanket your locations in wireless coverage. The hardware is deployed last, because SCM is deployed using a new, dynamic workflow. We strongly recommend using the latest Chrome browser with the WiFi planner.

What is an SSID?

An SSID is a technical term for the name of a wireless network, used to distinguish one wireless network from another. When you set up a wireless network, you give it a name to distinguish it from all other networks in range. You connect a computer to the wireless network using this name. After you create a broadcast for the SSID on SCM, it will always be broadcast on all access points within a site. You can create up to eight SSIDs, per access point or total.

To create an SSID

1. Choose WiFi > SSIDs.

2. Click New SSID.

3. Type the SSID name.

4. Select a security protocol to use to authenticate users from the drop-down list. SCM supports the common WiFi Protected Access 2 (WPA2) security protocols, and WPA version 1 in compatibility mode. Open broadcasts the SSID without password protection.

5. Click Submit. A wireless network, or SSID, is not available until you broadcast it.

To broadcast an SSID

1. Choose WiFi > SSIDs. Verify that you have defined appropriate SSIDs: for example, one for your corporate network and one for your guest access.

2. Select Broadcasts and click New Broadcast.

3. Select the site, an SSID, and the default zone the clients will be mapped into when they join the network from that site. You can choose zones from different sites. A VPN tunnel will be automatically created.

4. Click Submit.

5. Repeat steps 2 through 4 for each site in which you want to broadcast the SSID. From now on, any time you deploy hardware, the SSID will be broadcast at that location and will be mapped into the appropriate LAN.

To enable the guest portal for a broadcast

1. Define a guest zone as described in “To create a guest zone” on page 32.

2. Select the guest zone.

3. Select the broadcast.

4. Select the Advanced tab.

5. You can perform wireless network management such as hiding the SSID broadcast. When hidden, the broadcasted SSID becomes invisible so clients can't find it automatically. You can also select to broadcast 2.4 GHz and 5 GHz (or only one of them).

How do I apply network access control across users or user groups?

DynZone, or dynamic zone assignment, allows you to apply network access control across users or user groups within a single wireless network broadcast. Devices (and consequently users) can be dynamically mapped into different zones, either by setting tags on zones, user groups, and users or using RADIUS authentication. Use DynZone to automatically tag devices into the correct VLAN. For example, you can assign the sales group to the Sales VLAN. Then, independent of where you connect the device to WiFi, it receives the correct VLAN assignment dynamically without any interaction with the device. You can also use this feature to automatically map known VoIP phones to the VoIP VLAN.

Note: DynZone doesn’t support the Cisco LLDP-MED extension to LLDP.

In these types of deployments it is enough to broadcast a single SSID for the entire site. For nonenterprise SSIDs, you set policy tags for a user group, user, or device objects, and then set one of the same tags on the desired zone.

When a WiFi client device connects to the SSID, the access point checks if a tag for that user or device matches a tag assigned to a zone. If it does, the system moves the client device into the appropriate VLAN. If no tag matches, the system uses the configured default zone as a fallback. For nonenterprise SSIDs, this works by setting policy tags for a user group, user, or device objects, and then setting one of the same tags on the desired zone. For enterprise SSIDs, the target zone VLAN tag is set on the RADIUS server. Using DynZone through RADIUS/NPS requires a RADIUS server and a WPA2 Enterprise SSID. When RADIUS is used for dynamic VLAN tagging, SteelConnect ignores all other tags such as device, user and zone. If DynZone is used in combination with RADIUS/NPS, SteelConnect retags the wireless clients to a specific VLAN using the following RADIUS attributes (as specified in RFC 3580 at http://tools.ietf.org/html/rfc3580#section-3.31):

• Tunnel-Type=VLAN (13)

• Tunnel-Medium-Type=802

• Tunnel-Private-Group-ID=VLANID

For details on configuring RADIUS on Windows Server for dynamic VLAN tagging, go to https://supportkb.riverbed.com/support/index?page=content&id=S28025&cat=STEELCONNECT&actp=LIST.

Policy tag priorities

• Device Tags (as ordered in Device Policy Tags)

• User Tags (as ordered in User Policy Tags)

To tag users (groups) and the zones

1. Choose Users and select a user.

2. Choose Policy > Policy Tags.

3. Set a policy tag. For example, Sales.

4. Click Submit.

To match the user with a zone

• Choose Network Design > Zones.

• Select a zone.

• Select VLAN > Policy Tags and select the Sales tag.

To activate DynZone

• Choose WiFi > Broadcasts > DynZone.


Planning WiFi wireless radio coverage

First you’ll need to determine how many access points you need. To assist with access point planning, SCM provides an integrated WiFi planner that eliminates expensive planning tools and guesswork. Use the planner to visualize the WiFi coverage in all sites, upload floor plans, and place access point placeholders as required. You can select different coverage-type presets. The WiFi planner will automatically create shadow devices as placeholders that you can turn into real hardware deployments later.

Important: The WiFi planning tool assumes a barrier-free wireless radio signal coverage.

We recommend using the Chrome browser for the best WiFi planning experience.

To plan the WiFi coverage for a site

1. Choose WiFi > Planning.

2. Click New Plan.

3. Select a site.

4. Type a name for the plan.

5. Select a WiFi profile to influence the recommended access point placement and range.

6. Click Upload Plan or Draw Plan. To upload a predefined plan, choose the filename and click Open. You can upload the floor plans in .jpg, .png, .bmp, and .gif file formats.

7. Click Submit. The next step is to set the general building dimensions to help define the signal strength and ranges.

To set the building dimensions

1. Click Set Scale.

2. Click the plan, expand an item in the drawing, and set the scale. For example: if you know one wall of your building is 26 feet long you can set the scale using this wall measurement of 26 feet.

To add access points

1. Open the WiFi planner.

2. Click Create New AP3 (or AP5 or AP5r). An access point icon appears on the plan, surrounded by a shaded transmit power area.

3. Select 2.4 or 5 GHz.

4. Move the access point to the desired location in the plan.


5. Type a name for the location.

6. Use the slider to adjust the transmit area.

7. Repeat steps 2-6 to add more access points, making sure they have the correct placement, amount of channel separation, and transmit power.

8. To avoid overlap between access points, right-click the access point and select another channel from the channel drop-down menu. Or, use the channel auto select (the default setting).

9. Adjust the transmit area and placement of the access point as needed.

10. Click Save.

Because the WiFi planner is integrated in SCM, it uses the concept of shadow appliances for the access points. When you add an access point for future deployment, it’s called a shadow access point. Shadow access points are basically cardboard cutouts that you can use to represent what will be a physical access point. For details on shadow appliances, see “Enabling appliances” on page 37.

To deploy an access point

1. Choose Appliances.

2. Click Add appliances.

3. Select Register Hardware Appliance.

4. Enter the access point serial number.

5. Select the site to deploy the access point.

6. Click Submit. The access point receives an IP configuration through DHCP from the zone automatically.

7. Choose WiFi > Broadcasts.

8. Click New Broadcast.

9. Select a site for the SSID.

10. Select an SSID.

11. Select a default zone.

12. Click Submit.

13. Repeat steps 8 through 12 for each SSID.

All access points in a site broadcast the SSIDs as configured in the WiFi menu. When deploying an access point into a location without a SteelConnect gateway, you might want to enable AutoVPN operation so the access point joins the full-mesh VPN network.


To enable AutoVPN on an access point

1. Choose Appliances > Access Points.

2. Select the access point.

3. Select the AutoVPN tab.

4. Click On.

When an access point and the zone of a broadcast are in the same site and that site has no gateway, the access point establishes the L3 VPN locally. When an access point and the zone of a broadcast are in different sites, the system establishes an L2 tunnel. While the access point boots, two LEDs (green and orange) blink until a connection to SCM is established successfully; the blinking stops in normal operation.

To view the access points

• Choose Appliances > Access Points. The access points appear with a status of Shadow until they are registered.


Troubleshooting

Support package

What is a support package?

A support package offers appliance status information in a single JavaScript Object Notation (JSON) file that you can view in SCM or download.

To generate a support package

1. Choose Appliances.

2. Select an appliance.

Note: You can’t generate a support package for SDI-5030 gateways.

3. Click Live or select the Debug tab.

4. Click (Re-)Request to generate a support package. The Event log reports the request for a support package.

After the support package is generated, you can view it in SCM or download it as a JSON file. The package is categorized by diagnostic commands and categories. From SCM you can collapse or expand the output for each command or category. Requesting another support package overwrites any previous support package output.


To view a specific support package category without downloading the JSON file

1. If you requested a support package from the Live tab, select the Debug tab.

Figure 25-1. The Debug tab

Tip: You can copy and paste the output from the Debug tab for use in another application.

2. Click a category to filter the output.

Category - Description

• routing - Shows the current IP routing table.

• monitoring - Shows the results from system monitoring, such as uplink configuration.

• wifi - Shows the WiFi status, such as whether an SSID is broadcasting, and includes information about wireless interfaces.

• swconfig - Shows the appliance software configuration and status.

• version - Shows the current firmware version.

• autotrunk - Shows the interconnected trunking between two gateways.

• dmesg - Shows the message buffer of the kernel. The output of this command contains the messages produced by the device drivers.

• ipsec - Shows the IPSec encryption tunnel status, including endpoints, virtual IP pools, the IKE daemon status, and more.

• iptables - Shows the filter table rules in place to allow and block traffic and the network address translation (NAT) table rules in place to rewrite packets. Includes the PREROUTING, INPUT, OUTPUT, and POSTROUTING chains.

• ifconfig - Shows the appliance interface information, such as configuration, packets received and transmitted, statistics, and status.

• qos - Shows the Quality of Service (QoS) statistics.

• lldpctl - Shows information about the Link Layer Discovery Protocol.

• ovs - Shows the current state of an OpenFlow switch, including features, configurations, table entries, and the configuration database entries.

• uptime - Shows the system time in 24-hour format, how long the system has been running, and the average system load. Read each two-decimal load value as a percentage: for example, 0.25 means 25% and 0.19 means 19%. The sequence 0.25, 0.25, 0.19 represents the load over the past 1 minute, 5 minutes, and 15 minutes. Lower numbers mean better system performance.

• processes - Shows the currently running processes.

• log - Shows the last 1000 entries of the appliance log.

To expand or collapse the display

• Click Collapse/Expand All to toggle the view for the entire output.

• Click an output category to toggle the view for that category.

To download the JSON file

• Click Download JSON. You can open the file in any JSON file viewer.

Tip: If the View, Collapse/Expand All, and Download JSON buttons aren’t visible, request another support package. After the support package is generated, the buttons appear.

Ping and traceroute connectivity tests

The Ping and Traceroute tests are useful to determine if a destination is reachable.

• Ping - Verifies reachability by sending ICMP packets from an appliance to a host on an Internet Protocol (IP) network.


• Traceroute - Sends a sequence of User Datagram Protocol (UDP) packets between two points and shows you the route the packets take. Traceroute also measures the transit delays of packets across an IP network. If the destination is unreachable, the tests report where the connection failed.

Note: The SDI-5030 gateways don’t support the packet capture or traceroute tests.

We recommend using the ping or traceroute tests to verify connectivity, followed by a packet capture or an echo test to dive deeper into troubleshooting. See “Packet capture” on page 230 and “Echo test” on page 230.

To run a ping or traceroute test

1. Choose Appliances and select a gateway. You can select any gateway within an organization. The appliance must be online, registered with SCM, and assigned to a site; offline and shadow appliances are dimmed and unavailable.

2. Select the Tools tab.

Figure 25-2. Tools tab

3. Select Ping or Traceroute from the drop-down menu.

4. Select a connection type from the drop-down menu:

• Source uplink and static destination IP address or hostname.

• Source uplink to a destination uplink.

• Source zone to a static destination IP address.

The display changes depending on the connection type.

• If you’re testing an uplink to a static destination, select the uplink from the drop-down list and type the IP address or hostname.

• If you’re testing an uplink to an uplink, select the source uplink, appliance, and destination uplink from the drop-down lists.


• If you’re testing a source zone to a static destination, select the source zone and uplink from the drop-down list and type the IP address.

Ping and traceroute tests from a source zone using the GUI work differently than ping and traceroute tests from a source zone using the CLI. When you select a source zone from the GUI, the gateway allocates an additional interface with an IP address in the selected zone and runs the ping or traceroute from it. This additional interface emulates the traffic path that a host in the same subnet takes, which might be different than the path the packets take when originating from the gateway. The gateway must be able to allocate a free IP in the selected zone. If your zone only has a /30 subnet, or all IP addresses are in use, the ping or traceroute will fail and display an error message such as "Ping could not complete."

5. Click Run Test. The test response appears.

Figure 25-3. Ping test response

Figure 25-4. Traceroute test response

The settings from the previous test remain in place the next time you return to the Tools tab.


Packet capture

You can request an on-demand packet capture for a gateway and download the capture file from the Tools tab. Capture files contain summary information for every internet packet received or transmitted on the appliance interface to help diagnose problems in the system.

Note: The 570-SD, 770-SD, 3070-SD appliances and SDI-5030 gateways don’t support packet capture.

To perform a packet capture

1. Choose Appliances and select a gateway. The gateway must be online and registered with SCM; offline and shadow appliances are dimmed and unavailable.

2. Select the Tools tab.

3. Select Packet Capture from the drop-down menu.

4. Select a physical target port (Management, WAN, or LAN) from the drop-down list.

Note: LAN ports must be configured as an uplink to appear on the drop-down list.

5. Optionally, specify the snap length value, in bytes. The snap length equals the number of bytes of each packet to be captured. Specify 1500 for a full packet capture. The default value is 500 bytes per packet.

6. Optionally, specify how long the capture runs, in seconds. The packet capture typically completes within 90 to 100 seconds and times out after 120 seconds. SCM and the gateway work together to provide a best-effort service. SCM sends the snap length and time for capture on a particular port to the gateway. The gateway attempts to capture packets on that port until either:

• 500 packets are captured (each packet is truncated to the number of bytes set by the snap length value) —or—

• The capture time is reached.

The packet capture stops when one of these criteria is reached, whichever occurs first. For example, on a very busy port (a port where many packets are flowing) the system might always hit the 500 packet boundary but never reach the capture time. On a relatively idle port, the system might reach the capture time after capturing only 300 packets.

7. Click Run Test. A message reports the test status.

8. Click Download Capture File to view the results of a successful packet capture.

Echo test

The echo test dives deeper into troubleshooting by testing network connectivity between a client-side and a server-side zone using a TCP port number and the TCP protocol. The echo test tells you if the communication from appliance A to appliance B is crossing the network overlay.

Note: The 570-SD, 770-SD, 3070-SD appliances and SDI-5030 gateways don’t support the echo test.


To run an echo test

1. Choose Appliances and select a gateway. The gateway must be online and registered with SCM; offline and shadow appliances are dimmed and unavailable.

2. Select the Tools tab.

3. Select Echo Test from the drop-down menu.

4. Select a primary zone from the drop-down menu.

5. Select a secondary appliance on the other side from the drop-down menu.

6. Select a secondary zone on the other side from the drop-down menu.

7. Specify a TCP port number from 1 to 65535.

8. Click Run Test.

Appliance configuration

How can I tell if the appliance configuration is up to date?

• Choose Appliances > Overview. Under the Config column, “Up-to-date” indicates that the latest configuration was applied successfully.

SteelConnect Windows Agent

How do I install SteelConnect Agent to use Windows 7 Client?

If your laptop client agent fails during installation, check the following:

• Is Windows using at least Service Pack 1?

• Are the latest security fixes installed?

• Is the startup type of the IKE and AuthIP IPsec Keying Modules service set to automatic?

• Is Windows UAC (User Account Control) enabled with at least Level 1 settings?

Try re-executing the installer: browse to %ProgramFiles%\Riverbed\Agent and execute Agent.exe. If you’re still having problems after trying these solutions, take a screenshot of the error message and contact Riverbed support.


Why do I see the error message “Organization ID is invalid! Location is off-site”?

The Windows agent detects its location by checking for Riverbed gateways belonging to the same organization. If it doesn’t receive a match, it assumes that it is off-site. The error message indicates that the agent has recognized that the device it’s installed on is not located behind a Riverbed appliance of its organization. The agent doesn’t negotiate a dedicated IPSec tunnel.

Provisioning

How do I get an appliance to show up in SCM?

In most cases, the first provisioning fails due to local firewall restrictions for TCP ports 3900 and 3902. For a gateway, make sure that internet connectivity and a DHCP server are available on the WAN port of the gateway to allow the first provisioning to succeed. While the gateway boots, one green LED glows until a connection to SCM is established successfully; the LED stops glowing in normal operation mode. An access point appliance attempts to receive an IP address through DHCP from the zone automatically. Make sure that you have added your SSIDs (choose WiFi) and then assign the SSIDs to sites (choose WiFi > Broadcasts). All access points in a site will broadcast the SSIDs as configured in the WiFi section. When deploying an access point into a location without a Riverbed gateway, you might want to enable AutoVPN operation for the access point to join the full-mesh VPN. See “To enable AutoVPN on an access point” on page 128. While the access point boots, two LEDs (green and orange) blink until a connection to SCM is established successfully; the blinking stops in normal operation mode.

How do I bring an appliance online?

• If the IP address configuration through DHCP fails, check your DHCP server. The DNS resolution of core.riverbed.cc should resolve to 82.115.105.183.

• Connect to YourCC.riverbed.cc via TCP ports 3900 and 3902 using the telnet command:

telnet YourCC.riverbed.cc 3900

telnet YourCC.riverbed.cc 3902

Multiple DNS servers for a site

What is the format for entering more than one DNS server for a site?

Separate the servers by a space: for example, 208.67.222.123 8.8.8.8.


Uplink subnet mask format

What is the format for specifying a subnet mask on an uplink?

The uplink subnet mask format is xxx.xx.xxx.xx/xx. For example: 121.73.131.14/16.

VPN

Why is AutoVPN not working?

AutoVPN is enabled by default and provides connectivity between sites on the same organization. In each site there can be only one appliance acting as an AutoVPN endpoint. The VPN appliance should ideally be the gateway for this site or placed in-path to pass all traffic entering and exiting the site. Sites that don’t have a gateway might enable AutoVPN on an access point to join the full-mesh VPN. If AutoVPN is down, check the uplink status and cabling, and check the tunnel.

Tip: You can view the uplink status using your iPhone. For details, see the SteelConnect iOS Application User’s Guide.

To check the uplink status and cabling

1. Select the organization and click Manage.

2. Choose Network Design > Uplinks. Check the Status column. Are any appliance uplinks reported as off-line?

3. Choose Ports to verify that the port is set to Port mode: uplink.

4. Check the cable to the WAN2 port to make sure it’s configured correctly.

To check the tunnel

• Check that the uplinks and appliance status are online.

• Log in to both affected gateways to verify that a tunnel is established.

• Check the IPSec ports via IPSec debugging to see whether inbound IPSec/IKE packets are received.

• Ensure you can reach UDP ports 500 and 4500 on the remote gateway.

WiFi

Why are clients not receiving IP addresses via DHCP in guest zone SSID?

• Choose WiFi > Broadcasts to check the broadcast SSIDs for the zones.

• Choose Appliances > Overview and check the access point's wired configuration mode. Check that the access point's LAN port is set up correctly. It needs to be set up in multizone mode if more than one WiFi network is broadcast.


Why is the wireless client roaming inefficiently?

Roaming behavior depends on the wireless client’s network adapter. Some manufacturers such as Intel provide documentation regarding roaming behavior: http://www.intel.com/support/wireless/wlan/sb/CS-015906.htm

If the wireless client is roaming inefficiently, check the signal strength and quality first and verify whether the issue persists on other devices as well.

Access points

Can I run an access point without a SteelConnect gateway?

Yes, you just need to ensure that there is a DHCP service running in the configured access point zone to provide IPs to the wireless clients. When no gateway is present, internal servers need to provide network services like DHCP.

Note: If you want to use different broadcasts with more than one zone (VLAN) for your WiFi networks, make sure that the access point is attached to a VLAN-capable switch.

Gateways

What does it mean when a gateway is in recovery mode?

Recovery mode is a mechanism used by the gateway in an attempt to restore communication to its SCM controller when an uplink is not working. The WAN ports on the gateway go into recovery mode approximately five minutes after communication is lost to its SCM controller. In recovery mode, the WAN port receives an IP address through DHCP and then uses this IP address to reach SCM. If recovery mode does not work, you can also restore the gateway using an off-line USB method. For details, see “How do I provision a gateway offline?” on page 211.


SteelConnect REST API

REST API Overview

SteelConnect features a powerful REST API for northbound traffic. You can use the API to access many features that are also available through the SteelConnect Manager (SCM) graphical user interface (GUI). Using the SteelConnect REST API, you can create client applications that interact with your SCM to

• retrieve detailed information about every organization.

• pull information from SteelCentral.

• assign hardware serial numbers in bulk to different sites.

• expose and directly manage items like organizations, zones, sites, users, and switches.

• create and delete access points, SSIDs, data center uplinks, and clusters.

• view and delete inbound rules, outbound rules, path rules, and more.

Note: The REST API is enabled for a SCM realm by a realm administrator. For details, see “Enabling REST API” on page 243. Administrators that manage an organization within a realm also have access to their organization through the REST API.

The SteelConnect REST API adheres to common REST API principles and supports all request verbs (GET, PUT, POST, DELETE, and so on). All data transferred between the API and client applications is formatted in JavaScript Object Notation (JSON); no data is passed in headers or in the URI. Data encoded in a format other than JSON (binary files, for example) is contained and specified within the JSON data. Object IDs persist through the lifetime of the object even when services, devices, or connections are reset or restarted. Functions are unchanged and always yield the same result regardless of the number of identical requests. The URI handles the versioning, where the version number precedes the resource in the URI (for example, /v1/). You can reference a specific instance of an object by its object ID by inserting the ID in the URI (for example, //:/). HTTP status codes indicate request status, and system messages are not enveloped. While most resources don’t automatically generate auxiliary resources, some resources do. For example, an organization object requires a default site, so when an organization is created, the system automatically generates a default site named HQ under it. As a rule, any automatically generated resource does not interfere with your use of the API.

Note: The Node datatype encompasses all types of appliances (switches, access points, gateways, and so on) because appliances share many commonalities. So for any given instance of a node object there can be unnecessary fields. Client applications can ignore these unnecessary fields; in fact, the system ignores (or, in some cases, resets) them.


Accessing the API

The SteelConnect API is built right into the SteelConnect product and is accessed over HTTPS. Here is the base URI:

• https:///api///

All resources available through the API are below this URI. Here are some example resource URIs:

• https://example.riverbed.com/api/scm.config/1.0/orgs

• https://example.riverbed.com/api/scm.config/1.0/org/org-example-2eac682ed323184d/switch

You can also access the SteelConnect API through the Riverbed support site:

• https://support.riverbed.com/apis/index.html

Authenticating API requests

All API requests are authenticated using BASIC authentication. Admin users authenticated against the API have the same rights as if they were using the GUI. You can use a command like cURL to issue simple requests. Here are a few examples:

• curl -k -X GET https://example.riverbed.com:4059/api/scm.config/1.0/orgs

• curl -k -X GET https://example.riverbed.com:4059/api/scm.config/1.0/org/org-example-2eac682ed323184d/switch
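A minimal client for the Basic-authenticated, versioned URIs shown above, written in Python as an added example (not Riverbed's code or SDK). It talks to a constructed stub that imitates SCM's status-code behaviour (200 with a JSON body, 401 on bad credentials), so it runs offline; the credentials, loopback host, response shapes and the switch ID are assumptions, and unlike the curl -k examples the client keeps TLS certificate verification on for real https:// hosts.

```python
"""Basic-authenticated GET against the SteelConnect REST API URI scheme.

Added example, not Riverbed's code or SDK. The stub server below imitates
the API's status-code behaviour (200 with a JSON body, 401 on bad
credentials, 404 elsewhere) so the client can be exercised offline; the
credentials, response shapes and switch ID are constructed.
"""
import base64
import hmac
import json
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API_PREFIX = "/api/scm.config/1.0"   # the version lives in the URI, as the guide states

# Constructed values for the stub; a real deployment uses its own realm host and admin login.
STUB_USER = "admin"
STUB_PASSWORD = "constructed-password"
STUB_ORG_ID = "org-example-2eac682ed323184d"   # the org ID from the guide's example URIs


def resource_uri(base, resource, org_id=None):
    """Build a first-tier (orgs) or second-tier (org/<id>/<resource>) URI."""
    path = f"{API_PREFIX}/org/{org_id}/{resource}" if org_id else f"{API_PREFIX}/{resource}"
    return base.rstrip("/") + path


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def api_get(base, resource, username, password, org_id=None, context=None):
    """GET a resource and return (http_status, decoded_json_or_None).

    SCM signals failures through the status code rather than an envelope,
    so a 401 or 404 is returned as a normal tuple, not raised.
    """
    if context is None and base.startswith("https://"):
        # Verify the server certificate; the guide's `curl -k` skips this check.
        context = ssl.create_default_context()
    req = Request(
        resource_uri(base, resource, org_id),
        headers={"Authorization": basic_auth_header(username, password),
                 "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=10, context=context) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        body = err.read()
        return err.code, (json.loads(body) if body else None)


class StubScmHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for SCM: checks Basic auth, serves two resources."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        expected = basic_auth_header(STUB_USER, STUB_PASSWORD).encode("utf-8")
        presented = self.headers.get("Authorization", "").encode("utf-8")
        if not hmac.compare_digest(presented, expected):  # constant-time compare
            return self._json(401, {"error": "authentication required"},
                              {"WWW-Authenticate": 'Basic realm="scm"'})
        if self.path == f"{API_PREFIX}/orgs":
            return self._json(200, [{"id": STUB_ORG_ID, "name": "Example Org"}])
        if self.path == f"{API_PREFIX}/org/{STUB_ORG_ID}/switch":
            return self._json(200, [{"id": "switch-constructed-0001", "org": STUB_ORG_ID}])
        self._json(404, {"error": "no such resource"})

    def _json(self, status, body, extra_headers=None):
        data = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)


def run_demo():
    """Start the stub on a loopback port, issue three requests, return the results."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubScmHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        orgs = api_get(base, "orgs", STUB_USER, STUB_PASSWORD)
        denied = api_get(base, "orgs", STUB_USER, "wrong-password")
        switches = api_get(base, "switch", STUB_USER, STUB_PASSWORD, org_id=STUB_ORG_ID)
    finally:
        server.shutdown()
        server.server_close()
    return orgs, denied, switches


if __name__ == "__main__":
    for status, payload in run_demo():
        print(status, payload)
```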

Viewing documentation for an object

The SteelConnect REST API is hierarchical. You can query the first tier, and then, after selecting an organization, you filter into second-tier objects for that particular organization.

To view documentation for an object

1. Select the first tier object: for example, accesspoint.

2. Select a method: for example, POST.


The object parameters, model schema, and responses for that particular operation appear.

Figure 26-1. Operation documentation


Supported appliance types

SteelConnect supports the appliances listed in this table.

Appliance Type - Image Name - Description

• Virtual GW - SDI-VGW

• Virtual GW - SDI-AWS

• Virtual GW - SDI-SH

• Access point - SDI-AP3

• Access point - SDI-AP5

• Access point - SDI-AP5r

• Gateway - SDI-130

• Gateway - SDI-330

• Gateway - SDI-1030

• Gateway - SDI-5030

• Switch - SDI-S12 - 12-Port switch

• Switch - SDI-S24 - 24-Port switch

• Switch - SDI-S48 - 48-Port switch

• SteelHead - CX-570

• SteelHead - CX-770

• SteelHead - CX-3070


SteelConnect Connection Ports

Ports for UDP, TCP, and ICMP connections

SteelConnect appliances use these ports to establish connections.

Outbound connections

Service - Protocol - Default port - Destination

• DNS (gateways only) - UDP - 53 - Any

• NTP (gateways only) - UDP - 123 - Any

• Uplink IP reflector - TCP - 80 - rfl.riverbed.cc

• SteelConnect Manager - TCP - 443 - core.riverbed.cc

• Configuration and API - TCP - 3900 - .riverbed.cc

• SSH proxy - TCP - 3903 - .riverbed.cc

• Tunneled SSH - TCP - 3901 - .riverbed.cc

• Reporting - TCP - 3902 - .riverbed.cc

• SD-WAN Controller - TCP - 3904 - .riverbed.cc

• Uplink Monitoring - ICMP - any

• FTP - TCP - 21/22 - ftp.riverbed.com


Inbound/outbound connections

Service - Protocol - Default port - Destination

• AutoVPN - UDP - 500/4500 - Any

Tunneled SSH client connections

Service - Protocol - Default port - Destination

• Workstation - TCP - 3903 - .riverbed.cc


Administering a Realm

Realm Overview

SCM is a multitenant management portal; a deployed instance of SCM running in Amazon AWS, called a realm, hosts a number of organizations. An organization is a logical unit under a realm, representing an end customer. It contains the customer details, sites, devices, and zones associated with the devices, the uplinks, and so on. Each realm has realm administrators and organization administrators.

• Realm administrators - Super users that view and manage the entire instance.

• Organization administrators - Users that manage an organization within a realm.

A single Amazon instance could host 50 small organizations in production, whereas a larger organization might have one dedicated Amazon instance.


You can change settings associated with a realm after logging in to SCM with realm administrator credentials and using the tabs on the realm map. The procedures described in this topic require realm administrator credentials.

Figure 28-1. Realm map

Maintenance

This tab controls the centrally managed firmware upgrade process. A Riverbed appliance simply needs to be connected and registered, and the upgrade happens automatically when a new version of the firmware is available (unless you reschedule the upgrade or an upgrade schedule is customized for an organization within the realm). For details, see “Upgrade overview” on page 55.

Note: An organization’s maintenance policy overrides the realm’s maintenance policy.

Settings

This tab is where you enable loopback authentication, allow access to the Riverbed Support team, enable APIs, and allow an organization administrator to reset their own password.


Enabling support access

A realm administrator can allow Riverbed Support to directly view and troubleshoot issues for an SCM instance.

To enable support access

1. At the realm level, select the Settings tab.

2. Under Riverbed support access, click On.

Enabling REST API

SteelConnect features a powerful REST API for northbound traffic. When you enable the REST API, it is enabled for all organizations within the realm. You can use the API to access many features that are also available through the SteelConnect Manager (SCM) graphical user interface (GUI). For details, see “Accessing the API” on page 236.

To enable REST API

1. At the realm level, select the Settings tab.

2. Under REST API, click On.

Enabling two-factor authentication

When two-factor authentication is enabled for the realm, all access to the realm GUI must be authenticated with a second authentication mechanism. The value of this setting is also the default setting for two-factor authentication when accessing individual organizations. You can override this default setting per organization.

Note: You must specify a mobile phone number for every administrator before enabling loopback authentication through mobile messaging.

To enable two-factor authentication

1. At the realm level, select the Settings tab.

2. Under Two-factor authentication, click On.

Export Settings

This tab is where you configure SNMP server settings and enable SNMP to report events to an SNMP entity.

Exporting SNMP events

Traps are messages sent by an SNMP entity that indicate the occurrence of an event. The traps are sent by SCM from the AWS IP address used for the SCM realm. You must configure a firewall or SNMP proxy to receive the traps. All events that appear in the realm event log will also generate a trap. The traps can be authenticated and encrypted if you enable SNMPv3.


For a list of SNMP events, see “SNMP traps” on page 251. RiOS provides support for these SNMP versions:

• Version 2 (this is the default setting)

• SNMP Version 3 authentication using MD5 and SHA1 privacy

• SNMP Version 3 encryption using AES and DES

To enable SNMPv2

1. At the realm level, select the Export Settings tab.

2. Type SNMP server’s IPv4 address.

3. Type the SNMP port number.

To enable SNMPv3

1. At the realm level, select the Export Settings tab.

2. Click On next to Enable SNMPv3 Authentication and Encryption.

3. Type the username.

4. Select an authentication method from the drop-down list.

• HMAC-MD5-96 - Use the Message-Digest 5 algorithm, a widely used cryptographic hash function with a 128-bit hash value. This is the default value.

• HMAC-SHA1-96 - Use the Secure Hash Algorithm, a set of related cryptographic hash functions. SHA is considered to be the successor to MD5.

5. Specify an authentication password. Click the eye icon to see the password as you type. The view persists until you click the eye icon again to hide the password.

6. Select an encryption method from the drop-down list:

• CBC-DES - Use the cipher block chaining (CBC) data encryption standard (DES). This is the default value.

• CBS-3DES-EDE - Use the triple data encryption standard, which is similar to the CBC-DES method, but it applies the DES operation three times.

• CFB128-AES-128 - Use the advanced encryption standard (AES).

7. Specify an encryption password. Click the eye icon to see the password as you type. The view persists until you click it again to hide the password entry.

8. Click Submit.

3rd party integrations

This tab is where you integrate a third-party email service or alternative SMS provider with the realm.


Integrating a third-party email service or SMS provider

By default, a SteelConnect realm uses the Riverbed hosted Amazon Simple Queue Service (SQS) email server and short message service (SMS) provider. A realm administrator can integrate a third-party email service or SMS relay into a realm for use in place of the Riverbed hosted services. While the Riverbed hosted services are reliable, integrating a third-party provider has the added benefits of easier tracking and improved security because the email addresses and phone numbers never leave the service provider domain, geography, country, or governing region (such as the European Union).

To integrate a third-party email service

1. At the realm level, select the 3rd party integrations tab.

2. Under Email Server Settings, select Custom Setup from the drop-down list.

3. Enter the third-party email server.

4. Enter the port number for the third-party email server.

5. Enter the user name.

6. Enter the password. Click the eye icon to see the password as you type. The view persists until you click it again to hide the password.

7. Click Submit.

To enable a third-party SMS

1. At the realm level, select the 3rd party integrations tab.

2. Under SMS Service Settings, select the alternative service provider MessageBird from the drop-down list.

3. Enter the authorization access key such as AccessKey test_gshuPaZoeEG6ovbc8M79w0QyM.

Legal Disclaimer

This tab provides a place to add a predefined legal disclaimer that appears each time a user logs in to SCM. For example, “This computer system is the private property of its owner, whether individual, corporate, or government. It is for authorized use only.”


Using realm menus

The left menu provides realm administrators with ways to view organizations and administrators for the organizations. In addition, it provides a way to view a list of all appliances in every organization belonging to the realm.

Figure 28-2. Realm menus

Organizations

Select this menu item to view a list of all organizations belonging to the realm.

Admins

Select this menu item to assign administrative rights to individual administrator accounts per organization. You can also manage appliances and licensing per organization.


We recommend that you keep the number of realm administrators to a minimum and create organization administrators to manage organizations.

Figure 28-3. Realm and organization administration

Creating an administrator

To create a realm or an organization administrator

1. At the realm level, choose Admins.


2. Click New Admin.

Figure 28-4. Creating an administrator for a realm or an organization

3. Specify a one-word, case-sensitive username for the administrator. You can use Unicode characters.

4. Specify the administrator’s real name.

5. To make the administrator a super user who can view and manage the entire instance, click On next to Realm Admin. We recommend that you keep the number of realm administrators to a minimum and create organization administrators to manage organizations. To make the administrator for an organization, click Off next to Realm Admin. This is the default setting.

6. Specify an administrator password. Click the eye icon to see the password as you type. The view persists until you click it again to hide the password.

7. Specify the administrator’s email address.

8. Specify a mobile phone number for the administrator to use loopback authentication through mobile messaging. The administrator will also receive important text notifications using this number.

9. Click Submit. If the new administrator will be managing an organization, you need to associate the name with the organization.

10. Choose Organizations.


11. Click the organization name to associate it with the administrator; don’t click the Manage button next to the organization.

12. Select the Admins tab.

13. Click Add assignment.

14. Select the administrator’s name from the drop-down list.

15. Optionally, after Network config write permission and Policy config write permission, you can allow or prevent the administrator’s access to network or policy configuration within the organization:

• Click On to allow the administrator read-write permission for network configuration and policy configuration.

• Click Off to restrict the administrator to read-only permission.

Figure 28-5. Assign organization

16. Click Submit.

Hardware

Select this menu item to view a list of all appliances in every organization belonging to the realm.


SteelConnect SNMP Traps

The SteelConnect SNMP traps allow easy management of SCM and straightforward integration into existing network management systems.

Note: The SNMP traps are enabled for a realm by a realm administrator. For details, see “Exporting SNMP events” on page 243.

SNMP traps

Every SCM supports SNMP traps for conditions that require attention or intervention. Every event sends the related trap. For most events, when the condition clears, the system sends a clear trap. The clear traps are useful in determining when an event has been resolved. This section describes the SNMP traps. It doesn’t list the corresponding clear traps. The SteelConnect Manager tracks key hardware and software metrics and alerts you of any potential problems so that you can quickly discover and diagnose issues. The following table summarizes the SNMP traps sent from the system to configured trap receivers.

Trap               Text                                        OID

configChange       A configuration element has been changed.  enterprises.17163.1.20.4.1.1

applianceOnline    An appliance has come online.               enterprises.17163.1.20.4.1.2

uplinkOnline       An uplink has come online.                  enterprises.17163.1.20.4.1.3

tunnelOnline       A tunnel has come online.                   enterprises.17163.1.20.4.1.4

portOnline         A port has come online.                     enterprises.17163.1.20.4.1.5

applianceOffline   An appliance has gone offline.              enterprises.17163.1.20.4.1.1002

uplinkOffline      An uplink has gone offline.                 enterprises.17163.1.20.4.1.1003

tunnelOffline      A tunnel has gone offline.                  enterprises.17163.1.20.4.1.1004

portOffline        A port has gone offline.                    enterprises.17163.1.20.4.1.1005
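The following is an added example, not code from the SteelConnect guide or from Riverbed, showing what a trap receiver behind the firewall mentioned under "Exporting SNMP events" might do with the traps in the table above: resolve the numeric trap OIDs to their names, drop traps that do not come from the realm's expected source address, and pair each offline trap with its online clear trap so that only unresolved conditions are reported. The realm source address, the trap subjects and the sample trap list are constructed placeholders; the numeric prefix 1.3.6.1.4.1 for "enterprises" is the standard SMI arc.

```python
from collections import OrderedDict

# enterprises.17163 is Riverbed's SMI enterprise number (standard prefix 1.3.6.1.4.1).
TRAP_BASE = "1.3.6.1.4.1.17163.1.20.4.1."

# Trap names from the guide's table, keyed by the last OID arc.
TRAP_NAMES = {
    1: "configChange", 2: "applianceOnline", 3: "uplinkOnline",
    4: "tunnelOnline", 5: "portOnline",
    1002: "applianceOffline", 1003: "uplinkOffline",
    1004: "tunnelOffline", 1005: "portOffline",
}
CLEAR_OFFSET = 1000  # an offline trap's arc is its online (clear) trap's arc + 1000


def resolve_trap(oid):
    """Map a numeric snmpTrapOID value to (trap name, arc); reject unknown OIDs."""
    if not oid.startswith(TRAP_BASE):
        raise ValueError("not a SteelConnect trap OID: %s" % oid)
    arc = int(oid[len(TRAP_BASE):])
    if arc not in TRAP_NAMES:
        raise ValueError("unknown SteelConnect trap arc: %d" % arc)
    return TRAP_NAMES[arc], arc


def open_conditions(traps, allowed_sources):
    """Return ([(offline trap name, subject), ...], rejected count).

    traps: iterable of (source_ip, snmpTrapOID, subject) tuples; the subject is a
    hypothetical identifier the receiver has already extracted from the trap's
    varbinds. Traps from addresses other than the realm's are counted and ignored.
    """
    outstanding = OrderedDict()   # (offline arc, subject) -> trap name
    rejected = 0
    for src, oid, subject in traps:
        if src not in allowed_sources:
            rejected += 1
            continue
        name, arc = resolve_trap(oid)
        if arc > CLEAR_OFFSET:                       # offline: open a condition
            outstanding[(arc, subject)] = name
        else:                                        # online: clear it if open
            outstanding.pop((arc + CLEAR_OFFSET, subject), None)
    return [(n, key[1]) for key, n in outstanding.items()], rejected


REALM_TRAP_SOURCE = {"203.0.113.10"}   # placeholder for the realm's AWS address
SAMPLE_TRAPS = [                       # constructed sample, not real SCM output
    ("203.0.113.10", TRAP_BASE + "1002", "appliance-A"),
    ("203.0.113.10", TRAP_BASE + "1003", "uplink-1"),
    ("203.0.113.10", TRAP_BASE + "2", "appliance-A"),  # clears the first trap
    ("198.51.100.7", TRAP_BASE + "1004", "tunnel-X"),  # unexpected source, dropped
    ("203.0.113.10", TRAP_BASE + "1", "realm"),        # configChange has no clear trap
]
```

Running `open_conditions(SAMPLE_TRAPS, REALM_TRAP_SOURCE)` leaves only the uplink outage outstanding and reports one rejected trap.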
