For some time now I’ve been test driving the Riverbed Solution known as SteelConnect. The particular solution that I am testing was featured at TechFieldDay Extra at ONUG16. In full disclosure, Riverbed provided me with hosted access to SteelConnect Manager, and two physical appliances, the SDI-130 gateway and an SDI-AP5. I placed both of these units at my office in Temecula, California, and tried to set it up as our primary network connectivity. My thought was that even though this was presented to us as an SD-WAN solution, I believe it could be used as the primary hardware in an SMB. These are my findings.
In the presentation at TFDx @ ONUG16 the setup and configuration seemed incredibly easy. So much so that I tried to set things up without looking at any documentation. On setting the network up I needed to connect the gateway to my Frontier FiOS which has static IP addressing. Since the gateway appears to ship with DHCP configured I initially installed a border device. I know this is probably what everyone else on the planet is going to do. Still, the gateway seems to have some firewall features embedded and my curiosity about installing without a border device was still there. In the meantime I installed an ASA 5506-X at my Internet edge. The ASA gave the SDI-130 its DHCP configuration.
The good folks at Riverbed shared a pretty neat method of configuring static IP addressing on an initial deployment. Here’s how it works.
Configuration is performed via the SteelConnect Manager which is hosted by Riverbed. The interface can be seen below. I’ll get to the tunnel part later on.
Now, since the configuration is applied to a hardware device after it registers with the SteelConnect Manager you can define your static IP addressing prior to the device connecting.
And here’s the good part. The device still needs to get an IP address via DHCP so that it can call into the SteelConnect Manager. There is a USB port on the SDI-130 Gateway. You can connect that to a cell phone and enable the personal hotspot feature. The SDI-130 will obtain an address from your phone, call into the SteelConnect Manager, and download the configuration with the static IP address. This process worked extremely well in my testing.
I should also mention here that you’ll need to adopt the hardware once it’s online. The support documentation is easy to follow and the system is intuitive enough for anyone with a little networking experience.
The SteelConnect Manager
The SteelConnect Manager is navigated on the left-hand side.
Selecting an option from the left, in this case “Organization” enabled another menu within that section. I’m sure they have a name for this but I didn’t take the time to find out. Again, I believe the interface is intuitive enough that this type of stuff just makes sense.
The organization area allows you to set up some organization-wide settings. One thing that I think is pretty cool here is the Social Media tab. Here you can add Facebook, Google or Twitter as a login service provider. Numbering Pools lets you define the subnets you want to use internally. SteelConnect Manager will select the next pool in sequence as you add zones. A zone is similar to a subnet and they are configured under Network Design.
Network Design has several areas that were important to me during my testing and setup. The Sites section allows you to define multiple sites. Originally I installed the SDI-130 and the SDI-AP5 at my office. After some time I decided to move the SDI-AP5 to my home office. That’s why you can see the Branch and HQ locations in the image above. One of the really neat things about the Riverbed SD-WAN solution is how it automatically establishes VPNs between devices. Placing the SDI-AP5 at home extended my office network for me with very little setup. I’ll cover that later in this article.
In the WANs section there are two things defined here. First we have the two uplinks to the WAN. One of these is defined as the Internet connection for the HQ and the other is for the Branch that I added later in my testing. The Branch set up an AutoVPN with HQ and so below that you see the VPN routes that are configured so the Branch LAN can talk to the HQ LAN. I’m not digging very deep here but if you know anything about VPN this would make sense. It’s basically the Proxy ACL. Now the RouteVPN is defined between multiple zones. I have two zones configured. Below you can see the Branch LAN and the HQ LAN. The Branch LAN is not in use. What I ended up doing, with a little guidance from the good folks at Riverbed, was to add the SDI-AP5 to my home office as you can see below, but there was a trick to making this work seamlessly without a gateway at my house.
The trick here was to set the operation mode to HQ-LAN, which extended my LAN segment at HQ out to the Branch. You’ll find this under the Wired tab. That put the Branch LAN on the same VLAN as HQ so I get an IP on the same subnet. You can find this configuration setting below.
Aside from setting up the LAN you will also need to set the SSID to broadcast on the SDI-AP5. This is set up under the WiFi>Broadcasts menu option.
Overall, working with SteelConnect is very simple yet very powerful. I found it to be feature rich and since I’ve been testing they have added several new features. When a new set of features is added you get a nifty notification in the SteelConnect interface and you can choose to update it when it’s convenient.
The interface provides details of important information; for example, the Ports interface shows the ports of the SDI-130, identifies the uplink, the VLAN on the LAN side and the zone that’s assigned. Links get you into relevant configuration areas.
MAC addresses are identified and you can even tie them to users. Policy can then be applied to these users.
From where I sit there is plenty of power packed into the Riverbed Solution. As I mentioned, Riverbed provided me with hardware and a demo environment. The devices in the demo are not licensed and to be honest, I don’t know what additional features the license would get me. However I’ve been running it for a time now as my primary networking solution in my small business. I have no need to run the Java-based ASDM to edit firewall policy these days. I also appreciate being able to log into my instance of SteelConnect Manager from anywhere and check the status of my tunnels. If I really need to get into the network while remote I can even spin up a server in AWS and create a VPC.
Clicking Subscribe here opens up the marketplace where you can deploy a SteelConnect Gateway and join the VPN.
And of course, I could go on with all the features. But don’t take my word for it. Head on over to Riverbed and check out the solutions for yourself. If you want to see a little hands-on then I suggest you take a look at the video presentation from TFDx @ ONUG 2016. I’ve embedded it below.
Angelo Comazzeto, Director of Cloud Services, demonstrates the Riverbed SteelConnect user interface and how to provision new units and classify devices in remote offices with a few clicks. Recorded at Tech Field Day Extra at ONUG Spring 2016 on May 10, 2016. For more information, please visit http://Riverbed.com/ or http://TechFieldDay.com/event/onugs16/