SteelConnect EX SD-WAN Architecture Overview

Riverbed logo on a gradient background

The holiday season is just over and while I was looking at my kids taking apart their brand new toys—and telling them they probably should not, I remembered that I was actually the very same years ago. I wanted to understand how things were built and how this new cool 1/18 racing car was able to reproduce the sound of an actual engine and have lights on.

The truth is, now as a grown-up, I still enjoy that, drilling down and get my hands dirty. I like to understand how things are working under the hood. That helps me to anticipate the capabilities and limitations of a product, beyond marketing shiny announcements.

If you are like me and interested in SD-WAN, you are in the right spot: we are going to explore the world of SteelConnect EX, Riverbed’s Enterprise SD-WAN offering.

In this first episode of the series, we are going to discuss the overall architecture of the Riverbed SD-WAN solution.


Following SDN’s disaggregation principles, SteelConnect EX enterprise SD-WAN solution is comprised of several stacks:

  • Director is the component responsible for the management plane of the SD-WAN fabric;
  • Analytics is offering visibility on the Network by collecting metrics and events via IPFIX and Sysflow from branch gateways;
  • Controller is in charge of the Control plane for the SD-WAN Fabric;
  • Branch Gateways—also known as SteelConnect-EX appliances—are the SD-WAN appliances that will be deployed in the various sites. They are available in various form factors including Hardware, Virtual and Cloud (for IaaS platform like AWS, Azure…). Gateways are actually the data plane and will be deployed in all SD-WAN sites: Data centers, Hubs, Cloud (IaaS) and offices.
SteelConnect EX architecture
SteelConnect EX architecture

Each of the components can be deployed in High-Availability mode.

Each of those components is multi-tenant. All of them. Even the Branch Gateways! This will be the topic of a dedicated upcoming blog post.


Director, Analytics and Controller are the three components that we call Head-Ends. They can be deployed in a data center, in the Cloud (Azure, AWS…) or hosted and operated by a Telco Service Provider on their network.

SteelConnect-EX Head-Ends
SteelConnect-EX Head-Ends


The Director is a management system for the provisioning, management and monitoring of the SD-WAN infrastructure. It means that we can:

  • Create template of configurations for networking, SD-WAN policies (overlays, Path-Selection, path resiliency features…), Security and so on.
  • Manage gateways’s full lifecycle (on-boarding, configuration, firmware upgrade, RMA…)
  • Monitor and get alerts

Director can be configured via a web GUI, RESTful APIs or even CLI.
Director pushed the configuration to the Branch Gateways via NetConf. The NetConf commands are routed via the Controller.


Director offers Role-Based Management Access Control (RBAC) which means that one can delegate the management of a portion of the network to different individuals or teams.

Director can integrate with third-party solution as well and orchestrate the deployment of virtual SteelConnect-EX on private and public clouds.

Visibility and monitoring with analytics

SteelConnect Analytics is a big data solution that provides real-time and historical visibility, baselining, correlation, prediction and closed-loop feedback for SteelConnect EX software-defined solutions.
The key features include:

  • Policy driven data logging framework
  • Reporting for multiple networks and security services
  • Real-time and Historical traffic usage and anomaly detection
  • Multi-organizational reporting
  • Analytics will collect IPFIX and Syslog from gateways via the Controller.
SteelConnect Analytics

Analytics is an optional component of the solution but highly recommended to get visibility into the SD-WAN fabric.


From a software point of view, a Controller runs the exact same code (i.e same firmware) than the Branch Gateway. When on-boarded on the Director, that particular appliance is given a role, the controller role, and will be in charge of the control plane.

The Controller is in charge of on-boarding SD-WAN gateways into the network. It uses IKE and PKI certificates to authenticate branch SteelConnect-EX appliances.

From a routing point of view, a Controller acts as a route reflector for SD-WAN branches. When one branch gateway advertises a route to the Controller, it will be “reflected” to all other SD-WAN gateways (within a specific Transport Domain, we will discuss it in a following article). In fact, in addition to route information, the Controller reflects as well the Security Association (SA) information so that the destination branches in a same VPN can establish secure data channels between each others.

The Controller enables IPSEC connectivity between SD-WAN sites without the overhead of maintaining a full mesh of IKE Keys among all branches. This optimization reduces the complexity and overhead of maintaining N2 links and keys. The Control Plane between the Controller and the SteelConnect-EX appliances distributes IPSEC keys to other branch nodes.

The Controller will never route user traffic (data plane). The tunnels formed with branch appliances are only used for the control plane: routing (MP-BGP), security key information, NetConf via SSH, IPFIX, probing… It means that, should you deploy the Head-Ends in your data-center, you will need to have a SD-WAN gateway there too to send traffic across the SD-WAN fabric.

The controller will route control traffic between the Head-Ends and the SD-WAN gateways via the overlay network.
A Controller can handle up to 2’500 sites. Should we need to scale to higher numbers, we can scale horizontally and add more Controllers.

Network topology

Director, Analytics and Controller are colocated and will be connected between each other by a Control Network (Southbound for Analytics and Director). All communications between Analytics, Director and the SD-WAN gateways will be done via the Control Network and routed by the Controller.

This Control Network will not be routed and not advertised on the network.

Head-End Network Topology
Head-End Network Topology

A Management Network is also configured to expose GUI and APIs to the administrators as well as third-party tools.

To conclude

In this first episode of the series about SteelConnect-EX, we highlighted the role of the 4 main components of the solution: the three Head-End devices: Director, Analytics and Controller. SteelConnect-EX gateways that are deployed in all SD-WAN sites.

In the following post, we are going to have a look at the routing principles of the SteelConnect-EX gateways.

If you enjoyed it or if you have questions, feel free to leave a comment or engage us on the Riverbed Community web site and Twitter.

Watch video 


Related Content

selected img