BRKAPP-2005 Deploying Wide Area Application Services

Upload: lmparent

Post on 28-Nov-2015

TRANSCRIPT

Page 1: BRKAPP-2005

BRKAPP-2005

Deploying Wide Area Application Services

Page 2: BRKAPP-2005

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2

Agenda

WAAS Overview

WAE Installation

WAE Deployment

WAAS Central Manager Configuration

WAAS Application Optimizer (AO) Deployments

  CIFS Software Distribution

  HTTPS Webex Web Conferencing

WAAS Virtual Blade Deployments

WAAS Sizing Guidelines

WAAS Mobile Overview and Deployment

Page 3: BRKAPP-2005


WAAS Overview

Page 4: BRKAPP-2005

Wide Area Application Services (WAAS) Version 4.2

[Architecture diagram of the Wide Area Application Engine. Labels shown:]

IOS Platform with Services and CLI; IOS Shell; Cisco Linux Kernel; Linux; Flash; Ethernet Network I/O

Policy Engine, Filter-Bypass, Egress Method, Directed Mode, Auto-Discovery

TCP Proxy with Scheduler Optimizer (SO): DRE, LZ, TFO

Application Optimizers: CIFS AO, NFS AO, EPM AO, MAPI AO, HTTP AO, SSL AO, RTSP AO

Configuration Management System (CMS)

Virtual Blades (Kernel Virtual Machine): Windows On WAAS (WOW), ACNS* On WAAS, ACNS, VB, Virtual Blade #3

Storage: Object Storage, Application Storage, DRE Storage, Virtual Blade Storage

*Application and Content Networking Software 5.5.13

Page 5: BRKAPP-2005

WAAS Product Line Overview

[Product line chart. Labels are listed in slide order; the alignment between platforms, sizes and prices is not recoverable from the transcript.]

Branch Office & Mobile User Platforms; Data Center & Campus Platforms

Platforms: SRE-700, SRE-900, WAVE-274, WAVE-474, WAVE-574, WAE-674, WAE-7341, WAE-7371, WAAS Mobile

Location & Size*: Data Center & Campus; Branch up to 400 users*; Branch: Up to 150 users*; Branch: Up to 50 users*; Branch: Up to 20 users*; Mobile User (Branch of 1)

List Price w Enterprise License: $135K, $59K, $22K, $12.5K, $10K, $6.5K

Platform classes: WAN Op + Video Platform; WAN Op + Video + WAAS Virtual Blade Platform

"New" badge shown on two items

*Indicative sizing only. Please refer to WAAS sizing guidelines to size specific to customer requirements.

Page 6: BRKAPP-2005

WAAS Overview: Session and Transport Layer Optimization

[Diagram labels: Host A and Host B, each with Application, Presentation, Session, Transport, Network, Data Link, Physical; WAE 1 and WAE 2, each with Application Optimizer (AO), TFO, Network, Data Link, Physical; WAN; connection segments Origin, Optimized, Origin]

Page 7: BRKAPP-2005

WAAS Overview: DRE and LZ Manage Bandwidth Utilization

Data Redundancy Elimination (DRE) provides advanced compression to eliminate redundancy from network flows regardless of application

LZ compression provides generic compression for all traffic

[Diagram labels: FILE.DOC, DRE CACHE and LZ at each end; Encode, Decode; WAN; Origin Connection, Optimized Connection, Origin Connection; Window Scaling, Large Initial Windows, Congestion Mgmt, Improved Retransmit, Packet Aggregation]

Page 8: BRKAPP-2005

WAAS Overview: Application Optimizations

Read Ahead

Asynchronous Write

Local Acknowledgement

Data Redundancy Elimination (DRE)

DRE Hinting

LZ Compression

TCP Flow Optimization

Object Caching

Object Prepositioning

Object Meta Data Caching

Encryption/Decryption

Video Stream Splitting

Outlook Address Book (OAB)

UUID Dynamic Classification

Page 9: BRKAPP-2005

WAAS Application Optimizer (AO): Feature Summary

AO   | Read Ahead | Async Write | Local Ack | DRE/Hint | LZ | TFO | Object Cache | Object Pre-Position | Meta Data Cache | Other           | Lic Req’d
CIFS | Y          | Y           | Y         | Y/Y      | Y  | Y   | Y            | Y                   | Y               | -               | Ent
NFS  | Y          | Y           | Y         | Y/Y      | Y  | Y   | N            | N                   | Y               | -               | Ent
HTTP | N          | N           | Y         | Y/Y      | Y  | Y   | N            | N                   | Y               | Conn Reuse      | Ent
MAPI | Y          | Y           | Y         | Y/Y      | Y  | Y   | N            | N                   | N               | OAB Object      | Ent
PRT  | N          | Y           | Y         | Y/Y      | Y  | Y   | N            | N                   | Y               | -               | Ent
RTSP | N          | N           | Y         | N/N      | N  | Y   | N            | N                   | N               | Split Video     |
EPM  | N          | N           | N         | N/N      | N  | Y   | N            | N                   | N               | Classify        | Ent
SSL  | N          | N           | N         | Y/N      | Y  | Y   | N            | N                   | N               | Encrypt/Decrypt | Ent

Page 10: BRKAPP-2005

WAAS Overview: Auto-Discovery—Two WAEs

Expanded for AOs

TCP option 0x21 provides in-band signaling

WAE B closest to host (A) and WAE (C) closest to host (B)

Connection optimized between WAE (B) and (C)

WAEs shift the TCP SEQ number of the optimized connection by 2 billion

If a WAE that was optimizing connections fails:

  Receiving host will see segments with SEQ/ACK numbers that are out of range

  Host will reset (RST) connection

  WAAS will propagate the RST

  Host application will re-establish a new TCP connection

[Diagram: nodes A, B, C, D. Message labels: A:D SYN, A:D SYN(OPT), A:D SYN(OPT); D:A SYN/ACK, D:A SYN/ACK(OPT), D:A SYN/ACK. Connection segments: Origin Connection, Optimized Connection, Origin Connection.]

Page 11: BRKAPP-2005

WAAS Overview: Auto-Discovery—Three or More WAEs

WAE (B) closest to host (A)

WAE (D) closest to host (E)

Intermediate WAE (C) sees TCP option mark in both directions and goes into Pass Through (PT)

WAE supports 10X optimized limit for Pass Through

[Diagram: nodes A, B, C, D, E. Message labels: A:E SYN, A:E SYN(OPT), A:E SYN(OPT), A:E SYN(OPT); E:A SYN/ACK, E:A SYN/ACK(OPT), E:A SYN/ACK(OPT), E:A SYN/ACK; A:E ACK, A:E ACK(OPT), A:E ACK(OPT), A:E ACK. Connection segments: Origin Connection, Optimized Connection, Origin Connection.]

Page 12: BRKAPP-2005

WAAS Overview: Auto-Discovery—One WAE

WAE (B) is closest to host (A) and host (C)

No TCP option mark is seen in either direction

WAE B goes into Pass Through (PT)

WAE supports 10X optimized limit for Pass Through

[Diagram: nodes A, B, C. Message labels: A:C TCP SYN, A:C SYN(OPT); C:A SYN ACK, C:A SYN ACK. Connection segments: Origin Connection, Origin Connection.]
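
The three auto-discovery cases above follow from one rule per WAE. The following is an added example, not code from the presentation or from Cisco: a simplified Python model whose marking rule is inferred from the SYN / SYN(OPT) labels on the slides, with hypothetical function names. It also checks why the 2 billion SEQ shift falls outside any receive window once an optimizing WAE has failed.

```python
SEQ_SHIFT = 2_000_000_000  # "2 billion", taken literally from the slide
MAX_WINDOW = 1 << 30       # largest receive window TCP window scaling allows
MOD = 1 << 32              # TCP sequence numbers wrap at 2**32


def role(syn_marked, synack_marked):
    """What a WAE does, given whether each segment arrived carrying option 0x21."""
    if syn_marked and synack_marked:
        return "pass-through (intermediate)"
    if not syn_marked and not synack_marked:
        return "pass-through (no peer)"
    return "optimize"


def discover(path, wae_names):
    """Walk one SYN and one SYN/ACK along path (client first, server last)."""
    if path[0] in wae_names or path[-1] in wae_names:
        raise ValueError("path must start and end with a host")
    saw_syn, saw_synack = {}, {}

    # SYN, client to server: the first WAE adds the option, later WAEs keep it.
    syn, marked = [], False
    for hop in path[1:]:
        syn.append("SYN(OPT)" if marked else "SYN")
        if hop in wae_names:
            saw_syn[hop] = marked
            marked = True

    # SYN/ACK, server to client: a WAE that saw a marked SYN has a peer on the
    # client side and sends the option on; the client-side WAE strips it.
    synack, marked = [], False
    for hop in reversed(path[:-1]):
        synack.append("SYN/ACK(OPT)" if marked else "SYN/ACK")
        if hop in wae_names:
            saw_synack[hop] = marked
            marked = saw_syn[hop]

    roles = {w: role(saw_syn[w], saw_synack[w]) for w in saw_syn}
    edges = [w for w in path if roles.get(w) == "optimize"]
    return {"syn": syn, "synack": synack, "roles": roles,
            "optimized_between": tuple(edges) if len(edges) == 2 else None}


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls inside the receiver's window, modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def survives_wae_failure(rcv_nxt, rcv_wnd=MAX_WINDOW):
    """After an optimizing WAE fails, the host receives SEQ numbers that are
    off by SEQ_SHIFT in one direction or the other. Returns True only if such
    a segment would still be accepted; False means the host resets (RST)."""
    ahead = (rcv_nxt + SEQ_SHIFT) % MOD
    behind = (rcv_nxt - SEQ_SHIFT) % MOD
    return in_window(ahead, rcv_nxt, rcv_wnd) or in_window(behind, rcv_nxt, rcv_wnd)


if __name__ == "__main__":
    for path, waes in ((["A", "B", "C", "D"], {"B", "C"}),
                       (["A", "B", "C", "D", "E"], {"B", "C", "D"}),
                       (["A", "B", "C"], {"B"})):
        print(path, discover(path, waes))
    print("segment accepted after WAE failure:", survives_wae_failure(1000))
```
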

Page 13: BRKAPP-2005


WAE Installation

Page 14: BRKAPP-2005

WAAS Installation: Setup Script

On boot of a factory-default box you are prompted to run the setup script; it can also be started by executing ‘setup’

Script prompts for configuration to communicate, network integrate, manage, and license the WAE

Ideal for pilots and small deployments

Recommend script to set up Central Manager

  Device Mode Central-Manager

Recommend configuration template to stage accelerators for large deployments

device mode application-accelerator

central-manager address 10.1.1.31

primary-interface GigabitEthernet 1/0

cms enable

wccp version 2

wccp router-list 1 10.1.4.254

wccp tcp-promiscuous router-list 1

interface GigabitEthernet 1/0

ip address 10.1.4.100 255.255.255.0

autosense

exit

ip default-gateway 10.1.4.254

ip name-server 167.206.245.130

ip domain-name allcisco.com

hostname br1-wae1

ntp server 10.1.1.254

clock timezone US/Eastern -5 0

license add ...

Page 15: BRKAPP-2005

Integrated WAAS/ISR Configuration with Setup Wizard

Single-screen configuration for WAAS and ISR IOS

WCCP auto-configuration

Proactive diagnostic

(New in WAAS 4.2)

Page 16: BRKAPP-2005

Installation: Device Mode Replication Accelerator

Requires WAAS 4.0.19 or Later 4.0.X

Accelerator optimized for a small number of high-throughput TCP connections

EMC SRDF/A and NetApp SnapMirror

Available on the WAE-7341 and WAE-7371 platforms

Only negotiates optimized connections with other WAEs in the same mode

device mode replication-accelerator

hostname dc1-wae1

primary-interface GigabitEthernet 1/0

interface GigabitEthernet 1/0

ip address 10.1.1.31 255.255.255.0

exit

ip default-gateway 10.1.1.254

ip name-server 10.1.1.21

central-manager address cm.allcisco.com

cms enable

Page 17: BRKAPP-2005


wae(config)# interface PortChannel 1

wae(config-if)#no shut

wae(config-if)#ip address 10.1.1.31 255.255.255.0

wae(config)# interface gigabitEthernet 1/0

wae(config-if)#no shutdown

wae(config-if)#channel-group 1

wae(config-if)#exit

wae(config)#interface gigabitEthernet 2/0

wae(config-if)#no shut

wae(config-if)#channel-group 1

Installation: WAE Interface Channeling

Interfaces can be bundled into a PortChannel for load-balancing and high availability across switch modules

Requires identical interface configuration on both physical interfaces

IP addresses are defined on the PortChannel interface

Page 18: BRKAPP-2005

Installation: Standby Network Interface Card (NIC)

There must be a layer 2 path between the two NICs

MAC address is only on the in-use interface

Primary preempts

No primary floats

Gratuitous ARPs on failover

Virtual Blade not supported

[Diagram labels: G 1/0, G 2/0]

wae(config)#interface Standby 1

wae(config-if)#ip address 10.1.2.100 255.255.255.0

wae(config-if)#exit

wae(config)#interface GigabitEthernet 1/0

wae(config-if)#standby 1 primary

wae(config-if)#exit

wae(config)#interface GigabitEthernet 2/0

wae(config-if)#standby 1

wae(config-if)#exit

WAE(config)#primary-interface standby 1

wae#show interface standby 1

Interface Standby 1 (2 physical interface(s)):

GigabitEthernet 1/0 (active)

GigabitEthernet 2/0 (active) (primary) (in use)

Page 19: BRKAPP-2005


WAAS Central Manager Configuration

Page 20: BRKAPP-2005

Central Management System (CMS) Overview

CMS process runs on all WAEs

Provides bidirectional configuration synchronization between CM and accelerators

Communicates over HTTPS using self-signed, device-specific certificates and keys

Central Manager collects health and monitoring data every five minutes by default

CMS provides means to back up and restore configuration

Provides means to replace a failed device with a new device

Use “show cms info” to get CMS status

Configuration
  Groups
  Ability to hide/filter pages
  Role-based access control

Report
  System
  Device/Location
  Flow
  Session

Monitor
  Alarm
  Emergency and critical syslog

Page 21: BRKAPP-2005

Central Manager: Login

1. https://cm-ip:8443/

2. Accept certificate

3. Username: admin

4. Password: default

5. Initialize and/or open secure store

Page 22: BRKAPP-2005

Central Manager: Group Configuration Best Practices

AllDevicesGroup
  Network > DNS
  SNMP
  Date/Time > NTP Server | Time Zone
  Login Access Control > SSH | MoD | Exec Timeout
  Authentication
  Common criteria
  System Log Settings
  Storage > Disk Error Handling

CoreDevicesGroup
  SSL Acceleration

EdgeDevicesGroup
  Transaction logs
  Prepositioning
  Disk encryption
  Flow Agent

Page 23: BRKAPP-2005

Central Manager: Group/Device Configuration Strategy

Use groups to the greatest extent possible

  A device can belong to multiple device groups

  Device configuration is more specific than group configuration

  Multiple group configuration conflict is resolved by most recent configuration

  Hide configuration pages that should not be used in a group

Create and enforce device group naming policy

  All lower case with dashes for spaces
    all-device-group
    timezone-us-eastern

  No spaces with capital for start of word
    AllDeviceGroup
    TimezoneUSEastern

Page 24: BRKAPP-2005

Central Manager: Adding a New Core Device

1. Install WAE

2. Configure hostname, IP, primary interface, CM IP, and CMS enable

3. Assign device to AllCoresGroup (WAE is auto-activated and auto-assigned to the AllDevicesGroup)

4. Configure WCCP

hostname dc1-wae2

primary-interface GigabitEthernet 1/0

interface GigabitEthernet 1/0

ip address 192.168.200.202 255.255.255.0

exit

ip default-gateway 192.168.200.254

central-manager address 192.168.200.204

cms enable

license add Enterprise

Page 25: BRKAPP-2005

Central Manager: WAAS Monitoring

Dashboard Aggregate Statistics

Device flow monitoring

Device CPU and Disk

Acceleration (HTTP, CIFS, NFS, MAPI, Video, SSL)

System-wide, Device Specific and Grouped by Location

Page 26: BRKAPP-2005

Central Manager: 3rd Party WAAS Monitoring

Router Netflow to NAM, NetQoS, Fluke or other 3rd party for reporting of all network traffic

WAAS flow logs to Sawmill for WAAS historical optimized flow level reporting

WAAS flow agent to Cisco Network Analysis Module (NAM) and NetQoS for application latency

NetQoS or Fluke for WAAS CM API reporting

[Diagram labels: WAN; Data Center; End-user Site with Optimization; WAE, WAE, WAE-CM; FlowAgent Data Feed; Netflow; FTP Export; WAAS CM API; NetQoS, Sawmill, NAM, Fluke]

Page 27: BRKAPP-2005

Central Manager: Roles and Domains

1. Admin > AAA > Domains - Create domains based on groups

2. Admin > AAA > Role - Create role based on user’s allowed actions hiding unspecified configuration screens

3. Admin > AAA > User - Create user and associate roles and domains

Page 28: BRKAPP-2005

Central Manager: Assigning Roles and Domains to Users

Page 29: BRKAPP-2005


WAE Inline Deployment

Page 30: BRKAPP-2005

Inline: Non-Redundant Branch Deployment

Router
  Crossover cable from router to engine
  Ensure the router bandwidth and duplex match the switch

Switch
  Straight through cable from engine to switch
  Ensure the switch bandwidth and duplex match the router
  Implement switch port fast for faster failover recovery

Engine
  One InLine NIC per WAE appliance (cannot be used with WCCP)
  Installed in-path between switch and router or firewall
  Use single pair of inline ports (1/0 or 1/1) removing RJ45 port covers
  Ports fail-to-wire upon hardware, software, or power failure
  Support for interception 802.1q trunks
  Use GigabitEthernet 1/0 primary interface

[Diagram labels: s1, e1, r1; inline ports 1/0/LAN, 1/0/WAN, 1/1/LAN, 1/1/WAN; g 1/0; WAN]

Page 31: BRKAPP-2005

Interception with Serial Inline Cluster

Dual inline cards supported in WAAS 4.2.1

Supports up to 4 inline groups

Supported on WAE-674, WAE-7341, WAE-7371

Interception Access list allows bypass of non-relevant traffic

Easy approach implementing Large Branch and Small/Medium Data Centers

HA is provided by 2nd WAE

Simplifies PoCs

Page 32: BRKAPP-2005

Serial Inline Cluster Topologies - Branch

[Topology diagrams. Labels: WAN, WAE-DC1, WAE-DC2]

Page 33: BRKAPP-2005

Serial Inline Cluster Topologies - DC

[Topology diagrams. Labels: WAN, WAE-DC1, WAE-DC2]

Page 34: BRKAPP-2005

Serial Inline Cluster – Branch Failure or No WAE

[Diagram labels: Branch, Core; WAE-BR, WAE-DC2, WAE-DC1; WAN; numbered steps 1 to 6 with SYN, SYN+OPT, SYN+ACK, "PT Non-optimizing Peer" and "PT No Peer"]

DC WAEs form peers with each other

Disabling peer optimization prevents the DC WAEs from becoming peers with each other

WAE-DC2 is a non-optimizing peer!

Page 35: BRKAPP-2005


Configuring Non-Optimizing Peers

Page 36: BRKAPP-2005

Verify Peer Settings

Green check mark indicates correct configuration

Page 37: BRKAPP-2005


wae(config)#interface InlineGroup 1/0 ?

autosense Interface autosense

bandwidth Interface bandwidth

encapsulation Set encapsulation type for an interface

exit Exit from this submode

failover Modify failover parameters

full-duplex Interface fullduplex

half-duplex Interface halfduplex

inline VLAN's to intercept

ip Interface Internet Protocol Config commands

no Negate a command or set its defaults

shutdown Put the inline interface in passthrough mode

wae#show interface inlinegroup 1/0

Interface is in intercept operating mode.

Standard NIC mode is off.

Disable bypass mode is off.

VLAN IDs configured for inline interception: All

Watchdog timer is enabled.

Timer frequency: 1600 ms.

Autoreset frequency 500 ms.

The watchdog timer will expire in 1195 ms.

Inline: Configuration

Ensure Consistent Bandwidth and Duplex Settings on Router and Switch Side Interfaces

Pass Through All Traffic (Fail to Wire)

Optionally Assign IP Address

Page 38: BRKAPP-2005


Br1-wae1#show interface inlineport 1/0/LAN

Device name : eth5. Bypass slave interface.

Packets Received : 968932

Packets Intercepted: 781189

Packets Bridged : 187743

Packets Forwarded : 785048

Packets Dropped : 0

Packets Received on native : 0

Active flows for this interface :0

Ethernet Driver Status

-------------------------

Type:Ethernet

Ethernet address:00:E0:ED:04:BA:23

Maximum Transfer Unit Size:1500

Metric:1

Packets Received: 968932

Input Errors: 0

Input Packets Dropped: 0

Input Packets Overruns: 0

Input Packets Frames: 0

Packet Sent: 1254163

Output Errors: 0

Output Packets Dropped: 0

Output Packets Overruns: 0

Output Packets Carrier: 0

Output Queue Length:100

Collisions: 0

Base address:0x30c0

Flags:UP BROADCAST RUNNING MULTICAST

Mode: autoselect, full-duplex, 100baseTX

Inline: Status

Received Is Total Packets

Intercepted Is All TCP Packets

Bridged Are Non-TCP Packets

Forwarded Are Sent from Inline Interface

UP indicates administratively up

Running indicates link up

Recommend auto-negotiation

Page 39: BRKAPP-2005


Serial Inline Cluster Best Practices

Deploy the same platform for both devices in cluster

Disable optimization between serial cluster devices

Apply the same policy/interception ACL on both devices

Configure interception ACL for both directions

Use CM to configure and manage serial inline cluster

  Automatic peer configuration

Verify peer optimization settings are mutually configured

Location based reporting

Second WAE in serial inline cluster is for HA, not supported for scaling/load balancing

Page 40: BRKAPP-2005


WAE WCCP Deployment

Page 41: BRKAPP-2005


WCCP Deployment - BRKAPP-2021

Deploying and Troubleshooting Web Cache Communication Protocol (WCCP) for WAN Acceleration, Security and Content Delivery

Highly recommend attending for in-depth information on deploying WCCP for redirection in the branch and DC

Page 42: BRKAPP-2005

WCCP: Assignment, Redirect, and Return

Assignment (engine selection)
  Hash - Byte level XOR computation divided into 256 buckets (default)
  Mask - Bit level AND divided up to 128 buckets (7 bits)

Router WCCP Redirect (router to WAE)
  GRE - Entire packet GRE tunneled to the engine (default)
  Layer 2 - Frame MAC address rewritten to engine MAC

WAE WCCP Return (WAE to router)
  WCCP GRE - Packet statefully returned to router (as of 4.0.13)
  WCCP Layer 2 - Frame statefully rewritten to router MAC (Not yet supported in WAAS)

WAE Egress Method
  IP Forward - Engine ARPs for default gateway (default)
  WCCP negotiated - WCCP GRE or WCCP L2 return (not yet supported in WAAS)
  Generic GRE - Statefully return in hardware to Catalyst 6500 Sup720/32 (as of WAAS 4.1)

[Diagram labels: hosts A, B, C; engines e1, e2; routers r1, r2; Src Balance 61; 62 Dst Balance]

Page 43: BRKAPP-2005

WCCP: Central Manager Configuration

wccp router-list 1 192.168.254.2

wccp tcp-promiscuous router-list-num 1

wccp version 2

egress-method negotiated-return intercept-method wccp

Page 44: BRKAPP-2005

WCCP: Common and Specific Configuration

WAE common configuration
  wae(config)#wccp router-list N <ip-address-list>
  wae(config)#wccp version 2

Router common configuration
  rtr(config)#ip wccp 61 <redirect-list acl-name>
  rtr(config)#ip wccp 62 <redirect-list acl-name>

Specific configuration depends on
  Router – In or Out
  Switch – In only
  Topology

WCCP configurations vary for
  Assignment (WAAS default is hash)
  Redirect (WAAS default is WCCP GRE)
  Return (WAAS default is IP forward)

Page 45: BRKAPP-2005

Planning and Design: Platform Recommendations

Function | Nexus 7000 | Software ISR & 7200 | ASR 1000 | Cat 6500 Sup720/32, 7600 | Cat 6500 Sup2 | Cat 4500 | Cat 3750
Assign | Mask Only | Hash or Mask | Mask Only | Mask | Mask | Mask only | Mask only
Redirect | L2 | GRE or L2 | GRE or L2 | GRE or L2 | L2 or GRE / L2 | L2 only | L2 only
Redirect List | L3/L4 ACL | Extended ACL | Extended ACL | Extended ACL | Extended ACL | No Redirect List Support | Extended ACL (no deny)
Direction | In or Out | In or Out | In only | In | In | In only | In only
Return | L2 only | GRE or L2 | GRE or L2 | L2 | L2 | L2 only | L2 only
VRFs | Supported | Supported | Planned | Planned | NA | NA | NA
IOS | 4.2(1) | 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; 15.0(1)M | 2.4(2) | 6500: 12.2(18)SXF14, 12.2(33)SXH4, 12.2(33)SXI2a; 7600: 12.2(18)SXD1 | 12.1(27)E; 12.2(18)SXF14 | 12.2(50)SG1 | 12.2(46)SE

Page 46: BRKAPP-2005

WCCP: Redirect List

ip access-list extended waas
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 deny tcp any any eq 2443
 deny tcp any any eq 5060
 deny tcp any any eq 1718
 deny tcp any any eq 1719
 deny tcp any any eq 1720
 deny tcp any any eq 8443
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 deny tcp any eq 2443 any
 deny tcp any eq 5060 any
 deny tcp any eq 1718 any
 deny tcp any eq 1719 any
 deny tcp any eq 1720 any
 deny tcp any eq 8443 any
 ! Below optional per branch in pilot
 permit tcp any <<branch subnet>>
 permit tcp <<branch subnet>> any
 deny tcp any any

Permit all applications but deny specific

Avoid redirection of management traffic with a universal ACL

Apply bidirectional ACL to service groups 61 and 62

Create the redirect ACL before enabling WCCP service groups 61 and 62

Do not enable logging on WCCP redirect ACL

Permit specific applications only
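
One way to check a redirect list against the guidance above, as an added example that is not part of the presentation: the script parses the slide's deny entries, reports ports denied in only one direction, and evaluates flows first-match. The closing `permit tcp any any` stands in for the per-branch permits, and the function names, `BROKEN_ACL` and the test flows are constructed for illustration.

```python
import re

# IOS port keywords that appear in the slide's ACL
PORT_NAMES = {"telnet": 23, "bgp": 179, "tacacs": 49}

# Deny entries copied from the slide; the last line is the assumed
# "permit all applications but deny specific" tail.
PAGE_ACL = """\
ip access-list extended waas
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 deny tcp any any eq 2443
 deny tcp any any eq 5060
 deny tcp any any eq 1718
 deny tcp any any eq 1719
 deny tcp any any eq 1720
 deny tcp any any eq 8443
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 deny tcp any eq 2443 any
 deny tcp any eq 5060 any
 deny tcp any eq 1718 any
 deny tcp any eq 1719 any
 deny tcp any eq 1720 any
 deny tcp any eq 8443 any
 permit tcp any any
"""

# Constructed faulty variant: the reverse entry for port 8443 is missing.
BROKEN_ACL = PAGE_ACL.replace(" deny tcp any eq 8443 any\n", "")

RULE = re.compile(r"^(permit|deny) tcp any(?: eq (\S+))? any(?: eq (\S+))?$")


def port(token):
    """Port keyword or number to int; None when the rule has no port match."""
    if token is None:
        return None
    return PORT_NAMES.get(token) or int(token)


def parse(acl_text):
    """Return (action, src_port, dst_port) for every 'tcp any ... any' entry."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            action, sport, dport = m.groups()
            rules.append((action, port(sport), port(dport)))
    return rules


def verdict(rules, sport, dport):
    """First match wins; permit means the router redirects the flow to the WAE."""
    for action, rule_sport, rule_dport in rules:
        if rule_sport in (None, sport) and rule_dport in (None, dport):
            return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of an IOS ACL


def asymmetric_ports(rules):
    """Ports denied only as destination or only as source."""
    as_dst = {d for a, s, d in rules if a == "deny" and s is None and d is not None}
    as_src = {s for a, s, d in rules if a == "deny" and d is None and s is not None}
    return sorted(as_dst ^ as_src)


if __name__ == "__main__":
    for name, text in (("slide ACL", PAGE_ACL), ("broken ACL", BROKEN_ACL)):
        rules = parse(text)
        print(name, "asymmetric ports:", asymmetric_ports(rules))
        print("  client:50000 -> CM:8443 :", verdict(rules, 50000, 8443))
        print("  CM:8443 -> client:50000 :", verdict(rules, 8443, 50000))
```
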

Page 47: BRKAPP-2005

WCCP: Catalyst 6500 Local Path Affinity with Generic GRE Return

Point to Multipoint GRE
  Use local interface VLAN IP tunnel source for local WAE
  Use loopback interface IP tunnel source for non-local WAE

Point to Point GRE
  Need unique IP address per peer for hardware acceleration on 6500

Router Configuration

interface loopback0
 ip address 192.168.254.2 255.255.255.0
! ------ If WAE L2 Adjacent
interface GigabitEthernet0/0
 description WAE Subnet
 ip address 192.168.201.254 255.255.255.0
! ------ Point to Multipoint
interface Tunnel1
 ip address 192.168.250.254 255.255.255.0
 no ip redirects
 tunnel source Loopback0
 tunnel mode gre multipoint
! ------ Point to Point
interface Tunnel1
 ip unnumbered Loopback0
 no ip redirects
 tunnel source Loopback0
 tunnel destination 192.168.201.201

WAE Configuration

! ------ WAE Configuration (Not L2 Adjacent)
wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list 1 mask-assign
wccp tcp-promiscuous mask src-ip-mask 0xF00
wccp version 2
! ------ WAE Configuration (L2 Adjacent)
wccp router-list 1 192.168.201.254
wccp tcp-promiscuous router-list 1 mask-assign
wccp tcp-promiscuous mask src-ip-mask 0xF00
wccp version 2
interface GigabitEthernet 1/0
 ip address 192.168.201.201 255.255.255.0
 exit

Page 48: BRKAPP-2005

WCCP WAAS Egress Methods

wae#show egress methods
Intercept method : WCCP

TCP Promiscuous 61 :
    WCCP negotiated return method : WCCP GRE

                     Egress Method           Egress Method
    Destination      Configured              Used
    -----------      ----------------------  -------------
    any              Generic GRE             Generic GRE

TCP Promiscuous 62 :
    WCCP negotiated return method : WCCP GRE

                     Egress Method           Egress Method
    Destination      Configured              Used
    -----------      ----------------------  -------------
    any              Generic GRE             Generic GRE

Intercept method : Generic L2
                     Egress Method           Egress Method
    Destination      Configured              Used
    -----------      ----------------------  -------------
    any              not configurable        IP Forwarding

dc1-wae1#show statistics generic-gre
Tunnel Destination: 192.168.254.2
Tunnel Peer Status: Up
Tunnel Reference Count: 24
Packets dropped due to failed encapsulation: 0
Packets dropped due to no route found: 0
Packets sent: 10422
Packets sent to tunnel interface that is down: 0
Packets fragmented: 0

Callouts on the output:

  Destination is Same as Tunnel Source

  Number of WAEs Plus Number of Connections

Page 49: BRKAPP-2005

WCCP: Verify WCCP Operation on Router and WAE

dc1-rtr1#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier: 10.1.3.254
        Protocol Version: 2.0

    Service Identifier: 61
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 1954820
          Process: 474
          Fast: 0
          CEF: 1954346
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 24
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 4

    Service Identifier: 62
        Number of Cache Engines: 1
        Number of routers: 1
        Total Packets Redirected: 581196
          Process: 107
          Fast: 0
          CEF: 581089
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 17
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
        Total Bypassed Packets Received: 5

dc1-wae1#show wccp routers

Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Engine(1)
        Router Id       Sent To         Recv ID
        10.1.3.254      10.1.2.254      0001CD80
    Routers not Seeing this File Engine
        -NONE-
    Routers Notified of but not Configured
        -NONE-
    Multicast Addresses Configured
        -NONE-

Router Information for Service: TCP Promiscuous 62
    Routers Configured and Seeing this Engine(1)
        Router Id       Sent To         Recv ID
        10.1.3.254      10.1.2.254      0001CD7C
    Routers not Seeing this File Engine
        -NONE-
    Routers Notified of but not Configured
        -NONE-
    Multicast Addresses Configured
        -NONE-

dc1-wae1#show wccp gre
Transparent GRE packets received: 105587
Transparent non-GRE packets received: 0
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted: 100152
Packets sent back to router: 0
GRE packets sent to router (not bypass): 52222
Packets sent to another WAE: 0
Packets received with client IP addresses: 100152

Page 50: BRKAPP-2005

WCCP: Branch with Software or Hardware Router

[First diagram labels: IP Network; hosts h1, h2, h3; engine e1; subnets A/24, B/24; router interfaces g0, g1, s0, s1; service groups 61 and 62]

Router
ip wccp 61
ip wccp 62
interface s0
 ip wccp 61 redirect out
 ip wccp 62 redirect in
interface g1

WAE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
wccp version 2
egress-method negotiated-return intercept-method wccp

[Second diagram labels: IP Network; hosts h1, h2, h3; engine e1; subnets A/24, B/24; interfaces g0, g1, s0, s1; service groups 61 and 62]

Router
ip wccp 61 redirect-list local-subnets
ip wccp 62
ip access-list extended local-subnets
 deny tcp any A/24
 deny tcp any B/24
 permit tcp any any
interface g0
 ip wccp 61 redirect in
interface s0
 ip wccp 62 redirect in

WAE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0xF
wccp version 2

Page 51: BRKAPP-2005

WCCP: GRE Return Network Path Affinity

Redirect
  WCCP GRE
    Catalyst 6500 Sup720 and ASR process in hardware
    7200/ISR in software

Egress/Return
  WCCP GRE
    ASR in hardware
    7200/ISR in software
  Generic GRE
    Catalyst 6500/PFC3

[Diagram labels: routers r1, r2, r3, r4; hosts A, B, C, D; Data Center Connection, Branch Connection, Optimized WAN Connection; Src Balance 61; 62 Dst Balance]

Page 52: BRKAPP-2005

Multiple WANs Symmetric Routing: Shared WAEs on WAN Distribution/Core

WAE with Interface Standby (N+1 Redundancy)
  Registration – r1/r2 interface IP
  Assignment – Mask
  Redirect/Egress – WCCP GRE
  Return/Egress - IP Forwarding, generic GRE (6500), or WCCP GRE (ASR)
  Network
    Engines on shared subnet between r1 and r2
    Interface VLAN inter-core link with no WCCP

WAE with Etherchannel (N:N Redundancy)
  Registration – Loopback IP
  Assignment – Mask
  Redirect – WCCP GRE
  Return/Egress - IP forward or generic GRE
  Network
    Engines on dedicated subnets (no interface standby)
    Routed interface link (r1-r2) with no WCCP

[Two topology diagrams. Labels: r1, r2; WAN; engines e1, e2, e3, e4; WCCP Registration; service groups 61 and 62]

Page 53: BRKAPP-2005

Multiple WANs Symmetric Routing: Shared WAEs on WAN Edge

Local WAE Redirect and Return

Registration – r1/r2 interface IP

Software router (7200/ISR)

Assignment – Hash

Redirect - WCCP GRE

Return/Egress – WCCP GRE or IP forward

Hardware router (6500/PFC3 or ASR)

Assignment – Mask

Redirect – WCCP GRE

Return/Egress – generic GRE (6500), WCCP GRE (ASR), or IP forward return

Network

Enable routing on engine subnet (no passive interface)

MHSRP to alternate WAE default gateway (e1 to r1 and e2 to r2)

Optional standby interface for router high availability

Remote WAE GRE Redirect and Return

Registration – Remote r1/r2 loopback IP

Assignment – Hash (7200/ISR) or mask (6500/ASR)

Redirect - WCCP GRE

Return/Egress - WCCP GRE (ASR/7200/ISR) or Generic GRE (6500)

Network

[Two topology diagrams. Labels: r1, r2; WAN; engines e1, e2; WCCP Registration; service groups 61 and 62]

Page 54: BRKAPP-2005

Dual Data Center: Asymmetric Routing Condition

Condition
  Branch route summarization
  Connections sent to DC-A when application resides in DC-B
  SYN and SYN/ACK not seen by same WAE

Solutions
  Advertise summary route for each data center to eliminate asymmetric routing
  WAE in server farm distribution with WCCP or ACE
  WAE cross registers with WAN edge or distribution routers in both data centers

[Diagram labels: DC-A, DC-B, 0.0.0.0]

Page 55: BRKAPP-2005

Dual Data Center

Asymmetric Routing Solutions

WAE in server farm distribution with WCCP or ACE

WAE cross registers with WAN edge or distribution routers in both data centers

[Diagram labels: WCCP services 61 and 62]

Page 56: BRKAPP-2005

Dual Data Center Asymmetric Routing WAN Distribution Catalyst 6500 WCCP

Registration – r3/r4/r5/r6 loopback IP

Assignment - Mask

Redirect - WCCP GRE

Return/Egress - IP forwarding or generic GRE

Network

Engines (e1, e2, e3, e4,...) attached to WAN distribution

Interfaces from WAN (r1 and r2) have WCCP 61 in

Interfaces from Server Farms (r7,r8,r9,r10) have WCCP 62 in

No WCCP on inter-switch links between r3, r4, r5, and r6

[Diagram labels: WAN#1, WAN#2, r1 to r10, e1 to e4, Server Farm 1, Server Farm 2, WCCP Registration, WCCP services 61 and 62]

Page 57: BRKAPP-2005

WCCP

Choosing the Right Mask

Branch

DHCP allocated addressing

Balance hosts to multiple engines 0xF to 0x7F (or similar)

Balancing to a single engine (mask selection is irrelevant)

Retail Data Center

Site /24 allocation per site

Balance sites or engines with 0xF00 to 0x7F00 (or similar)

Enterprise Data Center

Regional /16 allocation

Balance regions with 0xF0000 to 0x7F0000 (or similar)

0xF = 0000:0000.0000:0000.0000:0000.0000:1111

0xF00 = 0000:0000.0000:0000.0000:1111.0000:0000

0xF0000 = 0000:0000.0000:1111.0000:0000.0000:0000

Page 58: BRKAPP-2005

WCCP

Enterprise Mask Assignment Example

WCCP Direction

Use 61 from client

Use 62 from server

Branch

/24 subnet

10.0.X.0/24

DHCP allocation

2 WAE per branch

0x3 WCCP mask

Data Center

4 WAEs in core cluster

0x700 WCCP mask (0000:0111.0000:0000)

Each core peers with only two branches

[Diagram labels: WCCP services 61 and 62, branch subnets with their mask bits, mask values held by each WAE]

Branch subnets: 0.0/24 :0000, 1.0/24 :0001, 2.0/24 :0010, 3.0/24 :0011, 4.0/24 :0100, 5.0/24 :0101, 6.0/24 :0110, 7.0/24 :0111

Core WAEs: WAE #1 :0000 :0001, WAE #2 :0010 :0011, WAE #3 :0100 :0101, WAE #4 :0110 :0111

Branch hosts: 10.0.3.4 (:0100), 10.0.3.5 (:0101), 10.0.3.6 (:0110), 10.0.3.7 (:0111)

Branch WAEs: #1 00 01, #2 10 11
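The mask arithmetic from the two mask slides, worked through as an added example (not part of the original deck). It assumes mask values are handed to engines in equal contiguous runs, as the slide draws them; the function names, engine labels and the 0x7 contrast mask are constructed for illustration.

```python
"""Added example: WCCP mask assignment arithmetic for the 0x3 branch mask and
the 0x700 data center mask. Names and the contiguous split are assumptions."""
import ipaddress
from collections import defaultdict


def mask_buckets(mask):
    """Return every value (address & mask) can take, in ascending order."""
    bit_positions = [b for b in range(32) if (mask >> b) & 1]
    values = []
    for n in range(1 << len(bit_positions)):
        value = 0
        for i, bit in enumerate(bit_positions):
            if (n >> i) & 1:
                value |= 1 << bit
        values.append(value)
    return values


def assign_contiguous(mask, engines):
    """Map each mask value to an engine.

    Assumption: values are split into equal contiguous runs, matching the
    slide (WAE #1 holds 0000 and 0001, and so on). On a live network the
    WCCP cluster decides the assignment, not this function.
    """
    buckets = mask_buckets(mask)
    if len(engines) > len(buckets):
        raise ValueError("mask has fewer values than there are engines")
    base, extra = divmod(len(buckets), len(engines))
    table, start = {}, 0
    for index, engine in enumerate(engines):
        count = base + (1 if index < extra else 0)
        for bucket in buckets[start:start + count]:
            table[bucket] = engine
        start += count
    return table


def engine_for(address, mask, table):
    """Engine that receives traffic for this client (branch host) address."""
    return table[int(ipaddress.IPv4Address(address)) & mask]


def subnets_per_engine(subnets, mask, table):
    """For each engine, the branch subnets whose hosts it ends up serving."""
    seen = defaultdict(set)
    for subnet in subnets:
        for host in ipaddress.ip_network(subnet).hosts():
            seen[table[int(host) & mask]].add(subnet)
    return {engine: sorted(nets) for engine, nets in seen.items()}


# Constructed sample data following the slide: branches 10.0.0.0/24 to 10.0.7.0/24.
BRANCH_SUBNETS = [f"10.0.{x}.0/24" for x in range(8)]
CORE_WAES = ["WAE #1", "WAE #2", "WAE #3", "WAE #4"]
BRANCH_WAES = ["branch WAE #1", "branch WAE #2"]

CORE_TABLE = assign_contiguous(0x700, CORE_WAES)     # data center mask
BRANCH_TABLE = assign_contiguous(0x3, BRANCH_WAES)   # branch mask
HOST_BIT_TABLE = assign_contiguous(0x7, CORE_WAES)   # contrast: host bits in the core

if __name__ == "__main__":
    print("Core, mask 0x700:")
    for engine, nets in subnets_per_engine(BRANCH_SUBNETS, 0x700, CORE_TABLE).items():
        print(f"  {engine}: {', '.join(nets)}")
    print("Core, mask 0x7 (host bits): branches seen per engine")
    for engine, nets in subnets_per_engine(BRANCH_SUBNETS, 0x7, HOST_BIT_TABLE).items():
        print(f"  {engine}: {len(nets)}")
    print("Branch 10.0.3.0/24, mask 0x3:")
    for host in ("10.0.3.4", "10.0.3.5", "10.0.3.6", "10.0.3.7"):
        print(f"  {host} -> {engine_for(host, 0x3, BRANCH_TABLE)}")
```

With 0x700 every host of a branch /24 lands on the same core WAE, so each core WAE serves two branches; a mask on host bits would spread every branch across all four core WAEs.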

Page 59: BRKAPP-2005

WCCP

Configuration Best Practices

Registration

Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)

Use interface IP address if L2 adjacent to WCCP router

Use highest loopback address if not L2 adjacent to WCCP router

Do not configure large MTU (>1500 bytes) on WCCP client interfaces

Assignment

Use mask assignment for all hardware routers (6500, 7600, ASR)

Do NOT use the default mask

Use hash assignment for software routers (7200, ISR)

Redirect

WCCP GRE redirect for 6500/PFC3, 7600, ASR, ISR, 7200

L2 redirect for Catalyst 6500, 4500, 3750, 3560

Redirect list should be basic extended ACL with no port ranges, DSCP matches, etc.

Return

IP forward return by default

WCCP GRE return on ISR/7200 (consider performance) and ASR

Generic GRE return on Catalyst 6500 and 7600 if asymmetric routed data center

For GRE return, implement static /32 route to WCCP router id or GRE loopback for optimal return

Page 60: BRKAPP-2005

WCCP

Operational Best Practices

Router initial configuration

Create WCCP redirect ACL

Configure global IP WCCP # redirect-list…

Configure interfaces

Router configuration changes

Global service group configuration changes – Unregister all affected WCCP clients with no WCCP version 2, remove interface config, remove/change global config, apply new global config, apply new interface config, re-register WCCP clients

Interface configuration changes – Leave WAE WCCP clients registered

Redirect-list changes – Leave WAE WCCP clients registered

WAE Moves, Adds and Changes

Add – Configure egress-method, WCCP router-list, WCCP TCP-promiscuous, WCCP version 2

Moves/Changes – No WCCP version 2, follow add procedure

Page 61: BRKAPP-2005

WAAS AO Deployments

Page 62: BRKAPP-2005

WAAS AO Deployments

Licensing

Managed at a device level

Transport includes DRE/LZ/TFO

Enterprise includes NFS, HTTP, SSL, WAFS/CIFS, MAPI, Print, and DRE/TFO/LZ

Video requires enterprise

Virtual blade requires enterprise

CLI commands

show license

license add <license-name>

clear license

clear license <license-name>

#show license
License Name   Status      Activation Date Activated By
-------------- ----------- --------------- --------------
Transport      not active
Enterprise     active      03/20/2008      admin
Video          not active
Virtual-Blade  not active

#license add Video
#show license
License Name   Status      Activation Date Activated By
-------------- ----------- --------------- --------------
Transport      not active
Enterprise     active      03/20/2008      admin
Video          active      04/01/2008      admin
Virtual-Blade  not active

#clear license Enterprise
The License Management system policy validation failed.
Video license is configured to include Enterprise license.
Please, clear Video license first.

#clear license Video
#clear license Enterprise
#show license
License Name   Status      Activation Date Activated By
-------------- ----------- --------------- --------------
Transport      not active
Enterprise     not active
Video          not active
Virtual Blade  not active

Page 63: BRKAPP-2005

WAAS AO Deployments Configuration

1. Go To AllDevicesGroup

2. Globally enable WAAS Accelerators

3. Enable Blacklist if firewalls upstream from core drop SYN packets with options; otherwise disable it

Page 64: BRKAPP-2005

WAAS CIFS Software Distribution

My WAN > Prepositioning

1. Create a read-only account on the software distribution server (do not use administrator)

2. Identify file server by name or IP address

3. Identify core location to browse files

4. Configure read-only account in WAAS

5. Identify portion of file cache to use for prepositioning

6. Select minimum and maximum file size as appropriate

7. Set job duration

8. Select Type

Page 65: BRKAPP-2005

WAAS CIFS Software Distribution

My WAN > Prepositioning > Content Settings

1. Choose the share and directory using browse

2. Implement any specific file name features

Page 66: BRKAPP-2005

WAAS CIFS Software Distribution

My WAN > Prepositioning > Assign Edge Groups

Assign AllEdgesGroup

Page 67: BRKAPP-2005

WAAS CIFS Software Distribution

My WAN > Prepositioning > Schedule

Choose Start Time considering the job duration

Set schedule, which is commonly daily or weekly for software distribution

Page 68: BRKAPP-2005

WAAS CIFS Software Distribution

My WAN > Prepositioning > Status

View Progress and completion until next job

If files don’t change, then no need to re-run job

Page 69: BRKAPP-2005

Single Screen HTTP AO Configuration

Page 70: BRKAPP-2005

WAAS AO Deployment

Central Manager Secure Store for SSL

CM’s secure store keeps all imported host and accelerated SSL certificates and private keys

Certificates and private keys are encrypted with user pass-phrase:

When secure store is being initialized first time (initialization)

After CM device reloads to open secure store (opening)

CM secure store must be open to synchronize configuration between SSL capable CM and WAEs

Upon reboot, if CM detects the secure store is initialized but not open a critical alarm is raised

CLI commands are available:

cm#cms secure-store [init|open|change]

To initialize, open or change current pass-phrase

cm#show cms secure-store

To show current status of CM secure store

Page 71: BRKAPP-2005

WAAS AO Deployment

Key Management

Accelerated service

SSL services traffic to accelerate

Consists of two SSL sessions

Client to core

Core to server

Peering service

Send accelerated service session keys from core to edge

Management service

Sync config to/from CM and WAE

WAE secure store encryption key from CM

Encryption key encrypts server private keys on core WAE

CM admin service

Configure WAEs using CM

Upload certificates and private keys to CM

SSL Service – TCP connection carrying SSL traffic on a well known TCP Port (e.g. 443)

[Diagram labels: Client, Edge WAE, Edge WAN Router, WAN, Core WAN Router, Core WAE, Server (Common Name = hr.analog.com), Central Manager, Admin Browser; Client to Server Accelerated Service (Client to Core SSL Session, Core to Server SSL Session); WAE to WAE Peering Service; CM to Edge WAE Management Service; CM to Core WAE Management Service; CM Administration Admin Service; TCP Session, SSL Sessions, SSL Data]

Page 72: BRKAPP-2005

WAAS AO Deployment

Webex SSL Acceleration Example

[Diagram labels: Branch Office, Regional Hub, Servers, WAN, Internet, ASR 1000, ASR-1000 WebEx Nodes (SPA Blades), WAAS, SSL, Meeting Traffic, VoIP, Video; WebEx SaaS Cloud: Web Zone, Meeting Zone, Collaboration Bridge (CB), Multi-Media Platform (MMP), DB, Recording]

ASR-1000 WebEx Nodes optimize Internet Delivery

Only 1 stream per site

45-90% Bandwidth Savings

Eliminates WAN Upgrades

Offloads Firewall/Proxies due to reduced traffic

Fully transparent solution

WAAS 4.2 optimizes WebEx Delivery to the Branch

DRE and LZ compression

Improved user response

Up to 80% Bandwidth Reduction

Delay WAN Upgrades

Fully transparent solution

WAAS Optimizations can also be delivered for other SaaS traffic in the enterprise

Page 73: BRKAPP-2005

Three-Step HTTPS Optimization Configuration

1 of 3 – Provide Server Addresses

Page 74: BRKAPP-2005

Three-Step HTTPS Optimization Configuration

2 of 3 – Provide Certificate

Page 75: BRKAPP-2005

Three-Step HTTPS Optimization Configuration

3 of 3 – Enable Accelerated Service

Page 76: BRKAPP-2005

WAAS AO Deployments

Webex Acceleration

Networkers WAAS presentation delivered via Webex

BRKAPP-2005 presentation bytes reduced 58% by WAAS HTTPS

Page 77: BRKAPP-2005

WAAS RTSP AO Deployment

Edge Splitting

Enable Video Accelerator

Windows Media 9 or later

Operates on RTSPT only

Splitting occurs on the edge

Auto-discovery puts intermediate engines into Pass Through

ACNS/CDS origin configured with ‘wmt disallow-client-protocols rtspu mmsu’ to force TCP use

Option to TCP optimize or drop unaccelerated streams

Support for Windows Media 9 logs

Page 78: BRKAPP-2005

WAAS

Intermediate Firewall Support

Configured endpoint tunnel through firewall

Not supported by WAAS

Permit tunnel through firewall

Renders firewall useless for stateful L3/L4 packet filtering

Does not scale administratively

Permit TCP options with automated UDP 4050 tunnel (WAAS Directed Mode)

Traffic optimized by WAAS using auto-discovery but then tunneled between WAEs

Firewall rendered useless for L3, L4, or L5 packet filtering and stateful inspection

Permit TCP options and disable sequence number checking on firewall

WAAS auto-discovery and transparency works

Firewall implements stateless L3/L4 packet filters

Cisco firewall with WAAS awareness

Traffic transparently optimized by WAAS using auto-discovery

Cisco firewall preserves L3/L4 stateful inspection by permitting TCP options and statefully tracking TCP sequence number shift

[Diagram labels: A, B, C, D, E; Origin Connection, Optimized Connection, Origin Connection; No Connection Layer Security]

Page 79: BRKAPP-2005

WAAS Directed Mode (DM)

Non-Cisco Firewall Support

Obeys existing router and FW ACLs during TCP handshake

Maintains TCP Transparency on LAN

Auto-Discovery as in transparent WAAS mode (TCP options must pass)

No change in available optimizations

Integrated with WAAS and NetQoS Monitoring

FW configuration to permit UDP:4050

Allows UDP State Inspection

With DM ON, WAE will not be transparent

DM mode is OFF by default

Configuration

wae(config)#directed-mode enable ?
port Directed mode UDP port

[Diagram labels: A, B, C, D, E; Origin Connection, Optimized Connection, Origin Connection; UDP:4050]

Page 80: BRKAPP-2005

WAAS

Upstream Firewall and Blacklist

1. Upstream firewall drops packets with TCP option

2. WAAS D sends SYN with TCP option which is dropped by firewall E

3. WAAS D re-sends SYN with TCP option but it is dropped

4. WAAS puts server in Blacklist for default 60 minutes

5. WAAS D forwards SYN without TCP option

6. WAAS re-tries sending SYN with TCP option to server after 60 minutes

[Diagram labels: A, B, C, D, E, F; Origin Connection, Optimized Connection, Origin Connection; TCP Option Removed From SYN]

Page 81: BRKAPP-2005

WAAS Replication Accelerator

Deployment

Data center high bandwidth medium latency link acceleration

SnapMirror and SRDF/A over IP

DRE cache size equals platform memory

7341/7371 use 9GB/18GB

7341/7371 have fanout of 4/9

DRE cache is still persistent across reboots

TFO tuned for high throughput and few connections

Replication Accelerator

Device mode (CLI only)

Requires reload

DRE cache cleared

DRE aggregation disabled

LZ compression level set to 1

“tfo perf-poc” enabled

Default policy changed as applicable with the new device mode

Connections between a Replication Accelerator and an Application Accelerator are put into pass-through

Page 82: BRKAPP-2005

WAAS Virtual Blade Deployments

Page 83: BRKAPP-2005

WAAS Virtual Blade

Overview

A Virtual Blade is a guest virtual machine of the WAAS host

WAAS presents

Firmware—BIOS and possible extensions

Hardware—one or more CPUs, memory, host bridge, VGA, one or two NICs, disk controller, disk, CD drive, serial port, PXE Boot, etc.

Preservation of Virtual Machine state on WAAS reboot

Virtual Blade support

Windows on WAAS (WoW) – Windows 2003/2008 Server print and directory services (2008 available pre-installed), MS SVVP for Windows 2008

Application and Content Networking System (ACNS VB)

Windows Services (SCCM and 3rd party Services like Altiris)

Enterprise and Virtual Blade licenses required

[Diagram labels: Cisco Linux, Kernel Virtual Machine, Windows On WAAS (WOW), ACNS Virtual Blade (ACNS VB), Virtual Blade # N, Virtual Blade Storage, Ethernet Network I/O]

Page 84: BRKAPP-2005

WAAS Virtual Blade

Dedicated VB Interface or Shared Port Channel

Dedicated VB interface (Interface Bridge: ACNS VB1, WoW VB2)

WAAS
interface g 2/0
no ip addr

WAAS
interface g 1/0
ip address B.1/24

LAN
ip address A.2/24

interface g 1/0
ip address A.1/24

virtual-blade X
description Dedicated VB Network
interface 1 bridge GigabitEthernet 2/0

Shared port channel (Interface Bridge: ACNS VB1, WoW VB2)

interface g 2/0
channel-group 1

interface g 1/0
channel-group 1

LAN
ip address A.3/24

interface g 1/0
ip address A.2/24

WAAS
interface PortChannel 1
ip address A.1/24

virtual-blade X
description VB Shared Port Channel
interface 1 bridge PortChannel 1

[Diagram labels: IP Network, e1, h1, g0, g1, s0, g 1/0, g 2/0, A/24, B/24, LAN-1, LAN-2, WCCP services 61, 62 and 80]

Page 85: BRKAPP-2005

WAAS Virtual Blade

ACNS and WAAS WCCP Channel Configuration

ROUTER
ip wccp 61 redirect-list WAAS
ip wccp 62 redirect-list WAAS
ip wccp 80
!
! RTSP (TCP 554) is excluded from the WAAS redirect list
ip access-list extended WAAS
 deny tcp any any eq 554
 deny tcp any eq 554 any
 permit tcp any any
!
interface s0
 ip wccp 62 redirect in
!
interface g0
 ip address A.254 255.255.255.0
 ip wccp 80 redirect in
 ip wccp 61 redirect in

WAAS WAE
interface PortChannel 1
 ip address A.1 255.255.255.0
wccp router-list 1 A.254
wccp tcp-promiscuous router-list 1
wccp version 2

ACNS Virtual Blade
interface GigabitEthernet 1/0
 ip address A.2 255.255.255.0
 exit
wccp router-list 1 A.254
wccp rtsp router-list-num 1
wccp version 2

[Diagram labels: IP Network, e1, h1, g0, s0, g 1/0, g 2/0, A/24, WCCP services 61, 62 and 80]

Page 86: BRKAPP-2005

WAAS Virtual Blade

ACNS and WAAS WCCP Channel Configuration

ROUTER
ip wccp 61 redirect-list WAAS
ip wccp 62 redirect-list WAAS
ip wccp 80
!
! RTSP (TCP 554) is excluded from the WAAS redirect list
ip access-list extended WAAS
 deny tcp any any eq 554
 deny tcp any eq 554 any
 permit tcp any any
!
interface s0
 ip wccp 62 redirect in
!
interface g0
 ip address A.254 255.255.255.0
 ip wccp 80 redirect in
 ip wccp 61 redirect in
!
interface g1
 ip address B.254 255.255.255.0

WAAS WAE
interface GigabitEthernet 1/0
 ip address B.1 255.255.255.0
 exit
interface GigabitEthernet 2/0
 no ip address
 exit
wccp router-list 1 A.254
wccp tcp-promiscuous router-list 1
wccp version 2

ACNS Virtual Blade
interface GigabitEthernet 2/0
 ip address A.1 255.255.255.0
 exit
wccp router-list 1 A.254
wccp rtsp router-list-num 1
wccp version 2

[Diagram labels: IP Network, e1, h1, g0, g1, s0, g 1/0, g 2/0, A/24, B/24, WCCP services 61, 62 and 80]

Page 87: BRKAPP-2005

WAAS Virtual Blade

OS Installation

Copy an ISO CD or DVD image to the system (copy FTP disk…)

Allocate disk, memory, network resources

Run the virtual blade, booting from CD

Use VNC to guide the installation

Stop the virtual blade, and restart it booting from disk

br1-wae1#pwd
/local1/vbs
br1-wae1#dir
size           time of last change       name
-------------- ------------------------- -----------
593117184      Wed Jun 18 17:54:01 2008  en_windows_server_2003.iso
2634078208     Wed Jun 18 16:08:59 2008  en_windows_server_2008.iso
277676032      Tue Dec 9 17:20:43 2008   ACNS-5.5.12.40-K9.iso
178952192      Sat May 4 12:35:30 2002   winboot2.0.116qd.iso

Page 88: BRKAPP-2005

WAAS Virtual Blade

ACNS VB Configuration

virtual-blade 1
config:
  description ACNS VB
  device cpu qemu32
  device nic e1000
  device disk IDE
  device keyboard en-us
  memory 1024
  disk 80 80
  interface 1 bridge PortChannel 1
  no boot fd-image
  boot cd-image disk /local1/vbs/ACNS-5.5.X.iso
  boot from disk
  no vnc
  autostart
state:
  running
  serial console session active
  vnc server disabled
  current cd /local1/vbs/ACNS-5.5.X.iso
  current floppy [not inserted]

Page 89: BRKAPP-2005

WAAS Virtual Blade

Windows on WAAS (WoW)

config:
  description WoW - 2008 Server
  device cpu qemu64
  device nic rtl8139
  device disk IDE
  device keyboard en-us
  memory 1024
  disk 30
  interface 1 bridge G 1/0 mac-address 00::19
  no boot fd-image
  boot cd-image disk /local1/vbs/win2008.iso
  boot from cd-rom
  autostart
state:
  running
  serial console session inactive
  vnc server active
  vnc client connected
  current cd /local1/vbs/win2008.iso
  current floppy [not inserted]

Page 90: BRKAPP-2005

Configuring Virtual Blade using Central Manager

Using Two CPUs for Single VB

Page 91: BRKAPP-2005

WAAS Virtual Blade

Actions

br1-wave1#virtual-blade 1 ?

cd Change virtual blade cd

kill-save-state Delete the virtual-blade saved state

save Save memory state of virtual blade

session Open telnet connection to remote host/port

start Start the virtual blade

stop Stop the virtual blade

Page 92: BRKAPP-2005

WAAS Virtual Blade

Video/Keyboard/Mouse and Console

An emulated video card display is visible with VNC

VNC connect to emulated video card via WAE-IP:# where # is the VB number

Once the VB OS is installed, a remote desktop connection may be set up using the IP address inside the Virtual Blade

An emulated serial port is accessible from the WAAS CLI

br1-wave1#virtual-blade 1 session
Session already in use
br1-wave1#virtual-blade 1 session clear
br1-wave1#virtual-blade 1 session
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Cisco Content Engine Console

Username: admin
Password:

NO-HOSTNAME#

Page 93: BRKAPP-2005

WAAS Sizing Guidelines

Page 94: BRKAPP-2005

Cisco WAAS 4.2.1

Sizing Considerations

Connection capacity

Concurrent TCP connections

Estimate 10 TCP connections per client

Verify C:\>netstat -a | find "ESTABLISHED"

Connections Per Second (CPS)

Video streams

Network

WAN bandwidth

LAN bandwidth

Core fan out peering

Storage

DRE days history

Virtual Blade

CIFS object storage

Virtual blade memory, disk, and CPU capacity

Page 95: BRKAPP-2005

Cisco WAE Family

WAAS 4.2.1 Performance

Capacity | SRE-700 | SRE-900 | WAE-274 | WAE-474 | WAE-574-3GB | WAE-574-6GB | WAE-674-4GB | WAE-674-8GB | WAE-674-8GB+VB | WAE-7341 | WAE-7371
WAN Bandwidth (Mbps) | 20 | 50 | 2 | 4 | 8 | 20 | 45 | 90 | 90 | 310 | 1000
Optimized TCP Connections | 500 | 400 | 200 | 400 | 750 | 1300 | 2000 | 6000 | 4000 | 12000, 9000/3000* | 50000, 12000/28000*
Optimized Throughput (Mbps) | 150 | 250 | 90 | 90 | 100 | 150 | 250 | 350 | 350 | 800 | 1500
Total Disk Capacity (GB) | 500 | 500 | 250 | 250 | 500 | 500 | 600 | 600 | 600 | 900 | 1500
DRE Disk Capacity (GB) | 120 | 120 | 40 | 60 | 80 | 120 | 120 | 320 | 150 | 500 | 1000
CIFS Disk Capacity (GB) | 120 | 120 | 120 | 120 | 120 | 120 | 120 | 120 | 120 | 230 | 230
Maximum LAN Video Streams | 200 | 200 | 40 | 80 | 150 | 300 | 400 | 1000 | 600 | 1000 | 1000

Virtual Blades Supported 2 2 2 6 2 6

Total Virtual Blade Disk Capacity 30 30 60 175 120 200

Core Fan Out 35 70 100 200 200 1400 2800

CM Managed Devices 125 250 500 1000 1500 1500 2000

* SSL connections / TCP connections

Note: These are guidelines for sizing based on certain assumptions. Enabling multiple features will have an impact on scalability.

Page 96: BRKAPP-2005

WAAS Mobile Overview and Deployment

Page 97: BRKAPP-2005

Cisco WAAS Mobile Acceleration Technologies

Data Redundancy Elimination

Reduces amount of data transmitted

Handles any size file

Single instance, bi-directional delta byte caching

Transport Flow Optimization

Maximizes link throughput

Dynamically adjusts to network conditions

Optimizes performance over lossy and/or high latency networks

Application Protocol Optimization

Mitigates network latency

CIFS/SMB file share, HTTP, MS Exchange, HTTPS

Page 98: BRKAPP-2005

Cisco WAAS Mobile Networking: Deployment Topology

Mobile users connect through VPN aggregation point to multiple Cisco WAAS Mobile Servers

Workers in small offices may connect to multiple Cisco WAAS Mobile Servers

Simultaneously accelerate traffic to applications hosted in multiple data centers

[Diagram labels: Cisco WAAS Mobile Client, Remote Access VPN, Internet, Intranet, Small Office, Cisco WAAS Mobile Clients, Data Center, Cisco WAAS Mobile Server, App Servers & Storage]

Page 99: BRKAPP-2005

Cisco WAAS Mobile Networking: Client-Server Data Flow

Cisco WAAS Mobile client proxies all accelerated TCP traffic and sends it via UDP port 1182 to the Cisco WAAS Mobile Server

[Diagram labels: Cisco WAAS Mobile Client (Accelerated Applications, CIFS, SMB, Other Applications, Intercept/Redirect (TDI driver), Acceleration Process); Data: UDP 1182; Control: TCP 1182; Cisco WAAS Mobile Server (Intercept/Redirect (TDI driver), Acceleration Process); TCP to File Servers, Application Servers, Other Application Servers]

Page 100: BRKAPP-2005

Cisco WAAS Mobile Scalability

Scale up to handle maximum throughput of any data center

• Up to 10,000 concurrent users per Cisco WAAS Mobile server

• Multiple Cisco WAAS Mobile Servers can be aggregated into Cisco WAAS Mobile server farms for load balanced, redundant capacity

Scale out to handle multiple data centers

• Cisco WAAS Mobile server farms hosted at multiple data centers provide acceleration for any worker to any application

Scalable Cisco WAAS Mobile Manager data flow

• Manager communicates with Cisco WAAS Mobile worker servers

• Worker servers communicate with Cisco WAAS Mobile clients

• A single Cisco WAAS Mobile Manager can manage hundreds of servers and hundreds of thousands of clients

Page 101: BRKAPP-2005

WAAS Mobile Management

Central Manager

Highly scalable

• Manage hundreds of Cisco WAAS Mobile servers or just a single server

• Manage hundreds of thousands of end users from a single user interface

Total system visibility

• View performance at system level, or drill down to a server farm, a single server, a group of end users, or a single user

Consolidated end-user management and monitoring

• Visibility into the performance and status of accelerated traffic by application and path for any end user from the Cisco WAAS Mobile Manager

Highly available

• Central manager not required to be operational for acceleration services to be operational.

Page 102: BRKAPP-2005

Cisco WAAS Mobile Management: Manage All Clients Centrally

View all clients from the central console and filter to find the user or set of users of interest

Page 103: BRKAPP-2005

Enterprise Deployment Considerations

High Availability

To provide high availability and capacity within a data center

• Multiple Cisco WAAS Mobile servers in a data center may be configured to be members of a Cisco WAAS Mobile server farm

• Traffic load is automatically balanced across the servers in a server farm

– Initial access is random

– On subsequent access, client attempts to connect to previous server. If unable, tries another server in the same farm

To provide high availability in the event of a data center outage

• Cisco WAAS Mobile server farms may be located at backup data centers

• When clients are unable to connect to the primary server farm, they will automatically attempt to connect to backup server farms

Page 104: BRKAPP-2005

Enterprise Deployment Considerations

Manageability

Software installation

• Client profiles are packaged as executable .msi files

Software upgrades

• Automatic upgrade and downgrade

Configuration updates

• Automatic updates

Policy‐based management

• Separate configuration profiles for different user groups

• Optional Active Directory group policies

Central monitoring console

• Graphical displays of acceleration and traffic breakdown

Page 105: BRKAPP-2005

Enterprise Deployment Considerations

Architecture Scalability

Highly scalable storage system

• Each file or data sequence is only stored once

• Single instance of a file or data sequence is shared with all users

Highly efficient memory utilization

• Uses only 2 MB of server RAM for each simultaneous active download

• 1000:1 disk to RAM ratio for search index supports deep histories

Scalable CPU utilization

• Multi‐threaded architecture makes efficient use of multi‐core CPUs

Optimized disk utilization

• Employs a dynamic disk seek algorithm that optimizes throughput under high load by dynamically trading off acceleration gain vs disk activity to mitigate thrashing

Page 106: BRKAPP-2005

Cisco WAAS Mobile Server Configurations

Cisco WAAS Mobile is deployable on bare metal server or as virtual machine

For 5-10 user evaluations:

Minimum Configuration

CPU: 1.8 GHz dual core

System Memory (RAM): 2 GB

Disk Space Available for Delta Cache: 5 GB

Operating System: Windows Server 2003, 2003 R2, 2008, or 2008 R2

See Appendix A of the Cisco WAAS Mobile Administration Guide for production server sizing and operating system guidelines

Page 107: BRKAPP-2005

Cisco WAAS Mobile and UCS

Industry’s Most Scalable Mobile Acceleration

10,000 Concurrent Cisco WAAS Mobile Clients

Concurrent licensing supports 30,000 – 40,000 end users

Unparalleled Throughput

600 Mbps LAN-side, 200 Mbps WAN-side

100,000 TCP connections

Flexible Multi-Service Platform

Co-host Cisco WAAS Mobile with other applications

Cisco WAAS Mobile Virtual Appliance

Evolve from hundreds to thousands of concurrent users

[Diagram labels: Cisco WAAS Mobile Clients, Cisco WAAS Mobile Server, Cisco UCS C-200M1]

Page 108: BRKAPP-2005

Cisco WAAS Mobile Client Configurations

Supported Recommended Minimum

CPU | 750 MHz | 1.5 GHz

System Memory (RAM) | 512 MB | 1 GB

Disk Space Available for Cache | 80 MB | 1 GB

Operating System | Windows XP, prior to SP2 | Windows XP SP2, Vista, or Windows 7

Page 109: BRKAPP-2005

Review

WAAS Overview

WAE Installation

WAAS Central Manager Configuration

WAE Deployment

Inline

Web Cache Control Protocol (WCCP)

WAAS Application Optimizer (AO) Deployments

WAAS Virtual Blade Deployments

WAAS Sizing Guidelines

WAAS Mobile Overview and Deployment

Page 113: BRKAPP-2005

Backup Slides

Page 114: BRKAPP-2005

Central Manager: Common AllDevicesGroup Configuration

Storage > Disk Error Handling

Network > DNS

SNMP

Date/Time > NTP Server | Time Zone

Security > Login Access Control > SSH | MoD | Exec-Timeout

Authentication

Common criteria

System Log Settings

Application Policies (no video)

Page 115: BRKAPP-2005

Central Manager: AllDevicesGroup Hidden Features

Troubleshoot (device specific)

Interception (device specific)

TCP Buffer Settings

Legacy File and Print Services

Disk Encryption (edge only)

Network—Port Channel, Directed Mode, IP Routers (device specific)

Transaction logs (edge only)

Page 116: BRKAPP-2005

Central Manager: AllEdgesGroup Configured & Hidden Features

Page 117: BRKAPP-2005

Central Manager: AllCoresGroup Configured & Hidden Features

Page 118: BRKAPP-2005

WCCP: Registration and Clustering

Register

Engine (WCCP Client):

• Registers service groups (61/62)

• “Here I Am” - 10 sec interval

Router (WCCP Server):

• Accepts registration

• “I See You” with 3X hold down

Cluster

Engine (WCCP Client):

• Lead elected by lowest IP

• Lead creates distribution assignment and instructs all routers

Router (WCCP Server):

• Router reflects state of all engines

• All routers identically redirect based on lead engine instruction
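
The registration timing and lead election on this slide, as an added example that is not part of the Cisco deck: a single-router simulation showing when a silent engine is dropped and the lead changes. It assumes "3X hold down" means three missed 10-second "Here I Am" intervals; the names `Router`, `elect_lead`, `simulate` and the IP addresses are constructed for illustration.

```python
import ipaddress

HERE_I_AM_INTERVAL = 10              # seconds, from the slide
HOLD_DOWN = 3 * HERE_I_AM_INTERVAL   # assumption: "3X hold down" = 3 missed intervals


class Router:
    """Router-side view: time of the last 'Here I Am' from each engine."""

    def __init__(self):
        self.last_seen = {}

    def here_i_am(self, engine_ip, now):
        self.last_seen[engine_ip] = now

    def usable_engines(self, now):
        # An engine is dropped once it has been silent for the full hold-down.
        live = [ip for ip, t in self.last_seen.items() if now - t < HOLD_DOWN]
        return sorted(live, key=ipaddress.ip_address)


def elect_lead(engine_ips):
    """Lead is the numerically lowest IP (a string compare would get this wrong)."""
    return min(engine_ips, key=ipaddress.ip_address) if engine_ips else None


def simulate(engines, fail_at, end):
    """engines: list of IPs; fail_at: {ip: second at which it stops sending}.
    Returns [(time, lead, usable_engines)] each time the router's view changes."""
    router, events, prev = Router(), [], None
    for now in range(end + 1):
        if now % HERE_I_AM_INTERVAL == 0:
            for ip in engines:
                if now < fail_at.get(ip, end + 1):
                    router.here_i_am(ip, now)
        usable = router.usable_engines(now)
        state = (elect_lead(usable), tuple(usable))
        if state != prev:
            events.append((now, *state))
            prev = state
    return events


if __name__ == "__main__":
    # Constructed scenario: 10.1.1.3 stops sending at t=25 s (last message at t=20 s).
    for event in simulate(["10.1.1.20", "10.1.1.3"], {"10.1.1.3": 25}, 60):
        print(event)
```

In this run the failed engine keeps receiving redirected traffic until the hold-down expires, which is the window to account for when sizing failover expectations.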

[Diagram labels: A, B; e1, e2; r1, r2]

Page 119: BRKAPP-2005

WCCP: WAAS Redirect, Return, and Egress Configuration

IP Forward Return / Egress

• WCCP GRE Redirect (7200, ISR, ASR, 6500):

wccp tcp-promiscuous router-list 1

• WCCP L2 Redirect (7200, ISR, ASR, 6500, 3750, 3560, 4500):

wccp tcp-promiscuous router-list 1 l2-redirect mask-assign

wccp tcp-promiscuous mask src-ip-mask < 0xF | 0xF00 | 0xF0000 >

WCCP GRE Return / Egress

• WCCP GRE Redirect (7200, ISR, ASR):

egress-method negotiated-return intercept-method wccp

wccp tcp-promiscuous router-list 1

• WCCP L2 Redirect: Not supported

WCCP L2 Return

• WCCP GRE Redirect: Not supported

• WCCP L2 Redirect: Not supported

Native GRE Return / Egress

• WCCP GRE Redirect:

egress-method generic-gre intercept-method WCCP

7200, ISR:

wccp tcp-promiscuous router-list 1

6500, ASR:

wccp tcp-promiscuous router-list 1 mask-assign

wccp tcp-promiscuous mask src-ip-mask < 0xF | 0xF00 | 0xF0000 >

• WCCP L2 Redirect: Not supported (minor alarm)

Note: “wccp router-list” and “wccp version 2” not shown

Page 120: BRKAPP-2005

WCCP: Redundant L2 Branch

Registration – r1/r2 interface IP

Assignment – Hash

Redirect – WCCP GRE

Return/Egress – IP forward or GRE return

Network:

• Passive interface routing on all host subnets

• Route on WAE subnet (no passive interface)

• mHSRP routing e1 to rtr1 and e2 to r2 to create outbound WAN load balancing

Registration – r1/r2 interface IP

Assignment – Hash

Redirect – WCCP GRE

Return/Egress – GRE return

Network:

• Passive interface routing on host and engine subnets if no inter-router link

• Route on inter-router subnet (no passive interface)

• Preserves Gateway Load Balancing Protocol (GLBP) outbound

[Diagrams: two branch topologies with routers r1/r2, switches sw1/sw2, hosts h1–h4, engines e1/e2, the WAN, and service groups 61 and 62]

Page 121: BRKAPP-2005

WCCP: Redundant L3 Switch Branch

Registration – sw1/sw2 interface IP

Assignment – Mask

Redirect – WCCP L2 redirect

Return/Egress – IP forwarding

Network:

• Passive interface routing on all host subnets

• Route on WAE subnet (no passive interface)

Preserves upstream WAN load balancing using CEF equal cost paths

Commonly Cisco Catalyst 3560, 3750, 4500, or 6500

[Diagram: branch topology with routers r1/r2, L3 switches sw1/sw2, hosts h1/h2, engines e1/e2, the WAN, and service groups 61 and 62]

Page 122: BRKAPP-2005

Dual Data Center Asymmetric Routing: WAN Edge WCCP with GRE Path Affinity

Software router (7200/ISR)

Registration – r1/r2 loopback IP

Assignment – Hash

Redirect – WCCP GRE

Return/Egress – WCCP GRE

Hardware router (6500/ASR)

Registration – r1/r2 loopback IP

Assignment – Mask

Redirect – WCCP GRE Redirect

Return/Egress – generic GRE (6500) or WCCP GRE (ASR)

[Diagram: dual data center topology with WAN#1, WAN#2, routers r1–r10, engines e1–e4, Server Farm 1 and Server Farm 2; WCCP registration with service groups 61 and 62]

Page 123: BRKAPP-2005

Dual Data Center Asymmetric Routing: Server Farm WCCP

Inter-switch routed (N:N HA)

Register – r7/r8/r9/r10 Loopback IP

Assignment – Mask

Redirect – WCCP GRE Redirect

Return/Egress – generic GRE (6500) or IP forward

Network – WAE Etherchannel

Inter-switch VLAN (N+1 HA)

Register – r7/r8/r9/r10 interface IP

Assignment – Mask

Redirect – WCCP L2 Redirect

Return/Egress – IP forward

Network – WAE Standby Interface

[Diagram: dual data center topology with WAN#1, WAN#2, routers r1–r10, engines e1–e4, Server Farm 1 and Server Farm 2; WCCP registration with service groups 61 and 62]