
Deploying Cisco Wide Area Application Services (WAAS)

BRKAPP-2005

www.ciscolivevirtual.com

Agenda
- WAAS Overview
- WAAS Installation and Configuration
- Network Interception
- WAAS Application Optimiser (AO) Deployments
- WAAS Sizing Guidelines

2012 Cisco and/or its affiliates. All rights reserved.

Cisco Public

WAAS Overview

WAAS Helps To Accelerate Top-of-mind CIO Initiatives
- VDI & BYOD
- Video: single box solution addresses VoD and live streaming
- Cloud: solutions for private and public cloud
- App rollouts: industry leading app performance with NEW appliances
- WAN refresh: 100% of ISR G2s ship WAAS-ready; SRE provides flexible options

Application Delivery Challenges

LAN connectivity (Client - LAN Switch - Server):
- High bandwidth
- Low latency: round trip time ~ 0 ms
- Reliability

WAN connectivity (Client - LAN Switch - WAN - LAN Switch - Server):
- Low bandwidth
- Latency: round trip time ~ many milliseconds
- Congestion
- Packet loss

Cisco WAAS: WAN Optimisation Solution

(Figure: WAAS components across the topology.)
- Branch Office: WAAS Express, WAAS Services Ready Engine, WAAS Appliance
- Regional Office: WAAS Appliance
- Data Centre or Private Cloud: WAAS Appliances, vWAAS Appliances, WAAS CMs
- Virtual Private Cloud: vWAAS WAE and server VMs on a VMware ESXi server (UCS/x86 server, FC SAN), Nexus 1000v VSM and vPath

WAAS Product Portfolio
- vWAAS: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000
- WAAS Appliances: WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541
- WAAS ISR Modules: SM-SRE-7X0, SM-SRE-9X0
- WAAS Express: 890, 1941/2901, 29xx, 39xx
- WAAS Mobile: tele worker

Positioning runs from tele worker and small branch through medium and large branch to small-medium data centre & campus and data centre.

Next Generation WAVE Appliances
- Purpose built hardware
- Optional I/O modules including optical and 10 Gbps Ethernet
- Up to 2 Gbps optimised throughput
- Up to 8 Virtual Blades (WAVE-694)

WAAS Context Aware Cache Architecture (WAAS 4.4)

CIFS Object Cache
- Includes file pre-positioning
- Ideal for high latency / low bandwidth links

App Aware Cache Manager
- Optimises cache behaviour based upon traffic directionality

Adaptive DRE Cache
- Signatures (in memory) kept per peer (Peer 1 ... Peer n)
- Per-peer signatures provide fault isolation, prevent branch starvation and enable lowest latency data store access
- Data store (disk): unified data store, a single store for all peers
- App policy controlled:
  Uni-directional traffic is only written to the destination cache (no cache consumption at the source)
  Bi-directional traffic is written to both caches

Citrix XenApp and XenDesktop Support (WAAS 4.5)
- High performance virtual desktops
- No changes to clients, no changes to servers
- Transparent handshake
- Zero-touch deployment, auto-interoperability with ICA encryption & compression
- Cisco WAAS 4.5.1 is jointly tested, validated, supported and verified as a Citrix Ready solution

Session and Transport Layer Optimisation

WAAS Application Policy defines:
- L4: basic optimisation
- L5-7: latency mitigation

(Figure: OSI stacks of Client, WAAS 1, WAAS 2 and Host. The Application Optimiser (AO) on each WAAS works at the session and application layers and TFO at the transport layer. Client to WAAS 1 and WAAS 2 to host are origin connections; WAAS 1 to WAAS 2 across the WAN is the optimised connection.)

TFO vs Regular TCP in the WAN
Cisco TFO provides significant throughput improvements over standard TCP implementations.

(Figure: congestion window (cwnd) against time in RTTs for TFO and standard TCP, through slow start and congestion avoidance.)

TFO uses RFC 2018 (SACK), RFC 1323 (high-performance extensions), RFC 3390 (larger initial window) and BIC-TCP: http://netsrv.csc.ncsu.edu/export/bitcp.pdf

Advanced Compression

Data Redundancy Elimination (DRE)
- Application-agnostic compression
- Up to 100:1 compression
- WAAS 4.4: Context Aware DRE
- Synchronised compression history between the two WAVEs across the WAN

Persistent LZ Compression
- Session-based compression
- Application-agnostic compression
- Up to 10:1 compression
- Works even during a cold DRE cache

Application-Specific Acceleration
- Application/protocol awareness for latency mitigation and LAN-like performance
- Application Optimisers (AOs): CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI
- Licensed, developed and validated with application vendors

(Figure: remote office to data centre over the WAN.) Benefits shown: LAN-like performance, object cache verification, security and control, WAN optimisation, WAN bandwidth savings, servers safely offloaded, fewer servers needed, power/cooling savings.

Network Transparency
(Figure: networks A/24, B/24 and C/24 on one side of the WAN, D/24 and E/24 on the other.)
- Packets between each network are routed as normal; WAAS auto-discovery will find the WAVEs in the path
- WAAS network transparency (same L3/L4 headers) allows the application acceleration components to maintain compliance with existing network features:
  Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting
  Security functions (ACLs, firewall policies)

Auto Discovery - Two WAVE Configuration
- In-band signalling with TCP option 0x21
- WAE (B) closest to client (A) and WAVE (C) closest to server (D)
- Connection optimised between WAVE (B) and (C)
- WAVE shifts the optimised TCP SEQ number by 2 billion

If a WAVE that was optimising fails:
- Hosts will see segments with SEQ/ACK numbers that are out of range
- Host will reset (RST) the connection
- Client will re-establish a new TCP connection

Handshake (A - B - C - D):
  A -> B: A:D SYN             (origin connection)
  B -> C: A:D SYN(OPT)        (optimised connection)
  C -> D: A:D SYN(OPT)        (origin connection)
  D -> C: D:A SYN/ACK
  C -> B: D:A SYN/ACK(OPT)
  B -> A: D:A SYN/ACK

Auto-Discovery Multi WAVE Configuration
- Optimised connection established between WAVE (B) and WAVE (D)
- Intermediate WAVE (C) sees the TCP option in both directions and switches to Pass Through (PT)
- Each WAVE supports 10X its optimised connection limit for Pass Through connections

Handshake (A - B - C - D - E):
  A -> B: A:E SYN             (origin connection)
  B -> C: A:E SYN(OPT)        (optimised connection)
  C -> D: A:E SYN(OPT)
  D -> E: A:E SYN(OPT)        (origin connection)
  E -> D: E:A SYN/ACK
  D -> C: E:A SYN/ACK(OPT)
  C -> B: E:A SYN/ACK(OPT)
  B -> A: E:A SYN/ACK
  A -> B: A:E ACK
  B -> C: A:E ACK(OPT)
  C -> D: A:E ACK(OPT)
  D -> E: A:E ACK
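The two handshakes above as an added simulation (example code, not Cisco's and not from the deck): each WAVE in a chain handles the SYN, SYN/ACK and ACK and decides whether it is the client-side peer, the server-side peer or a pass-through device. The option is modelled as a flag plus the name of the WAVE that set it, a simplification of the real option 0x21 payload; host names A and E and the WAVE names are the deck's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    kind: str                          # "SYN", "SYN/ACK" or "ACK"
    opt: bool = False                  # TCP option 0x21 present?
    opt_from: Optional[str] = None     # WAVE that inserted the option (model simplification)

    def __str__(self) -> str:
        return f"{self.src}:{self.dst} {self.kind}{'(OPT)' if self.opt else ''}"


@dataclass
class Wave:
    name: str
    added_syn_opt: bool = False        # this WAVE marked the SYN, so it is nearest the client
    syn_opt_from: Optional[str] = None  # set when a SYN already carrying the option arrived
    mode: str = "undecided"            # becomes "optimised" or "pass-through"
    peer: Optional[str] = None


def toward_server(w: Wave, seg: Segment) -> Segment:
    """Client-to-server direction: the SYN and the final ACK."""
    if w.mode == "pass-through":
        return seg                     # PT devices forward everything untouched
    if seg.kind == "SYN":
        if seg.opt:
            w.syn_opt_from = seg.opt_from      # a WAVE nearer the client already marked it
        else:
            seg.opt, seg.opt_from = True, w.name
            w.added_syn_opt = True             # first WAVE on the path marks the SYN
    elif seg.kind == "ACK" and w.mode == "optimised":
        if w.added_syn_opt:
            seg.opt, seg.opt_from = True, w.name   # client-side WAVE confirms with ACK(OPT)
        else:
            seg.opt, seg.opt_from = False, None    # server-side WAVE strips it again
    return seg


def toward_client(w: Wave, seg: Segment) -> Segment:
    """Server-to-client direction: the SYN/ACK fixes every WAVE's role."""
    if w.mode == "pass-through" or seg.kind != "SYN/ACK":
        return seg
    if not seg.opt:
        if w.syn_opt_from is not None:
            # SYN(OPT) came in and a plain SYN/ACK came back: closest WAVE to the server
            w.mode, w.peer = "optimised", w.syn_opt_from
            seg.opt, seg.opt_from = True, w.name
        else:
            w.mode = "pass-through"    # no WAVE on the far side to pair with
    elif w.added_syn_opt:
        # the SYN/ACK option answers our own SYN option: closest WAVE to the client
        w.mode, w.peer = "optimised", seg.opt_from
        seg.opt, seg.opt_from = False, None    # origin connection continues to the client
    else:
        w.mode = "pass-through"        # option seen in both directions: intermediate WAVE
    return seg


def discover(names: List[str], client: str = "A", server: str = "E"
             ) -> Tuple[Dict[str, Tuple[str, Optional[str]]], List[str]]:
    """Run the three-way handshake through the WAVE chain (listed client to server).

    Returns each WAVE's role/peer and the per-hop trace in the deck's A:E SYN(OPT) notation."""
    waves = [Wave(n) for n in names]
    hops = [client] + names + [server]
    trace: List[str] = []

    def run(seg: Segment, handler, order: List[Wave], path: List[str]) -> None:
        for i, w in enumerate(order):
            trace.append(f"{path[i]}->{path[i + 1]} {seg}")
            seg = handler(w, seg)
        trace.append(f"{path[-2]}->{path[-1]} {seg}")

    run(Segment(client, server, "SYN"), toward_server, waves, hops)
    run(Segment(server, client, "SYN/ACK"), toward_client, list(reversed(waves)), hops[::-1])
    run(Segment(client, server, "ACK"), toward_server, waves, hops)
    return {w.name: (w.mode, w.peer) for w in waves}, trace


if __name__ == "__main__":
    roles, trace = discover(["B", "C", "D"])
    print(roles)                       # B and D pair up, C goes pass-through
    print("\n".join(trace))
```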

WAAS Sizing Guidelines

WAVE - Platform Performance (4.5)

Platform | WAN bandwidth (Mbps) | Optimised TCP connections | Optimised LAN throughput (Mbps) | Total disk capacity (GB) | DRE disk capacity (GB) | CIFS disk capacity (GB) | Max LAN video streams | Virtual Blades supported | Total Virtual Blade disk capacity (GB) | Peer fan out | CM managed devices
SRE-7X0-S | 20 | 200 | 200 | 500 | 80 | 57 | 40 | - | - | - | -
SRE-7X0-M | 20 | 500 | 200 | 500 | 80 | 57 | 150 | - | - | - | -
SRE-9X0-S | 50 | 200 | 300 | 500 | 120 | 95 | 40 | - | - | - | -
SRE-9X0-M | 50 | 500 | 300 | 500 | 120 | 95 | 150 | - | - | - | -
SRE-9X0-L | 50 | 1000 | 300 | 500 | 120 | 95 | 300 | - | - | - | -
294-4G | 10 | 200 | 100 | 250 | 40 | 75 | 40 | 2 | 60 | - | -
294-8G | 20 | 400 | 150 | 250 | 55 | 75 | 80 | 2 | 60 | - | -
594-6G | 50 | 750 | 250 | 500 | 80 | 100 | 150 | 2 | 175 | 50 | -
594-12G | 100 | 1300 | 300 | 500 | 120 | 100 | 300 | 4 | 175 | 100 | 1000
694-16G | 200 | 2500 | 450 | 600 | 120 | 100 | 400 | 4 | 180 | 150 | 2000
694-24G | 200 | 6000 | 500 | 600 | 200 | 100 | 1000 | 6 | 180 | 300 | 2000
7541 | 500 | 18k | 1000 | 2250 | 500 | 225 | 1000 | - | - | 700 | 250
7571 | 1000 | 60k | 2000 | 3150 | 1000 | 225 | 1000 | - | - | 1400 | 250
8541 | 2000 | 150k | 4000 | 4200 | 2000 | 300 | 1000 | - | - | 2800 | 1000

("-" marks cells the slide leaves blank.)

vWAAS - Platform Performance (4.5)

Platform | vCPUs | Virtual memory (GB) | Virtual disk datastore (GB) | Target WAN bandwidth (Mbps) | Optimised TCP connections | Optimised LAN throughput (Mbps) | Peer fan-out | DRE disk capacity (GB) | CIFS disk capacity (GB) | Max LAN video streams | CM managed devices
vWAAS-200 | 1 | 2 | 160 | 10 | 200 | 100 | - | 50 | 75 | 40 | -
vWAAS-750 | 2 | 4 | 250 | 50 | 750 | 250 | 50 | 95 | 95 | 150 | -
vWAAS-6000 | 4 | 8 | 500 | 200 | 6000 | 500 | 300 | 320 | 95 | 1000 | -
vWAAS-12000 | 4 | 12 | 750 | 310 | 12000 | 1000 | 1400 | 450 | 175 | 1000 | -
vCM-100N | 2 | 2 | 250 | - | - | - | - | - | - | - | 100
vCM-2000N | 4 | 8 | 600 | - | - | - | - | - | - | - | 2000

("-" marks cells the slide leaves blank.)

WAAS Deployment
Installation and Configuration

WAAS Deployment Overview
1. Initial setup is done using the console CLI; the setup script is recommended. License configuration is required.
2. Always bring up the Central Manager (CM) first. New WAAS devices are auto-registered to the WAAS CM and become members of AllWAASGroup.
3. When creating an AccelerationGroup make sure you apply the correct application policies (e.g. set the default one) and that auto-membership for this group is enabled.
4. Next bring up all Application Accelerators.
5. Configure traffic interception (inline, WCCP etc.). Start traffic interception on core or central devices followed by remote devices.
6. Further configuration should be done from within the CM.

WAAS Setup Script
- Prompted on boot of a factory default box to run the setup script, or execute setup
- The script prompts for the configuration needed to communicate, network integrate, manage and license the WAE
- WAVE default mode is Accelerator; changing to CM requires a reboot
- Optional proactive diagnostics

Deploying WAAS Central Manager

Central Management System (CMS)
- CMS process runs on all WAVEs
- Bidirectional configuration synchronisation between CM and accelerators
- All management communication uses HTTPS (self signed, device specific certificates and keys)
- Central Manager collects health and monitoring data every 5 min by default
- CMS provides the means to back up and restore configuration

sre700#sho cms info
Device registration information :
Device ID                            = 11506
Device registered as                 = WAAS Application Engine
Current WAAS Central Manager         = 10.42.40.1
Registered with WAAS Central Manager = 10.42.40.1
Status                               = Online
Time of last config-sync             = Thu Dec 29 17:56:19 2011

CMS services information :
Service cms_ce is running

CM Configuration
- Device located in the Data Centre
- Setup script recommended
- Non-default configuration: device mode, hostname, primary-interface, IP configuration, date/time configuration, Configuration Management System (CMS)
- CMS must be enabled to access the CM GUI
- Reload required (role change)
- Optionally use a standby interface to dual-home to two switches

device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 10.1.1.31 255.255.255.0
 exit
ip default-gateway 10.1.1.254
ip name-server 10.1.1.21
clock timezone AEST 10 0
ntp server ntp.foo.com
cms enable
copy run start

WAAS CM Dashboard
https://cm-ipaddress:8443


Group Configuration Best Practices
- AllWAASGroup: DNS; SNMP; Date/Time > NTP Server | Time Zone; Login Access Control > SSH | MoD | Exec Timeout; Authentication; System Log Settings; Storage > Disk Error Handling
- EdgeDevicesGroup: transaction logs, prepositioning, disk encryption, flow agent
- SSLDevicesGroup: SSL acceleration
- AccelerationGroup: application policies (optional)

WAAS Monitoring
- Dashboard
- Aggregate statistics
- Optimisation summary
- Connection trending
- Application acceleration: HTTP, CIFS, NFS, MAPI, Video, SSL, Print, Citrix ICA, E-MAPI

Deploying Physical Appliance (WAE/WAVE)

Basic Configuration - Accelerator
- Default configuration
- Hostname, primary-interface, IP configuration, CMS enable
- CMS required to register with the CM
- Use of a hostname for the CM is recommended
- Interface HA modes: standby interface, PortChannel interface

hostname branch1-wave
primary-interface GigabitEthernet 0/0
interface GigabitEthernet 0/0
 ip address 10.1.100.101 255.255.255.0
 ! Optionally configure speed and duplex
 exit
ip default-gateway 10.1.100.254
ip name-server 10.1.1.21
! Implement DNS for CM mobility
central-manager address cm1.foo.com
cms enable
copy run start

WAVE Port Allocation
- Onboard ports: GigabitEthernet 0/0, GigabitEthernet 0/1
- I/O modules (WAVE-INLN-GE-4T, WAVE-INLN-GE-8T, WAVE-INLN-GE-4SX, WAVE-10GE-2SFP):
  GigabitEthernet 1/0, 1/1 ... 1/7 (standalone mode)
  InlineGroup 1/0, 1/1, 1/2, 1/3 (inline mode)
  TenGigabitEthernet 1/0, 1/1

Standby Interface
- There must be a layer 2 path between the two WAVE ethernet ports (Gi 0/0 and Gi 0/1)
- MAC only on the in-use interface
- Primary preempts
- Gratuitous ARPs on failover

WAVE(config)#interface Standby 1
WAVE(config-if)#ip address 10.1.2.100 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#standby 1 primary
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#standby 1
WAVE(config-if)#exit
WAVE(config)#primary-interface standby 1

WAVE#show interface standby 1
Interface Standby 1 (2 physical interface(s)):
 GigabitEthernet 0/0 (active)(primary)(in use)
 GigabitEthernet 0/1 (active)

PortChannel Interface
- IP address defined on the PortChannel interface
- Default load balance method: source-destination IP and port
- LACP is not currently supported; hard code speed/duplex
- Interface configs MUST MATCH on both WAVE ports (Gi 0/0, Gi 0/1) and their switch ports

WAVE(config)#interface PortChannel 1
WAVE(config-if)#no shut
WAVE(config-if)#ip address 10.1.1.31 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1

CM Management


Device Group Assignment
- New WAAS devices are automatically added to AllWAASGroup
- Add the new device to other groups (e.g. Edge, SSL etc.) where necessary

Deploying Virtual Appliance (vWAAS)

vWAAS Overview
- vWAAS is a virtualised WAAS offering on top of ESX/ESXi running on UCS/x86 servers
- Target use cases: private cloud (enterprise DC), virtual private cloud, hybrid cloud
- Interception methods supported: traditional methods such as WCCP; Nexus 1000v with vPath
- Storage used by vWAAS: direct attached storage (DAS), FibreChannel SAN, iSCSI SAN; NAS is not currently supported

vWAAS Interception Options

WCCP interception
- Multiple vWAAS VMs can exist in the same WCCP cluster
- WCCP on a Cat6K/N7K; the vWAAS VMs run on VMware ESX/ESXi on a UCS/x86 server

vPath interception
- Based on the port-profile policy configured in Nexus 1000v
- Bidirectional interception (no IN/OUT configuration)
- Pass-through traffic is automatically bypassed
- Nexus 1000V/VN-Link vPath on ESX/ESXi with N1000v; UCS compute/virtualised servers behind Nexus 2K/5K

vWAAS Installation
- vWAAS Virtual Appliance (OVF) preconfigured with disk, memory, CPU, NICs and other VMware configuration settings
- vWAAS-200, 750, 6000, 12000, EVAL; vCM-100N, 2000N

System requirements
- VMware vSphere 4.x/5.x ESXi hypervisor
- VMware vCenter server & vSphere client 4.x/5.x
- Cisco UCS or other x86 server with a 64 bit CPU on the VMware HCL
- Ensure Intel VT is enabled in the host's BIOS
- Thick provisioned storage
- vPath (optional) requires Nexus 1000v v4.2(1)SV1(4) or later


vWAAS Configuration
- vWAAS configuration is the same as for WAVE
- Connect to the console through vCenter
- Use of the setup script is recommended
- Some differences you will notice: interface virtual 1/0; interception other (for vPath)

Network Interception
Inline Mode

Inline Interception Overview
- Simple plug-and-play deployment: physical in-path deployment between switch and router; mechanical fail-to-wire
- High availability: two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing; serial in-path clustering with fail-over
- Seamless transparent integration: transparency and automatic discovery; 802.1q VLAN trunking support; supported on all WAVE appliance models
- Inline I/O modules: WAVE-INLN-GE-4T, WAVE-INLN-GE-8T, WAVE-INLN-GE-4SX, WAVE-10GE-2SFP

Serial Inline Cluster
- Simple high availability design for small to medium data centres
- HA supported by a secondary WAVE; not intended for scaling, only HA
- Design requires 4 inline groups (8 ports) per WAVE (WAN1 and WAN2 paths)
- Configure and manage via CM: auto peer configuration, location based reporting
- Interception access list supported: bypass for non-relevant traffic
- Inline I/O modules: WAVE-INLN-GE-4T, WAVE-INLN-GE-8T, WAVE-INLN-GE-4SX, WAVE-10GE-2SFP

Inline Non-Redundant Branch (WAN - Router - WAVE - Switch)

Router
- Crossover cable from router to engine
- Fix speed and duplex settings for Fast Ethernet connections
- Ensure the router and switch have matching speed and duplex

Switch
- Straight through cable from engine to switch
- Ensure the router and switch have matching speed and duplex
- Implement portfast for faster recovery

WAVE
- One inline port group
- Ports fail-to-wire upon hardware, software or power failure
- Support for interception of 802.1q trunks
- Use Gi0/0 as the primary interface

Network Interception
WCCP Mode

Transparent Off-path Interception

WCCPv2 interception (WCCP cluster)
- Transparent network integration
- Active/active clustering supports up to 32 WAVEs and 32 routers with automatic load-balancing, load redistribution, fail-over and fail-through operation
- Near-linear scalability and performance improvement when adding devices

Policy-Based Routing (PBR) interception
- Routing of flows to be optimised through a Cisco WAVE as a next-hop router
- Active/passive clustering provides high availability and failover using IP SLA as a tracking mechanism
- HA only, no load balancing

WCCP Functions
Intercept takes place in both directions for WAAS.
- INTERCEPT: identify packets for WCCP processing (in or out)
- ASSIGN: select the target WAVE in the WAVE cluster
- REDIRECT: the router/switch sends the packet to the WAVE
- RETURN: for unprocessed traffic, the WAVE returns the packet to the router
- EGRESS: for processed/optimised traffic, the WAVE egresses the packet back to the router

WCCP Redirect-List
- Matches traffic for interception: permit all applications but deny specific protocols
- Avoid redirection of management traffic with a universal ACL
- Apply the bidirectional ACL to service groups 61 and 62
- Create the redirect ACL before enabling WCCP service groups 61 and 62
- Do not enable logging on the WCCP redirect ACL (performance)
- Optionally permit specific IP subnets
- Optimise the ACL to minimise TCAM usage

ip access-list extended waas-redirect
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 ! Reverse Direction
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 !
 permit tcp any <<branch subnet>>
 permit tcp <<branch subnet>> any
 ! Implicit DENY ALL
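An added checker for the redirect list above (example code, not Cisco's): it parses the ACL's permit/deny entries and evaluates sample flows first-match with the implicit deny, so you can confirm before enabling service groups 61/62 that management sessions stay out of WCCP in both directions while branch application traffic is redirected. The branch subnet 10.1.100.0/24 and the sample flows are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the deck's waas-redirect list with <<branch subnet>> filled in
# as 10.1.100.0/24 (an assumed value, written as an IOS wildcard mask).
WAAS_REDIRECT_ACL = """
ip access-list extended waas-redirect
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 ! Reverse Direction
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 !
 permit tcp any 10.1.100.0 0.0.0.255
 permit tcp 10.1.100.0 0.0.0.255 any
"""

# IOS port keywords used in the list, resolved to port numbers
PORT_NAMES = {"telnet": 23, "bgp": 179, "tacacs": 49}


@dataclass
class Ace:
    permit: bool
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, sip: str, sport: int, dip: str, dport: int) -> bool:
        return (ipaddress.ip_address(sip) in self.src
                and ipaddress.ip_address(dip) in self.dst
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)             # ipaddress accepts an IOS-style hostmask here
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier; only eq appears in this list."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_redirect_list(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "remark", "ip access-list")):
            continue
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if proto != "tcp":
            raise ValueError(f"only tcp entries are expected in a WAAS redirect list: {line}")
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
        aces.append(Ace(action == "permit", src, sport, dst, dport))
    return aces


def is_redirected(aces: List[Ace], sip: str, sport: int, dip: str, dport: int) -> bool:
    """First-match evaluation with the implicit deny at the end, as IOS applies it."""
    for ace in aces:
        if ace.matches(sip, sport, dip, dport):
            return ace.permit
    return False


if __name__ == "__main__":
    acl = parse_redirect_list(WAAS_REDIRECT_ACL)
    # branch client to DC web server and the replies: both directions redirected
    print(is_redirected(acl, "10.1.100.50", 40000, "10.1.1.21", 80))
    print(is_redirected(acl, "10.1.1.21", 80, "10.1.100.50", 40000))
    # SSH to a branch host and its replies: never redirected
    print(is_redirected(acl, "10.1.1.5", 50000, "10.1.100.50", 22))
    print(is_redirected(acl, "10.1.100.50", 22, "10.1.1.5", 50000))
```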

WCCP Redirection
- Default service groups 61 and 62 (multiple SGs now supported)
- Redirect 61 FROM clients (balance on source IP); redirect 62 FROM servers (balance on destination IP)
- Always use Redirect IN wherever possible
- Never use Redirect OUT on a Catalyst switch; Redirect OUT can be used on ISR/ISR G2, ASR and Nexus 7000 if required by design
- Avoid WCCP LOOPS! (more on this later)
(Figure: service group 61 on the LAN-facing interface and 62 on the WAN-facing interface, at both the branch and the data centre.)

WCCP Assignment - Hash or Mask
The router uses the assignment method to determine which WAVE to redirect traffic to.

Hash assignment
- Byte level XOR computation divided into 256 buckets
- Default for software based routing platforms (e.g. ISR/ISR G2)
- All buckets allocated evenly across WAVEs (by default)

Mask assignment
- Bit level AND, divided into up to 128 buckets (7 bits)
- Optimised for hardware based routing platforms (e.g. Nexus, Catalyst)
- Always keep the mask size as small as possible
- Number of buckets (and size of mask) based on the number of WAVEs in the cluster:
  2 WAVEs: 1 bit mask, e.g. 0x1
  8 WAVEs: 3 bit mask, e.g. 0x7 (buckets 000, 001, 010, 011, 100, 101, 110, 111)

Hash Assignment
Hash applied to the source OR destination IP based on the service group (61/62); the assignment matches in both directions.
(Figure, two-WAVE cluster: hash buckets 0-127 go to WAVE-A, 128-255 to WAVE-B.)
- Client to server, Src 10.1.1.1 Dest 20.1.1.1: service group 61 hashes Src 10.1.1.1
- Server to client, Src 20.1.1.1 Dest 10.1.1.1: service group 62 hashes Dst 10.1.1.1

Mask Assignment
Mask applied to the source OR destination IP based on the service group (61/62); the assignment matches in both directions.
(Figure, four WAVEs with mask 0x3 (2 bits): bucket 00 WAVE-A, 01 WAVE-B, 10 WAVE-C, 11 WAVE-D.)
- Client to server, Src 10.1.1.1 Dest 20.1.1.1: service group 61 masks Src 10.1.1.1
- Server to client, Src 20.1.1.1 Dest 10.1.1.1: service group 62 masks Dst 10.1.1.1

Mask Assignment Examples

Branch
- ISR G2: hash or mask supported (hash is more efficient in software)
- Use hash, or keep the mask small (typically only one or two bits)
- If balancing across multiple engines with mask, set the mask to match host bits

  Src/Dst IP (Dec) = 10.1.1.1
  Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
  Two WAVE cluster, mask 0x3 = 0000:0000.0000:0000.0000:0000.0000:0011
  Result 01 -> WAVE-B

Data Centre
- Assuming a /24 allocation per site (or per subnet), set the mask to match the third octet (subnet), with a mask in the range 0x100 to 0x7F00

  Src/Dst IP (Dec) = 10.1.1.1
  Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
  Eight WAVE cluster, mask 0x700 = 0000:0000.0000:0000.0000:0111.0000:0000
  Result 001 -> WAVE-B
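The two mask examples above as an added calculator (example code, not Cisco's): it packs the IP bits selected by the mask into a bucket number, enforces the 7-bit limit, and shows why the branch mask (host bits) spreads one subnet's hosts across the cluster while the data centre mask (third octet) keeps a whole /24 site on one WAVE. Round-robin dealing of buckets to WAVEs is an assumption that matches both of the deck's worked results; the real allocation is chosen by the WCCP client.

```python
import ipaddress
from typing import Dict, List


def bucket_index(ip: str, mask: int) -> int:
    """Bucket number = the IP bits selected by the mask, packed together (bit-level AND).

    The deck's 0x700 example on 10.1.1.1 selects the low three bits of the third octet,
    0000:0111 & 0000:0001, giving bucket 001 = 1."""
    if mask <= 0 or mask > 0xFFFFFFFF or bin(mask).count("1") > 7:
        raise ValueError("WCCP mask assignment uses at most 7 mask bits (128 buckets)")
    masked = int(ipaddress.IPv4Address(ip)) & mask
    bucket, out_bit = 0, 0
    for bit in range(32):                  # walk the mask LSB to MSB, packing selected bits
        if mask >> bit & 1:
            if masked >> bit & 1:
                bucket |= 1 << out_bit
            out_bit += 1
    return bucket


def bucket_count(mask: int) -> int:
    """2 ** (number of mask bits); 0x7F00 gives the 128-bucket maximum."""
    return 1 << bin(mask).count("1")


def assign(ip: str, mask: int, waves: List[str]) -> str:
    """Map the bucket to a WAVE. Assumption: buckets are dealt out round-robin
    (bucket 0 -> first WAVE, bucket 1 -> second, ...), which matches both deck examples;
    the real allocation is chosen by the WCCP client and may differ."""
    return waves[bucket_index(ip, mask) % len(waves)]


def distribution(hosts: List[str], mask: int, waves: List[str]) -> Dict[str, int]:
    """Count how many of the given addresses land on each WAVE."""
    counts = {w: 0 for w in waves}
    for h in hosts:
        counts[assign(h, mask, waves)] += 1
    return counts


if __name__ == "__main__":
    # Branch: two WAVEs, mask on host bits (0x3) spreads a /24's hosts across both
    branch_waves = ["WAVE-A", "WAVE-B"]
    branch_hosts = [f"10.1.1.{i}" for i in range(1, 255)]        # constructed sample hosts
    print(assign("10.1.1.1", 0x3, branch_waves))                # WAVE-B, as on the slide
    print(distribution(branch_hosts, 0x3, branch_waves))

    # Data centre: eight WAVEs, mask on the third octet (0x700) keeps every host of one
    # /24 site on the same WAVE while spreading sites across the cluster
    dc_waves = [f"WAVE-{c}" for c in "ABCDEFGH"]
    print(assign("10.1.1.1", 0x700, dc_waves))                  # WAVE-B, as on the slide
    site_hosts = [f"10.1.5.{i}" for i in range(1, 255)]         # constructed sample site
    print(distribution(site_hosts, 0x700, dc_waves))            # all on WAVE-F
```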

Redirect, Return and Egress Methods
WCCP specifics are configured on the WAVE (WCCP client) and MUST match the WCCP router capabilities.

WCCP redirect methods
- WCCP GRE: the entire packet inside a GRE tunnel to the WAVE (default)
- Layer 2: frame destination MAC address rewritten to the WAVE MAC

WCCP return methods
- WCCP GRE: GRE packet returned to the router
- WCCP Layer 2: frame rewritten to the router MAC

WCCP egress methods
- IP Forward: the WAVE ARPs for the configured default gateway (default)
- WCCP negotiated: flow sent back inside the WCCP GRE tunnel to the router
- Generic GRE: flow sent back inside a preconfigured generic GRE tunnel to the switch (specific for HW assisted interception on Catalyst 6500)

Layer 2 Methods
The WAVE must be L2 adjacent to the router.

- L2 Redirect: rewrite the frame destination MAC to the WAVE MAC address; transmit the frame towards the WAVE
- L2 Return: rewrite the frame destination MAC to the router MAC address; transmit the frame towards the router
- L2 Egress: rewrite the frame destination MAC to the router MAC address; transmit the frame towards the redirecting router
- IP Forwarding Egress: the WAVE ARPs for the default gateway; forward the frame as an IP packet to the gateway address

Today: Redirect L2, Return L2, Egress IP FWD
WAAS v5.0 (future): Redirect L2, Return L2, Egress L2

Layer 3 or GRE Methods
The WAVE must be L3 reachable from the router/switch.

- WCCP GRE Redirect (default): encapsulate the frame in a GRE header; transmit the GRE packet to the WAVE (source: Router-ID IP)
- WCCP GRE Return (negotiated): encapsulate the frame in a GRE header; transmit the GRE packet to the redirecting router (destination IP: Router-ID)
- WCCP GRE Egress: encapsulate the frame in a GRE header; transmit the GRE packet to the redirecting router (destination IP: Router-ID)

Redirect GRE, Return GRE, Egress GRE

- The Router-ID defaults to the loopback or highest IP; configurable with the ip wccp source-address command on the ASR
- MUST USE the alternative Generic GRE on Catalyst 6500

WCCP Loop Avoidance - Common Loop Scenarios

Redirect loop (1)
- Cause: the default egress method is IP FWD
- Solution: configure WCCP GRE egress

Redirect loop (2)
- Cause: Redirect OUT configured
- Solution: reconfigure to Redirect IN

Redirect loop (3)
- Cause: Redirect OUT configured
- Solution A: reconfigure to Redirect IN
- Solution B: configure Redirect-Exclude IN on the WAVE-facing interface: ip wccp redirect exclude in

WAAS Network Deployment

WCCP - Platform Recommendations

Platform | Assign | Redirect | Redirect List | Direction | Return | VRFs | IOS
Nexus 7000 | Mask | L2 | L3/L4 ACL | In or Out | L2 | Supported | 4.2(1); 5.1(5)
ISR & 7200 | Hash or Mask | GRE or L2 | Extended ACL | In or Out | GRE or L2 | Supported | 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M use L2/Mask
ASR 1000 | Mask | GRE or L2 | Extended ACL | In or Out | L2 | Planned | XE3.1.0S; IOS 15.0(1)S
Cat 6500 / Cat 7600 Sup720/32 | Hash or Mask | GRE or L2 | Extended ACL | In or Out | Generic GRE or L2 | Planned | 6500 12.2(33)SXH; 7600 12.2(18)SXF
Cat 6500 Sup2T | (Hash*) or Mask | GRE or L2 | Extended ACL | In (or Out*) | Generic GRE or L2 | Supported | 15.0(1)SY
Cat 4500 | Mask | L2 only | No | In | L2 | N/A | <Sup6 12.2(50)SG1; Sup6 15.0(2)SG; Sup7 15.1(1)SG
Cat 3750 | Mask | L2 only | Extended ACL (no deny) | In | L2 | N/A | 12.2(37)SE

This list is dynamic over time; see the release notes for the latest information.

WAAS Configuration Example
- Enable GRE egress
- Turn on WCCP AFTER configuration

wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2

WCCP Router Configuration

Router global configuration
Router(config)# ip cef
Router(config)# ip wccp 61 <optional-redirect-list acl-name>
Router(config)# ip wccp 62 <optional-redirect-list acl-name>
Router(config)# ip wccp version 2

Router interface configuration (direction determined by topology)
Router(config-if)# ip wccp 61 redirect <in|out>
Router(config-if)# ip wccp 62 redirect <in|out>
Router(config-if)# ip wccp redirect exclude in

(Figure: service group 61 on the LAN side and 62 on the WAN side, at the branch and at the data centre.)

Branch WCCP Configuration Example
(Figure: the router intercepts with service group 61 on g0 (LAN side) and 62 on s0 (WAN side); the WAVE is an SRE-700 on sm1/0. The figure flags a looped intercept risk.)

Hash

Router:
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE:
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2

Mask

Router:
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE:
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1
wccp version 2

Data Centre Example - Single DC, WCCP at WAN Edge (WAVE or vWAAS deployed)
- WAVE registration: loopback IP of the router; ASR Router-ID configured as the loopback IP
- Single WCCP cluster: each WAVE to both ASR 1000 routers
- Assignment: mask
- Redirect: WCCP GRE
- Return/Egress: WCCP GRE
- Variable WCCP timers configured for fast convergence
- Network: WAVEs on a dedicated or shared VLAN; WAVEs could be vPC connected to the Nexus access layer; routed edge link with no WCCP
- High availability via WCCP maintains symmetric traffic flows

Data Centre Example - Multiple DC, WCCP at WAN Edge (WAVE or vWAAS deployed)
- WAVE registration: loopback IP of the router; ASR Router-ID configured as the loopback IP
- Single WCCP cluster: each WAVE to all edge ASR 1000 routers (full mesh)
- Assignment: mask (0x300 or 0x700 for growth)
- Redirect: WCCP GRE
- Return/Egress: WCCP GRE
- Variable WCCP timers configured
- Network: WAVEs on a dedicated or shared VLAN; WAVEs could be vPC connected to the Nexus access layer; routed edge link with no WCCP
- High availability via WCCP maintains symmetric traffic flows
(WCCP registration not displayed on the figure.)

Data Centre Example - Single DC, WCCP at Aggregation Layer (WAVE or vWAAS deployed)
- WAVE registration: interface IP of the router; ASR Router-ID configured as the loopback IP
- Single WCCP cluster: each WAVE to both aggregation routers (Nexus 7000)
- Assignment: mask
- Redirect: Layer 2
- Return/Egress: Layer 2 / IP FWD (L2 egress in WAAS v5.0)
- Network: WAVEs on a dedicated VLAN with no redirect; all server VLAN SVIs 62 Redirect IN; WAVEs could be vPC connected to the Nexus access layer; L2 between the aggregation switches; L3 routed to the ASR 1000 WAN edge
- High availability via WCCP maintains symmetric traffic flows

Data Centre Example: Multiple DC

WCCP at Aggregation Layer, WAVE or vWAAS Deployed

- WAVE Registration: Interface IP of router
- ASR Router-ID: Configured Loopback IP
- Single WCCP cluster, each WAVE registered to all aggregation Nexus 7000 switches (full mesh)
- Assignment: Mask (0x300, or 0x700 for growth)
- Redirect: Layer 2
- Return/Egress: Layer 2/IP FWD (L2 Egress in WAAS v5.0)
- Network:
  - WAVEs on dedicated VLAN, no redirect
  - All server VLAN SVIs: WCCP 62 Redirect IN
  - WAVEs could be vPC connected
  - L2 between Aggregation Switches
  - Routed edge link

Diagram: four WAVE/vWAAS devices behind three Nexus 7000 aggregation switches joined by an L2 trunk, with L3 routed links to three ASR 1000 WAN edge routers facing the WAN (WCCP Registration not displayed). High Availability via WCCP maintains symmetric traffic flows.

WAAS WCCP Deployment: Configuration Best Practices

Registration
- Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)
- Use the interface IP address if L2 adjacent to the WCCP router
- Use the highest loopback address if not L2 adjacent to the WCCP router

Software Platforms (ISR, ISR G2)
- GRE Redirect (Default)
- Hash Assignment (Default)
- Inbound Interception
- "ip wccp redirect exclude in" on the WCCP client interface (outbound interception only)
- WAAS Egress Method: IP Forwarding

Hardware Platforms (ASR, Nexus 7000, Catalyst 6500, 4500)
- L2 Redirect: Nexus 7000, Catalyst 6500, 4500, ASR
- WCCP GRE Redirect: Catalyst 6500, ASR, if required for design
- Mask Assignment (keep mask small)
- Inbound Interception
- Do not use "ip wccp redirect exclude in" (Catalyst 6500)
- WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)
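As an added example (not from the Cisco deck), the Python below models how WCCP mask assignment maps a source IP to a bucket and a bucket to a WAE for the masks the slides mention (0x300 and 0x700), and why a wider mask means more buckets; the WAE names and client addresses are constructed.

```python
"""WCCP mask assignment, modelled (added example, not Cisco code).

The router ANDs the source IP with the mask; the surviving bits, packed
together, form a bucket number, and every bucket is owned by exactly one WAE.
A mask with N set bits therefore yields 2**N buckets. Hardware platforms
program redirection entries per bucket, which is why the deck says to keep
the mask small there, while 0x700 leaves room to add WAEs later.
"""
import ipaddress
from typing import Dict, List


def bucket_count(mask: int) -> int:
    """Number of buckets a mask produces: 2 ** (set bits in the mask)."""
    return 1 << bin(mask).count("1")


def bucket_of(src_ip: str, mask: int) -> int:
    """Pack the masked bits of src_ip (lowest mask bit first) into a bucket index."""
    masked = int(ipaddress.IPv4Address(src_ip)) & mask
    bucket, out_bit = 0, 0
    for bit in range(32):
        if mask >> bit & 1:
            if masked >> bit & 1:
                bucket |= 1 << out_bit
            out_bit += 1
    return bucket


def assign_buckets(mask: int, waes: List[str]) -> Dict[int, str]:
    """Spread the buckets round-robin across the WAEs in the service group."""
    return {b: waes[b % len(waes)] for b in range(bucket_count(mask))}


def redirect_target(src_ip: str, mask: int, assignment: Dict[int, str]) -> str:
    """WAE that receives this source. Every router in the cluster holds the
    same table, so the choice does not depend on which router intercepts."""
    return assignment[bucket_of(src_ip, mask)]


if __name__ == "__main__":
    waes = ["wave-1", "wave-2"]  # constructed names
    for mask in (0x300, 0x700):
        table = assign_buckets(mask, waes)
        print(f"mask {mask:#x}: {bucket_count(mask)} buckets -> {table}")
        for ip in ("10.42.1.7", "10.42.6.20"):  # constructed client IPs
            print(f"  {ip} -> bucket {bucket_of(ip, mask)} -> "
                  f"{redirect_target(ip, mask, table)}")
```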

Network Interception: vPath Mode

vPATH Overview

Diagram: two VMware hosts (ESX Server 1 and ESXi Server 2), each running a Nexus 1000v VEM with vPATH, host the Web-Server 1, Web-Server 2, Web-Server 3, DBServer and App Server VMs alongside vWAAS1 and vWAAS2 as VSNs and a vCM; the hosts share an FC array over the SAN, and the Nexus 1000v VSM and vCenter Server manage the VEMs.
Port-profiles shown: Optimised Port-Profile for WAAS 1, Optimised Port-Profile for WAAS 2, Non-Opt Port-Profile, vWAAS Port-Profile.
VEM: Virtual Ethernet Module; VSM: Virtual Supervisor Module; VSN: Virtual Service Node

vPath Configuration Example

  ! Port-profile used by the vWAAS VM itself: no vn-service line, so the
  ! VSN's own traffic is not steered back to it
  port-profile type vethernet DC-vWAAS
    vmware port-group
    switchport mode access
    switchport access vlan 40
    no shutdown
    state enabled
  ! Port-profile for the server VMs to be optimised: vn-service steers their
  ! traffic through the vWAAS VSN at 10.42.40.210 on VLAN 40; "fail open"
  ! lets traffic pass unoptimised if the VSN is unreachable
  port-profile type vethernet server-3
    vmware port-group
    switchport mode access
    switchport access vlan 40
    vn-service ip-address 10.42.40.210 vlan 40 fail open
    no shutdown
    state enabled

vWAAS vPath Deployment: Port-Profile Configuration

- Network Admin view (Nexus 1000v VSM): define the Port-Profile with vPATH interception
- Server Admin view (vSphere client): the Port-Profile appears as a Port-group; attach the Opt port-profile to the server VMs

Deploying WAAS AOs

Secure Application Optimisers

SSL AO Overview
- Central WAVE acts as a Trusted Intermediary Node for SSL requests by the client
- Server Private Key and Certificate are securely loaded from the CM Secure Store to the Central WAVE
- Central WAVE participates in the SSL Handshake to derive the Session Key
- Central WAVE securely sends the session key in-band to the Edge WAVE, enabling it to terminate (decrypt/encrypt) the Client SSL session

Diagram: Client -- SSL Handshake -- Edge WAVE -- WAN -- Central WAVE -- SSL Handshake -- Server. The Central WAVE sends the session key to the Edge WAVE over a Secure Channel. Traffic is Original Data - Encrypted between Client and Edge WAVE, Optimised & Encrypted across the WAN, and Original Data - Encrypted between Central WAVE and Server. SSL Session: Client to Core WAE (WAAS); SSL Session: Central WAVE to Server.

SSL Secure Store

- CM secure store keeps all imported host and accelerated SSL certificates and private keys
- Certificates and private keys are encrypted with a user pass-phrase, which is entered:
  - when the secure store is being initialised for the first time (initialisation)
  - after the CM device reloads, to open the secure store (opening)
- CM secure store must be open to synchronise configuration between the SSL-capable CM and the WAVEs
- Upon reboot, if the CM detects the secure store is initialised but not open, a critical alarm is raised

E-MAPI AO Overview

New in WAAS v5.0 (June 2012)

- Preserves end-to-end security with Kerberos
- Operational consistency with MS infrastructure
- Consistent across version changes of MS Exchange

Diagram: Outlook Client -- Branch WAE -- WAN -- DC WAE -- Exchange Server, with a KDC/AD/DC; authentication is Kerberos/NTLM at each hop. The DC WAE sends the session key to the Branch WAE over a Transparent Secure Channel. Traffic is Original Data Encrypted/Signed between Outlook Client and Branch WAE, Optimised & Encrypted/Signed across the WAN, and Original Data Encrypted/Signed between DC WAE and Exchange Server.

E-MAPI AO Operation

- Grant the WAE Workstation account Key permission
- Kerberos session key allows access to Encrypt/Read/Sign Data
- Core WAAS securely transfers the key to the remote branch (WAN-Secure)

Diagram: Outlook Client -- Branch WAAS -- WAN -- Core WAAS -- Exchange Server, with an Active Directory Controller (Kerberos KDC); the client sends an Encrypted MAPI Request. Application Data: Encrypted, Authentication: Kerberos between Outlook Client and Branch WAAS; Application Data: Optimised, Encrypted, Authentication: Kerberos across the WAN; Application Data: Encrypted, Authentication: Kerberos between Core WAAS and Exchange Server.

E-MAPI Active Directory Integration

POC and Commercial Deployment Work Flow (with Admin Account)
Set Time, DNS and Domain info -> Enter User in WAE -> Ready!

Enterprise Deployment Work Flow (requires Active Directory team involvement)
- Workstation Account: Set Time, DNS and Domain info -> Join WAE to Domain -> Grant WAVE Key Permission -> Set WAVE to Use M/A -> Ready!
- User Account: Set Time, DNS and Domain info -> Create User in AD -> Grant WAVE Key Permission -> Enter User in WAVE -> Ready!

E-MAPI AO Configuration

Requirements
- WAVE requires DNS configuration to resolve AD domain queries
- All WAVEs should be NTP time synchronised with the AD domain

AD Provisioning
- User account identity: account created in the AD domain and provisioned on the WAVE
- Machine account identity: WAVE joins the AD domain
- The Domain Controller delegates read-only access for the root of the AD DB to the WAVE identity account

CM Configuration
- Enable the E-MAPI AO through the CM

Citrix ICA AO Overview

- ICA Optimisation enabled by default
- No changes to client configurations
- No changes to server-side configurations

Diagram: Branch Clients -- WAAS -- WAN -- WAAS -- Citrix Hosting Infrastructure (Virtual Desktops). Protocol labels shown: HDX with ICA, HDX Mediastream, CGP / Session Reliability.

Citrix ICA AO Deployment Guidelines

- Disable CGP unless needed for lossy links such as satellite
- Use Client Side Rendering for HDX Mediastream for Flash where possible, for optimal end-user experience
- Use Direct Print where possible, for optimal print performance
- When using Redirected Print Mode, ensure the Printer Redirection bandwidth and printer redirection bandwidth percentage settings are set to default (0)
- DRE caching is more effective with a greater number of users

Q&A

Complete Your Online Session Evaluation

Complete your session evaluation:
- Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and logging in with your username and password
- Visit one of the Cisco Live internet stations located throughout the venue
- Open a browser on your own computer to access the Cisco Live onsite portal

Don't forget to activate your Cisco Live Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.