BRKAPP-2005
www.ciscolivevirtual.com
Agenda
WAAS Overview
WAAS Installation and Configuration
Network Interception
WAAS Application Optimiser (AO) Deployments
WAAS Overview
Video: single-box solution addressing VoD and live streaming
Cloud
WAN refresh: 100% of ISR G2s ship WAAS-ready; the SRE provides flexible options
Diagram: Client - LAN switch - WAN - LAN switch - Server. The LAN offers low latency and reliability; WAN connectivity suffers from latency, low bandwidth, congestion and packet loss.
Diagram: WAAS deployment. Branch offices and a regional office connect across the WAN to a data centre running WAAS appliances, vWAAS appliances (server VMs on VMware ESXi) and WAAS Central Managers (CMs).

Platforms shown, from tele worker to data centre: WAAS Mobile (tele worker); ISR 890, 1941/2901, 29xx and 39xx routers with SM-SRE-7X0 and SM-SRE-9X0 modules; WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541; vWAAS-6000 and vWAAS-12000 (vWAAS appliances and WAAS CMs). Branch sizes range from small to medium to large.
WAAS 4.4: per-peer signatures (diagram: one signature per peer, Peer 1 to Peer n) provide fault isolation, prevent branch starvation and enable lowest-latency data store access.

WAAS 4.5: no changes to servers. Cisco WAAS 4.5.1 is jointly tested, validated, supported and verified as a Citrix Ready solution (diagram: branch office and data centre across the WAN).
WAAS Application Policy defines:
L4: basic optimisation
L5-7: latency mitigation

Diagram: the host protocol stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) at either end; WAAS 1 and WAAS 2 each run an Application Optimiser (AO) above TFO at the network layer. The client-side origin connection terminates on WAAS 1, the optimised connection crosses the WAN between WAAS 1 and WAAS 2, and a second origin connection runs from WAAS 2 to the server.
Chart: congestion window (cwnd) against time in RTTs, comparing TFO with standard TCP.
Advanced Compression

Data Redundancy Elimination (DRE): application-agnostic compression, up to 100:1. WAAS 4.4 adds Context Aware DRE.
Persistent LZ Compression: session-based, application-agnostic compression, up to 10:1; works even while the DRE cache is cold.

Diagram: DRE and LZ applied to traffic crossing the WAN.
Application-Specific Acceleration

Application/protocol awareness provides latency mitigation and LAN-like performance. Application Optimisers (AOs): CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI.

Diagram labels: Object Cache, Verification, Security and Control, WAN Optimisation, WAN Bandwidth Savings.
Network Transparency

Diagram: networks A/24, B/24 and C/24 on one side of the WAN, D/24 and E/24 on the other. Packets between each network are routed as normal, and WAAS auto-discovery finds the WAVEs in the path. WAAS network transparency (the same L3/L4 headers before and after optimisation) lets the application acceleration components stay compliant with existing network features:
Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting
Security functions (ACLs, firewall policies)
Auto-discovery

Without a WAVE in the path the origin connection completes normally: A:D SYN, D:A SYN/ACK.

With WAVEs in the path (client A to server E):
A:E SYN (the client sends a normal SYN; origin connection)
A:E SYN(OPT) (the first WAVE adds the WAAS TCP option)
E:A SYN/ACK(OPT) (the far WAVE marks the SYN/ACK)
A:E ACK(OPT)
A:E ACK(OPT)

Result: origin connection from the client to the near WAVE, optimised connection between the WAVEs across the WAN, origin connection from the far WAVE to the server.
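The handshake above, played out as a simplified model. This is an added example, not Cisco code: it assumes that every WAVE stamps the SYN with its own identifier in a TCP option, that the WAVE nearest the server stamps the SYN/ACK, and that a client-side WAVE which sees a stamped SYN/ACK has found its peer. The real option format and WAVE identifiers are not modelled; the trace labels reuse the slide's A:E notation.

```python
# Added example (not Cisco code): a simplified model of WAAS TCP auto-discovery.
# Assumptions: every WAVE stamps the SYN with its identifier in a TCP option; the
# WAVE nearest the server stamps the SYN/ACK; the client-side WAVE that sees a
# stamped SYN/ACK knows it has a peer and optimises the flow. A SYN/ACK that
# comes back unstamped means no peer exists and the flow is passed through.

CLIENT, SERVER = "A", "E"


class Segment:
    """One TCP control segment carrying an optional list of WAVE identifiers."""

    def __init__(self, src, dst, flags, opt=None):
        self.src, self.dst, self.flags = src, dst, flags
        self.opt = list(opt or [])

    def label(self):
        # Slide notation, e.g. "A:E SYN(OPT)"
        mark = "(OPT)" if self.opt else ""
        return f"{self.src}:{self.dst} {self.flags}{mark}"


def handshake(waves):
    """Simulate the three-way handshake through an ordered list of WAVE names
    (client side first; may be empty). Returns (mode, peer_pair, trace)."""
    trace = []

    # SYN travels from the client; each WAVE in the path appends its identifier
    syn = Segment(CLIENT, SERVER, "SYN")
    trace.append(syn.label())
    for w in waves:
        syn.opt.append(w)
        trace.append(syn.label())

    # The server does not understand the option and answers with a plain SYN/ACK
    synack = Segment(SERVER, CLIENT, "SYN/ACK")
    peers = None
    for w in reversed(waves):
        if len(waves) >= 2 and w == waves[-1]:
            synack.opt.append(w)           # server-side WAVE announces "peer present"
        trace.append(synack.label())
        if w == waves[0] and synack.opt:
            peers = (waves[0], waves[-1])  # client-side WAVE has found its peer

    if peers is None:
        # zero or one WAVE: the SYN/ACK came back unstamped, so pass the flow through
        return "pass-through", None, trace

    ack = Segment(CLIENT, SERVER, "ACK", opt=[peers[0]])
    trace.append(ack.label())
    return "optimised", peers, trace


if __name__ == "__main__":
    for path in ([], ["WAVE-1"], ["WAVE-1", "WAVE-2"]):
        mode, peers, trace = handshake(path)
        print(path, mode, peers)
        for step in trace:
            print("  ", step)
```

With two WAVEs the trace reproduces the slide's sequence (SYN, SYN(OPT), SYN/ACK(OPT), ACK(OPT)); with a single WAVE the SYN is stamped but the SYN/ACK returns clean, which is exactly the signal that tells a lone WAVE to leave the connection alone.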
Table: WAVE and vCM platform sizing by model (WAVE models up to WAVE-8541; vCM-100N and vCM-2000N). The column and row headings of this table were not recovered.
WAAS Deployment: Installation and Configuration

4. Bring up all Application Accelerators.
5. Configure traffic interception (inline, WCCP etc).
6. Start traffic interception on core or central devices first, followed by remote devices.
Sample device status line:
WAAS Application Engine 10.42.40.1 10.42.40.1 Online Thu Dec 29 17:56:19 2011
CM Configuration

The CM is located in the Data Centre; the setup script is recommended. Non-default configuration covers device mode, hostname, primary interface, IP configuration, date/time configuration and the Configuration Management System (CMS).

device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0

CMS must be enabled to access the CM GUI. A reload is required (role change). Optionally use a standby interface to dual-home to two switches.
WAAS CM Dashboard
https://cm-ipaddress:8443
Device group settings:
AllWAASGroup: DNS; SNMP; Date/Time > NTP Server | Time Zone; Login Access Control > SSH | MoD | Exec Timeout; Authentication; System Log Settings; Storage > Disk Error Handling
SSLDevicesGroup: SSL Acceleration
AccelerationGroup: Application Policies (optional)
WAAS Monitoring (CM dashboard screenshot)

WAVE initial configuration: IP configuration, then CMS enable.
Interfaces: onboard GigabitEthernet 0/1. I/O modules: GigabitEthernet 1/0, 1/1 to 1/7 (standalone mode); InlineGroup 1/0, 1/1, 1/2, 1/3 (inline mode); TenGigabitEthernet 1/0, 1/1. Module options: WAVE-INLN-GE-4T, WAVE-INLN-GE-8T, WAVE-INLN-GE-4SX, WAVE-10GE-2SFP.
Standby Interface

There must be a Layer 2 path between the two WAVE Ethernet ports. The MAC address is present only on the in-use interface; the primary preempts; gratuitous ARPs are sent on failover.

WAVE(config)#interface Standby 1
WAVE(config-if)#ip address 10.1.2.100 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#standby 1 primary
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#standby 1
WAVE(config-if)#exit
WAVE(config)#primary-interface standby 1
WAVE#show interface standby 1
Interface Standby 1 (2 physical interface(s)):
GigabitEthernet 0/0 (active)(primary)(in use)
GigabitEthernet 0/1 (active)

Diagram: Gi 0/0 and Gi 0/1 in the standby group.
PortChannel Interface

The IP address is defined on the PortChannel interface. Default load-balance method: source-destination IP and port.

WAVE(config)#interface PortChannel 1
WAVE(config-if)#no shut
WAVE(config-if)#ip address 10.1.1.31 255.255.255.0
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1

Diagram: Gi 0/0 and Gi 0/1 bundled into the PortChannel towards the switch.
CM Management

New WAAS devices are automatically added to AllWAASGroup. Add the new device to other groups (e.g. Edge, SSL) where necessary.
vWAAS Overview

Target use cases: Private Cloud (Enterprise DC), Virtual Private Cloud, Hybrid Cloud.

Interception options for vWAAS on VMware ESX/ESXi:
WCCP interception from a Cat6K/N7K; multiple vWAAS VMs can exist in the same WCCP cluster
vPath interception

Diagram: vWAAS VMs on a UCS/x86 server attached through Nexus 2K/5K access switches, with the WAN reached via the Cat6K/N7K.
vWAAS Installation

The vWAAS Virtual Appliance (OVF) is preconfigured with disk, memory, CPU, NICs and other VMware configuration settings.
Models: vWAAS-200, 750, 6000, 12000, EVAL; vCM-100N, 2000N.

System requirements:
VMware vSphere 4.x/5.x ESXi hypervisor
VMware vCenter server and vSphere client 4.x/5.x
Cisco UCS or other x86 server with a 64-bit CPU on the VMware HCL
Ensure Intel VT is enabled in the host BIOS
Thick-provisioned storage

(OVF deployment walk-through screenshots follow.)
vWAAS Configuration

vWAAS configuration is the same as for a WAVE; connect to the console through vCenter.
Network Interception: Inline Mode

High availability: two 2-port fail-to-wire groups support redundant network paths and asymmetric routing; serial in-path clustering with fail-over. Inline modules: WAVE-INLN-GE-4T, WAVE-INLN-GE-8T, WAVE-INLN-GE-4SX, WAVE-10GE-2SFP.

Diagram: HA deployment with WAN1 and WAN2 paths through the inline groups.

Inline deployment notes
Switch side: straight-through cable from the engine to the switch; ensure the router and switch have matching speed and duplex; implement portfast for faster recovery.
WAVE side: one inline port group; ports fail-to-wire upon hardware, software or power failure; interception of 802.1q trunks is supported; use Gi0/0 as the primary interface.
Network Interception
WCCP Mode
WCCP Functions

INTERCEPT: identify packets for WCCP processing (in or out)
ASSIGN: select the target WAVE in the cluster
REDIRECT: the router/switch sends the packet to the WAVE
RETURN: for unprocessed traffic, the WAVE returns the packet to the router
EGRESS: for processed/optimised traffic, the WAVE egresses the packet back to the router
WCCP Redirect-List

Matches traffic for interception: permit all applications but deny specific protocols.
Avoid redirection of management traffic with a universal ACL.
Apply the ACL bidirectionally to service groups 61 and 62.
Create the redirect ACL before enabling WCCP service groups 61 and 62.
Do not enable logging on the WCCP redirect ACL (performance).

ip access-list extended waas-redirect
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 ! Reverse Direction
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 !
 permit tcp any <<branch subnet>>
 permit tcp <<branch subnet>> any
 ! Implicit DENY ALL
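To check what the redirect-list above actually does before it is attached to service groups 61 and 62, the following added example (not Cisco code) parses the ACL's IOS syntax, evaluates sample TCP flows first-match, and lints for the two pitfalls the slide calls out: a logging keyword, and a deny that exists in one direction only. The branch subnet 192.0.2.0/24, the server 10.0.0.5 and the flows are constructed; 192.0.2.0 0.0.0.255 stands in for the slide's <<branch subnet>> placeholder.

```python
# Added example (not Cisco code): parse the slide's WCCP redirect-list and decide
# which TCP flows a router would redirect to the WAVE cluster. The branch subnet
# 192.0.2.0/24 and server 10.0.0.5 are constructed placeholders.
import ipaddress

# IOS port keywords used in the slide's ACL (constructed subset)
PORT_NAMES = {"telnet": 23, "bgp": 179, "tacacs": 49}

REDIRECT_ACL = """
ip access-list extended waas-redirect
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 ! Reverse Direction
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 !
 permit tcp any 192.0.2.0 0.0.0.255
 permit tcp 192.0.2.0 0.0.0.255 any
 ! Implicit DENY ALL
"""


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _address(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # "addr wildcard": an IOS wildcard mask is the inverse of a subnet mask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _port_match(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn 'permit/deny tcp <src> [eq p] <dst> [eq p] [log]' lines into entries."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", "ip", "remark"):
            continue
        action, proto = t[0], t[1]
        src, i = _address(t, 2)
        sport, i = _port_match(t, i)
        dst, i = _address(t, i)
        dport, i = _port_match(t, i)
        entries.append({"action": action, "proto": proto, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "log": "log" in t[i:]})
    return entries


def wccp_decision(entries, src_ip, sport, dst_ip, dport):
    """First-match evaluation: permit -> 'redirect'; deny or no match -> 'bypass'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e["proto"] != "tcp" or s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return "redirect" if e["action"] == "permit" else "bypass"
    return "bypass"  # implicit deny all


def lint(entries):
    """Checks from the slide: no logging, and every deny mirrored for the reverse direction."""
    findings = []
    if any(e["log"] for e in entries):
        findings.append("logging enabled on redirect ACL (performance)")
    forward = {e["dport"] for e in entries if e["action"] == "deny" and e["dport"] is not None}
    reverse = {e["sport"] for e in entries if e["action"] == "deny" and e["sport"] is not None}
    for port in sorted(forward - reverse):
        findings.append(f"port {port} denied towards servers only; add 'deny tcp any eq {port} any'")
    return findings


ENTRIES = parse_acl(REDIRECT_ACL)

if __name__ == "__main__":
    flows = [("192.0.2.10", 51000, "10.0.0.5", 445),  # CIFS from a branch client
             ("192.0.2.10", 51001, "10.0.0.5", 22),   # SSH management session
             ("10.0.0.5", 22, "192.0.2.10", 51001),   # its return direction
             ("172.16.0.9", 51002, "10.0.0.5", 80)]   # non-branch source
    for f in flows:
        print(f, "->", wccp_decision(ENTRIES, *f))
    print("lint:", lint(ENTRIES) or "clean")
```

The reverse-direction check matters because service group 62 sees the server-to-client half of each flow: a deny that only names the destination port would still let SSH return traffic be redirected through the WAVE.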
WCCP Redirection

Default service groups 61 and 62 (multiple service groups are now supported).
Redirect 61: traffic FROM clients, load-balanced on source IP.
Redirect 62: traffic FROM servers, load-balanced on destination IP.
Mask Assignment

Mask: a bit-level AND, dividing traffic into up to 128 buckets (7 mask bits). Optimised for hardware-based routing platforms (e.g. Nexus, Catalyst). Always keep the mask as small as possible; the number of buckets (and so the mask size) is based on the number of WAVEs in the cluster.

Diagram: a 3-bit mask yields buckets 000, 001, 010, 011, 100, 101, 110, 111.
Hash Assignment

The hash is applied to the source OR destination IP depending on the service group (61/62), so the assignment matches in both directions.

Diagram: client 10.1.1.1 to server 20.1.1.1. Service group 61 hashes Src 10.1.1.1 on the client-to-server direction; service group 62 hashes Dst 10.1.1.1 on the return direction from the WAN. Hash buckets 0-127 map to WAVE-A and 128-255 to WAVE-B, so both directions select the same WAVE.
Mask Assignment

The mask is applied to the source OR destination IP depending on the service group (61/62), so the assignment matches in both directions.

Diagram: the same flow with a two-bit mask and four WAVEs: bucket 00 WAVE-A, 01 WAVE-B, 10 WAVE-C, 11 WAVE-D. Service group 61 masks Src 10.1.1.1 towards the WAN; service group 62 masks Dst 10.1.1.1 on the return direction.
If balancing across multiple engines with mask, set the mask to match the host bits:

Src/Dst IP (Dec) = 10.1.1.1
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Two-WAVE cluster mask 0x3 = 0000:0000.0000:0000.0000:0000.0000:0011
Result: 01 -> WAVE-B

Data Centre: assuming a /24 allocation per site (or per subnet), set the mask to match the third octet (subnet), with a mask range of 0x100 to 0x7F00:

Src/Dst IP (Dec) = 10.1.1.1
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Eight-WAVE cluster mask 0x700 = 0000:0000.0000:0000.0000:0111.0000:0000
Result: 001 -> WAVE-B
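The two hand-worked mask calculations above, generalised in an added example (not Cisco code): it computes the bucket for any address and mask, prints the slide's nibble-grouped binary, and compares a host-bit mask with a subnet-bit mask over a constructed set of eight /24 branch sites. WAVE names, the round-robin dealing of surplus buckets to WAVEs, and the sample addresses are assumptions of the example.

```python
# Added example (not Cisco code): WCCP mask-assignment buckets as worked on the
# slide, generalised. Assumptions: WAVE names, sample addresses, and dealing of
# surplus buckets to WAVEs round-robin are constructed for illustration.
import ipaddress
import math
from collections import Counter


def mask_bucket(ip, mask):
    """Bitwise AND of the address with the mask, then compress the masked bits
    into a bucket index (least-significant masked bit first)."""
    masked = int(ipaddress.IPv4Address(ip)) & mask
    bucket, out_bit = 0, 0
    for bit in range(32):
        if mask >> bit & 1:
            if masked >> bit & 1:
                bucket |= 1 << out_bit
            out_bit += 1
    return bucket


def bucket_bits(mask):
    """Number of mask bits set; WCCP allows at most 7 (128 buckets)."""
    bits = bin(mask).count("1")
    if bits > 7:
        raise ValueError(f"mask 0x{mask:x} has {bits} bits; WCCP allows 7 at most")
    return bits


def mask_for_buckets(num_buckets, shift=0):
    """Smallest contiguous mask giving num_buckets buckets, shifted onto the
    wanted octet (shift=8 puts the mask on the third octet, as on the slide)."""
    bits = max(1, math.ceil(math.log2(num_buckets)))
    return ((1 << bits) - 1) << shift


def assign(ip, mask, waves):
    """Map a bucket to a WAVE; surplus buckets are dealt round-robin (assumption)."""
    return waves[mask_bucket(ip, mask) % len(waves)]


def distribution(ips, mask, waves):
    """How a set of addresses spreads across the cluster for a given mask."""
    return Counter(assign(ip, mask, waves) for ip in ips)


def format_binary(value):
    """Nibble-grouped binary in the slide's notation, e.g. 0000:1010.0000:0001..."""
    octets = [(value >> s) & 0xFF for s in (24, 16, 8, 0)]
    return ".".join(f"{o >> 4:04b}:{o & 0xF:04b}" for o in octets)


# Constructed sample: eight branch sites 10.1.1.0/24 .. 10.1.8.0/24, three hosts each
SITES = [f"10.1.{site}.{host}" for site in range(1, 9) for host in (1, 2, 3)]
TWO = ["WAVE-A", "WAVE-B"]
EIGHT = [f"WAVE-{c}" for c in "ABCDEFGH"]

if __name__ == "__main__":
    addr = int(ipaddress.IPv4Address("10.1.1.1"))
    print("10.1.1.1   =", format_binary(addr))
    print("mask 0x3   =", format_binary(0x3), "->", mask_bucket("10.1.1.1", 0x3),
          assign("10.1.1.1", 0x3, TWO))
    print("mask 0x700 =", format_binary(0x700), "->", mask_bucket("10.1.1.1", 0x700),
          assign("10.1.1.1", 0x700, EIGHT))
    # A host-bit mask scatters each site's clients over the cluster; a third-octet
    # mask keeps every host of a /24 site on the same WAVE.
    print("host bits  :", dict(distribution(SITES, 0x3, TWO)))
    print("subnet bits:", dict(distribution(SITES, 0x700, EIGHT)))
```

Running it shows why the slide pairs the third-octet mask with /24 sites: with 0x700 each of the eight constructed sites lands wholly on one WAVE, while with 0x3 the three hosts of every site are split across WAVE-A and WAVE-B. `bucket_bits` also rejects masks wider than the 7-bit WCCP limit mentioned earlier in the deck.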
Generic GRE: the flow is sent back inside a preconfigured generic GRE tunnel to the switch (specific to hardware-assisted interception on the Catalyst 6500).
Layer 2 Methods

The WAVE must be L2 adjacent to the router.

L2 Redirect (available today): rewrite the frame destination MAC to the WAVE MAC address and transmit the frame towards the WAVE.
L2 Return: rewrite the frame destination MAC to the router MAC address and transmit the frame towards the router.
L2 Egress: rewrite the frame destination MAC to the router MAC address and transmit the frame towards the redirecting router.
IP Forwarding Egress: the WAVE ARPs for its default gateway and forwards the frame as an IP packet to the gateway address.

Diagram: Redirect: L2; Return: L2; Egress: L2.
Router/Switch with Redirect: GRE. The WCCP Router-ID defaults to the loopback or highest IP address; on the ASR it is configurable with the ip wccp sourceaddress command.

Redirect Loop

Diagram: service groups 61 and 62 on the router facing the WAN.
Cause: redirect OUT configured.
Solution A: reconfigure to redirect IN.
Solution B: configure redirect-exclude IN.
Table: WCCP platform support matrix (ASR 1000, Catalyst 4500 Sup6/Sup7, Catalyst 3750, 7600, ISR and ISR G2). Recoverable cells: the Catalyst 4500 and Catalyst 3750 support mask assignment with L2 redirect only; the Catalyst 3750 redirect-list must be an extended ACL with no deny entries, redirecting In with L2; other platforms redirect In or Out using GRE or L2. Minimum software releases listed: 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M (use L2/Mask); 12.2(37)SE; 12.2(18)SXF; 15.0(2)SG (Sup6); 15.1(1)SG (Sup7).
This list is dynamic over time; see the release notes for the latest information.
WAVE WCCP configuration:
wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2
Placement of service groups 61 and 62 is determined by the topology (diagram: 61 and 62 on either side of the WAN router).
Branch example: an ISR with an SRE-700 module (sm1/0), LAN interface g0 facing the clients (service group 61) and WAN interface s0 (service group 62).

Router:
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE (mask assignment with L2 redirect; hash assignment is the alternative):
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1
wccp version 2
Data centre design with ASR 1000 WAN routers (WCCP GRE):
WAVE registration: loopback IP of the router
ASR Router-ID: configured loopback IP
Single WCCP cluster; each WAVE registers to both routers
Assignment: Mask
Redirect: WCCP GRE
Return/Egress: WCCP GRE
Variable WCCP timers configured for fast convergence
Network: WAVEs on a dedicated or shared VLAN; WAVEs could be vPC connected to the Nexus access layer; routed edge link with no WCCP

Diagram: a WAVE/vWAAS cluster registering over WCCP to a pair of ASR 1000 routers facing the WAN.

Data centre design with Nexus 7000 aggregation and ASR 1000 WAN routers (L2 redirect):
WAVE registration: interface IP of the router
ASR Router-ID: configured loopback IP
Single WCCP cluster; each WAVE registers to both routers
Assignment: Mask
Redirect: Layer 2
Return/Egress: Layer 2 / IP forwarding (L2 Egress in WAAS v5.0)
Network: WAVEs on a dedicated VLAN with no redirect; all server VLAN SVIs have 62 redirect IN; WAVEs could be vPC connected to the Nexus access layer; L2 between aggregation switches

Data centre design with a full mesh of Nexus 7000 aggregation switches and ASR 1000 (L2 redirect):
WAVE registration: interface IP of the router
ASR Router-ID: configured loopback IP
Single WCCP cluster; each WAVE registers to all aggregation Nexus switches (full mesh)
Assignment: Mask (0x300, or 0x700 for growth)
Redirect: Layer 2
Return/Egress: Layer 2 / IP forwarding (L2 Egress in WAAS v5.0)
Network: WAVEs on a dedicated VLAN with no redirect; all server VLAN SVIs have 62 redirect IN; WAVEs could be vPC connected; L2 between aggregation switches; routed edge link

High availability via WCCP maintains symmetric traffic flows.
Network Interception: vPath Mode

vPath overview diagram: vWAAS1 and vWAAS2 (each a Virtual Service Node) and a vCM run alongside Web-Server 1, Web-Server 2 and a DB server on hosts with FC array/SAN storage; vPath steers traffic from the server VMs to the vWAAS VSNs. Legend: VEM: Virtual Ethernet Module; VSM: Virtual Supervisor Module; VSN: Virtual Service Node.

vCenter Server port profiles: Optimised Port-Profile for WAAS 1, Optimised Port-Profile for WAAS 2, Non Opt Port-Profile, vWAAS Port-Profile. The port-group is selected in the vSphere client (screenshot).
SSL AO Overview

The central WAVE acts as a trusted intermediary node for the client's SSL requests. The server private key and certificate are securely loaded from the CM secure store to the central WAVE. The central WAVE participates in the SSL handshake to derive the session key, then securely sends the session key in-band to the edge WAVE, enabling it to terminate (decrypt/encrypt) the client SSL session.

Diagram: client - SSL handshake - edge WAVE - WAN - central WAVE - SSL handshake - server; the central WAVE sends the session key to the edge WAVE over a secure channel. Original data is encrypted on both origin sides; between the WAVEs it is optimised and encrypted.

The CM secure store must be open to synchronise configuration between an SSL-capable CM and the WAVEs. Upon reboot, if the CM detects that the secure store is initialised but not open, a critical alarm is raised.
E-MAPI AO Overview

Preserves end-to-end security with Kerberos; operational consistency with the Microsoft infrastructure.

Diagram: Outlook client - Branch WAE - WAN - DC WAE - Exchange Server, with Kerberos/NTLM authentication at each stage against the KDC/AD/DC. Original data is encrypted/signed on both origin sides; between the WAEs it is optimised and encrypted/signed.

E-MAPI AO Operation

Grant the WAE workstation account key permission. Diagram: Outlook client to Exchange Server across the WAN; application data encrypted with Kerberos authentication on the origin sides, optimised and encrypted with Kerberos authentication between the WAEs; both WAEs report Ready!
E-MAPI AO Configuration

Requirements: the WAVE requires DNS configuration to resolve AD domain queries; all WAVEs should be NTP time-synchronised with the AD domain.

AD provisioning:
User account identity: an account created in the AD domain and provisioned on the WAVE
Machine account identity: the WAVE joins the AD domain; the domain controller delegates read-only access for the root of the AD database to the WAVE identity account

CM configuration: enable the E-MAPI AO through the CM.
Citrix ICA deployment (diagram): virtual desktops - WAAS - WAN - WAAS - branch clients; HDX MediaStream.

When using Redirected Print Mode, ensure the Printer Redirection bandwidth and printer redirection bandwidth percentage settings are left at the default (0).
DRE caching is more effective with a greater number of users.
Q&A

Visit one of the Cisco Live internet stations located throughout the venue, or open a browser on your own computer to access the Cisco Live onsite portal.
Don't forget to activate your Cisco Live Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.