BRKAPP-2005 Deploying Cisco Wide Area Application Services (WAAS) www.ciscolivevirtual.com

Deploying Cisco Wide Area Application Services (WAAS) · d2zmdbbm9feqrf.cloudfront.net/2012/anz/pdf/BRKAPP-2005.pdf



© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2005 2

Agenda

WAAS Overview

WAAS Installation and Configuration

Network Interception

WAAS Application Optimiser (AO) Deployments

WAAS Sizing Guidelines


WAAS Overview


WAAS Helps To Accelerate Top-of-mind CIO Initiatives

VDI & BYOD, Video, Cloud, App Rollouts, WAN Refresh

Single box solution addresses VoD, Live Streaming

Solutions for Private and Public Cloud

Industry leading app performance with NEW appliances

100% ISR G2s ship WAAS-ready

SRE provides flexible options


Application Delivery Challenges

LAN Connectivity: High bandwidth, Low latency, Reliability

WAN Connectivity: Latency, Low bandwidth, Congestion, Packet Loss

[Diagram: Client, Switch and Server on a LAN, Round Trip Time ~ 0ms; Client and Server LAN switches joined across a WAN, Round Trip Time ~ Many milliseconds]


Cisco WAAS: WAN Optimisation Solution

[Diagram: Branch Offices with WAAS Services Ready Engine, WAAS Express and WAAS Appliance; Regional Office with WAAS Appliance; Data Centre or Private Cloud with WAAS Appliances and WAAS CMs; Virtual Private Cloud with vWAAS Appliances and Server VMs on VMware ESXi (UCS/x86 Server, Nexus 1000v vPATH, Nexus 1000v VSM, FC SAN); all sites connected across the WAN]


WAAS Product Portfolio

Deployment sizes: Tele Worker, Small Branch, Medium Branch, Large Branch, Small-Medium Data Centre, Data Centre & Campus

WAAS Appliances: WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541

WAAS ISR Modules: SM-SRE-7X0, SM-SRE-9X0

Router platforms shown: 890, 1941/2901, 29xx, 39xx

WAAS Express

vWAAS: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000

WAAS Mobile


Next Generation WAVE Appliances

Purpose built hardware

Optional I/O modules including Optical and 10Gbps Ethernet

Up to 2 Gbps optimised throughput

Up to 8 Virtual Blades (WAVE-694)


WAAS Context Aware Cache Architecture

App Aware Cache Manager: Optimises cache behaviour based upon traffic directionality

Per Peer Signatures: provides fault isolation, prevents branch starvation and enables lowest latency data store access

CIFS Object Cache: Includes File Pre-positioning. Ideal for High latency / Low BW links

Adaptive DRE Cache: Unified Data Store, single store for all peers

[Diagram: Data Store (Disk) with Signatures (in memory) held per peer for Peer 1, Peer 2 ... Peer n]

App Policy Controlled:

Uni-Directional Traffic: only written to destination cache. No cache consumption at source

Bi-Directional Traffic: written to both caches

WAAS 4.4


Citrix XenApp and XenDesktop Support

No changes to clients

No changes to servers

[Diagram: Branch Office and Data Centre connected across the WAN with a Transparent Handshake]

Zero-touch deployment, auto-interoperability with ICA encryption & compression

High Performance virtual desktops

WAAS 4.5

Cisco WAAS 4.5.1 is jointly tested, validated, supported and verified as a Citrix Ready™ solution


[Diagram: OSI stacks for Client and Host (Application, Presentation, Session, Transport, Network, Data Link, Physical) with WAAS 1 and WAAS 2 between them, each running Application Optimiser (AO) and TFO above Network, Data Link and Physical; Origin connections on each side and an Optimised connection across the WAN]


Session and Transport Layer Optimisation

WAAS Application Policy defines: L4: basic optimisation L5-7: latency mitigation


TFO vs Regular TCP in the WAN

[Graph: cwnd against Time (RTT) through Slow Start and Congestion Avoidance, comparing TCP and TFO]

Cisco TFO Provides Significant Throughput Improvements over Standard TCP Implementations

TFO uses RFC 2018, RFC 1323, RFC 3390 and BIC-TCP

http://netsrv.csc.ncsu.edu/export/bitcp.pdf


Advanced Compression

[Diagram: DRE and LZ at each end of the WAN with Synchronised Compression History]

Benefits

Data Redundancy Elimination (DRE)

• Application-agnostic compression

• Up to 100:1 compression

• WAAS 4.4: Context Aware DRE

Persistent LZ Compression

• Session-based compression

• Up to 10:1 compression

• Works even during cold DRE cache


Application-Specific Acceleration

[Diagram: Remote Office and Data Centre connected across the WAN]

• Object Cache Verification

• Security and Control

• WAN Optimisation

• WAN Bandwidth Savings

• Server Safely Offloaded

• Fewer Servers Needed

• Power/Cooling Savings

• LAN-like Performance

Application/Protocol Awareness - Latency mitigation

Application Optimisers (AOs) – CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI

Licensed, developed and validated with application vendors


Network Transparency

Packets between each network are routed as normal.

WAAS auto-discovery will find WAVEs in path

WAAS Network Transparency (same L3/L4 headers) allows application acceleration components to maintain compliance with existing network features:

Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting

Security functions (ACLs, firewall policies)

[Diagram: networks A/24, B/24, C/24, D/24 and E/24 connected across the WAN]


Auto Discovery - Two WAVE Configuration

In-band signalling with TCP option 0x21

WAE (B) closest to client (A) and WAVE (C) closest to server (D)

Connection optimised between WAVE (B) and (C)

WAVE shifts optimised TCP SEQ number by 2 billion

If a WAVE that was optimising fails:

Hosts will see segments with SEQ/ACK numbers that are out of range

Host will reset (RST) connection

Client will re-establish a new TCP connection

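[Diagram: client A, WAVE B, WAVE C, server D]

SYN: A-B: A:D SYN | B-C: A:D SYN(OPT) | C-D: A:D SYN(OPT)

SYN/ACK: A-B: D:A SYN/ACK | B-C: D:A SYN/ACK(OPT) | C-D: D:A SYN/ACK

Connections: A-B: Origin Connection | B-C: Optimised Connection | C-D: Origin Connection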
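An added example (not part of the Cisco deck): Python code that walks the TCP options of a raw header to spot the auto-discovery option 0x21 in a capture, and shows why a SEQ number shifted by 2 billion falls outside a host's receive window once the optimising WAVE is gone. The sample headers, the option's 10-byte payload and the exact shift value are constructed assumptions; the slides do not describe the option's contents.

```python
import struct

WAAS_AD_KIND = 0x21                 # TCP option kind named on the slide
ASSUMED_SEQ_SHIFT = 2_000_000_000   # "2 billion" taken literally (assumption)


def build_tcp(sport, dport, seq, ack, flags, options=b""):
    """Build a raw TCP header (checksum left at 0) for the constructed samples."""
    options += b"\x01" * (-len(options) % 4)      # pad with NOPs to a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, 65535, 0, 0) + options


def tcp_options(tcp_header):
    """Yield (kind, payload) for every option in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # NOP is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option is missing its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        yield kind, opts[i + 2:i + length]
        i += length


def classify(tcp_header):
    """Report the handshake flags and whether the auto-discovery option is present."""
    kinds = [kind for kind, _ in tcp_options(tcp_header)]
    flags = tcp_header[13]
    return {"syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "waas_option": WAAS_AD_KIND in kinds}


def in_receive_window(seg_seq, rcv_nxt, rcv_wnd):
    """Modulo-2^32 check a host applies to an incoming segment's SEQ number."""
    return (seg_seq - rcv_nxt) % 2**32 < rcv_wnd


# Constructed samples: the same SYN as seen on the A-B segment (origin)
# and on the B-C segment (marked by the first WAVE).
MSS = bytes([2, 4]) + struct.pack("!H", 1460)
AD_OPTION = bytes([WAAS_AD_KIND, 12]) + bytes(10)   # opaque placeholder payload
SYN_ORIGIN = build_tcp(49152, 445, 1000, 0, 0x02, MSS)
SYN_MARKED = build_tcp(49152, 445, 1000, 0, 0x02, MSS + AD_OPTION)

if __name__ == "__main__":
    print("A-B:", classify(SYN_ORIGIN))
    print("B-C:", classify(SYN_MARKED))
    rcv_nxt = 5000
    shifted = (rcv_nxt + ASSUMED_SEQ_SHIFT) % 2**32
    print("unshifted accepted:", in_receive_window(rcv_nxt, rcv_nxt, 65535))
    print("shifted accepted:  ", in_receive_window(shifted, rcv_nxt, 65535))
```
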


Auto-Discovery – Multi WAVE Configuration

Optimised connection established between WAVE (B) and WAVE (D)

Intermediate WAVE (C) sees TCP option in both directions and switches to Pass Through (PT)

Each WAVE supports 10X optimised connection limit for Pass Through connections

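[Diagram: client A, WAVE B, WAVE C, WAVE D, server E]

SYN: A-B: A:E SYN | B-C: A:E SYN(OPT) | C-D: A:E SYN(OPT) | D-E: A:E SYN(OPT)

SYN/ACK: A-B: E:A SYN/ACK | B-C: E:A SYN/ACK(OPT) | C-D: E:A SYN/ACK(OPT) | D-E: E:A SYN/ACK

ACK: A-B: A:E ACK | B-C: A:E ACK(OPT) | C-D: A:E ACK(OPT) | D-E: A:E ACK

Connections: A-B: Origin Connection | B-D: Optimised Connection | D-E: Origin Connection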


WAAS Sizing Guidelines


WAVE - Platform Performance (4.5)

Columns: SRE-7X0-S, SRE-7X0-M, SRE-9X0-S, SRE-9X0-M, SRE-9X0-L, 294-4G, 294-8G, 594-6G, 594-12G, 694-16G, 694-24G, 7541, 7571, 8541

WAN Bandwidth (Mbps): 20 20 50 50 50 10 20 50 100 200 200 500 1000 2000
Optimised TCP Connections: 200 500 200 500 1000 200 400 750 1300 2500 6000 18k 60k 150k
Optimised LAN Throughput (Mbps): 200 200 300 300 300 100 150 250 300 450 500 1000 2000 4000
Total Disk Capacity (GB): 500 500 500 500 500 250 250 500 500 600 600 2250 3150 4200
DRE Disk Capacity (GB): 80 80 120 120 120 40 55 80 120 120 200 500 1000 2000
CIFS Disk Capacity (GB): 57 57 95 95 95 75 75 100 100 100 100 225 225 300
Maximum LAN Video Streams: 40 150 40 150 300 40 80 150 300 400 1000 1000 1000 1000
Virtual Blades Supported: 2 2 2 4 4 6
Total Virtual Blade Disk Capacity: 60 60 175 175 180 180
Peer Fan Out: 50 100 150 300 700 1400 2800
CM Managed Devices: 250 250 1000 1000 2000 2000


vWAAS - Platform Performance (4.5)

Columns: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000, vCM-100N, vCM-2000N

Number of vCPU: 1 2 4 4 2 4
Virtual Memory (GB): 2 4 8 12 2 8
Virtual Disk Datastore (GB): 160 250 500 750 250 600
Target WAN Bandwidth (Mbps): 10 50 200 310
Optimised TCP Connections: 200 750 6000 12000
Optimised LAN Throughput (Mbps): 100 250 500 1000
Peer Fan-out: 50 300 1400
DRE Disk Capacity: 50 95 320 450
CIFS Disk Capacity: 75 95 95 175
Max LAN Video Streams: 40 150 1000 1000
CM Managed Devices: 100 2000


WAAS Deployment Installation and Configuration


WAAS Deployment Overview

1. Initial setup is done using Console CLI – Setup Script recommended

2. License configuration is required

3. Always bring up the Central Manager (CM) first

– New WAAS devices are auto-registered to WAAS CM and become a member of AllWAASGroup

– When creating an AccelerationGroup make sure you apply the correct application policies (e.g. set default one) and auto-membership for this group is enabled

4. Next bring up all Application Accelerators

5. Configure traffic interception (inline, WCCP etc)

– Start traffic interception on Core or Central devices followed by Remote Devices

6. Further configuration should be done from within the CM


WAAS Setup Script

Prompted on boot of factory default box to run setup script or execute ‘setup’

Script prompts for configuration to communicate, network integrate, manage, and license the WAE

WAVE default mode is Accelerator. Change to CM requires reboot

Optional Proactive Diagnostics


Deploying WAAS Central Manager


Central Management System (CMS)

CMS process runs on all WAVEs

Bidirectional configuration synchronisation between CM and accelerators

All management communication uses HTTPS (self-signed, device-specific certificates and keys)

Bidirectional config sync between CM and Accelerator

Central Manager collects health and monitoring data every 5 min by default

CMS provides means to backup and restore configuration

sre700#sho cms info
Device registration information :
  Device ID=11506
  Device registered as = WAAS Application Engine
  Current WAAS Central Manager = 10.42.40.1
  Registered with WAAS Central Manager = 10.42.40.1
  Status = Online
  Time of last config-sync = Thu Dec 29 17:56:19 2011
CMS services information :
  Service cms_ce is running


CM Configuration

Device located in Data Centre

Setup script recommended

Non-default configuration

Device mode

Hostname

Primary-interface

IP configuration

Date/time configuration

Configuration Management System (CMS)

CMS must be enabled to access the CM GUI

Reload required (role change)

Optionally use standby interface to dual-home to two switches

device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 10.1.1.31 255.255.255.0
 exit
ip default-gateway 10.1.1.254
ip name-server 10.1.1.21
clock timezone AEST 10 0
ntp server ntp.foo.com
cms enable
copy run start


WAAS CM Dashboard

https://cm-ipaddress:8443


Group Configuration Best Practices

AllWAASGroup: DNS; SNMP; Date/Time > NTP Server | Time Zone; Login Access Control > SSH | MoD | Exec Timeout; Authentication; System Log Settings; Storage > Disk Error Handling

SSLDevicesGroup: SSL Acceleration

EdgeDevicesGroup: Transaction logs; Prepositioning; Disk encryption; Flow Agent

AccelerationGroup: Application Policies (Optional)


WAAS Monitoring

Dashboard Aggregate Statistics

Optimisation Summary

Connection Trending

Application Acceleration

HTTP, CIFS, NFS, MAPI, Video, SSL, Print, Citrix ICA, E-MAPI


Deploying Physical Appliance WAE/WAVE


Basic Configuration – Accelerator

Default configuration

Hostname

Primary-interface

IP configuration

CMS enable

CMS required to register with CM

Use of hostname for CM recommended

Interface HA Modes

Standby Interface

PortChannel Interface

hostname branch1-wave
primary-interface GigabitEthernet 0/0
interface GigabitEthernet 0/0
 ip address 10.1.100.101 255.255.255.0
 ! Optionally configure speed and duplex
 exit
ip default-gateway 10.1.100.254
ip name-server 10.1.1.21
! Implement DNS for CM mobility
central-manager address cm1.foo.com
cms enable
copy run start


WAVE Port Allocation

Onboard Ports: GigabitEthernet 0/0, GigabitEthernet 0/1

I/O Modules:

GigabitEthernet 1/0, 1/1… 1/7 (Standalone mode)

InlineGroup 1/0, 1/1, 1/2, 1/3 (Inline mode)

TenGigabitEthernet 1/0, 1/1

Module types: WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T


There must be a layer 2 path between the two WAVE Ethernet ports

MAC only on in-use interface

Primary preempts

Gratuitous ARPs on failover

Gi 0/0 Gi 0/1

WAVE(config)#interface Standby 1
WAVE(config-if)#ip address 10.1.2.100 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#standby 1 primary
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#standby 1
WAVE(config-if)#exit
WAVE(config)#primary-interface standby 1

WAVE#show interface standby 1
Interface Standby 1 (2 physical interface(s)):
        GigabitEthernet 0/0 (active)(primary)(in use)
        GigabitEthernet 0/1 (active)

Standby Interface


WAVE(config)# interface PortChannel 1
WAVE(config-if)#no shut
WAVE(config-if)#ip address 10.1.1.31 255.255.255.0
WAVE(config)# interface GigabitEthernet 0/0
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1

IP Address defined on PortChannel interface

Default Load Balance Method

Source-Destination IP and Port

LACP is not currently supported. Hard Code Speed/Duplex

Interface Configs MUST MATCH

PortChannel Interface

Gi 0/0 Gi 0/1 Gi 0/0

Gi 0/1


CM Management


Device Group Assignment

New WAAS devices are automatically added to AllWAASGroup

Add the new device to other (e.g. Edge, SSL etc) groups where necessary


Deploying Virtual Appliance vWAAS


vWAAS Overview

vWAAS is a virtualised WAAS offering on top of ESX/ESXi running on UCS/x86 servers

Target Use Cases: Private Cloud (Enterprise DC); Virtual Private Cloud; Hybrid Cloud

Interception Methods Supported: Traditional methods such as WCCP; Nexus 1000v w/ vPath

Storage used by vWAAS: Direct Attached Storage (DAS); FibreChannel SAN; iSCSI SAN; NAS not currently supported

[Diagram: vWAAS on VMware ESX/ESXi on UCS/x86 Servers]


vWAAS Interception Options

WCCP Interception

Multiple vWAAS VMs can exist in same WCCP cluster

vPath Interception

Based on port-profile policy configured in Nexus 1000v

Bidirectional Interception - (no IN/OUT configuration)

Pass-through traffic automatic bypass

[Diagram: WAN, Cat6K/N7K, Nexus 2K/5K and UCS Compute/Virtualised Servers; vWAAS VMs on VMware ESX/ESXi on UCS/x86 Servers, intercepted by WCCP or by Nexus 1000V / VN-Link vPATH (ESX/ESXi with N1000v)]


vWAAS Virtual Appliance (OVF) preconfigured with disk, memory, CPU, NICs and other VMware configuration settings

vWAAS-200, 750, 6000, 12000, EVAL

vCM-100N, 2000N

System Requirements

VMware vSphere 4.x/5.x ESXi Hypervisor

VMware vCenter server & vSphere client 4.x/5.x

Cisco UCS or other x86 Server w/ 64 bit CPU on VMware HCL

Ensure Intel VT is enabled in the host’s BIOS

Thick provisioned storage

vPath (optional) requires Nexus 1000v v4.2(1)SV1(4) or later

vWAAS Installation


vWAAS Configuration

vWAAS configuration is the same as for WAVE

Connect to the Console through vCenter

Use of Setup Script is recommended

Some differences you will notice

Interface “virtual 1/0”

Interception “other” (for vPATH)


Network Interception Inline Mode


Inline Interception Overview

Simple Plug-and-Play Deployment

Physical in-path deployment between switch and router

Mechanical fail-to-wire

High Availability

Two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing

Serial in-path clustering with fail-over

Seamless Transparent Integration

Transparency and automatic discovery

802.1q VLAN trunking support

Supported on all WAVE appliance models

WAVE-INLN-GE-4SX WAVE-INLN-GE-4T WAVE-10GE-2SFP WAVE-INLN-GE-8T


Serial Inline Cluster

[Diagram: serial inline WAVE pair on the WAN1 and WAN2 paths (HA); modules WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T]

Simple High Availability Design for Small to Medium Data Centres

HA supported by secondary WAVE

Not intended for scaling, only HA

Design requires 4 inline groups (8 ports) per WAVE

Configure and manage via CM

Auto peer configuration

Location based reporting

Interception Access List supported

Bypass for non-relevant traffic


Inline Non-Redundant Branch

Router

Crossover cable from router to engine

Fix speed and duplex settings for Fast Ethernet connections

Ensure the router and switch have matching speed and duplex

Switch

Straight through cable from engine to switch

Ensure the router and switch have matching speed and duplex

Implement portfast for faster recovery

WAVE

One Inline port group

Ports fail-to-wire upon hardware, software, or power failure

Support for interception 802.1q trunks

Use Gi0/0 primary interface

WAN


Network Interception WCCP Mode


Transparent Off-path Interception

WCCPv2 Interception

Transparent network integration

Active/active clustering supports up to 32 WAVEs and 32 routers with automatic load-balancing, load redistribution, fail-over, and fail-through operation

Near-linear scalability and performance improvement when adding devices

Policy-Based Routing (PBR) Interception

Routing of flows to be optimised through a Cisco WAVE as a next-hop router

Active/passive clustering provides high availability and failover using IP SLA as a tracking mechanism

HA only, no load balancing

WAN

WCCP Cluster


WCCP Functions

INTERCEPT – Identify packets for WCCP processing (in or out)

ASSIGN – Select the target WAVE

REDIRECT – Router/switch sends the packet to the WAVE

RETURN – For unprocessed traffic, WAVE returns the packet to the router

EGRESS – For processed/optimised traffic, WAVE egresses the packet back to the router

Intercept takes place in both directions for WAAS

[Diagram: WAVE Cluster; Intercept, Assign, Redirect, Return/Egress]


ip access-list extended waas-redirect
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq bgp
 deny tcp any any eq tacacs
 deny tcp any any eq 2000
 ! Reverse Direction
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq 161 any
 deny tcp any eq 162 any
 deny tcp any eq 123 any
 deny tcp any eq bgp any
 deny tcp any eq tacacs any
 deny tcp any eq 2000 any
 !
 permit tcp any <<branch subnet>>
 permit tcp <<branch subnet>> any
 ! Implicit DENY ALL

WCCP Redirect-List Matches traffic for interception

Permit all applications but deny specific protocols

Avoid redirection of management traffic with a universal ACL

Apply bidirectional ACL to service groups 61 and 62

Create the redirect ACL before enabling WCCP service groups 61 and 62

Do not enable logging on WCCP redirect ACL (performance)

Optionally permit specific IP subnets

Optimise ACL to minimise TCAM usage
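An added example, not part of the original deck: a small audit for a redirect ACL written in the slide's style. It flags entries that have no reverse-direction twin or that carry `log`, then evaluates packets first-match to show what a missing twin means in practice. The sample ACL, the 10.10.20.0/24 branch subnet, the function names and the test addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample; 10.10.20.0/24 stands in for <<branch subnet>>. Deliberate
# mistakes: the bgp deny has no reverse twin and the tacacs deny carries "log".
SAMPLE_ACL = """\
ip access-list extended waas-redirect
 remark WAAS WCCP Redirect List
 deny tcp any any eq telnet
 deny tcp any any eq 22
 deny tcp any any eq bgp
 deny tcp any any eq tacacs log
 ! Reverse Direction
 deny tcp any eq telnet any
 deny tcp any eq 22 any
 deny tcp any eq tacacs any
 !
 permit tcp any 10.10.20.0 0.0.0.255
 permit tcp 10.10.20.0 0.0.0.255 any
"""

NAMED_PORTS = {"telnet": 23, "tacacs": 49, "bgp": 179}

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens

def parse_acl(text):
    """Return the permit/deny entries in order; remarks and '!' are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        entry = {"action": tokens[0], "proto": tokens[1], "line": raw.strip()}
        entry["src"], rest = _take_addr(tokens[2:])
        entry["sport"], rest = _take_port(rest)
        entry["dst"], rest = _take_addr(rest)
        entry["dport"], rest = _take_port(rest)
        entry["log"] = "log" in rest
        entries.append(entry)
    return entries

def audit(entries):
    """Flag entries lacking a mirrored twin and entries that log."""
    seen = {(e["action"], e["src"], e["sport"], e["dst"], e["dport"])
            for e in entries}
    findings = []
    for e in entries:
        mirror = (e["action"], e["dst"], e["dport"], e["src"], e["sport"])
        if mirror not in seen:
            findings.append(("no-reverse-entry", e["line"]))
        if e["log"]:
            findings.append(("logging-enabled", e["line"]))
    return findings

def _addr_match(spec, ip):
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return second == ip
    base, wild = (int(ipaddress.ip_address(x)) for x in (first, second))
    return (int(ipaddress.ip_address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def _port_match(spec, port):
    return spec is None or int(NAMED_PORTS.get(spec, spec)) == port

def is_redirected(entries, src, sport, dst, dport):
    """First match wins; no match is the implicit deny (not redirected)."""
    for e in entries:
        if (_addr_match(e["src"], src) and _port_match(e["sport"], sport)
                and _addr_match(e["dst"], dst) and _port_match(e["dport"], dport)):
            return e["action"] == "permit"
    return False
```

In the sample, BGP towards a peer is kept out of redirection, but the peer's replies (source port 179) fall through to the branch permit and are redirected, which is the asymmetry the bidirectional ACL is meant to prevent.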


WCCP Redirection

Default Service Groups 61 and 62 (Multiple SGs now supported)

Redirect 61 FROM Clients (balance on Src IP)

Redirect 62 FROM Servers (balance on Dst IP)

Always use Redirect IN wherever possible

Never use Redirect OUT on Catalyst switch

Redirect OUT can be used on ISR/ISR G2, ASR, Nexus 7000 if required by design

Avoid WCCP LOOPS! (more on this later)

[Diagram labels: WAN, 62, 61, 62, 61]


WCCP Assignment – Hash or Mask

Router uses assignment method to determine which WAVE to redirect traffic to

Hash Assignment

Byte level XOR computation divided into 256 buckets

Default for SW based routing platforms (eg ISR/ISR G2)

All buckets allocated evenly across WAVEs (by default)

Mask Assignment

Mask - Bit level AND, divided into up to 128 buckets (7 bits)

Optimised for hardware based routing platforms (eg Nexus, Catalyst)

Always keep Mask size as small as possible

Number of buckets (and size of mask) based on number of WAVEs in cluster

2 WAVEs – 1 bit mask eg 0x1 (buckets 0, 1)

8 WAVEs – 3 bit mask eg 0x7 (buckets 000, 001, 010, 011, 100, 101, 110, 111)


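Hash Assignment

Hash applied to Source OR Destination IP based on Service Group (61/62)

Assignment matches in both directions

[Diagram: hash buckets 0-127 and 128-255 split across WAVE-A and WAVE-B. A packet with Src 10.1.1.1 Dest 20.1.1.1 is intercepted by service group 61 and hashed on Src 10.1.1.1; the packet in the other direction, Src 20.1.1.1 Dest 10.1.1.1, is intercepted by service group 62 and hashed on Dst 10.1.1.1.]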


Mask Assignment

Mask applied to Source OR Destination IP based on Service Group (61/62)

Assignment matches in both directions

eg Four WAVEs, Mask 0x3 (2 bits)

[Diagram: mask buckets 00, 01, 10 and 11 across WAVE-A, WAVE-B, WAVE-C and WAVE-D. A packet with Src 10.1.1.1 Dest 20.1.1.1 is intercepted by service group 61 and masked on Src 10.1.1.1; the packet in the other direction, Src 20.1.1.1 Dest 10.1.1.1, is intercepted by service group 62 and masked on Dst 10.1.1.1.]


Mask Assignment Examples

Branch

ISR G2 - Hash or Mask supported (Hash more efficient in SW)

Use Hash or keep Mask small (typically only one or two bits)

If balancing across multiple engines with Mask, set mask to match host bits

Data Centre

Assuming /24 allocation per site (or per subnet)

Set mask to match third octet (subnet) with mask range 0x100 to 0x7F00

Two WAVE Cluster

Mask 0x3         = 0000:0000.0000:0000.0000:0000.0000:0011
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 01 – WAVE-B

Eight WAVE Cluster

Mask 0x700       = 0000:0000.0000:0000.0000:0111.0000:0000
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 001 – WAVE-B
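An added example, not from the original deck: the mask computation from the slides carried through in code, including the service group 61/62 key selection and the spread of a /24 under a host-bit mask versus a third-octet mask. The function names are hypothetical, and the bucket-to-WAVE layout (buckets dealt to WAVEs in order, wrapping round) is an assumption chosen because it reproduces the results shown on the slides.

```python
import ipaddress
from collections import Counter

MAX_MASK_BITS = 7  # per the slides: up to 128 buckets (7 bits)
FOUR_WAVES = ["WAVE-A", "WAVE-B", "WAVE-C", "WAVE-D"]
EIGHT_WAVES = ["WAVE-" + c for c in "ABCDEFGH"]


def bucket_count(mask):
    """Number of buckets a mask creates; rejects masks outside 1..7 bits."""
    bits = bin(mask).count("1")
    if not 1 <= bits <= MAX_MASK_BITS:
        raise ValueError(f"mask {mask:#x} selects {bits} bits, allowed 1..7")
    return 1 << bits


def bucket(ip, mask):
    """AND the address with the mask, then pack the selected bits together."""
    bucket_count(mask)  # validate the mask size first
    value = int(ipaddress.ip_address(ip)) & mask
    index = out_bit = 0
    for bit in range(32):
        if (mask >> bit) & 1:
            index |= ((value >> bit) & 1) << out_bit
            out_bit += 1
    return index


def assign(ip, mask, waves):
    """Assumed layout: bucket n goes to WAVE n, wrapping round the cluster."""
    return waves[bucket(ip, mask) % len(waves)]


def wave_for_packet(service_group, src, dst, mask, waves):
    """Service group 61 keys on the source IP, 62 on the destination IP."""
    if service_group not in (61, 62):
        raise ValueError("expected service group 61 or 62")
    key = src if service_group == 61 else dst
    return assign(key, mask, waves)


def spread(network, mask, waves):
    """How many addresses of a subnet land on each WAVE."""
    return Counter(assign(str(a), mask, waves)
                   for a in ipaddress.ip_network(network))
```

With mask 0x3 the addresses of 10.1.1.0/24 spread evenly over four WAVEs; with mask 0x700 the whole /24 stays on one WAVE and a neighbouring /24 moves to the next.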


Redirect, Return and Egress Methods

WCCP specifics are configured on WAVE (WCCP Client)

MUST match WCCP router capabilities

WCCP Redirect Methods

WCCP GRE - Entire packet inside GRE tunnel to WAVE (default)

Layer 2 - Frame Destination MAC address rewritten to WAVE MAC

WCCP Return Methods

WCCP GRE - GRE packet returned to Router

WCCP Layer 2 - Frame rewritten to Router MAC

WCCP Egress Methods

IP Forward – WAVE ARPs for configured Default Gateway (default)

WCCP negotiated – Flow sent back inside WCCP GRE tunnel to Router

Generic GRE – Flow sent back inside preconfigured Generic GRE tunnel to Switch (specific for HW assisted interception on Catalyst 6500)


Layer 2 Methods

WAVE must be L2 adjacent to router

L2 Redirect

Rewrite frame dest MAC to WAVE MAC address

Transmit frame towards WAVE

L2 Return

Rewrite frame dest MAC to Router MAC address

Transmit frame towards router

L2 Egress

Rewrite frame dest MAC to Router MAC address

Transmit frame towards redirecting router

IP Forwarding Egress

WAVE ARPs for default gateway

Forward frame as IP packet to gateway address

Today – Redirect: L2, Return: L2, Egress: IP FWD

WAAS v5.0 (Future) – Redirect: L2, Return: L2, Egress: L2


Layer 3 or GRE Methods

WAVE must be L3 reachable

WCCP GRE Redirect (default)

Encapsulate frame in GRE header

Transmit GRE packet to WAVE (Source: Router-ID IP)

WCCP GRE Return (negotiated)

Encapsulate frame in GRE header

Transmit GRE packet to redirecting router

Destination IP: Router-ID

WCCP GRE Egress

Encapsulate frame in GRE header

Transmit GRE packet to redirecting router

Destination IP: Router-ID

MUST USE Alternative Generic GRE on Catalyst 6500

Router-ID defaults to loopback or highest IP. Configurable with “ip wccp source-address” command in ASR

[Diagram labels: Router/Switch; Redirect: GRE, Return: GRE, Egress: GRE]


Common Loop Scenarios

WCCP Loop Avoidance

Redirect Loop

Cause: Default Egress Method is IP FWD

Solution: Configure WCCP GRE Egress

Redirect Loop

Cause: Redirect OUT configured

Solution: Reconfigure to Redirect IN

Redirect Loop

Cause: Redirect OUT configured

Solution A: Reconfigure to Redirect IN

Solution B: Configure Redirect-Exclude IN (ip wccp redirect exclude in)

[Diagram: three topologies, each labelled WAN, 62, 61]


WAAS Network Deployment WCCP - Platform Recommendations

Nexus 7000 – Assign: Mask; Redirect: L2; Redirect List: L3/L4 ACL; Direction: In or Out; Return: L2; VRFs: Supported; IOS: 4.2(1), 5.1(5)

ISR & 7200 – Assign: Hash or Mask; Redirect: GRE or L2; Redirect List: Extended ACL; Direction: In or Out; Return: GRE or L2; VRFs: Supported; IOS: 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M use L2/Mask

ASR 1000 – Assign: Mask; Redirect: GRE or L2; Redirect List: Extended ACL; Direction: In or Out; Return: L2; VRFs: Planned; IOS: XE3.1.0S, IOS 15.0(1)S

Cat 6500 / Cat 7600 Sup720/32 – Assign: Hash or Mask; Redirect: GRE or L2; Redirect List: Extended ACL; Direction: In or Out; Return: Generic GRE or L2; VRFs: Planned; IOS: 6500 12.2(33)SXH, 7600 12.2(18)SXF

Cat 6500 Sup2T – Assign: (Hash*) or Mask; Redirect: GRE or L2; Redirect List: Extended ACL; Direction: In (or Out*); Return: Generic GRE or L2; VRFs: Supported; IOS: 15.0(1)SY

Cat 4500 – Assign: Mask; Redirect: L2 only; Redirect List: No; Direction: In; Return: L2; VRFs: N/A; IOS: <Sup6 12.2(50)SG1, Sup6 15.0(2)SG, Sup7 15.1(1)SG

Cat 3750 – Assign: Mask; Redirect: L2 only; Redirect List: Extended ACL (no deny); Direction: In; Return: L2; VRFs: N/A; IOS: 12.2(37)SE

This list is dynamic over time, see release notes for latest information


WAAS Configuration Example

wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list-num 1
! Enable GRE Egress
egress-method negotiated-return intercept-method wccp
! Turn on WCCP AFTER configuration
wccp version 2


WCCP Router Configuration

Router Global Configuration

Router(config)# ip cef
Router(config)# ip wccp 61 <optional-redirect-list acl-name>
Router(config)# ip wccp 62 <optional-redirect-list acl-name>
Router(config)# ip wccp version 2

Router Interface Configuration

Router(config-if)# ip wccp 61 redirect <in|out>
Router(config-if)# ip wccp 62 redirect <in|out>
Router(config-if)# ip wccp redirect exclude in

Determined by topology

[Diagram labels: WAN, 62, 61, 62, 61]


Branch WCCP Configuration Example

[Diagram labels: WAN; router interfaces g0 and s0; service groups 61 and 62; SRE-700 on sm1/0]

Hash

Router
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2

Mask

Router
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1
wccp version 2

Looped Intercept Risk!


Data Centre Example – Single DC

WCCP at WAN Edge

WAVE or vWAAS Deployed

WAVE Registration – Loopback IP of router

ASR Router-ID Configured – Loopback IP

Single WCCP cluster – each WAVE to both routers

Assignment – Mask

Redirect – WCCP GRE

Return/Egress – WCCP GRE

Variable WCCP timers configured for fast convergence

Network

WAVEs on dedicated or shared VLAN

WAVEs could be vPC connected to Nexus access layer

Routed edge link with no WCCP

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Diagram labels: WAN; ASR 1000 (x2); WAVE/vWAAS (x2); WCCP Registration]


Data Centre Example – Multiple DC

WCCP at WAN Edge

WAVE or vWAAS Deployed

WAVE Registration – Loopback IP of router

ASR Router-ID Configured – Loopback IP

Single WCCP cluster – each WAVE to all edge routers (full mesh)

Assignment – Mask (0x300 or 0x700 for growth)

Redirect – WCCP GRE

Return/Egress – WCCP GRE

Variable WCCP timers configured

Network

WAVEs on dedicated or shared VLAN

WAVEs could be vPC connected to Nexus access layer

Routed edge link with no WCCP

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Diagram labels: WAN; ASR 1000 (x4); WAVE/vWAAS (x4). WCCP Registration not displayed]


Data Centre Example – Single DC

WCCP at Aggregation Layer

WAVE or vWAAS Deployed

WAVE Registration – Interface IP of router

ASR Router-ID Configured – Loopback IP

Single WCCP cluster – each WAVE to both routers

Assignment – Mask

Redirect – Layer 2

Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)

Network

WAVEs on dedicated VLAN – no redirect

All server VLAN SVIs – 62 Redirect IN

WAVEs could be vPC connected to Nexus access layer

L2 between Aggregation Switches

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Diagram labels: WAN; ASR 1000 (x2); Nexus 7000 (x2); WAVE/vWAAS (x2); L3 Routed; WCCP Registration]


Data Centre Example – Multiple DC

WCCP at Aggregation Layer

WAVE or vWAAS Deployed

WAVE Registration – Interface IP of router

ASR Router-ID Configured – Loopback IP

Single WCCP cluster – each WAVE to all agg switches (full mesh)

Assignment – Mask (0x300 or 0x700 for growth)

Redirect – Layer 2

Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)

Network

WAVEs on dedicated VLAN – no redirect

All server VLAN SVIs – 62 Redirect IN

WAVEs could be vPC connected

L2 between Aggregation Switches

Routed edge link

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Diagram labels: WAN; ASR 1000 (x4); Nexus 7000 (x4); WAVE/vWAAS (x4); L2 Trunk; L3 Routed. WCCP Registration not displayed]


WAAS WCCP Deployment Configuration Best Practices

Registration

Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)

Use interface IP address if L2 adjacent to WCCP router

Use highest loopback address if not L2 adjacent to WCCP router

Software Platforms – ISR, ISR G2

GRE Redirect (Default)

Hash Assignment (Default)

Inbound Interception

"ip wccp redirect exclude in" on WCCP client interface (outbound interception only)

WAAS Egress Method: IP Forwarding

Hardware Platform – ASR, Nexus 7000, Catalyst 6500, 4500

L2 – Nexus 7000, Catalyst 6500, 4500, ASR

WCCP GRE Redirect – Catalyst 6500, ASR – if required for design

Mask Assignment – keep mask small

Inbound Interception

Do not use "ip wccp redirect exclude in" – Catalyst 6500

WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)


Network Interception vPath Mode


vPATH Overview

VEM: Virtual Ethernet Module

VSM: Virtual Supervisor Module

VSN: Virtual Service Node

[Diagram labels: VMware ESX Server 1; VMware ESXi Server 2; Nexus 1000v VEM (x2); Nexus 1000v VSM; vCenter Server; vCM; vWAAS1; vWAAS2; VSN (x2); Web-Server 1; Web-Server 2; Web-Server 3; App Server; DBServer; FC Array; SAN; vPATH. Port-profiles: Non Opt Port-Profile; vWAAS Port-Profile; Optimised Port-Profile for WAAS 1; Optimised Port-Profile for WAAS 2]


vPath Configuration Example

port-profile type vethernet DC-vWAAS
 vmware port-group
 switchport mode access
 switchport access vlan 40
 no shutdown
 state enabled

port-profile type vethernet server-3
 vmware port-group
 switchport mode access
 switchport access vlan 40
 vn-service ip-address 10.42.40.210 vlan 40 fail open
 no shutdown
 state enabled


vWAAS vPath Deployment Port-Profile Configuration

Nexus 1000v VSM – Network Admin view – vPATH interception

vSphere client – Server Admin view – Attach Opt-port-profile to server VMs

[Screenshot labels: Port-Profile, Port-group]


Deploying WAAS AOs Secure Application Optimisers


SSL AO Overview

Central WAVE acts as a Trusted Intermediary Node for SSL requests by client

Server Private Key and Certificate are securely loaded from CM Secure Store to Central WAVE

Central WAVE participates in SSL Handshake to derive the “Session Key”

Central WAVE securely sends the “session key” in-band to the Edge WAVE enabling it to terminate (decrypt/encrypt) the Client SSL session

[Diagram labels: Client; Edge WAVE; WAN; Central WAVE; Server; SSL Handshake (x2); SSL Session Client to Core WAE (WAAS); SSL Session Central WAVE to Server; Secure Channel; Send “session key”; Original Data - Encrypted; Optimised & Encrypted; Original Data - Encrypted]


SSL Secure Store

CM secure store keeps all imported host and accelerated SSL certificates and private keys

Certificates and private keys encrypted with user pass-phrase:

When secure store is being initialised first time (initialisation)

After CM device reloads to open secure store (opening)

CM secure store must be open to synchronise configuration between SSL capable CM and WAVEs

Upon reboot, if CM detects the secure store is initialized but not open, a critical alarm is raised


E-MAPI AO Overview

New in WAAS v5.0, June 2012

Preserves end-to-end security with Kerberos

Operational consistency with MS infrastructure

Consistent across version changes of MS Exchange

[Diagram labels: Outlook Client; Branch WAE; WAN; DC WAE; Exchange Server; KDC/AD/DC; Kerberos/NTLM (x3); Transparent; Secure Channel; Send “session key”; Original Data – Encrypted/Signed; Optimised & Encrypted/Signed; Original Data – Encrypted/Signed]


E-MAPI AO Operation

Encrypted MAPI Request

Grant WAE “Workstation” account Key permission

Kerberos session key allows access to Encrypt/Read/Sign Data

Securely transfer key to remote branch.

[Diagram labels: Outlook Client; Branch WAAS; WAN; Core WAAS; Exchange Server; Active Directory Controller (Kerberos KDC); WAN-Secure. Three segments are labelled in turn: Application Data: Encrypted, Authentication: Kerberos; Application Data: Optimised, Encrypted, Authentication: Kerberos; Application Data: Encrypted, Authentication: Kerberos]


E-MAPI Active Directory Integration

POC and Commercial Deployment Work Flow with Admin Account

Enterprise Deployment Work Flow

[Workflow diagram; step labels: Workstation Account; User Account; Set Time, DNS and Domain info; Join WAE to Domain; Enter User in WAE; Enter User in WAVE; Set WAVE to Use M/A; Create User in AD; Grant WAVE Key Permission; Require Active Directory team involvement; Ready!]


E-MAPI AO Configuration

Requirements

WAVE requires DNS configuration to resolve AD domain queries.

All WAVEs should be NTP Time Synchronised with the AD domain

AD Provisioning

User account identity - account created in the AD domain and provisioned on the WAVE

Machine account identity - WAVE to join the AD domain.

Domain Controller to delegate read only access for the root of the AD DB to the WAVE identity account

CM Configuration

Enable E-MAPI AO through CM


Citrix ICA AO Overview

No changes to client configurations

ICA Optimisation enabled by default

No changes to server-side configurations

[Diagram labels: Branch Clients; WAAS; WAN; WAAS; Citrix Hosting Infrastructure; Virtual Desktops; HDX Mediastream HDX with ICA CGP / Session Reliability]


Citrix ICA AO Deployment Guidelines

Disable CGP unless needed for lossy links such as satellite

Use Client Side Rendering for HDX Mediastream for flash where possible for optimal end user experience

Use Direct Print where possible for optimal print performance

When using Redirected Print Mode, ensure Printer Redirection bandwidth and printer redirection bandwidth percentage settings are set to default (0)

DRE Caching is more effective with greater number of users
