Deploying WAAS BRKAPP-2005

© 2012 Cisco and/or its affiliates. All rights reserved. BRKAPP-2005 Cisco Public

Upload: vankien

Post on 19-Feb-2018


Agenda

WAAS Overview

WAAS Installation and Configuration

Network Interception

WAAS Application Optimizer (AO) Deployments

WAAS Sizing Guidelines


WAAS Overview


WAAS Helps To Accelerate Top-of-mind CIO Initiatives

VDI & BYOD | Video | Cloud | App Rollouts | WAN Refresh

Single box solution addresses VoD, Live Streaming

Solutions for Private and Public Cloud

Industry leading app performance with NEW appliances

100% ISR G2s ship WAAS-ready

SRE provides flexible options


Application Delivery Challenges

LAN Connectivity

‒High bandwidth

‒Low latency

‒Reliability

WAN Connectivity

‒Latency

‒Low bandwidth

‒Congestion

‒Packet Loss

[Diagram: client and server attached to the same LAN switch, Round Trip Time ~ 0ms; client and server on separate LAN switches joined by a WAN, Round Trip Time ~ many milliseconds]


Cisco WAAS: WAN Optimization Solution

[Diagram: branch offices connected over the WAN using a WAAS Services Ready Engine, WAAS Express or a WAAS Appliance; a regional office with a WAAS Appliance; a data center or private cloud with WAAS Appliances and WAAS CMs; a virtual private cloud running vWAAS appliances beside server VMs on VMware ESXi (UCS/x86 server, FC SAN) with Nexus 1000v vPATH and Nexus 1000v VSM]


WAAS Product Portfolio (WAAS 5.0)

Deployment tiers: Tele Worker, Small Branch, Medium Branch, Large Branch, Small-Medium Data Centre, Data Centre & Campus

WAAS Appliances: WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541

WAAS ISR Modules: SM-SRE-7X0, SM-SRE-9X0

WAAS Express: 890, 1941/2901, 29xx, 39xx

vWAAS: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000, vWAAS-50000

WAAS Mobile


Next Generation WAVE Appliances

Up to 2 Gbps optimized throughput

Optional I/O modules including Optical and 10Gbps Ethernet


Session and Transport Layer Optimisation

[Diagram: protocol stacks for Client, WAAS 1, WAAS 2 and Host. Client and Host carry the full stack (Application, Presentation, Session, Transport, Network, Data Link, Physical); each WAAS device carries Application Optimizer (AO), TFO, Network, Data Link, Physical. The connection segments are labelled Origin, Optimized (across the WAN) and Origin.]

WAAS Application Policy defines:

‒ L4: basic optimization

‒ L5-7: latency mitigation


TFO vs Regular TCP in the WAN

[Plot: cwnd against Time (RTT) for TCP and TFO, with the Slow Start and Congestion Avoidance phases marked]

Cisco TFO Provides Significant Throughput Improvements over Standard TCP Implementations

TFO uses RFC 2018, RFC 1323, RFC 3390 and BIC-TCP

http://netsrv.csc.ncsu.edu/export/bitcp.pdf


Advanced Compression

[Diagram: DRE and LZ on each side of the WAN, sharing a synchronized compression history]

Data Redundancy Elimination (DRE)

• Application-agnostic compression

• Up to 100:1 compression

• WAAS 4.4: Context Aware DRE

Persistent LZ Compression

• Session-based compression

• Up to 10:1 compression

• Works even during cold DRE cache


WAAS Context Aware Cache Architecture (WAAS 4.4)

App Aware Cache Manager: Optimizes cache behavior based upon traffic directionality

Per Peer Signatures: provides fault isolation, prevents branch starvation and enables lowest latency data store access

CIFS Object Cache: Includes File Pre-positioning. Ideal for High latency / Low BW links

[Diagram: Data Store (Disk) with Signatures (in memory) held separately for Peer 1, Peer 2 ... Peer n]

Adaptive DRE Cache

Unified Data Store: Single store for all peers

App Policy Controlled:

‒ Uni-Directional Traffic: only written to destination cache. No cache consumption at source

‒ Bi-Directional Traffic: written to both caches


Application-Specific Acceleration

[Diagram: Remote Office and Data Center connected across the WAN]

• Object Cache Verification

• Security and Control

• WAN Optimisation

• WAN Bandwidth Savings

• Server Safely Offloaded

• Fewer Servers Needed

• Power/Cooling Savings

• LAN-like Performance

Application/Protocol Awareness - Latency mitigation

Application Optimizers (AOs): CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI, SMBv2

Licensed, developed and validated with application vendors


Network Transparency

Packets between each network are routed as normal.

WAAS auto-discovery will find WAVEs in path

WAAS Network Transparency (same L3/L4 headers) allows application acceleration components to maintain compliance with existing network features

‒ Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting

‒ Security functions (ACLs, firewall policies)

[Diagram: networks A/24, B/24, C/24, D/24 and E/24 connected across the WAN]


Auto-Discovery - Two WAVE Configuration

In-band signaling with TCP option 0x21

WAVE (B) closest to client (A) and WAVE (C) closest to server (D)

Connection optimized between WAVE (B) and (C)

WAVE shifts optimized TCP SEQ number by 2 billion

If a WAVE that was optimizing fails:

Hosts will see segments with SEQ/ACK numbers that are out of range

Host will reset (RST) connection

Client will re-establish a new TCP connection

Devices in path: A (client), B (WAVE), C (WAVE), D (server)

Segment:     A-B           B-C                C-D
SYN:         A:D SYN       A:D SYN(OPT)       A:D SYN(OPT)
SYN/ACK:     D:A SYN/ACK   D:A SYN/ACK(OPT)   D:A SYN/ACK
Connection:  Origin        Optimized          Origin


Auto-Discovery – Multiple WAVE Configuration

Optimized connection established between WAVE (B) and WAVE (D)

Intermediate WAVE (C) sees TCP option in both directions and switches to Pass Through (PT)

Each WAVE supports a Pass Through connection count of 10X its optimized connection limit

Devices in path: A (client), B, C, D (WAVEs), E (server)

Segment:   A-B           B-C                C-D                D-E
SYN:       A:E SYN       A:E SYN(OPT)       A:E SYN(OPT)       A:E SYN(OPT)
SYN/ACK:   E:A SYN/ACK   E:A SYN/ACK(OPT)   E:A SYN/ACK(OPT)   E:A SYN/ACK
ACK:       A:E ACK       A:E ACK(OPT)       A:E ACK(OPT)       A:E ACK


WAAS Overview: Intermediate Firewall Support Options

Tunnel through Firewall

‒ Not managed by WAAS

‒ Firewall unable to perform stateful L3/L4 packet filtering

Permit TCP options and disable sequence number checking on firewall

‒ Allowing WAAS TFO Autodiscovery

‒ Firewall implementing stateless L3/L4 filters

WAAS Directed Mode

‒ Permit TCP options and UDP 4050 tunnel

‒ Traffic optimized by WAAS using auto-discovery but then tunneled between WAEs

‒ Firewall cannot perform stateful inspection

Cisco firewall with WAAS awareness

‒ Traffic transparently optimized by WAAS using auto-discovery

‒ Cisco firewall preserves L3/L4 stateful inspection by permitting TCP options and statefully tracking TCP sequence number shift

[Diagram: devices A to E with a firewall in the path; legend: Origin Connection, Optimized Connection, No Connection Layer Security]
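Added example (not part of the Cisco deck): a Python check an operator can run over SYN headers captured on both sides of an intermediate firewall to see whether TCP option 0x21, the auto-discovery marker named above, survives the path. The function names, the sample headers and the bytes inside the 0x21 option are constructed for illustration; the slides do not describe the option's contents.

```python
import struct

AUTODISCOVERY_KIND = 0x21  # TCP option kind named on the slide
SYN = 0x02


def build_tcp_header(sport, dport, seq, ack, flags, options=b""):
    """Build a raw TCP header; used only for the constructed samples below."""
    options += b"\x01" * (-len(options) % 4)  # pad to a 32-bit boundary with NOPs
    offset_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, 65535, 0, 0) + options


def parse_tcp_options(tcp_header):
    """Return (flags, [(kind, data), ...]) for a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    header_len = (offset_flags >> 12) * 4
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    raw, options, i = tcp_header[20:header_len], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return offset_flags & 0x1FF, options


def carries_autodiscovery(tcp_header):
    """True when the header carries option kind 0x21."""
    _, options = parse_tcp_options(tcp_header)
    return any(kind == AUTODISCOVERY_KIND for kind, _ in options)


def path_verdict(header_before_fw, header_after_fw):
    """Compare the same segment captured on each side of the firewall."""
    before = carries_autodiscovery(header_before_fw)
    after = carries_autodiscovery(header_after_fw)
    if before and after:
        return "preserved"
    if before and not after:
        return "stripped"   # auto-discovery cannot complete across this device
    return "unmarked"       # segment was never marked by a WAVE


# Constructed samples: MSS option plus a 0x21 option with placeholder data.
MSS = b"\x02\x04\x05\xb4"
MARK = bytes([AUTODISCOVERY_KIND, 6]) + b"\x00" * 4
SYN_MARKED = build_tcp_header(40000, 445, 1000, 0, SYN, MSS + MARK)
SYN_NOPPED = build_tcp_header(40000, 445, 1000, 0, SYN, MSS + b"\x01" * 6)
SYN_PLAIN = build_tcp_header(40000, 445, 1000, 0, SYN, MSS)

if __name__ == "__main__":
    print(path_verdict(SYN_MARKED, SYN_MARKED))
    print(path_verdict(SYN_MARKED, SYN_NOPPED))
```

A "stripped" verdict points at the firewall options listed above: either permit TCP options on the device or use Directed Mode.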


WAAS Installation and Configuration


WAAS Deployment Overview

1. Initial setup is done using Console CLI – Setup Script recommended

2. License configuration is required

3. Always bring up the Central Manager (CM) first

– New WAAS devices are auto-registered to WAAS CM and become a member of AllWAASGroup

– When creating an AccelerationGroup make sure you apply the correct application policies (e.g. set default one) and auto-membership for this group is enabled

4. Next bring up all Application Accelerators

5. Configure traffic interception (AppNav, inline, WCCP etc)

– Start traffic interception on Core or Central devices followed by Remote Devices

6. Further configuration should be done from within the CM


WAAS Setup Script

Prompted on boot of factory default box to run setup script or execute ‘setup’

Script prompts for configuration to communicate, network integrate, manage, and license the WAE

WAVE default mode is Accelerator. Change to CM requires reboot

Optional Proactive Diagnostics


Deploying WAAS Central Manager


Central Management System (CMS)

CMS process runs on all WAVEs

Bidirectional configuration synchronization between CM and accelerators

All management communication uses HTTPS (self-signed, device-specific certificates and keys)

Central Manager collects health and monitoring data every 5 min by default

CMS provides means to backup and restore configuration

sre700#sho cms info

Device registration information :

Device ID=11506

Device registered as = WAAS Application Engine

Current WAAS Central Manager = 10.42.40.1

Registered with WAAS Central Manager = 10.42.40.1

Status = Online

Time of last config-sync = Thu Dec 29 17:56:19 2011

CMS services information :

Service cms_ce is running


WAAS CM Dashboard

https://cm-ipaddress:8443


CM Configuration

device mode central-manager

hostname dc1-cm1

license add Enterprise

primary-interface GigabitEthernet 1/0

interface GigabitEthernet 1/0

ip address 10.1.1.31 255.255.255.0

exit

ip default-gateway 10.1.1.254

ip name-server 10.1.1.21

clock timezone AEST 10 0

ntp server ntp.foo.com

cms enable

copy run start

Device located in Data Center

Setup script recommended

Non-default configuration

‒ Device mode

‒ Hostname

‒ Primary-interface

‒ IP configuration

‒ Date/time configuration

‒ Configuration Management System (CMS)

CMS must be enabled to access the CM GUI

Reload required (role change)

Optionally use standby interface to dual-home to two switches


Group Configuration Best Practices

AllWAASGroup

‒ DNS

‒ SNMP

‒ Date/Time > NTP Server | Time Zone

‒ Login Access Control > SSH | MoD | Exec Timeout

‒ Authentication

‒ System Log Settings

‒ Storage > Disk Error Handling

SSLDevicesGroup

‒ SSL Acceleration

EdgeDevicesGroup

‒ Transaction logs

‒ Prepositioning

‒ Disk encryption

‒ Flow Agent

AccelerationGroup

‒ Application Policies (Optional)


WAAS Monitoring

Dashboard Aggregate Statistics

Optimisation Summary

Connection Trending

Application Acceleration

‒ HTTP, CIFS, NFS, MAPI, Video, SSL, Print, Citrix ICA, E-MAPI


Deploying Physical Appliance

WAE/WAVE


Basic Configuration – Accelerator

hostname branch1-wave

primary-interface GigabitEthernet 0/0

interface GigabitEthernet 0/0

ip address 10.1.100.101 255.255.255.0

! Optionally configure speed and duplex

exit

ip default-gateway 10.1.100.254

ip name-server 10.1.1.21

ntp server ntp.foo.com

central-manager address cm1.foo.com

cms enable

copy run start

Basic configuration – Manual or Setup

‒ Hostname

‒ Primary-interface

‒ IP configuration

‒ NTP

‒ CMS enable

CMS required to register with CM

Use of hostname for CM recommended

Interface HA Modes

‒ Standby Interface

‒ PortChannel Interface


WAVE Port Allocation

Onboard Ports

‒ GigabitEthernet 0/0

‒ GigabitEthernet 0/1

I/O Modules

‒ GigabitEthernet 1/0, 1/1… 1/7 (Standalone mode)

‒ InlineGroup 1/0, 1/1, 1/2, 1/3 (Inline mode)

‒ TenGigabitEthernet 1/0, 1/1

[Photos: I/O modules WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T]


Standby Interface

There must be a Layer 2 path between the two WAVE Ethernet ports (Gi 0/0 and Gi 0/1)

MAC only on in-use interface

Primary preempts

Gratuitous ARPs on failover

WAVE(config)#interface Standby 1

WAVE(config-if)#ip address 10.1.2.100 255.255.255.0

WAVE(config-if)#exit

WAVE(config)#interface GigabitEthernet 0/0

WAVE(config-if)#standby 1 primary

WAVE(config-if)#exit

WAVE(config)#interface GigabitEthernet 0/1

WAVE(config-if)#standby 1

WAVE(config-if)#exit

WAVE(config)#primary-interface standby 1

WAVE#show interface standby 1

Interface Standby 1 (2 physical interface(s)):

GigabitEthernet 0/0 (active)(primary)(in use)

GigabitEthernet 0/1 (active)


PortChannel Interface

IP Address defined on PortChannel interface

Default Load Balance Method

‒ Source-Destination IP and Port

LACP is not currently supported.

Hard Code Speed/Duplex

Interface Configs MUST MATCH

WAVE(config)#interface PortChannel 1

WAVE(config-if)#no shut

WAVE(config-if)#ip address 10.1.1.31 255.255.255.0

WAVE(config-if)#exit

WAVE(config)#interface GigabitEthernet 0/0

WAVE(config-if)#speed 1000

WAVE(config-if)#duplex full

WAVE(config-if)#no shutdown

WAVE(config-if)#channel-group 1

WAVE(config-if)#exit

WAVE(config)#interface GigabitEthernet 0/1

WAVE(config-if)#speed 1000

WAVE(config-if)#duplex full

WAVE(config-if)#no shutdown

WAVE(config-if)#channel-group 1


CM Management


Device Group Assignment

New WAAS devices are automatically added to AllWAASGroup

Add the new device to other (e.g. Edge, SSL etc) groups where necessary


Deploying Virtual Appliance

vWAAS


vWAAS Overview

Target Use Cases

‒ Enterprise DC

‒ Virtual Private Cloud

‒ Remote virtual platform

Interception Methods Supported

‒ Traditional methods such as WCCP

‒ Nexus 1000v w/ vPath

Storage used by vWAAS

‒ Direct Attached Storage (DAS)

‒ FibreChannel SAN

‒ iSCSI SAN

‒ NAS not currently supported

vWAAS is a virtualised WAAS appliance on vSphere ESXi running on UCS/x86 servers

[Diagram: vWAAS on VMware ESX/ESXi on UCS/x86 servers]


vWAAS Interception Options

[Diagram: WAN, Cat6K/N7K and Nexus 2K/5K in front of UCS compute / virtualised servers; vWAAS VMs on VMware ESX/ESXi on UCS/x86 servers, reached either by WCCP or by Nexus 1000V vPATH (ESXi with N1000v)]

WCCP Interception

‒ Multiple vWAAS VMs can exist in same WCCP cluster

vPath Interception

‒ Based on port-profile policy configured in Nexus 1000v

‒ Bidirectional Interception (no IN/OUT configuration)

‒ Pass-through traffic automatic bypass


vWAAS Installation

vWAAS Virtual Appliance (OVF) preconfigured with disk, memory, CPU, NICs and other VMware configuration settings

‒ vWAAS-200, 750, 6000, 12000, 50000 EVAL

‒ vCM-100N, 2000N

System Requirements

‒ VMware vSphere 4.x/5.x ESXi Hypervisor

‒ VMware vCenter server & vSphere client 4.x/5.x

‒ Cisco UCS or other x86 Server w/ 64 bit CPU on VMware HCL

‒ Ensure Intel VT is enabled in the host’s BIOS

‒ Thick provisioned storage

vPath (optional) requires Nexus 1000v v4.2(1)SV1(4) or later


vWAAS Configuration

vWAAS configuration is the same as for WAVE

Connect to the Console through vCenter

Use of Setup Script is recommended

Some differences you will notice

‒ Interface “virtual 1/0”

‒ Interception “other” (for vPATH)


Network Interception

Inline Mode


Inline Interception Overview

Simple Plug-and-Play Deployment

‒ Physical in-path deployment between switch and router

‒ Mechanical fail-to-wire

High Availability

‒ Two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing

‒ Serial in-path clustering with fail-over

Seamless Transparent Integration

‒ Transparency and automatic discovery

‒ 802.1q VLAN trunking support

‒ Supported on all WAVE appliance models

[Photos: I/O modules WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T]


Serial Inline Cluster

[Diagram: serial inline cluster on links WAN1 and WAN2, labelled HA]

Simple High Availability Design for Small to Medium Data Centres

HA supported by secondary WAVE

Not intended for scaling, only HA

Design requires 4 inline groups (8 ports) per WAVE

Configure and manage via CM

Auto peer configuration

Location based reporting

Interception Access List supported

Bypass for non-relevant traffic


Inline Non-Redundant Branch

Router

‒ Crossover cable from router to engine

‒ Fix speed and duplex settings for Fast Ethernet connections

‒ Ensure the router and switch have matching speed and duplex

Switch

‒ Straight through cable from engine to switch

‒ Ensure the router and switch have matching speed and duplex

‒ Implement portfast for faster recovery

WAVE

‒ One Inline port group

‒ Ports fail-to-wire upon hardware, software, or power failure

‒ Support for interception on 802.1q trunks

‒ Use Gi0/0 primary interface


Network Interception

WCCP Mode


Transparent Off-path Interception

WCCPv2 Interception

‒ Transparent network integration

‒ Active/active clustering supports up to 32 WAVEs and 32 routers with automatic load-balancing, load redistribution, fail-over, and fail-through operation

‒ Near-linear scalability and performance improvement when adding devices

Policy-Based Routing (PBR) Interception

‒ Routing of flows to be optimized through a Cisco WAVE as a next-hop router

‒ Active/passive clustering provides high availability and failover using IP SLA as a tracking mechanism

‒ HA only, no load balancing

[Diagram: WAN and WCCP Cluster]


WCCP Functions

INTERCEPT – Identify packets for WCCP processing (in or out)

ASSIGN – Select the target WAVE

REDIRECT – Router/switch sends the packet to the WAVE

RETURN – For unprocessed traffic, WAVE returns the packet to the router

EGRESS – For processed/optimized traffic, WAVE egresses the packet back to the router

Intercept takes place in both directions for WAAS

[Diagram: WAVE Cluster with the steps Intercept, Assign, Redirect, Return/Egress]


ip access-list extended waas-redirect

remark WAAS WCCP Redirect List

deny tcp any any eq telnet

deny tcp any any eq 22

deny tcp any any eq 161

deny tcp any any eq 162

deny tcp any any eq 123

deny tcp any any eq bgp

deny tcp any any eq tacacs

deny tcp any any eq 2000

! Reverse Direction

deny tcp any eq telnet any

deny tcp any eq 22 any

deny tcp any eq 161 any

deny tcp any eq 162 any

deny tcp any eq 123 any

deny tcp any eq bgp any

deny tcp any eq tacacs any

deny tcp any eq 2000 any

!

permit tcp any <<branch subnet>>

permit tcp <<branch subnet>> any

! Implicit DENY ALL

WCCP Interception Traffic Selection

Redirect-list matches traffic for interception

Permit all applications but deny specific protocols

‒ Avoid redirection of management traffic with a universal ACL

‒ Apply bidirectional ACL to service groups 61 and 62

‒ Create the redirect ACL before enabling WCCP service groups 61 and 62

‒ Do not enable logging on WCCP redirect ACL (performance)

Optionally permit specific IP subnets

Optimize ACL to minimize TCAM usage
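Added example (not part of the Cisco deck): a Python lint for a WCCP redirect list that checks two of the rules above, namely that every entry has its reverse-direction counterpart (the ACL is applied to both service groups 61 and 62) and that no entry enables logging. The ACL text is rebuilt from the slide's port list; the subnet standing in for <<branch subnet>> and all function names are constructed for illustration.

```python
# Ports excluded from redirection on the slide's waas-redirect list.
MGMT_PORTS = ["telnet", "22", "161", "162", "123", "bgp", "tacacs", "2000"]
BRANCH = "10.1.100.0 0.0.0.255"  # constructed stand-in for <<branch subnet>>

PAGE_ACL = "\n".join(
    ["ip access-list extended waas-redirect",
     " remark WAAS WCCP Redirect List"]
    + [f" deny tcp any any eq {p}" for p in MGMT_PORTS]
    + [" ! Reverse Direction"]
    + [f" deny tcp any eq {p} any" for p in MGMT_PORTS]
    + [f" permit tcp any {BRANCH}", f" permit tcp {BRANCH} any"]) + "\n"

# Constructed faulty variant: one reverse entry missing, one entry logging.
BAD_ACL = (PAGE_ACL.replace(" deny tcp any eq 22 any\n", "")
                   .replace("any any eq telnet", "any any eq telnet log"))


def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address")
    return " ".join(tokens[:2]), tokens[2:]


def take_port(tokens):
    """Consume an optional 'eq PORT' match."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse the permit/deny tcp entries of an IOS extended ACL."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header, remark, '!' comment or blank line
        if len(tokens) < 4 or tokens[1] != "tcp":
            raise ValueError(f"unsupported entry: {raw.strip()}")
        rest = tokens[2:]
        log = rest[-1] in ("log", "log-input")
        if log:
            rest = rest[:-1]
        src, rest = take_addr(rest)
        sport, rest = take_port(rest)
        dst, rest = take_addr(rest)
        dport, rest = take_port(rest)
        if rest:
            raise ValueError(f"unparsed tokens in: {raw.strip()}")
        entries.append({"action": tokens[0], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "log": log,
                        "text": " ".join(tokens)})
    return entries


def lint(entries):
    """Return findings for missing mirror entries and for logging."""
    seen = {(e["action"], e["src"], e["sport"], e["dst"], e["dport"])
            for e in entries}
    findings = []
    for e in entries:
        mirror = (e["action"], e["dst"], e["dport"], e["src"], e["sport"])
        if mirror not in seen:
            findings.append(f"no reverse-direction entry for: {e['text']}")
        if e["log"]:
            findings.append(f"logging enabled on: {e['text']}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_acl(BAD_ACL)):
        print(finding)
```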


Default Service Groups 61 and 62 (Multiple SGs now supported)

Redirect 61 FROM Clients (balance on Src IP)

Redirect 62 FROM Servers (balance on Dst IP)

Always use Redirect IN wherever possible

Never use Redirect OUT on Catalyst switch

Redirect OUT can be used on ISR/ISR G2, ASR, Nexus 7000 if required by design

Avoid WCCP LOOPS! (more on this later)

[Diagram: WCCP Interception, with service groups 61 and 62 marked around the WAN]


WCCP Assignment – Hash or Mask

Router uses assignment method to determine which WAVE to redirect traffic to

Hash Assignment

‒ Byte level XOR computation divided into 256 buckets

‒ Default for SW based routing platforms (eg ISR/ISR G2)

‒ All buckets allocated evenly across WAVEs (by default)

Mask Assignment

‒ Mask - Bit level AND, divided into up to 128 buckets (7 bits)

‒ Optimized for hardware based routing platforms (e.g. Nexus, Catalyst)

‒ Always keep Mask size as small as possible (Default was 0x1741, now 0xF00)

‒ Number of buckets (and size of mask) based on number of WAVEs in cluster

2 WAVEs – 1 bit mask, e.g. 0x1 (buckets 0, 1)

8 WAVEs – 3 bit mask, e.g. 0x7 (buckets 000, 001, 010, 011, 100, 101, 110, 111)


Hash Assignment

Hash applied to Source OR Destination IP based on Service Group (61/62)

Assignment matches in both directions

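[Figure: two-WAVE cluster (WAVE-A, WAVE-B) with the hash buckets split into 0-127 and 128-255. Service group 61 hashes on Src 10.1.1.1 for the packet Src 10.1.1.1, Dest 20.1.1.1; service group 62 hashes on Dst 10.1.1.1 for the return packet Src 20.1.1.1, Dest 10.1.1.1.]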


Mask Assignment

Mask applied to Source OR Destination IP based on Service Group (61/62)

Assignment matches in both directions

[Figure: e.g. Four WAVEs (WAVE-A, WAVE-B, WAVE-C, WAVE-D), Mask 0x3 (2 bits), buckets 00, 01, 10, 11. Service group 61 applies the mask to Src 10.1.1.1 for the packet Src 10.1.1.1, Dest 20.1.1.1; service group 62 applies the mask to Dst 10.1.1.1 for the return packet Src 20.1.1.1, Dest 10.1.1.1.]


Mask Assignment Examples

Branch

‒ ISR G2 - Hash or Mask supported (Hash more efficient in SW)

‒ Use Hash or keep Mask small (typically only one or two bits)

‒ If balancing across multiple engines with Mask, set mask to match host bits

Data Center

‒ Assuming /24 allocation per site (or per subnet)

‒ Set mask to match third octet (subnet) with mask range 0x100 to 0x7F00

Two WAVE Cluster

Mask 0x3         = 0000:0000.0000:0000.0000:0000.0000:0011
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 01: WAVE-B

Eight WAVE Cluster

Mask 0x700       = 0000:0000.0000:0000.0000:0111.0000:0000
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 001: WAVE-B
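The two calculations above, worked in code as an added example (not from the slides or from Cisco). It also shows why the mask has to cover address bits that actually differ between sites, and that service groups 61 and 62 pick the same WAVE for both directions of a flow. Assumptions: bucket ownership is round-robin in list order (the real allocation is made by the WCCP cluster and may differ), and the function names and per-site sample addresses are constructed.

```python
import ipaddress
from collections import Counter


def mask_bucket(ip, mask):
    """Pack the address bits selected by `mask` into a bucket index."""
    addr = int(ipaddress.IPv4Address(ip))
    bucket, out_bit = 0, 0
    for bit in range(32):
        if (mask >> bit) & 1:
            bucket |= ((addr >> bit) & 1) << out_bit
            out_bit += 1
    return bucket


def bucket_count(mask):
    """Each mask bit doubles the number of buckets the platform must program."""
    return 1 << bin(mask).count("1")


def wave_for(ip, mask, waves):
    # Assumption for illustration: buckets are owned round-robin in list order.
    return waves[mask_bucket(ip, mask) % len(waves)]


def redirect_target(src, dst, service_group, mask, waves):
    """Service group 61 keys on the source IP, 62 on the destination IP."""
    if service_group == 61:
        key = src
    elif service_group == 62:
        key = dst
    else:
        raise ValueError("expected service group 61 or 62")
    return wave_for(key, mask, waves)


def spread(ips, mask, waves):
    """Count how many of the given addresses land on each WAVE."""
    return Counter(wave_for(ip, mask, waves) for ip in ips)


TWO = ["WAVE-A", "WAVE-B"]
FOUR = ["WAVE-A", "WAVE-B", "WAVE-C", "WAVE-D"]
EIGHT = [f"WAVE-{letter}" for letter in "ABCDEFGH"]

# Constructed sample: one /24 per site, the same host address at every site.
SITE_HOSTS = [f"10.1.{site}.1" for site in range(8)]

if __name__ == "__main__":
    print(wave_for("10.1.1.1", 0x3, TWO))      # slide example, two WAVE cluster
    print(wave_for("10.1.1.1", 0x700, EIGHT))  # slide example, eight WAVE cluster
    # Client to server via 61 and server to client via 62 reach the same WAVE.
    print(redirect_target("10.1.1.1", "20.1.1.1", 61, 0x3, FOUR),
          redirect_target("20.1.1.1", "10.1.1.1", 62, 0x3, FOUR))
    # Third-octet mask spreads the sites; a host-bit mask piles them on one WAVE.
    print(dict(spread(SITE_HOSTS, 0x700, EIGHT)))
    print(dict(spread(SITE_HOSTS, 0x7, EIGHT)))
    # Old and new default masks differ in how many buckets they create.
    print(bucket_count(0x1741), bucket_count(0xF00))
```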


Redirect, Return and Egress Methods

WCCP specifics are configured on WAVE (WCCP Client)

MUST match WCCP router capabilities

WCCP Redirect Methods

‒ WCCP GRE - Entire packet inside GRE tunnel to WAVE (default)

‒ Layer 2 - Frame Destination MAC address rewritten to WAVE MAC

WCCP Return Methods

‒ WCCP GRE - GRE packet returned to Router (negotiated)

‒ WCCP Layer 2 - Frame rewritten to Router MAC

WCCP Egress Methods

‒ IP Forward – WAVE ARPs for configured Default Gateway (default)

‒ WCCP negotiated – Flow sent back inside WCCP GRE tunnel to Router

‒ Generic GRE – Flow sent back inside preconfigured Generic GRE tunnel to Switch (specific for HW assisted interception on Catalyst 6500)


Layer 2 Methods

WAVE must be L2 adjacent to router

L2 Redirect

‒ Rewrite frame dest MAC to WAVE MAC address

‒ Transmit frame towards WAVE

L2 Return

‒ Rewrite frame dest MAC to Router MAC address

‒ Transmit frame towards router

L2 Egress

‒ Rewrite frame dest MAC to Router MAC address

‒ Transmit frame towards redirecting router

IP Forwarding Egress

‒ WAVE ARPs for default gateway

‒ Forward frame as IP packet to gateway address

[Figure, panel 1 (Default): Redirect: L2, Return: L2, Egress: IP FWD]

[Figure, panel 2 (WAAS v5.0): Redirect: L2, Return: L2, Egress: L2]


Layer 3 or GRE Methods

WAVE must be L3 reachable

WCCP GRE Redirect (default)

‒ Encapsulate frame in GRE header

‒ Transmit GRE packet to WAVE (Source: Router-ID IP)

WCCP GRE Return (negotiated)

‒ Encapsulate frame in GRE header

‒ Transmit GRE packet to redirecting router

‒ Destination IP: Router-ID

WCCP GRE Egress

‒ Encapsulate frame in GRE header

‒ Transmit GRE packet to redirecting router

‒ Destination IP: Router-ID

‒ MUST USE Alternative Generic GRE on Catalyst 6500

[Figure: Router/Switch and WAVE. Redirect: GRE, Return: GRE, Egress: GRE]

Router-ID defaults to loopback or highest IP. Configurable with “ip wccp source-address” command in ASR


WCCP Loop Avoidance

Common Loop Scenarios

Redirect Loop

Cause: Default Egress Method is IP FWD

Solution: Configure WCCP GRE Egress

Redirect Loop

Cause: Redirect OUT configured

Solution: Reconfigure to Redirect IN w/ GRE

Redirect Loop

Cause: Redirect OUT configured

Solution A: Reconfigure to Redirect IN

Solution B: Configure Redirect-Exclude IN (ip wccp redirect exclude in)


WAAS Network Deployment

WCCP - Platform Recommendations

This list is dynamic over time, see release notes for latest information

| WCCP Function | Nexus 7000 | ISR & 7200 | ASR 1000 | Cat 6500 / Cat 7600 Sup720/32 | Cat 6500 Sup2T | Cat 4500 | Cat 3750 |
|---|---|---|---|---|---|---|---|
| Assign | Mask | Hash or Mask | Mask | Hash or Mask | (Hash*) or Mask | Mask | Mask |
| Redirect | L2 | GRE or L2 | GRE or L2 | GRE or L2 | GRE or L2 | L2 only | L2 only |
| Redirect List | L3/L4 ACL | Extended ACL | Extended ACL | Extended ACL | Extended ACL | No | Extended ACL (no deny) |
| Direction | In or Out | In or Out | In or Out | In or Out | In (or Out*) | In | In |
| Return | L2 | GRE or L2 | L2 | Generic GRE or L2 | Generic GRE or L2 | L2 | L2 |
| VRFs | Supported | Supported | Planned | N/A | Supported | N/A | N/A |
| IOS | 4.2(1); 5.1(5) | 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M use L2/Mask | XE3.1.0S; IOS 15.0(1)S | 6500: 12.2(33)SXH; 7600: 12.2(18)SXF | 15.0(1)SY | <Sup6: 12.2(50)SG1; Sup6: 15.0(2)SG; Sup7: 15.1(1)SG | 12.2(37)SE |


WAAS Network Deployment WCCP – Feature Enhancements

WCCP Configurable Timers

Supports 9 second failure discovery (30 sec default)

Supported in WAAS (v4.4 onwards)

Requires router support

ISR G2 – Support in 15.2(3)T

ASR – Support in IOS XE 3.2.0S

Nexus 7000 – Support in 5.1(1)

Catalyst 6500 – Support coming MA2 (Q3CY12)

Configurable Router-ID

Allows control of router-id for WCCP GRE

Router support as above


WCCP Router Configuration

Router Global Configuration

Router(config)# ip cef
Router(config)# ip wccp version 2
Router(config)# ip wccp 61 <optional-redirect-list acl-name>
Router(config)# ip wccp 62 <optional-redirect-list acl-name>

Router Interface Configuration

Router(config-if)# ip wccp 61 redirect <in|out>
Router(config-if)# ip wccp 62 redirect <in|out>
Router(config-if)# ip wccp redirect exclude in

Determined by topology


WAAS Configuration Example

wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list-num 1
! Enable GRE Egress
egress-method negotiated-return intercept-method wccp
! Turn on WCCP AFTER configuration
wccp version 2


Branch WCCP Configuration Example

[Figure: two branch routers, each with interfaces g0 and s0 and service groups 61 and 62 towards the WAN; an SRE-700 on sm1/0.]

Hash

Router

ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE

wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2

Mask

Router

ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE

wccp router-list 1 10.1.2.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1
wccp version 2

Looped Intercept Risk!


Data Centre Example – Single DC WCCP at WAN Edge

WAVE or vWAAS Deployed

‒ WAVE Registration – Loopback IP of router

‒ ASR Router-ID Configured – Loopback IP

‒ Single WCCP cluster – each WAVE to both routers

‒ Assignment – Mask

‒ Redirect – WCCP GRE

‒ Return/Egress – WCCP GRE

‒ Variable WCCP timers configured for fast convergence

‒ Network

WAVEs on dedicated or shared VLAN

WAVEs could be vPC connected to Nexus access layer

Routed edge link with no WCCP

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Figure: WAN, two ASR 1000 routers and two WAVE/vWAAS devices, with WCCP Registration shown]


Data Centre Example – Multiple DC WCCP at WAN Edge

WAVE or vWAAS Deployed

‒ WAVE Registration – Loopback IP of router

‒ ASR Router-ID Configured – Loopback IP

‒ Single WCCP cluster – each WAVE to all edge routers (full mesh)

‒ Assignment – Mask (0x300 or 0x700 for growth)

‒ Redirect – WCCP GRE

‒ Return/Egress – WCCP GRE

‒ Variable WCCP timers configured

‒ Network

WAVEs on dedicated or shared VLAN

WAVEs could be vPC connected to Nexus access layer

Routed edge link with no WCCP

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Figure: WAN, four ASR 1000 routers and four WAVE/vWAAS devices; WCCP Registration not displayed]


Data Centre Example – Single DC WCCP at Aggregation Layer

WAVE or vWAAS Deployed

‒ WAVE Registration – Interface IP of router

‒ ASR Router-ID Configured – Loopback IP

‒ Single WCCP cluster – each WAVE to both routers

‒ Assignment – Mask

‒ Redirect – Layer 2

‒ Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)

‒ Network

WAVEs on dedicated VLAN – no redirect

All server VLAN SVIs – 62 Redirect IN

WAVEs could be vPC connected to Nexus access layer

L2 between Aggregation Switches

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Figure: WAN, two ASR 1000 routers (L3 Routed), two Nexus 7000 switches and two WAVE/vWAAS devices, with WCCP Registration shown]


Data Centre Example – Multiple DC WCCP at Aggregation Layer

WAVE or vWAAS Deployed

‒ WAVE Registration – Interface IP of router

‒ ASR Router-ID Configured – Loopback IP

‒ Single WCCP cluster – each WAVE to all agg switches (full mesh)

‒ Assignment – Mask (0x300 or 0x700 for growth)

‒ Redirect – Layer 2

‒ Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)

‒ Network

WAVEs on dedicated VLAN – no redirect

All server VLAN SVIs – 62 Redirect IN

WAVEs could be vPC connected

L2 between Aggregation Switches

Routed edge link

High Availability via WCCP

Maintains Symmetric Traffic Flows

[Figure: WAN, four ASR 1000 routers, four Nexus 7000 switches and four WAVE/vWAAS devices; links labelled L2 Trunk and L3 Routed; WCCP Registration not displayed]


WAAS WCCP Deployment

Configuration Best Practices

Registration

‒ Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)

‒ Use interface IP address if L2 adjacent to WCCP router

‒ Use highest loopback address if not L2 adjacent to WCCP router

Software Platforms – ISR, ISR G2

‒ GRE Redirect (Default)

‒ Hash Assignment (Default)

‒ Inbound Interception

‒ "ip wccp redirect exclude in" on WCCP client interface (outbound interception only)

‒ WAAS Egress Method: IP Forwarding

Hardware Platform – ASR, Nexus 7000, Catalyst 6500, 4500

‒ L2 – Nexus 7000, Catalyst 6500, 4500, ASR

‒ WCCP GRE Redirect – Catalyst 6500, ASR – if required for design

‒ Mask Assignment – keep mask small

‒ Inbound Interception

‒ Do not use "ip wccp redirect exclude in" – Catalyst 6500

‒ WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)


Network Interception

vPath Mode


vPATH Overview

[Figure: VMware ESX Server 1 and VMware ESXi Server 2, each with a Nexus 1000v VEM; vWAAS1 and vWAAS2 as VSNs; server VMs Web-Server 1, Web-Server 2, Web-Server 3, DBServer and App Server; Nexus 1000v VSM, vCenter Server and vCM; FC Array on the SAN; vPATH between the VEMs and the vWAAS VSNs. Port-profiles shown: Non Opt Port-Profile, vWAAS Port-Profile, Optimized Port-Profile for WAAS 1, Optimized Port-Profile for WAAS 2.]

VEM: Virtual Ethernet Module

VSM: Virtual Supervisor Module

VSN: Virtual Service Node


vPath Configuration Example

port-profile type vethernet DC-vWAAS
 vmware port-group
 switchport mode access
 switchport access vlan 40
 no shutdown
 state enabled

port-profile type vethernet Exchange-Server
 vmware port-group
 switchport mode access
 switchport access vlan 40
 vn-service ip-address 10.42.40.210 vlan 40 fail open
 no shutdown
 state enabled


vWAAS vPath Deployment

Port-Profile Configuration

[Figure: Nexus 1000v VSM (Network Admin view, vPATH interception) beside the vSphere client (Server Admin view); the Port-Profile appears as a Port-group. Attach Opt-port-profile to server VMs.]


Network Interception

AppNav


WAAS + AppNav:

Unmatched Performance and Scale

AppNav

• Massive Virtual Clusters

• Deploy Anywhere

• Application Affinity

• Load-Aware Distribution

• Content-Aware Policies

WAVE Appliances

• 150,000 Sessions

• 2Gbps Throughput

• Dynamic Status Reporting

Context-Aware DRE

• Highest Throughput

• Eliminates Disk Latency

• Application Aware

• Unified Datastore


What is Cisco AppNav?

AppNav gives the ability to Virtualize WAN optimization resources into pools of elastic resources with business driven bindings

[Figure: WAN optimization Pools made up of vWAAS, WAVE and WAE devices, bound to Exchange and WEB Apps and to Business Unit1 and Business Unit2, reached across the WAN]


What is Cisco AppNav?

AppNav is a next generation physical Input / Output Module (IOM) for the latest generation of Cisco WAVE Appliances.

• The AppNav IOM contains its own network hardware, processing data independent of the WAVE Appliance.

• The host appliance for an AppNav module can still be used to optimize traffic.

• AppNav can scale up to 8 AppNav modules, along with 32 WAAS or vWAAS Appliances.

• AppNav can be deployed In-Path and Out-of-Path


AppNav Simplifies Service Insertion

Easily Solve Deployment and Scalability Headaches

| Deployment Consideration | In Path | Off Path | AppNav (In Path) | AppNav (Off Path) |
|---|---|---|---|---|
| No Cable Insertion Outage | ✗ | ✓ | ✗ | ✓ |
| No Router / Switch Code Dependency | ✓ | ✗ | ✓ | ✓ |
| No Router / TCAM Impact | ✓ | ✗ | ✓ | ✓ |
| Load and performance aware flow distribution | ✗ | ✗ | ✓ | ✓ |
| Asymmetric flow support | ✓ | ✓ | ✓ | ✓ |
| Inline Modes | Parallel and Serial | N/A | Only Parallel Required | N/A |
| Ability to scale out / add capacity | Constrained by Inline Device | Constrained by Router TCAM | Constrained by Inline Device | 10’s of Gbps / Millions of Connections |


AppNav Has a Complete Understanding of The Network

[Figure: AppNav Dynamic Load-Aware Distribution, surrounded by its inputs:]

AppNav High Availability

WAAS Traffic Load

WAAS I/O Load

Application Persistence

Previous Path Affinity

Custom Affinity Rules

WAAS Device Status

WAAS Optimization Load

WAAS High Availability


AppNav Branch-Based Clustering and Affinity

AppNav’s powerful policy engine allows for easy separation of branch traffic at the Data Center. No knowledge of IP addresses or ACLs required.

[Figure: Branch Office_1, Branch Office_2 and Branch Office_3 across the WAN; Cisco AppNav in the Data Center sends Branch1 Traffic, Branch2 Traffic and Branch3 Traffic to Br1_WAAS, Br2_WAAS and Br3_WAAS]


AppNav Enables Application-Aware Affinity

AppNav can simply split traffic into separate application clusters. This flexible deployment allows WAAS to easily adapt to application traffic increases and changes.

[Figure: Branch Offices across the WAN; Cisco AppNav in the Data Center sends HTTP Traffic, SSL Traffic and Other Traffic to the HTTP Cluster, SSL Cluster and Other Cluster]


AppNav Dynamic Status Reporting

AppNav and WAAS communicate capacity and status for every optimization process per flow. This allows AppNav to easily route around failures and/or capacity problems.

[Figure: Branch Offices, WAN, Cisco AppNav, WAAS1 and WAAS2, with status indicators (STOP, GO, ?) and the legend below]

WAAS cannot accept connections

WAAS can only accept pre-existing connections

WAAS is optimizing normally


WAAS High Availability

Cisco WAAS device failure

AppNav provides intelligent WAAS failure mitigation.

• On WAAS failure, AppNav maintains pre-existing TCP connections to other WAAS units

• AppNav can also be configured with explicit backup HA units for critical devices.

• AppNav can also intelligently pass through traffic if a failure would result in an overload condition for remaining units

[Figure: Branch Offices, WAN, and a Data Center with WAAS_1, WAAS_2 and WAAS_3]


AppNav High Availability

• AppNav performs a per-flow state update between all AppNav devices.

• These states keep all devices aware of each other with information on how connections are being handled.

• In the event of a failure, the remaining AppNav units can immediately handle all connections that were utilizing the failed AppNav.

[Figure: Branch Office, WAN and Data Center]


Simple Status: AppNav 360° Device View

• Graphical overview of AppNav deployment and configuration

• Quick, at-a-glance statistics and load information

• Data-driven tooltips and status indicators that give quick access to device health.

• Support for viewing 8 AppNav Controllers and 32 WAAS Nodes


AppNav Cluster Wizard: Simple, yet powerful deployment

Step by step configuration of AppNav through the Cluster Wizard

Validation and feedback for every step to prevent errors and misconfigurations


Complete AppNav Configuration

Configure cluster settings

Select cluster devices

Validate cluster interfaces


Deploying WAAS AOs Secure Application optimizers


SSL AO Overview

Central WAVE acts as a Trusted Intermediary Node for SSL requests by client

Server Private Key and Certificate are securely loaded from CM Secure Store to Central WAVE

Central WAVE participates in SSL Handshake to derive the “Session Key”

Central WAVE securely sends the “session key” in-band to the Edge WAVE enabling it to terminate (decrypt/encrypt) the Client SSL session

[Figure: Client, Edge WAVE, WAN, Central WAVE and Server. SSL Handshake and SSL Session: Client to Core WAE (WAAS); SSL Handshake and SSL Session: Central WAVE to Server; Send “session key” over the Secure Channel between Central WAVE and Edge WAVE. Data: Original Data - Encrypted (client side), Optimized & Encrypted (WAN), Original Data - Encrypted (server side).]


SSL Secure Store

CM secure store keeps all imported host and accelerated SSL certificates and private keys

Certificates and private keys encrypted with user pass-phrase:

‒ When secure store is being initialized first time (initialization)

‒ After CM device reloads to open secure store (opening)

CM secure store must be open to synchronize configuration between SSL capable CM and WAVEs

Upon reboot, if CM detects the secure store is initialized but not open, a critical alarm is raised


E-MAPI AO Overview

New in WAAS v5.0

Preserves end-to-end security with Kerberos

Operational consistency with MS infrastructure

Consistent across version changes of MS Exchange

[Figure: Outlook Client, Branch WAE, WAN, DC WAE, Exchange Server and KDC/AD/DC. Kerberos/NTLM on the client side and on the server side; Send “session key” over the Transparent Secure Channel between the WAEs. Data: Original Data – Encrypted/Signed (client side), Optimized & Encrypted/Signed (WAN), Original Data – Encrypted/Signed (server side).]


E-MAPI AO Operation

[Figure: Outlook Client, Branch WAAS, WAN, Core WAAS, Exchange Server and Active Directory Controller (Kerberos KDC). Callouts: Encrypted MAPI Request; Grant WAE “Workstation” account Key permission; Securely transfer key to remote branch; Kerberos session key allows access to Encrypt/Read/Sign Data. Segments: Application Data: Encrypted, Authentication: Kerberos (client side); Application Data: Optimized, Encrypted, Authentication: Kerberos (WAN-Secure); Application Data: Encrypted, Authentication: Kerberos (server side).]


E-MAPI Active Directory Integration

[Figure: deployment work flows for a Workstation Account and a User Account. Panel titles: “POC and Commercial Deployment Work Flow with Admin Account” and “Enterprise Deployment Work Flow” (callout: Require Active Directory team involvement). Step labels: Set Time, DNS and Domain info; Join WAE to Domain; Enter User in WAE; Create User in AD; Grant WAVE Key Permission; Set WAVE to Use M/A; Enter User in WAVE; Ready!]


E-MAPI AO Configuration

Requirements

WAVE requires DNS configuration to resolve AD domain queries.

All WAVEs should be NTP Time Synchronised with the AD domain

AD Provisioning

User account identity - account created in the AD domain and provisioned on the WAVE

Machine account identity - WAVE to join the AD domain.

Domain Controller to delegate read only access for the root of the AD DB to the WAVE identity account

CM Configuration

Enable E-MAPI AO through CM


Citrix XenApp and XenDesktop Support

Zero-touch deployment, auto-interoperability with ICA encryption & compression

High Performance virtual desktops

No changes to clients

No changes to servers

[Figure: Branch Office and Data Centre across the WAN, Transparent Handshake between the WAAS devices, WAAS 4.5]

Cisco WAAS 4.5.1 is jointly tested, validated, supported and verified as a Citrix Ready™ solution


Citrix ICA AO Overview

[Diagram labels: Branch Clients, WAAS, WAN, WAAS, Citrix Hosting Infrastructure, Virtual Desktops, HDX Mediastream, HDX with ICA, CGP / Session Reliability]

No changes to client configurations

ICA Optimization enabled by default

No changes to server-side configurations


Citrix ICA AO Deployment Guidelines

Disable CGP unless needed for lossy links such as satellite

Use Client Side Rendering for HDX Mediastream for Flash where possible for optimal end user experience

Use Direct Print where possible for optimal print performance

When using Redirected Print Mode, ensure Printer Redirection bandwidth and printer redirection bandwidth percentage settings are set to default (0)

DRE Caching is more effective with a greater number of users


WAAS Sizing Guidelines


WAVE - Platform Performance (4.5)

| Metric | SRE-7X0-S | SRE-7X0-M | SRE-9X0-S | SRE-9X0-M | SRE-9X0-L | 294-4G | 294-8G | 594-6G | 594-12G | 694-16G | 694-24G | 7541 | 7571 | 8541 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WAN Bandwidth (Mbps) | 20 | 20 | 50 | 50 | 50 | 10 | 20 | 50 | 100 | 200 | 200 | 500 | 1000 | 2000 |
| Optimized TCP Connections | 200 | 500 | 200 | 500 | 1000 | 200 | 400 | 750 | 1300 | 2500 | 6000 | 18k | 60k | 150k |
| Optimized LAN Throughput (Mbps) | 200 | 200 | 300 | 300 | 300 | 100 | 150 | 250 | 300 | 450 | 500 | 1000 | 2000 | 4000 |
| Total Disk Capacity (GB) | 500 | 500 | 500 | 500 | 500 | 250 | 250 | 500 | 500 | 600 | 600 | 2250 | 3150 | 4200 |
| DRE Disk Capacity (GB) | 80 | 80 | 120 | 120 | 120 | 40 | 55 | 80 | 120 | 120 | 200 | 500 | 1000 | 2000 |
| CIFS Disk Capacity (GB) | 57 | 57 | 95 | 95 | 95 | 75 | 75 | 100 | 100 | 100 | 100 | 225 | 225 | 300 |
| Maximum LAN Video Streams | 40 | 150 | 40 | 150 | 300 | 40 | 80 | 150 | 300 | 400 | 1000 | 1000 | 1000 | 1000 |

Rows with values for only some platforms (values in slide order):

Virtual Blades Supported: 2 2 2 4 4 6

Total Virtual Blade Disk Capacity: 60 60 175 175 180 180

Peer Fan Out: 50 100 150 300 700 1400 2800

CM Managed Devices: 250 250 1000 1000 2000 2000


vWAAS - Platform Performance (4.5)

| Metric | vWAAS-200 | vWAAS-750 | vWAAS-6000 | vWAAS-12000 | vCM-100N | vCM-2000N |
|---|---|---|---|---|---|---|
| Number of vCPU | 1 | 2 | 4 | 4 | 2 | 4 |
| Virtual Memory (GB) | 2 | 4 | 8 | 12 | 2 | 8 |
| Virtual Disk Datastore (GB) | 160 | 250 | 500 | 750 | 250 | 600 |
| Target WAN Bandwidth (Mbps) | 10 | 50 | 200 | 310 | - | - |
| Optimized TCP Connections | 200 | 750 | 6000 | 12000 | - | - |
| Optimized LAN Throughput (Mbps) | 100 | 250 | 500 | 1000 | - | - |
| DRE Disk Capacity | 50 | 95 | 320 | 450 | - | - |
| CIFS Disk Capacity | 75 | 95 | 95 | 175 | - | - |
| Max LAN Video Streams | 40 | 150 | 1000 | 1000 | - | - |
| CM Managed Devices | - | - | - | - | 100 | 2000 |

Peer Fan-out (values in slide order): 50 300 1400


Wide Area Application Services

Ease of Enterprise-Wide Deployment

Transparent Secure Application Delivery

Secure and Seamless Cloud Connectivity

Lower Footprint and TCO

Superior End-User Experience
