BRKAPP-2005
Deploying Cisco Wide Area Application Services (WAAS)
www.ciscolivevirtual.com
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-2005 2
Agenda
WAAS Overview
WAAS Installation and Configuration
Network Interception
WAAS Application Optimiser (AO) Deployments
WAAS Sizing Guidelines
WAAS Overview
WAAS Helps To Accelerate Top-of-mind CIO Initiatives
Initiatives addressed: VDI & BYOD, Video, Cloud, App Rollouts, WAN Refresh
Single box solution addresses VoD and Live Streaming
Solutions for Private and Public Cloud
Industry leading app performance with NEW appliances
100% ISR G2s ship WAAS-ready
SRE provides flexible options
Application Delivery Challenges
LAN Connectivity (client and server on the same LAN switch)
High bandwidth
Low latency
Reliability
Round Trip Time ~ 0ms
WAN Connectivity (client and server separated by the WAN)
Latency
Low bandwidth
Congestion
Packet Loss
Round Trip Time ~ Many milliseconds
Cisco WAAS: WAN Optimisation Solution
Figure: WAAS components across Branch Office, Regional Office and Data Centre or Private Cloud, connected over the WAN
Branch Office: WAAS Services Ready Engine; WAAS Express; WAAS Appliance
Regional Office: WAAS Appliance
Data Centre or Private Cloud: WAAS Appliances; vWAAS on VMware ESXi alongside server VMs (UCS/x86 server, Nexus 1000v vPath, Nexus 1000v VSM, FC SAN)
Virtual Private Cloud: vWAAS
WAAS Central Managers (CMs)
WAAS Product Portfolio
Figure: portfolio positioned from Tele Worker through Small, Medium and Large Branch to Small-Medium Data Centre and Data Centre & Campus
WAAS Appliances: WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541
WAAS ISR Modules: SM-SRE-7X0, SM-SRE-9X0
WAAS Express: ISR platforms 890, 1941/2901, 29xx, 39xx
vWAAS: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000
WAAS Mobile
Next Generation WAVE Appliances
Purpose built hardware
Optional I/O modules including Optical and 10Gbps Ethernet
Up to 2 Gbps optimised throughput
Up to 8 Virtual Blades (WAVE-694)
WAAS Context Aware Cache Architecture
App Aware Cache Manager optimises cache behaviour based upon traffic directionality
Per Peer Signatures provide fault isolation, prevent branch starvation and enable lowest latency data store access
CIFS Object Cache includes File Pre-positioning; ideal for high latency / low BW links
Adaptive DRE Cache with Unified Data Store: a single data store (disk) for all peers, with per-peer signatures held in memory (Peer 1 to Peer n)
App Policy Controlled:
Uni-Directional Traffic is only written to the destination cache; no cache consumption at source
Bi-Directional Traffic is written to both caches
Introduced in WAAS 4.4
Citrix XenApp and XenDesktop Support
No changes to clients, no changes to servers
Transparent handshake between Branch Office and Data Centre WAAS across the WAN
Zero-touch deployment, auto-interoperability with ICA encryption & compression
High performance virtual desktops
Introduced in WAAS 4.5
Cisco WAAS 4.5.1 is jointly tested, validated, supported and verified as a Citrix Ready™ solution
Session and Transport Layer Optimisation
Figure: OSI layers on Client, WAAS 1, WAAS 2 and Host. Each WAAS device runs an Application Optimiser (AO) above TFO over its Network, Data Link and Physical layers; the origin connection runs Client to WAAS 1, the optimised connection crosses the WAN between WAAS 1 and WAAS 2, and a second origin connection runs WAAS 2 to Host.
WAAS Application Policy defines: L4: basic optimisation; L5-7: latency mitigation
TFO vs Regular TCP in the WAN
Figure: congestion window (cwnd) against time (RTT) through Slow Start and Congestion Avoidance, TFO compared with standard TCP
Cisco TFO provides significant throughput improvements over standard TCP implementations
TFO uses RFC2018, RFC1323, RFC3390 and BIC-TCP
http://netsrv.csc.ncsu.edu/export/bitcp.pdf
Advanced Compression
Figure: DRE with a synchronised compression history on each side of the WAN, followed by LZ compression
Data Redundancy Elimination (DRE)
• Application-agnostic compression
• Up to 100:1 compression
• WAAS 4.4: Context Aware DRE
Persistent LZ Compression
• Session-based compression
• Up to 10:1 compression
• Works even during cold DRE cache
Application-Specific Acceleration
Application/Protocol Awareness - Latency mitigation
LAN-like Performance
Application Optimisers (AOs) – CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI
Licensed, developed and validated with application vendors
Benefits (Remote Office and Data Centre across the WAN):
• Object Cache Verification
• Security and Control
• WAN Optimisation
• WAN Bandwidth Savings
• Server Safely Offloaded
• Fewer Servers Needed
• Power/Cooling Savings
• LAN-like Performance
Network Transparency
Packets between each network are routed as normal.
WAAS auto-discovery will find WAVEs in path
WAAS Network Transparency (same L3/L4 headers) allows application acceleration components to maintain compliance with existing network features:
Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting
Security functions (ACLs, firewall policies)
Figure: networks A/24 to E/24 connected across the WAN with WAVEs in path
Auto Discovery - Two WAVE Configuration
In-band signalling with TCP option 0x21
WAVE (B) closest to client (A) and WAVE (C) closest to server (D)
Connection optimised between WAVE (B) and (C)
WAVE shifts optimised TCP SEQ number by 2 billion
If a WAVE that was optimising fails:
Hosts will see segments with SEQ/ACK numbers that are out of range
Host will reset (RST) connection
Client will re-establish a new TCP connection
Handshake (client A, WAVE B, WAVE C, server D):
A:D SYN (A to B, origin connection) -> A:D SYN(OPT) (B to C, optimised connection) -> A:D SYN(OPT) (C to D, origin connection)
D:A SYN/ACK (D to C) -> D:A SYN/ACK(OPT) (C to B) -> D:A SYN/ACK (B to A)
Auto-Discovery – Multi WAVE Configuration
Optimised connection established between WAVE (B) and WAVE (D)
Intermediate WAVE (C) sees TCP option in both directions and switches to Pass Through (PT)
Each WAVE supports 10X optimised connection limit for Pass Through connections
Handshake (client A, WAVEs B, C and D, server E):
A:E SYN -> A:E SYN(OPT) -> A:E SYN(OPT) -> A:E SYN(OPT)
E:A SYN/ACK -> E:A SYN/ACK(OPT) -> E:A SYN/ACK(OPT) -> E:A SYN/ACK
A:E ACK -> A:E ACK(OPT) -> A:E ACK(OPT) -> A:E ACK
Origin connection A to B, optimised connection B to D (C in pass through), origin connection D to E
WAAS Sizing Guidelines
WAVE - Platform Performance (4.5)
Platforms: SRE-7X0-S, SRE-7X0-M, SRE-9X0-S, SRE-9X0-M, SRE-9X0-L, 294-4G, 294-8G, 594-6G, 594-12G, 694-16G, 694-24G, 7541, 7571, 8541
Per platform: WAN Bandwidth (Mbps) / Optimised TCP Connections / Optimised LAN Throughput (Mbps) / Total Disk Capacity (GB) / DRE Disk Capacity (GB) / CIFS Disk Capacity (GB) / Maximum LAN Video Streams
SRE-7X0-S: 20 / 200 / 200 / 500 / 80 / 57 / 40
SRE-7X0-M: 20 / 500 / 200 / 500 / 80 / 57 / 150
SRE-9X0-S: 50 / 200 / 300 / 500 / 120 / 95 / 40
SRE-9X0-M: 50 / 500 / 300 / 500 / 120 / 95 / 150
SRE-9X0-L: 50 / 1000 / 300 / 500 / 120 / 95 / 300
294-4G: 10 / 200 / 100 / 250 / 40 / 75 / 40
294-8G: 20 / 400 / 150 / 250 / 55 / 75 / 80
594-6G: 50 / 750 / 250 / 500 / 80 / 100 / 150
594-12G: 100 / 1300 / 300 / 500 / 120 / 100 / 300
694-16G: 200 / 2500 / 450 / 600 / 120 / 100 / 400
694-24G: 200 / 6000 / 500 / 600 / 200 / 100 / 1000
7541: 500 / 18k / 1000 / 2250 / 500 / 225 / 1000
7571: 1000 / 60k / 2000 / 3150 / 1000 / 225 / 1000
8541: 2000 / 150k / 4000 / 4200 / 2000 / 300 / 1000
Rows given for a subset of the platforms only:
Virtual Blades Supported: 2 2 2 4 4 6
Total Virtual Blade Disk Capacity: 60 60 175 175 180 180
Peer Fan Out: 50 100 150 300 700 1400 2800
CM Managed Devices: 250 250 1000 1000 2000 2000
vWAAS - Platform Performance (4.5)
Platforms: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000, vCM-100N, vCM-2000N
Per platform: Number of vCPU / Virtual Memory (GB) / Virtual Disk Datastore (GB)
vWAAS-200: 1 / 2 / 160
vWAAS-750: 2 / 4 / 250
vWAAS-6000: 4 / 8 / 500
vWAAS-12000: 4 / 12 / 750
vCM-100N: 2 / 2 / 250
vCM-2000N: 4 / 8 / 600
Per vWAAS platform: Target WAN Bandwidth (Mbps) / Optimised TCP Connections / Optimised LAN Throughput (Mbps) / DRE Disk Capacity (GB) / CIFS Disk Capacity (GB) / Max LAN Video Streams
vWAAS-200: 10 / 200 / 100 / 50 / 75 / 40
vWAAS-750: 50 / 750 / 250 / 95 / 95 / 150
vWAAS-6000: 200 / 6000 / 500 / 320 / 95 / 1000
vWAAS-12000: 310 / 12000 / 1000 / 450 / 175 / 1000
Peer Fan-out (three values given across the vWAAS platforms): 50 300 1400
CM Managed Devices: vCM-100N 100, vCM-2000N 2000
WAAS Deployment Installation and Configuration
WAAS Deployment Overview
1. Initial setup is done using Console CLI – Setup Script recommended
2. License configuration is required
3. Always bring up the Central Manager (CM) first
– New WAAS devices are auto-registered to WAAS CM and become a member of AllWAASGroup
– When creating an AccelerationGroup make sure you apply the correct application policies (e.g. set default one) and auto-membership for this group is enabled
4. Next bring up all Application Accelerators
5. Configure traffic interception (inline, WCCP etc)
– Start traffic interception on Core or Central devices followed by Remote Devices
6. Further configuration should be done from within the CM
WAAS Setup Script
Prompted on boot of factory default box to run setup script or execute ‘setup’
Script prompts for configuration to communicate, network integrate, manage, and license the WAE
WAVE default mode is Accelerator. Change to CM requires reboot
Optional Proactive Diagnostics
Deploying WAAS Central Manager
Central Management System (CMS)
CMS process runs on all WAVEs
Bidirectional configuration synchronisation between CM and accelerators
All management communication uses HTTPS (self-signed, device-specific certificates and keys)
Central Manager collects health and monitoring data every 5 min by default
CMS provides means to backup and restore configuration
sre700#sho cms info
Device registration information :
Device ID=11506
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.42.40.1
Registered with WAAS Central Manager = 10.42.40.1
Status = Online
Time of last config-sync = Thu Dec 29 17:56:19 2011
CMS services information :
Service cms_ce is running
CM Configuration
Device located in Data Centre
Setup script recommended
Non-default configuration
Device mode
Hostname
Primary-interface
IP configuration
Date/time configuration
Central Management System (CMS)
CMS must be enabled to access the CM GUI
Reload required (role change)
Optionally use standby interface to dual-home to two switches
device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
ip address 10.1.1.31 255.255.255.0
exit
ip default-gateway 10.1.1.254
ip name-server 10.1.1.21
clock timezone AEST 10 0
ntp server ntp.foo.com
cms enable
copy run start
WAAS CM Dashboard
https://cm-ipaddress:8443
Group Configuration Best Practices
AllWAASGroup: DNS; SNMP; Date/Time > NTP Server | Time Zone; Login Access Control > SSH | MoD | Exec Timeout; Authentication; System Log Settings; Storage > Disk Error Handling
SSLDevicesGroup: SSL Acceleration
EdgeDevicesGroup: Transaction logs; Prepositioning; Disk encryption; Flow Agent
AccelerationGroup: Application Policies (Optional)
WAAS Monitoring
Dashboard Aggregate Statistics
Optimisation Summary
Connection Trending
Application Acceleration
HTTP, CIFS, NFS, MAPI, Video, SSL, Print, Citrix ICA, E-MAPI
Deploying Physical Appliance WAE/WAVE
Basic Configuration – Accelerator
Default configuration
Hostname
Primary-interface
IP configuration
CMS enable
CMS required to register with CM
Use of hostname for CM recommended
Interface HA Modes
Standby Interface
PortChannel Interface
hostname branch1-wave
primary-interface GigabitEthernet 0/0
interface GigabitEthernet 0/0
ip address 10.1.100.101 255.255.255.0
! Optionally configure speed and duplex
exit
ip default-gateway 10.1.100.254
ip name-server 10.1.1.21
! Implement DNS for CM mobility
central-manager address cm1.foo.com
cms enable
copy run start
Onboard Ports
GigabitEthernet 0/0
GigabitEthernet 0/1
I/O Modules
GigabitEthernet1/0, 1/1… 1/7 (Standalone mode)
InlineGroup1/0, 1/1, 1/2, 1/3
(Inline mode)
TenGigabitEthernet 1/0, 1/1
WAVE Port Allocation
WAVE-INLN-GE-4SX
WAVE-INLN-GE-4T
WAVE-10GE-2SFP
WAVE-INLN-GE-8T
Standby Interface
Must be layer 2 path between the two WAVE ethernet ports (Gi 0/0 and Gi 0/1)
MAC only on in-use interface
Primary preempts
Gratuitous ARPs on failover
WAVE(config)#interface Standby 1
WAVE(config-if)#ip address 10.1.2.100 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#standby 1 primary
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#standby 1
WAVE(config-if)#exit
WAVE(config)#primary-interface standby 1
WAVE#show interface standby 1
Interface Standby 1 (2 physical interface(s)):
GigabitEthernet 0/0 (active)(primary)(in use)
GigabitEthernet 0/1 (active)
PortChannel Interface
IP Address defined on PortChannel interface
Default Load Balance Method: Source-Destination IP and Port
LACP is not currently supported. Hard code Speed/Duplex
Interface configs MUST MATCH on both member ports (Gi 0/0 and Gi 0/1) and on the switch side
WAVE(config)# interface PortChannel 1
WAVE(config-if)#no shut
WAVE(config-if)#ip address 10.1.1.31 255.255.255.0
WAVE(config)# interface GigabitEthernet 0/0
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
CM Management
Device Group Assignment
New WAAS devices are automatically added to AllWAASGroup
Add the new device to other (e.g. Edge, SSL etc) groups where necessary
Deploying Virtual Appliance vWAAS
vWAAS Overview
vWAAS is a virtualised WAAS offering on top of VMware ESX/ESXi running on UCS/x86 servers
Target Use Cases: Private Cloud (Enterprise DC); Virtual Private Cloud; Hybrid Cloud
Interception Methods Supported: Traditional methods such as WCCP; Nexus 1000v w/ vPath
Storage used by vWAAS: Direct Attached Storage (DAS); FibreChannel SAN; iSCSI SAN; NAS not currently supported
vWAAS Interception Options
Figure: vWAAS VMs on VMware ESX/ESXi (UCS/x86 servers) behind Cat6K/N7K and Nexus 2K/5K, intercepted either by WCCP or by Nexus 1000V/VN-Link vPath
WCCP Interception: Multiple vWAAS VMs can exist in the same WCCP cluster
vPath Interception: Based on port-profile policy configured in Nexus 1000v; Bidirectional Interception (no IN/OUT configuration); Pass-through traffic automatic bypass
vWAAS Virtual Appliance (OVF) preconfigured with disk, memory, CPU, NICs and other VMware configuration settings
vWAAS-200, 750, 6000, 12000, EVAL
vCM-100N, 2000N
System Requirements
VMware vSphere 4.x/5.x ESXi Hypervisor
VMware vCenter server & vSphere client 4.x/5.x
Cisco UCS or other x86 Server w/ 64 bit CPU on VMware HCL
Ensure Intel VT is enabled in the host’s BIOS
Thick provisioned storage
vPath (optional) requires Nexus 1000v v4.2(1)SV1(4) or later
vWAAS Installation
vWAAS Configuration
vWAAS configuration is the same as for WAVE
Connect to the Console through vCenter
Use of Setup Script is recommended
Some differences you will notice
Interface “virtual 1/0”
Interception “other” (for vPATH)
Network Interception Inline Mode
Inline Interception Overview
Simple Plug-and-Play Deployment
Physical in-path deployment between switch and router
Mechanical fail-to-wire
High Availability
Two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing
Serial in-path clustering with fail-over
Seamless Transparent Integration
Transparency and automatic discovery
802.1q VLAN trunking support
Supported on all WAVE appliance models
WAVE-INLN-GE-4SX WAVE-INLN-GE-4T WAVE-10GE-2SFP WAVE-INLN-GE-8T
Serial Inline Cluster
Simple High Availability Design for Small to Medium Data Centres
HA supported by secondary WAVE
Not intended for scaling, only HA
Design requires 4 inline groups (8 ports) per WAVE
Configure and manage via CM
Auto peer configuration
Location based reporting
Interception Access List supported
Bypass for non-relevant traffic
Figure: two WAVEs in series between WAN1/WAN2 and the LAN
Inline Non-Redundant Branch
Router side:
Crossover cable from router to engine
Fix speed and duplex settings for Fast Ethernet connections
Ensure the router and switch have matching speed and duplex
Switch side:
Straight through cable from engine to switch
Ensure the router and switch have matching speed and duplex
Implement portfast for faster recovery
WAVE:
One Inline port group
Ports fail-to-wire upon hardware, software, or power failure
Support for interception of 802.1q trunks
Use Gi0/0 as primary interface
Network Interception WCCP Mode
Transparent Off-path Interception
WCCPv2 Interception
Transparent network integration
Active/active clustering supports up to 32 WAVEs and 32 routers with automatic load-balancing, load redistribution, fail-over, and fail-through operation
Near-linear scalability and performance improvement when adding devices
Policy-Based Routing (PBR) Interception
Routing of flows to be optimised through a Cisco WAVE as a next-hop router
Active/passive clustering provides high availability and failover using IP SLA as a tracking mechanism
HA only, no load balancing
Figure: WCCP cluster of WAVEs at the WAN edge
WCCP Functions
INTERCEPT – Identify packets for WCCP processing (in or out)
ASSIGN – Select the target WAVE
REDIRECT – Router/switch sends the packet to the WAVE
RETURN – For unprocessed traffic, WAVE returns the packet to the router
EGRESS – For processed/optimised traffic, WAVE egresses the packet back to the router
Intercept takes place in both directions for WAAS
ip access-list extended waas-redirect
remark WAAS WCCP Redirect List
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq bgp
deny tcp any any eq tacacs
deny tcp any any eq 2000
! Reverse Direction
deny tcp any eq telnet any
deny tcp any eq 22 any
deny tcp any eq 161 any
deny tcp any eq 162 any
deny tcp any eq 123 any
deny tcp any eq bgp any
deny tcp any eq tacacs any
deny tcp any eq 2000 any
!
permit tcp any <<branch subnet>>
permit tcp <<branch subnet>> any
! Implicit DENY ALL
WCCP Redirect-List: matches traffic for interception
Permit all applications but deny specific protocols
Avoid redirection of management traffic with a universal ACL
Apply bidirectional ACL to service groups 61 and 62
Create the redirect ACL before enabling WCCP service groups 61 and 62
Do not enable logging on WCCP redirect ACL (performance)
Optionally permit specific IP subnets
Optimise ACL to minimise TCAM usage
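To see which flows the redirect-list above hands to WCCP, here is an added Python evaluation of that ACL (example code, not Cisco IOS): first-match semantics, the deny entries in both directions, and the implicit deny at the end. The branch subnet 10.1.100.0/24 and the sample flows are constructed stand-ins for the <<branch subnet>> placeholder.

```python
"""Evaluate TCP flows against the waas-redirect list (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed stand-in for the <<branch subnet>> placeholder in the ACL.
BRANCH = ipaddress.ip_network("10.1.100.0/24")
# telnet, 22 (ssh), 161/162 (snmp), 123 (ntp), bgp, tacacs, 2000 - in the list's order
MGMT_PORTS = [23, 22, 161, 162, 123, 179, 49, 2000]


@dataclass(frozen=True)
class Ace:
    """One entry: permit/deny tcp <src> [eq sport] <dst> [eq dport]."""
    action: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def waas_redirect_acl(branch: ipaddress.IPv4Network = BRANCH) -> List[Ace]:
    """Build the waas-redirect list in the order the slide gives it."""
    acl = [Ace("deny", ANY, None, ANY, p) for p in MGMT_PORTS]   # deny tcp any any eq <p>
    acl += [Ace("deny", ANY, p, ANY, None) for p in MGMT_PORTS]  # ! Reverse Direction
    acl.append(Ace("permit", ANY, None, branch, None))           # permit tcp any <<branch subnet>>
    acl.append(Ace("permit", branch, None, ANY, None))           # permit tcp <<branch subnet>> any
    return acl                                                    # ! Implicit DENY ALL


def evaluate(acl: List[Ace], src: str, sport: int, dst: str, dport: int) -> str:
    """First matching ACE decides; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (s in ace.src and d in ace.dst
                and (ace.sport is None or ace.sport == sport)
                and (ace.dport is None or ace.dport == dport)):
            return ace.action
    return "deny"


def redirected(src: str, sport: int, dst: str, dport: int,
               acl: Optional[List[Ace]] = None) -> bool:
    """True when WCCP redirects the packet (service groups 61 and 62 share this list)."""
    return evaluate(acl or waas_redirect_acl(), src, sport, dst, dport) == "permit"


if __name__ == "__main__":
    # constructed flows: CIFS from the branch, its return traffic, SSH to the branch
    # router (excluded in both directions), and a host outside the branch subnet
    for flow in [("10.1.100.10", 50000, "10.1.1.21", 445),
                 ("10.1.1.21", 445, "10.1.100.10", 50000),
                 ("10.1.100.10", 50001, "10.1.100.254", 22),
                 ("10.2.2.2", 1000, "10.1.1.21", 445)]:
        print(flow, "redirected" if redirected(*flow) else "not redirected")
```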
Default Service Groups 61 and 62 (Multiple SGs now supported)
Redirect 61 FROM Clients (balance on Src IP)
Redirect 62 FROM Servers (balance on Dst IP)
Always use Redirect IN wherever possible
Never use Redirect OUT on Catalyst switch
Redirect OUT can be used on ISR/ISR G2, ASR, Nexus 7000 if required by design
Avoid WCCP LOOPS! (more on this later)
WCCP Redirection
Figure: service group 61 on the client-facing interface and 62 on the WAN-facing interface of each router
WCCP Assignment – Hash or Mask
Router uses assignment method to determine which WAVE to redirect traffic to
Hash Assignment
Byte level XOR computation divided into 256 buckets
Default for SW based routing platforms (eg ISR/ISR G2)
All buckets allocated evenly across WAVEs (by default)
Mask Assignment
Mask - Bit level AND divided up to 128 buckets (7 bits)
Optimised for hardware based routing platforms (eg Nexus, Catalyst)
Always keep Mask size as small as possible
Number of buckets (and size of mask) based on number of WAVEs in cluster
2 WAVEs – 1 bit mask eg 0x1 (buckets 0 and 1)
8 WAVEs – 3 bit mask eg 0x7 (buckets 000 to 111)
Hash Assignment
Hash applied to Source OR Destination IP based on Service Group (61/62)
Assignment matches in both directions
Figure: client 10.1.1.1 to server 20.1.1.1. Service group 61 hashes Src 10.1.1.1 towards the WAN; service group 62 hashes Dst 10.1.1.1 on the return (Src 20.1.1.1, Dest 10.1.1.1). Hash buckets 0-127 map to WAVE-A and 128-255 to WAVE-B in both directions.
Mask Assignment
Mask applied to Source OR Destination IP based on Service Group (61/62)
Assignment matches in both directions
Figure: four WAVEs with Mask 0x3 (2 bits), client 10.1.1.1 to server 20.1.1.1. Service group 61 masks Src 10.1.1.1 towards the WAN; service group 62 masks Dst 10.1.1.1 on the return (Src 20.1.1.1, Dest 10.1.1.1). Buckets 00, 01, 10 and 11 map to WAVE-A, WAVE-B, WAVE-C and WAVE-D in both directions.
Mask Assignment Examples
Branch
ISR G2 - Hash or Mask supported (Hash more efficient in SW)
Use Hash or keep Mask small (typically only one or two bits)
If balancing across multiple engines with Mask, set mask to match host bits
Data Centre
Assuming /24 allocation per site (or per subnet)
Set mask to match third octet (subnet) with mask range 0x100 to 0x7F00
Two WAVE Cluster:
Mask 0x3 = 0000:0000.0000:0000.0000:0000.0000:0011
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 01 -> WAVE-B
Eight WAVE Cluster:
Mask 0x700 = 0000:0000.0000:0000.0000:0111.0000:0000
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 001 -> WAVE-B
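The mask arithmetic above, worked through as an added Python example (not Cisco's implementation): it packs the masked bits into a bucket number, enforces the 7-bit limit, builds the 1-bit branch mask and the third-octet data-centre masks, and shows why service groups 61 and 62 place both directions of a flow on the same WAVE. The round-robin bucket-to-WAVE allocation is an assumption chosen to reproduce the slide's results; a router's real bucket table may be distributed differently.

```python
"""WCCP mask assignment as described in the slides (added example, not Cisco code)."""
import ipaddress
import math
from typing import List, Tuple


def mask_bucket(ip: str, mask: int) -> int:
    """Bucket index of an IPv4 address under a WCCP mask.

    The router ANDs the address with the mask; the set mask bits, read low to
    high, form the bucket number. Mask 0x3 on 10.1.1.1 gives 0b01 and
    mask 0x700 on 10.1.1.1 gives 0b001, matching the two slide examples.
    """
    masked = int(ipaddress.IPv4Address(ip)) & mask
    bucket, out_bit = 0, 0
    for bit in range(32):
        if mask >> bit & 1:                 # only mask bits contribute
            if masked >> bit & 1:
                bucket |= 1 << out_bit
            out_bit += 1
    return bucket


def bucket_count(mask: int) -> int:
    """Buckets a mask creates: 2 ** (bits set), capped at 7 bits / 128 buckets."""
    bits = bin(mask).count("1")
    if bits > 7:
        raise ValueError("WCCP mask assignment allows at most 7 mask bits")
    return 1 << bits


def smallest_mask(n_waves: int, shift: int = 0) -> int:
    """Smallest mask with enough buckets for n_waves (1 bit for 2, 3 bits for 8).

    shift=8 places the bits on the third octet, producing the 0x100..0x7F00
    masks the slides recommend for a data centre with one /24 per site.
    """
    bits = max(1, math.ceil(math.log2(n_waves)))
    mask = ((1 << bits) - 1) << shift
    bucket_count(mask)                      # validates the 7-bit limit
    return mask


def assign(ip: str, mask: int, waves: List[str]) -> str:
    """Map a bucket to a WAVE.

    Assumption: buckets are dealt round-robin across the cluster, which matches
    the slide's 'allocated evenly' and its result (0x3, 10.1.1.1 -> 01 -> WAVE-B).
    """
    return waves[mask_bucket(ip, mask) % len(waves)]


def assign_packet(src: str, dst: str, service_group: int,
                  mask: int, waves: List[str]) -> str:
    """Service group 61 masks the source IP, service group 62 the destination IP."""
    if service_group == 61:
        return assign(src, mask, waves)
    if service_group == 62:
        return assign(dst, mask, waves)
    raise ValueError("expected service group 61 or 62")


def flow_waves(client: str, server: str, mask: int,
               waves: List[str]) -> Tuple[str, str]:
    """WAVE chosen for each direction of one TCP connection.

    61 sees client->server packets (src = client); 62 sees server->client
    packets (dst = client). Both mask the client address, so both directions
    land on the same WAVE and the optimised connection stays symmetric.
    """
    forward = assign_packet(client, server, 61, mask, waves)
    reverse = assign_packet(server, client, 62, mask, waves)
    return forward, reverse


if __name__ == "__main__":
    two = ["WAVE-A", "WAVE-B"]
    eight = ["WAVE-%s" % c for c in "ABCDEFGH"]
    print("0x3   on 10.1.1.1 -> %02b -> %s" % (mask_bucket("10.1.1.1", 0x3), assign("10.1.1.1", 0x3, two)))
    print("0x700 on 10.1.1.1 -> %03b -> %s" % (mask_bucket("10.1.1.1", 0x700), assign("10.1.1.1", 0x700, eight)))
    print("both directions:", flow_waves("10.1.1.1", "20.1.1.1", 0x3, two))
    # constructed data-centre sites 10.1.0.0/24 .. 10.1.7.0/24, one /24 per site
    for site in range(8):
        print("10.1.%d.0/24 -> %s" % (site, assign("10.1.%d.1" % site, 0x700, eight)))
```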
Redirect, Return and Egress Methods
WCCP specifics are configured on the WAVE (WCCP Client) and MUST match the WCCP router's capabilities
WCCP Redirect Methods
WCCP GRE - Entire packet inside GRE tunnel to WAVE (default)
Layer 2 - Frame Destination MAC address rewritten to WAVE MAC
WCCP Return Methods
WCCP GRE - GRE packet returned to Router
WCCP Layer 2 - Frame rewritten to Router MAC
WCCP Egress Methods
IP Forward – WAVE ARPs for configured Default Gateway (default)
WCCP negotiated – Flow sent back inside WCCP GRE tunnel to Router
Generic GRE – Flow sent back inside preconfigured Generic GRE tunnel to Switch (specific for HW assisted interception on Catalyst 6500)
Layer 2 Methods
WAVE must be L2 adjacent to router
L2 Redirect: Rewrite frame dest MAC to WAVE MAC address; Transmit frame towards WAVE
L2 Return: Rewrite frame dest MAC to Router MAC address; Transmit frame towards router
L2 Egress: Rewrite frame dest MAC to Router MAC address; Transmit frame towards redirecting router
IP Forwarding Egress: WAVE ARPs for default gateway; Forward frame as IP packet to gateway address
Today: Redirect: L2, Return: L2, Egress: IP FWD
WAAS v5.0 (Future): Redirect: L2, Return: L2, Egress: L2
Layer 3 or GRE Methods
WAVE must be L3 reachable
WCCP GRE Redirect (default): Encapsulate frame in GRE header; Transmit GRE packet to WAVE (Source: Router-ID IP)
WCCP GRE Return (negotiated): Encapsulate frame in GRE header; Transmit GRE packet to redirecting router (Destination IP: Router-ID)
WCCP GRE Egress: Encapsulate frame in GRE header; Transmit GRE packet to redirecting router (Destination IP: Router-ID); MUST USE Alternative Generic GRE on Catalyst 6500
Redirect: GRE, Return: GRE, Egress: GRE
Router/Switch Router-ID defaults to loopback or highest IP. Configurable with the "ip wccp source-address" command in ASR
WCCP Loop Avoidance
Common Loop Scenarios
Redirect Loop 1 - Cause: Default Egress Method is IP FWD; Solution: Configure WCCP GRE Egress
Redirect Loop 2 - Cause: Redirect OUT configured; Solution: Reconfigure to Redirect IN
Redirect Loop 3 - Cause: Redirect OUT configured; Solution A: Reconfigure to Redirect IN; Solution B: Configure Redirect-Exclude IN (ip wccp redirect exclude in)
WAAS Network Deployment WCCP - Platform Recommendations
Per platform: Assign / Redirect / Redirect List / Direction / Return / VRFs / IOS
Nexus 7000: Mask / L2 / L3/L4 ACL / In or Out / L2 / Supported / 4.2(1), 5.1(5)
ISR & 7200: Hash or Mask / GRE or L2 / Extended ACL / In or Out / GRE or L2 / Supported / 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M use L2/Mask
ASR 1000: Mask / GRE or L2 / Extended ACL / In or Out / L2 / Planned / XE3.1.0S, IOS 15.0(1)S
Cat 6500 and Cat 7600 Sup720/32: Hash or Mask / GRE or L2 / Extended ACL / In or Out / Generic GRE or L2 / Planned / 6500 12.2(33)SXH, 7600 12.2(18)SXF
Cat 6500 Sup2T: (Hash*) or Mask / GRE or L2 / Extended ACL / In (or Out*) / Generic GRE or L2 / Supported / 15.0(1)SY
Cat 4500: Mask / L2 only / No / In / L2 / N/A / <Sup6 12.2(50)SG1, Sup6 15.0(2)SG, Sup7 15.1(1)SG
Cat 3750: Mask / L2 only / Extended ACL (no deny) / In / L2 / N/A / 12.2(37)SE
This list is dynamic over time, see release notes for latest information
WAAS Configuration Example
wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2
"egress-method negotiated-return" enables GRE Egress; "wccp version 2" turns on WCCP, so enter it AFTER the rest of the configuration
WCCP Router Configuration
Router Global Configuration
Router(config)# ip cef
Router(config)# ip wccp 61 <optional-redirect-list acl-name>
Router(config)# ip wccp 62 <optional-redirect-list acl-name>
Router(config)# ip wccp version 2
Router Interface Configuration (in or out determined by topology)
Router(config-if)# ip wccp 61 redirect <in|out>
Router(config-if)# ip wccp 62 redirect <in|out>
Router(config-if)# ip wccp redirect exclude in
Figure: service group 61 on the LAN-facing interface and 62 on the WAN-facing interface of each router
Branch WCCP Configuration Example
Figure: branch router with the WAN on serial0 (service group 62 redirect in) and the LAN on gigabit0 (service group 61 redirect in); SRE-700 in slot sm1/0
Hash example
Router
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
ip wccp 61 redirect in
interface serial0
ip wccp 62 redirect in
WAVE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2
Mask example
Router
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
ip wccp 61 redirect in
interface serial0
ip wccp 62 redirect in
WAVE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1
wccp version 2
Looped Intercept Risk!
Data Centre Example – Single DC, WCCP at WAN Edge
WAVE or vWAAS Deployed
WAVE Registration – Loopback IP of router
ASR Router-ID Configured – Loopback IP
Single WCCP cluster – each WAVE to both routers
Assignment – Mask
Redirect – WCCP GRE
Return/Egress – WCCP GRE
Variable WCCP timers configured for fast convergence
Network
WAVEs on dedicated or shared VLAN
WAVEs could be vPC connected to Nexus access layer
Routed edge link with no WCCP
High Availability via WCCP
Maintains Symmetric Traffic Flows
Figure: two ASR 1000 WAN edge routers, each with WCCP registration from both WAVE/vWAAS devices
Data Centre Example – Multiple DC, WCCP at WAN Edge
WAVE or vWAAS Deployed
WAVE Registration – Loopback IP of router
ASR Router-ID Configured – Loopback IP
Single WCCP cluster – each WAVE to all edge routers (full mesh)
Assignment – Mask (0x300 or 0x700 for growth)
Redirect – WCCP GRE
Return/Egress – WCCP GRE
Variable WCCP timers configured
Network
WAVEs on dedicated or shared VLAN
WAVEs could be vPC connected to Nexus access layer
Routed edge link with no WCCP
High Availability via WCCP
Maintains Symmetric Traffic Flows
Figure: two data centres, each with two ASR 1000 WAN edge routers and two WAVE/vWAAS devices (WCCP registration not displayed)
Data Centre Example – Single DC, WCCP at Aggregation Layer
WAVE or vWAAS Deployed
WAVE Registration – Interface IP of router
ASR Router-ID Configured – Loopback IP
Single WCCP cluster – each WAVE to both routers
Assignment – Mask
Redirect – Layer 2
Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)
Network
WAVEs on dedicated VLAN – no redirect
All server VLAN SVIs – 62 Redirect IN
WAVEs could be vPC connected to Nexus access layer
L2 between Aggregation Switches
High Availability via WCCP
Maintains Symmetric Traffic Flows
Figure: two ASR 1000 WAN edge routers with L3 routed links to a pair of Nexus 7000 aggregation switches; both WAVE/vWAAS devices register with both switches
WCCP at Aggregation Layer
WAVE or vWAAS Deployed
WAVE Registration – Interface IP of router
ASR Router-ID Configured – Loopback IP
Single WCCP cluster – each WAVE to all agg switches (full mesh)
Assignment – Mask (0x300 or 0x700 for growth)
Redirect – Layer 2
Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)
Network
WAVEs on dedicated VLAN – no redirect
All server VLAN SVIs – service group 62 redirect in
WAVEs could be vPC connected
L2 between Aggregation Switches
Routed edge link
High Availability via WCCP
Maintains Symmetric Traffic Flows
(Diagram: two data centres behind the WAN, each with a pair of ASR 1000 edge routers, a pair of Nexus 7000 aggregation switches joined by an L2 trunk with L3 routed uplinks, and a pair of WAVE/vWAAS devices; WCCP registration not displayed)
Data Centre Example – Multiple DC
WAAS WCCP Deployment Configuration Best Practices
Registration
Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)
Use interface IP address if L2 adjacent to WCCP router
Use highest loopback address if not L2 adjacent to WCCP router
Software Platforms – ISR, ISR G2
GRE Redirect (Default)
Hash Assignment (Default)
Inbound Interception
"ip wccp redirect exclude in" on WCCP client interface (outbound interception only)
WAAS Egress Method: IP Forwarding
Hardware Platform – ASR, Nexus 7000, Catalyst 6500, 4500
L2 – Nexus 7000, Catalyst 6500, 4500, ASR
WCCP GRE Redirect – Catalyst 6500, ASR – if required for design
Mask Assignment – keep mask small
Inbound Interception
Do not use "ip wccp redirect exclude in" – Catalyst 6500
WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)
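The best practices above lend themselves to an automated design review. The following is an added example, not code from the Cisco deck: it encodes the registration, assignment, redirect and egress rules as checks over a design description, with field names, rule wording and the two sample designs being this example's own constructions.

```python
# Added example, not part of the Cisco deck: audit a WCCP/WAVE design
# description against the best practices listed above. Field names, rule
# wording and the sample designs are this example's own constructions.
SOFTWARE_PLATFORMS = {"ISR", "ISR G2"}
HARDWARE_PLATFORMS = {"ASR", "Nexus 7000", "Catalyst 6500", "Catalyst 4500"}
GRE_REDIRECT_OK = {"Catalyst 6500", "ASR"}


def ip_key(ip):
    """Numeric sort key so 'highest loopback' compares octet by octet."""
    return tuple(int(o) for o in ip.split("."))


def audit_wccp_design(d):
    """Return best-practice violations for one WAVE-to-router WCCP pairing."""
    findings = []
    reg = d["registration_ip"]
    if reg in d.get("virtual_gateway_ips", set()):
        findings.append("registration uses a virtual gateway (HSRP/VRRP/GLBP) address")
    if d["l2_adjacent"] and reg not in d["interface_ips"]:
        findings.append("L2-adjacent WAVE should register to the router interface IP")
    if not d["l2_adjacent"] and reg != max(d["loopback_ips"], key=ip_key):
        findings.append("non-adjacent WAVE should register to the highest loopback")
    plat = d["platform"]
    if plat in SOFTWARE_PLATFORMS:
        if d["assignment"] != "hash":
            findings.append("software platform: use hash assignment (default)")
        if d["redirect"] != "gre":
            findings.append("software platform: use GRE redirect (default)")
        if d["interception"] == "out" and not d.get("redirect_exclude_in"):
            findings.append("outbound interception needs 'ip wccp redirect exclude in'")
    elif plat in HARDWARE_PLATFORMS:
        if d["assignment"] != "mask":
            findings.append("hardware platform: use mask assignment")
        if d["redirect"] == "gre" and plat not in GRE_REDIRECT_OK:
            findings.append("WCCP GRE redirect only on Catalyst 6500 or ASR")
        if plat == "Catalyst 6500" and d.get("redirect_exclude_in"):
            findings.append("Catalyst 6500: do not use 'ip wccp redirect exclude in'")
        if d["egress"] == "generic-gre" and plat != "Catalyst 6500":
            findings.append("Generic GRE egress only on Cat6k PFC-based systems")
    return findings


# Constructed sample: aggregation-layer Nexus 7000 design matching the deck.
GOOD_DESIGN = {"platform": "Nexus 7000", "registration_ip": "10.1.40.2",
               "interface_ips": {"10.1.40.2"}, "loopback_ips": {"10.0.0.7"},
               "virtual_gateway_ips": {"10.1.40.1"}, "l2_adjacent": True,
               "assignment": "mask", "redirect": "l2", "egress": "l2",
               "interception": "in"}
# Constructed sample: branch ISR G2 registering to the HSRP address.
BAD_DESIGN = dict(GOOD_DESIGN, platform="ISR G2", registration_ip="10.1.40.1")
```

Running `audit_wccp_design(BAD_DESIGN)` reports the virtual-gateway registration, the wrong registration address for an L2-adjacent WAVE, and the mask/L2 choices that the deck reserves for hardware platforms.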
Network Interception vPath Mode
(Diagram: VMware ESX Server 1 and VMware ESXi Server 2, each with a Nexus 1000v VEM, a vWAAS VM (vWAAS1 on Server 1, vWAAS2 on Server 2) acting as the VSN, and server VMs (Web-Server 1, Web-Server 2, Web-Server 3, DB Server, App Server) on an FC Array over the SAN; Nexus 1000v VSM, vCenter Server and vCM manage the hosts. Port-profiles: Non Opt Port-Profile, vWAAS Port-Profile, Optimised Port-Profile for WAAS 1, Optimised Port-Profile for WAAS 2; vPATH steers traffic from the optimised port-profiles to the vWAAS.)
VEM: Virtual Ethernet Module
VSM: Virtual Supervisor Module
VSN: Virtual Service Node
vPATH Overview
vPath Configuration Example
port-profile type vethernet DC-vWAAS
  vmware port-group
  switchport mode access
  switchport access vlan 40
  no shutdown
  state enabled

port-profile type vethernet server-3
  vmware port-group
  switchport mode access
  switchport access vlan 40
  vn-service ip-address 10.42.40.210 vlan 40 fail open
  no shutdown
  state enabled
Nexus 1000v VSM (Network Admin view): vPATH interception configured on the port-profile
vSphere client (Server Admin view): attach the Opt port-profile (seen as a port-group) to server VMs
vWAAS vPath Deployment Port-Profile Configuration
Deploying WAAS AOs Secure Application Optimisers
Central WAVE acts as a Trusted Intermediary Node for SSL requests by client
Server Private Key and Certificate are securely loaded from CM Secure Store to Central WAVE
Central WAVE participates in SSL Handshake to derive the “Session Key”
Central WAVE securely sends the “session key” in-band to the Edge WAVE enabling it to terminate (decrypt/encrypt) the Client SSL session
(Diagram: Client – SSL Handshake – Edge WAVE – Secure Channel – Central WAVE – SSL Handshake – Server. The SSL session Client to Core WAE (WAAS) is on the left and the SSL session Central WAVE to Server on the right; Original Data is Encrypted on both LAN sides and Optimised & Encrypted over the WAN; the Central WAVE sends the "session key" to the Edge WAVE.)
SSL AO Overview
SSL Secure Store
CM secure store keeps all imported host and accelerated SSL certificates and private keys
Certificates and private keys encrypted with user pass-phrase:
When secure store is being initialised first time (initialisation)
After CM device reloads to open secure store (opening)
CM secure store must be open to synchronise configuration between SSL capable CM and WAVEs
Upon reboot, if CM detects the secure store is initialized but not open, a critical alarm is raised
(Diagram: Outlook Client – Branch WAE – WAN – DC WAE – Exchange Server, with Kerberos/NTLM authentication against the KDC/AD/DC at both ends; Original Data is Encrypted/Signed on both LAN sides and Optimised & Encrypted/Signed across the Transparent Secure Channel between the WAEs.)
New in WAAS v5.0 (June 2012)
Preserves end-to-end security with Kerberos
Operational consistency with MS infrastructure
Consistent across version changes of MS Exchange
(Diagram: the DC WAE sends the "session key" to the Branch WAE.)
E-MAPI AO Overview
(Diagram: Outlook Client – Branch WAAS – WAN – Core WAAS – Exchange Server, with the Active Directory Controller (Kerberos KDC) beside the Exchange Server. The Outlook Client sends an Encrypted MAPI Request. At each stage the Application Data is Encrypted (Optimised, Encrypted across the WAN) and the Authentication is Kerberos. The Kerberos session key allows access to Encrypt/Read/Sign Data; the Core WAAS securely transfers the key to the remote branch over WAN-Secure. The WAE "Workstation" account is granted Key permission.)
E-MAPI AO Operation
E-MAPI Active Directory Integration
POC and Commercial Deployment Work Flow with Admin Account: Set Time, DNS and Domain info; Join WAE to Domain; Ready!
Enterprise Deployment Work Flow (requires Active Directory team involvement):
Workstation Account: Set Time, DNS and Domain info; Set WAVE to Use M/A; Grant WAVE Key Permission; Enter User in WAVE; Ready!
User Account: Set Time, DNS and Domain info; Create User in AD; Grant WAVE Key Permission; Enter User in WAE; Ready!
Requirements
WAVE requires DNS configuration to resolve AD domain queries.
All WAVEs should be NTP time synchronised with the AD domain
AD Provisioning
User account identity - account created in the AD domain and provisioned on the WAVE
Machine account identity - WAVE to join the AD domain.
Domain Controller to delegate read only access for the root of the AD DB to the WAVE identity account
CM Configuration
Enable E-MAPI AO through CM
E-MAPI AO Configuration
(Diagram: Branch Clients with WAAS – WAN – WAAS in front of the Citrix Hosting Infrastructure and Virtual Desktops; HDX Mediastream and HDX with ICA CGP / Session Reliability cross the WAN.)
No changes to client configurations
ICA Optimisation enabled by default
No changes to server-side configurations
Citrix ICA AO Overview
Disable CGP unless needed for lossy links such as satellite
Use Client Side Rendering for HDX Mediastream for flash where possible for optimal end user experience
Use Direct Print where possible for optimal print performance
When using Redirected Print Mode, ensure Printer Redirection bandwidth and printer redirection bandwidth percentage settings are set to default (0)
DRE Caching is more effective with greater number of users
Citrix ICA AO Deployment Guidelines
Q & A
Complete Your Online Session Evaluation
Complete your session evaluation:
Directly from your mobile device by visiting www.ciscoliveaustralia.com/mobile and login by entering your username and password
Visit one of the Cisco Live internet stations located throughout the venue
Open a browser on your own computer to access the Cisco Live onsite portal
Don't forget to activate your Cisco Live Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.