BRKAPP-2005

Transcript of BRKAPP-2005

Page 2: BRKAPP-2005

© 2013 Cisco and/or its affiliates. All rights reserved. BRKAPP-2005 Cisco Public

Deploying Cisco WAAS

Richard Schulting

WAAS CSE

[email protected]

Page 3: BRKAPP-2005

Deploying Cisco WAAS – Agenda

• WAAS Overview

• WAAS News

• WAAS Deployment (Installation and Configuration)

‒ WAAS Central Manager

‒ WAAS Accelerator

• Application Optimizers, WAAS on SRE/UCS-E and Virtual WAAS

‒ WAAS Express

‒ WAAS Virtual Blades

• WAAS NAM VB (and others)

• Deploying WAAS Devices into the Network

‒ Inline

‒ WCCP

‒ AppNav

‒ Nexus 1000v + vPath

• WAAS Sizing Guidelines

Page 4: BRKAPP-2005

Virtualization, Cloud & BYOD create new Demands on the Network to Deliver Applications with Higher Performance…

Page 5: BRKAPP-2005

Cisco’s Network Integrated Approach Delivers Highest Performance for Any App, Any Device with the Lowest TCO

BYOD & VDI Cloud App Performance App Visibility

Page 6: BRKAPP-2005

Field Rumors initiated by competition…

WAAS vs. ACE: Different Results, Different Strategies

• WAAS is not ACE, developed by different Business Units inside Cisco

• Strategic decision to stop ACE development was based on sales pipeline

• WAAS is doing great, no reason to worry, WAAS is here to stay!

H1CY12 Unit Market Share (Source: Infonetics)

• WAAS share in WAN Opt: #1

• ACE share in ADC / Load Bal.: #6

Page 8: BRKAPP-2005

WAAS Overview

Page 9: BRKAPP-2005

WAAS Overview

Application Delivery Challenges

• LAN Connectivity

‒ High bandwidth

‒ No latency

‒ Reliable

• WAN Connectivity

‒ Latency

‒ Low bandwidth

‒ Congestion

‒ Packet Loss

[Figure: client and server on a LAN switch, Round Trip Time ~ 0ms; client and server separated by a WAN, Round Trip Time ~ Many milliseconds]

Page 10: BRKAPP-2005

WAAS Overview

Cisco WAAS: WAN Optimization Solution

[Figure: Cisco WAAS topology. Sites shown: Branch Office (WAAS Service Module), Branch Office (WAAS Express), Branch Office (WAAS Appliance), Regional Office (WAAS Appliance). Other labels shown: vWAAS VM, FC SAN, Nexus 1000v VSM, Virtual Private Cloud, DB VM, VMware ESXi Server, Nexus 1000v vPATH, UCS/x86 Host, APP VM, WAAS CM’s, Data Center or Private Cloud, WAAS Appliances, VMware ESXi, vWAAS VMs, Server VMs, AppNav.]

Page 11: BRKAPP-2005

WAAS Overview

Product Offerings

Deployment sizes shown: Tele Worker, Small Branch, Medium Branch, Large Branch, Larger Branch to Small Data Center, Data Center & Campus

Product families shown: WAAS Mobile, WAAS Express, WAAS ISR G2 Modules, vWAAS, WAAS Appliances

• WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541

• SM-SRE-7X0, SM-SRE-9X0, UCS-E (SW), UCS-E (DW)

• 880/890, 1941/2901, 29xx, 39xx

• vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000, vWAAS-50000

Page 12: BRKAPP-2005

WAAS Overview

Transport and Session Layer Optimization

• WAAS application policies define type of optimization (L4 or L5)

• L4: basic optimization

• L5: latency mitigation

[Figure: protocol stacks of Client, WAVE-2, WAVE-1 and Server across the WAN. Client and Server show Application, Presentation, Session, Transport, Network, Data Link, Physical; each WAVE shows Application Optimizer (AO), TFO, Network, Data Link, Physical. Connection segments: Original, Optimized, Original.]

Page 13: BRKAPP-2005

WAAS Overview

TFO versus regular TCP in the WAN (L4)

• Transport Flow Optimization

TFO is using RFC2018, RFC1323, RFC3390 and BIC-TCP

http://netsrv.csc.ncsu.edu/export/bitcp.pdf

TFO provides an average of 95% WAN Bandwidth compared to 75% with regular TCP

[Figure: cwnd over Time (RTT) for TCP and TFO, with Slow Start and Congestion Avoidance phases]

Page 14: BRKAPP-2005

WAAS Overview

Advanced Compression (L4)

[Figure: DRE and LZ on each side of the WAN with a Synchronized Compression History]

Benefits

Data Redundancy Elimination (DRE)

• Application-agnostic compression

• Up to 100:1 compression

• Context Aware DRE

Persistent LZ compression

• Session-based compression

• Up to 10:1 compression

• Works even during cold DRE cache

• Disabled when DRE is >90% active

Page 15: BRKAPP-2005

WAAS Overview

Application-Specific Acceleration (L5)

Remote Office Data Center

• Object Cache Verification

• Security and Control

• WAN Optimization

• WAN Bandwidth Savings

• Server Safely Offloaded

• Fewer Servers Needed

• Power/Cooling Savings

• LAN-like Performance

• Provides Latency Mitigation

• LAN-like performance

• WAAS Application Optimizers (AO’s)

– CIFS/SMBv2, NFS, MAPI/EMAPI, Citrix, Video, HTTP/HTTPS, Windows Printing

• Licensed, developed and validated with Application Vendors like Microsoft and Citrix

Page 16: BRKAPP-2005

WAAS Overview

Network Transparency

• Packets between each network are routed as usual.

WAAS auto-discovery will automatically find WAVE’s in-path

• WAAS Network Transparency (same L3/L4 headers) allows application acceleration components to maintain compliance with existing network features

‒ Quality of Service (QoS), NBAR

‒ NetFlow, monitoring, reporting

‒ Security functions (ACLs, firewall policies)

[Figure: networks A/24, B/24, C/24, D/24 and E/24 connected over the WAN]

Page 17: BRKAPP-2005

WAAS Overview

Auto-Discovery – Two WAVE’s

WAAS devices will be discovered automatically

• In-band signaling during TCP handshake with TCP option 0x21

• WAVE (B) closest to client (A) and WAVE (C) closest to server (D)

• Connection optimized between WAVE (B) and (C)

• WAVE shifts optimized TCP SEQ number by 2 billion (msb flipped)

[Figure: TCP handshake between client A and server D through WAVEs B and C. Messages shown: A:D SYN, A:D SYN(OPT), A:D SYN(OPT); D:A SYN/ACK, D:A SYN/ACK(OPT), D:A SYN/ACK(OPT). Segments: Origin Connection, Optimized Connection, Origin Connection.]

• If a WAVE that was optimizing fails:

‒ Server will see segments with SEQ/ACK numbers that are out of range

‒ Host will reset (RST) connection

‒ Client application will re-establish a new TCP connection

Page 18: BRKAPP-2005

WAAS Overview

Auto-Discovery – Intermediate WAVE’s

• WAVE (B) closest to client (A)

• WAVE (D) closest to server (E)

• Intermediate WAVE (C) sees TCP options in both directions and goes into Pass Through (PT)

• Each WAVE supports 10X optimized limit for Pass Through. E.g. WAVE-594 with max 750 optimized connections supports 7500 connections in pass through

[Figure: TCP handshake between client A and server E through WAVEs B, C and D. Messages shown: A:E SYN, then A:E SYN(OPT) three times; E:A SYN/ACK, then E:A SYN/ACK(OPT) three times. Segments: Origin Connection, Optimized Connection, Origin Connection.]

Only first and last WAVE’s are being used
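
The auto-discovery behaviour from the two slides above, as an added Python example (not Cisco code and not part of the original deck): it parses the TCP options of a SYN and a SYN/ACK, looks for option kind 0x21, models the role a WAVE takes from what it sees in each direction, and shows why a server rejects msb-flipped sequence numbers once the optimizing WAVE is gone. The role names, the sample headers and the 4-byte option payload are constructed assumptions; the slides do not give the payload format of option 0x21.

```python
import struct

WAAS_OPT_KIND = 0x21    # TCP option kind the slides name for auto-discovery
SYN, ACK = 0x02, 0x10   # TCP flag bits
SEQ_MSB = 0x80000000    # "msb flipped": 2**31, roughly 2 billion


def build_tcp_header(seq, flags, options=b"", sport=49152, dport=445):
    """Build a TCP header (checksum left at 0) for the constructed samples."""
    options += b"\x00" * (-len(options) % 4)      # pad with End-of-Option-List
    offset_flags = (((20 + len(options)) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       offset_flags, 65535, 0, 0) + options


def parse_tcp_options(header):
    """Return [(kind, data), ...] from a raw TCP header; ValueError if malformed."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad data offset")
    opts, out, i = header[20:data_offset], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End-of-Option-List
            break
        if kind == 1:                 # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def has_waas_option(header):
    return any(kind == WAAS_OPT_KIND for kind, _ in parse_tcp_options(header))


def classify_wave(syn_seen, synack_seen):
    """Role of a WAVE, from the SYN and SYN/ACK as they arrive at it.

    Only the pass-through case is stated on the slide; the other three
    outcomes are this example's reading of the handshake diagrams.
    """
    syn_opt = has_waas_option(syn_seen)
    synack_opt = has_waas_option(synack_seen)
    if syn_opt and synack_opt:
        return "pass-through"         # option seen in both directions
    if synack_opt:
        return "closest-to-client"    # SYN arrived unmarked, a peer answered
    if syn_opt:
        return "closest-to-server"    # SYN arrived marked, server answered plain
    return "no-peer"                  # no other WAVE in the path


def shift_seq(seq):
    """Sequence number as used on the optimized segment (msb flipped)."""
    return seq ^ SEQ_MSB


def seq_in_window(seq, rcv_nxt, window):
    """Receiver-side acceptance test, modulo 2**32."""
    return ((seq - rcv_nxt) & 0xFFFFFFFF) < window


# Constructed sample headers (not captured traffic).
MSS_SACK = b"\x02\x04\x05\xb4\x04\x02"               # MSS 1460, SACK permitted
WAAS_OPT = bytes([WAAS_OPT_KIND, 6]) + b"\x00" * 4   # placeholder payload
SYN_PLAIN = build_tcp_header(1000, SYN, MSS_SACK)
SYN_OPT = build_tcp_header(1000, SYN, MSS_SACK + WAAS_OPT)
SYNACK_PLAIN = build_tcp_header(5000, SYN | ACK, MSS_SACK)
SYNACK_OPT = build_tcp_header(5000, SYN | ACK, MSS_SACK + WAAS_OPT)

if __name__ == "__main__":
    for name, syn, synack in [("B", SYN_PLAIN, SYNACK_OPT),
                              ("C", SYN_OPT, SYNACK_OPT),
                              ("D", SYN_OPT, SYNACK_PLAIN)]:
        print(name, classify_wave(syn, synack))
    print("shifted SEQ accepted by server:",
          seq_in_window(shift_seq(1000), 1000, 65535))
```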

Page 19: BRKAPP-2005

WAAS News

Page 20: BRKAPP-2005

WAAS News

Cisco is #1 in WAN Op Market w/ Unit-Share

[Figure: units per quarter, 1Q10 to 2Q12, for Cisco, Competitor-A and Competitor-B; y-axis 0 to 12,000; share labels 32%, 27%, 5%]

• Cisco is #2 in WAN Op Market w/ Revenue

Page 21: BRKAPP-2005

WAAS News

Next Generation WAVE Appliances

• Purpose-built hardware

• Optional I/O modules including Fiber and 10Gbps Ethernet

• Up to 2 Gbps optimized throughput

• Up to 8 Virtual Blades (WAVE-694)

Page 22: BRKAPP-2005

WAAS News

Cisco WAAS Recent Awards

Page 23: BRKAPP-2005

WAAS News

WAAS 5.0 Release Highlights

New Central Manager

• iPad Ready

• Visibility without Agents

• Immersive

Secure Applications

• Encrypted Exchange

• Enhanced SSL

• ICA enhancements

SMB v2.X

• Windows Native

• SMB Signing

WAAS Express 2.0

• SSL Support

• WAN Failover

• Upstream DRE

AppNav

• Cluster Virtualization

• Scale as you grow

• Simple Management

June 2012

Page 24: BRKAPP-2005

Enhanced Citrix

• MSI Support

• QoS

• Dynamic DSCP Marking

• Improved VDI Performance

Enhanced SharePoint

• Enhanced Acceleration

• Improved User Experience

vWAAS

• VM Hypervisor 5.0

• UCS-E Half and Full Slot

Enhanced Auto-Deploy

• Automate WAAS installation

• Simplified device configuration

WAAS News

WAAS 5.1 Release Highlights

Dec 2012

Page 25: BRKAPP-2005

Our Continuing Vision with WAAS:

• Deliver optimal & secure user experience at scale for any user’s application using any device for the lowest TCO

N/W Integrated WAN Op

• SRE Modules

• Virtual WAAS

• WAAS Express

• Windows VB

VDI, and APM

• Citrix AO

• VDI Video Optm.

• Context Aware DRE

• New Fast Appliances

• NAM integration

Cloud and BYOD

Next Gen WAAS 5.0

• New CM

• Enhanced SSL

• EMAPI

• (Signed) SMBv2

• WAAS Express 2.0

• AppNav Modules

• UCS-E Modules

Enhancements for

• BYOD

• Cloud

• ICA

• APNM

• Video

• AppNav

• IPv6

[Timeline: CY10, CY11, CY12, CY13]

Page 26: BRKAPP-2005

WAAS News

IPv6 Development

• Planning under way for IPv6, not committed yet at this time

• Possibly a phased approach

‒ Phase 1 (CY13)

IPv6 Management IP Address (Central Manager)

L4 optimization for IPv6 traffic (TFO-DRE-LZ)

‒ Phase 2

Support for all AO’s

• Current WAAS versions forward all IPv6 traffic unoptimized

Page 27: BRKAPP-2005

WAAS Deployment

Installation and Configuration

Page 28: BRKAPP-2005

WAAS Deployment

Configuration Overview

1. Initial setup is done using IOS-like Console CLI

Use of Setup Script recommended

2. License configuration is required

3. Always bring up the Central Manager(s) (CM) first

– New WAAS devices will be auto-registered to WAAS CM and become a member of the AllWaasGroup (used to be AllDeviceGroup)

– When e.g. creating an AccelerationGroup make sure you apply the correct application policies (e.g. set default one) and auto-membership for this group is enabled

4. Next bring up all Application Accelerators

5. Configure traffic interception (inline, WCCP etc)

– Start traffic interception on Core or Central devices

– Next add interception to Remote Devices

6. Further configuration should be done from within the CM

Page 29: BRKAPP-2005

WAAS Deployment

Software Version File Types

• There are MANY software images for each version of code, however there are only 2 main software downloads usually needed

‒ waas-accelerator-5.1.1.16-k9.bin – Accelerator only image ~265 MB

‒ waas-universal-5.1.1.16-k9.bin – Accelerator and CM imaging ~374 MB

Includes Help Files (CM GUI) and Kernel Dump component

• Additional files may be downloaded as needed

‒ waas-sre-installer-5.1.1.16-K9.zip – several files for bare bones SRE deployments ~300 MB

‒ NPE installer files contain No Payload Encryption which is a requirement in certain countries

‒ Rescue-cdrom.iso – Files to completely rebuild a device from scratch ~476 MB

‒ Sysimg 5.1.1.16-k9 – 32 or 64 bits File used to recover flash memory ~32 MB

‒ waas-kdump-5.1.1.16-k9.bin – Kernel Dump component that can be used with the accelerator image for enhanced troubleshooting.

‒ waas-alarm-errorbooks – release specific alarm and error message documentation

Page 30: BRKAPP-2005

WAAS Deployment

Setup Script

• Prompted on boot of factory default box to run setup script or execute ‘setup’

• Script prompts for configuration to communicate, network integrate, manage, and license the WAVE

• WAVE comes as Accelerator, Role Change to Central Manager or AppNav device requires reboot

• Optional Proactive Diagnostics before exit

Page 31: BRKAPP-2005

WAAS Deployment

Central Management System (CMS)

• CMS process runs on all WAVEs

• All management communication is using HTTPS (self signed device specific certificates and keys)

• Bidirectional configuration synchronization between Central Manager(s) and Accelerators, last change wins…

• Central Manager collects health and monitoring-data every five minutes

• CMS provides means to backup and restore configuration

• Provides means to replace a failed device with a new device

• Use “show cms info” to get CMS status

sre700#sho cms info
Device registration information :
Device ID=11506
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.42.40.1
Registered with WAAS Central Manager = 10.42.40.1
Status = Online
Time of last config-sync = Thu Dec 29 17:56:19 2011
CMS services information :
Service cms_ce is running
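
A check that could run over collected “show cms info” output, as an added Python example (not part of the deck and not a Cisco tool): it parses the fields shown above and reports a device that points at an unexpected Central Manager, is not Online, has a stale config-sync or has no CMS service running. The expected-CM argument, the one-hour threshold, the finding names and the second sample are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Output as shown on the slide for an accelerator.
SLIDE_OUTPUT = """\
sre700#sho cms info
Device registration information :
Device ID=11506
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.42.40.1
Registered with WAAS Central Manager = 10.42.40.1
Status = Online
Time of last config-sync = Thu Dec 29 17:56:19 2011
CMS services information :
Service cms_ce is running
"""

# Constructed sample (not from the slides): device now points at another CM.
CONSTRUCTED_BAD = """\
Device registration information :
Device ID=11506
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.42.40.99
Registered with WAAS Central Manager = 10.42.40.1
Status = Offline
Time of last config-sync = Mon Dec 26 09:00:00 2011
CMS services information :
Service cms_ce is not running
"""


def parse_cms_info(text):
    """Parse 'key = value' and 'Service X is Y' lines into a dict."""
    info = {"services": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # e.g. '### some output removed ###'
            continue
        service = re.match(r"Service (\S+) is (.+)$", line)
        if service:
            info["services"][service.group(1)] = service.group(2).strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing: 'Device ID' and 'Device Id ' both occur.
            info[" ".join(key.lower().split())] = value.strip()
    return info


def audit_cms(text, expected_cm, now, max_sync_age=timedelta(hours=1)):
    """Return a list of finding names; an empty list means nothing to report."""
    info = parse_cms_info(text)
    findings = []
    current = info.get("current waas central manager")
    # A standby CM prints the shorter 'Registered with WAAS CM' label.
    registered = (info.get("registered with waas central manager")
                  or info.get("registered with waas cm"))
    if current != expected_cm:
        findings.append("unexpected-cm")
    if registered != current:
        findings.append("cm-mismatch")
    if info.get("status", "").lower() != "online":
        findings.append("not-online")
    sync = info.get("time of last config-sync")
    if sync is None:
        findings.append("no-sync-time")
    else:
        synced = datetime.strptime(" ".join(sync.split()), "%a %b %d %H:%M:%S %Y")
        if now - synced > max_sync_age:           # threshold is an assumption
            findings.append("stale-sync")
    if "running" not in info["services"].values():
        findings.append("no-service-running")
    return findings


if __name__ == "__main__":
    when = datetime(2011, 12, 29, 18, 0, 0)
    print(audit_cms(SLIDE_OUTPUT, "10.42.40.1", when))
    print(audit_cms(CONSTRUCTED_BAD, "10.42.40.1", when))
```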

Page 32: BRKAPP-2005

WAAS Deployment

Central Manager Configuration

• Device located in Data Center

• Setup script recommended

• Non-default configuration

‒ Device mode

‒ Hostname

‒ Primary-interface

‒ IP configuration

‒ Date/time configuration

‒ Configuration Management System (CMS)

• CMS must be enabled to access the web GUI

• Reload required (role change)

• Optionally use standby interface to dual-home to two switches (L2 connected)

device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 10.1.1.31 255.255.255.0
 exit
ip default-gateway 10.1.1.254
ip name-server 10.1.1.21
clock timezone CET 1 0
ntp server ntp.foo.com
cms enable
copy run start

Page 33: BRKAPP-2005

WAAS Deployment

Standby Central Manager Configuration

device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 10.1.1.32 255.255.255.0
 exit
ip default-gateway 10.1.1.254
ip name-server 10.1.1.21
clock timezone CET 1 0
ntp server ntp.foo.com
central-manager role standby
central-manager address 10.1.1.31
cms enable
copy run start

• Configure as regular Central Manager

• Assign CM role as standby

• Assign primary CM address as central-manager address

• Enable CMS

• Do save the configuration…

• Device needs to be reloaded (role change)

wave294-cm-2#sho cms info
### some output removed ###
Current WAAS Central Manager role = Standby
Current WAAS Central Manager = 10.1.1.31
Registered with WAAS CM = 10.1.1.31
Status = Online
Time of last config-sync = Wed Jan 9 12:35:27 2013
CMS services information :
Service cms_httpd is running
Service cms_cdm is running

Page 34: BRKAPP-2005

WAAS Deployment

Standby Network Interface Card (NIC)

• L2 path needed between the two WAVE Ethernet ports

• MAC only on active (in use) interface

• Primary pre-empts

• Gratuitous ARPs on failover

[Figure: WAVE interfaces Gi 1/0 and Gi 2/0]

WAVE(config)#interface Standby 1
WAVE(config-if)#ip address 10.1.2.100 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 1/0
WAVE(config-if)#standby 1 primary
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 2/0
WAVE(config-if)#standby 1
WAVE(config-if)#exit
WAVE(config)#primary-interface standby 1

WAVE#show interface standby 1
Interface Standby 1 (2 physical interface(s)):
 GigabitEthernet 1/0 (active) (primary) (in use)
 GigabitEthernet 2/0 (active)

Page 35: BRKAPP-2005

WAAS Deployment

Central Manager GUI: https://cm-ip-address:8443

Page 36: BRKAPP-2005

WAAS Deployment

CM Group Configuration Best Practices

AllWaasGroup: DNS DomainName, SNMP, NTP Server | Time Zone, Login Access Control, Authentication, Common criteria, System Log Settings, Disk Error Handling

CoreDeviceGroup: SSL Acceleration, EMAPI, Signed SMBv2

EdgeDeviceGroup: Transaction logs, Prepositioning, Disk encryption, Flow Agent

AccelerationGroup: Application Policies (Optional)

Page 37: BRKAPP-2005

WAAS Deployment

CM Monitoring

• Dashboard with Aggregate Statistics

• Optimization Summary

• Connection Trending

• Application Acceleration (HTTP, HTTPS, CIFS, NFS, MAPI, Citrix-ICA, Video, SSL, Print)

• System-wide, Device Specific or Grouped by Location

Page 38: BRKAPP-2005

WAAS Deployment

Accelerator Configuration

• Accelerator Mode is default setting

- Hostname

- Primary-interface

- IP configuration

- CMS enable

• No reload required (no mode change)

• CMS required to register with CM

• Use of Hostname for CM recommended

• Use standby to dual-home WAVE to two switches in a redundant environment

• Auto-registration option enables CM discovery through DHCP with next server address = CM Address. DHCP Provided IP Address should be locked to WAVE

• Use EtherChannel® to achieve higher throughput and HA redundancy

hostname br1-WAVE1
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 10.1.100.101 255.255.255.0
 ! Optionally configure 100 Mb Full Duplex
 exit
ip default-gateway 10.1.100.254
ip name-server 10.1.1.21
! Implement DNS for CM mobility
central-manager address cm.foo.com
cms enable
copy run start

Page 39: BRKAPP-2005

What is THE number one cause of bad performance...

WARNING

Duplex mismatches will cause severe performance issues and are even more noticeable with CIFS

This is not a WAAS issue, but WAAS makes it more visible due to back pressure of large amounts of data

CRC-errors on switch ports are a good indication

When using FastEthernet do fix Speed and Duplex to 100Mb FD at both ends of the cable (WAVE and Switch/Router Port). Do not trust auto sensing...

Any MDI-X port in crossover mode will become disconnected when put in non-auto-sensing mode. Do use Cross Cables where appropriate

Page 40: BRKAPP-2005

WAAS Deployment

EtherChanneling

• Interfaces can be bundled into a PortChannel for higher throughput and HA

• Requires identical interface configuration on both physical interfaces

• IP address defined on PortChannel interface

• WAVE and Switch need to be configured physically the same (speed-duplex etc) as LACP is not supported yet in WAAS

[Figure: WAVE interfaces Gi 1/0 and Gi 2/0]

WAVE(config)#interface PortChannel 1
WAVE(config-if)#no shutdown
WAVE(config-if)#ip address 10.1.1.31 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface gigabitEthernet 1/0
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
WAVE(config-if)#exit
WAVE(config)#interface gigabitEthernet 2/0
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1

Page 41: BRKAPP-2005

WAAS Deployment

CM Devices Menu

Page 42: BRKAPP-2005

WAAS Deployment

CM Device Groups

• Any newly configured WAAS device is automatically added to the AllWaasGroup

• Any newly configured WAAS Express device is added to the AllWaasExpressGroup

• Add new devices manually to other groups where necessary

Page 43: BRKAPP-2005

WAAS Deployment

Deploying WAAS on Service Ready Engine (SRE)

• ISR-G2 generation services module

• Initial SRE Configuration

‒ Configure IP Connectivity between ISR and SRE

• Initial WAAS Installation

‒ Load WAAS Software on SRE (when needed)

‒ WAAS on SRE: min version 4.2.1

• Initial WAAS Configuration

‒ Router based configuration

‒ Standard WAAS configuration steps

• SRE Management

‒ Daily management is done using the CM

‒ No CLI to SRE is needed after initial setup

• UCS-E with vWAAS will be discussed further down this presentation

SRE 7X0/9X0

Page 44: BRKAPP-2005

WAAS Deployment

Obtain WAAS SRE Software

• Download WAAS software from CCO

‒ CCO account needed

‒ Look for a file named similar to “waas-sre-installer-5.1.1.16-k9.zip”

• Extract the ZIP file and copy content to FTP directory

‒ Make sure FTP Server is reachable from ISR!

‒ Directory should contain following 6 files:

waas-accelerator-5.1.1.16-k9.bin
waas-accelerator-5.1.1.16-k9.bin.install.sre
waas-accelerator-5.1.1.16-k9.bin.install.sre.header
waas-accelerator-5.1.1.16-k9.bin.installer
waas-accelerator-5.1.1.16-k9.bin.key
waas-accelerator-5.1.1.16-k9.bin.srebootloader

Page 45: BRKAPP-2005

WAAS Deployment

Initial SRE Configuration

• SRE is recognized by IOS as “Interface SM<slot>/0”

• Configure IP Addresses and Gateway (router side and module side)

Router#show run interface SM1/0
interface SM1/0
 no ip address
 shutdown
 service-module fail-open

Router#conf t
Router(config)#interface SM1/0
Router(config-if)#ip address 10.42.12.254 255.255.255.0
Router(config-if)#service-module ip address 10.42.12.1 255.255.255.0
Router(config-if)#service-module ip default-gateway 10.42.12.254

Page 46: BRKAPP-2005

WAAS Deployment

SRE WAAS SW Load with Router CLI Script

• CLI Script: service-module sm1/0 install url <path>

• Use full path name to the bin image (include username:password@)

Router# service-module sm 1/0 install url ftp://username:[email protected]/waas/SRE/waas-accelerator-5.1.1.16-k9.bin
Proceed with installation? [no]: yes
Loading SRE/waas-accelerator-5.1.1.16.bin.install.sre !
[OK - 1722/4096 bytes]
Welcome to the WAAS installation
Checking resource requirements now
Resource check complete proceeding with installation

Page 47: BRKAPP-2005

WAAS Deployment

SRE WAAS Initial Configuration using CLI

• Session into SRE (is reverse telnet on line 2067)

• Device comes up as WAAS Accelerator with Interface IP and DGW already configured

• Once the SRE is up, you can configure it like any other appliance or vWAAS device

Router# service-module sm 1/0 session
Trying 10.42.12.254, 2067 ... Open

NO-HOSTNAME# show run
! waas-accelerator-k9 version 5.1.1 (build b16 Dec 29 2012)
!
device mode application-accelerator
interface GigabitEthernet 1/0
 ip address 10.42.12.1 255.255.255.0
 exit
!
ip default-gateway 10.42.12.254

Page 48: BRKAPP-2005

WAAS Deployment

SRE WAAS Initial Configuration using CLI

• Either use WAAS setup script or CLI

• CLI: configure license, hostname, domain-name, dns, primary-interface and central-manager address before enabling CMS and do save the configuration...

NO-HOSTNAME(config)#hostname SRE700
SRE700(config)#ip domain-name waas.amslab.cisco.com
SRE700(config)#ip name-server 10.42.40.101
SRE700(config)#primary-interface gi 1/0
SRE700(config)#central-manager address 10.42.40.1
SRE700(config)#cms enable
Registering WAAS Application Engine...
Sending device registration request to Central Manager with address 10.42.40.1
Please wait, initializing CMS tables
Successfully initialized CMS tables
Registration complete.
Please preserve running configuration using 'copy running-config startup-config'.
Otherwise management service will not be started on reload and node will be shown
'offline' in WAAS Central Manager UI.
management services enabled

Page 49: BRKAPP-2005

WAAS Deployment

SRE WAAS Initial Configuration using CLI

• Save the config and check if CMS is running

• Next step (skipped in this example) would be configuring WCCP on SRE and ISR

SRE700(config)#exit
SRE700#wr mem
SRE700#sho cms info
Device registration information :
Device Id = 4206
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.42.40.1
Registered with WAAS Central Manager = 10.42.40.1
CMS services information :
Service cms_ce is running

Page 50: BRKAPP-2005

WAAS Deployment

Ask for Dedicated WAAS on SRE Presentation

• The setup can also be performed using Cisco Configuration Professional (CCP). Due to the limited time available for this session I haven’t included such information.

• I have prepared a special slide deck (50 slides) with all configuration options which is available for you on request. Send the request to [email protected].

Page 51: BRKAPP-2005

vWAAS Deployment

Overview

• Target Use Cases

‒ Private Cloud (Enterprise DC)

‒ Virtual Private Cloud

‒ Hybrid Cloud

• Deployment Methods

‒ Traditional methods such as WCCP

‒ Or Nexus 1000v w/ vPath

• Storage used by vWAAS

‒ Traditional DAS

‒ SAN based NFS, iSCSI, or Fiber-Channel NAS

vWAAS is a virtualized WAAS offering on top of ESX/ESXi running on UCS/x86 servers

[Figure: vWAAS on VMWare ESX/ESXi on UCS/x86 Servers]

Page 52: BRKAPP-2005

vWAAS Deployment

Using WCCP or vPath

Core Interception w/ WCCP

- Multiple vWAAS VMs can be clustered in same WCCP cluster.

- Both physical and virtual WAVE can be part of same cluster

- Highly recommending AppNav on this location

Access Interception w/ vPath

- Interception based on port-profile policy configured in Nexus 1000v

- Bidirectional Interception - (no IN/OUT configuration)

- Pass-through traffic automatic bypass

[Figure: WAN, Cat6K/N7K, Nexus 2K/5K and UCS Compute/Virtualized Servers; a WCCP cluster of vWAAS VMs on VMWare ESX/ESXi on UCS/x86 Servers; vWAAS VMs on ESX/ESXi with N1000v and Nexus 1000v VPATH on UCS/x86 Servers]

Page 53: BRKAPP-2005

vWAAS Deployment

Packaging

• vWAAS is provided as a Virtual Appliance (OVF)

• Honor based licensing (changing soon)

• Virtual Appliance is a device preconfigured with disk, memory, CPU, NIC’s and other VMWare related configuration settings

• Appliance based installation (OVF format)

‒ Deploy OVF template from vSphere client

‒ No device configuration

‒ Easy, fast, No mistakes

‒ Different OVF types for sizing

vWAAS-250, 750, 6000, 12000, 50000

vCM-100, 2000

• Contact your Cisco SE for a limited performance test version of vWAAS and vCM OVFs (scaling up to 50 connections and 10 nodes)

Page 54: BRKAPP-2005

vWAAS Deployment

Minimum Requirements

• VMware ESX/ESXi 4.0+ hypervisor

• VMware vCenter server & vSphere client 4.x

• Cisco UCS or other x86 Server

- Server hardware should have a 64 bit CPU and be on the VMware Compatibility List (HCL)

- Ensure Intel VT is enabled in the host’s BIOS

• Nexus 1000v version 4.2(1)SV1(4) or higher (for vPATH Interception)

Memory constraints based on sizing type of vWAAS/vCM

vWAAS-750, 6000, 12000, 50000: 4, 8, 12, 48 GB

vCM-100, 2000: 2, 8 GB

Page 55: BRKAPP-2005

vWAAS Deployment

UCS-E series: UCS Servers for ISR G2 (WAAS 5.1, Dec 2012)

Specification | UCS-E140S | UCS-E140D(P) / UCS-E160D(P)
Processor | Intel Xeon (Sandy Bridge) E3-1105C (1 GHz) | Intel Xeon (Sandy Bridge) E5-2428L (2 GHz) / E5-2418L (1.8 GHz)
Core | 4 | 4 / 6
Memory | 8 - 16 GB DDR3 1333MHz | 8 - 48 GB DDR3 1333MHz
Storage | 200 GB - 2 TB (2 HDD); SATA, SAS, SED, SSD | 200 GB - 3 TB (3 HDD*); SATA, SAS, SED, SSD
RAID | RAID 0 & RAID 1 | RAID 0, RAID 1 & RAID 5*
Network Port | Internal: 2 GE Ports; External: 1 GE Port | Internal: 2 GE Ports; External: 2 GE Ports; PCIE Card: 4 GE or 1 10 GE FCOE

Page 56: BRKAPP-2005

vWAAS Deployment

UCS-E vWAAS Requirements

• Both single and double wide slot models are supported

• With the WAAS 5.1 release, WAAS will run only on VMware Hypervisor for UCS-E

• Plenty of room left for other Applications after vWAAS installation

• Native WAAS on UCS-E is NOT supported

• UCS-E requires use of VMware 5.0, earlier versions of ESXi are not supported

• VMware tools need to be installed for VMXNET adapter

[Figure: vWAAS on VMware ESXi; labels shown: ESXi 4.1, WAAS 5.1, Dec 2012]

Page 57: BRKAPP-2005

vWAAS Deployment

VMXNET Adapter provides a higher performance (WAAS 5.1, Dec 2012)

• VMXNET “Card” is highly optimized for performance in a virtual machine

• VMware Tools must be installed as OS Vendors do not yet offer a driver for VMXNET

[Figure: vWAAS on VMware ESXi with two VMXNet adapters]

Page 58: BRKAPP-2005

vWAAS Deployment

Sizing for vWAAS on UCS-E (WAAS 5.1, Dec 2012)

• UCS-E modules will have significant resources left over (Cores, Memory and Disk Space) after vWAAS deployment

Model | Maximum Connections | RAM (GB) | Disk (GB) | CPUs # | Target WAN Throughput | Remaining Single Wide | Remaining Double Wide
vWAAS-200 | 200 | 2 | 160 | 1 | 10 Mbps | Cores: 3, Memory: 14 GB, Disk: 840 GB | Cores: 5, Memory: 46 GB, Disk: 1.84 TB
vWAAS-750 | 750 | 4 | 250 | 2 | 50 Mbps | Cores: 2, Memory: 14 GB, Disk: 750 GB | Cores: 4, Memory: 44 GB, Disk: 1.75 TB
vWAAS-6000 | 6000 | 8 | 500 | 4 | 200 Mbps | Cores: 0, Memory: 8 GB, Disk: 500 GB | Cores: 2, Memory: 40 GB, Disk: 1.5 TB

Page 59: BRKAPP-2005

vWAAS Deployment

Installation

Page 60: BRKAPP-2005

vWAAS Deployment

Installation

Page 61: BRKAPP-2005

vWAAS Deployment

Installation

Page 62: BRKAPP-2005

vWAAS Deployment

VMware vSphere – Summary Display w/ vWAAS Installed

Page 63: BRKAPP-2005

vWAAS Deployment

Configuration steps

• vWAAS is configured like a regular WAAS device

• Connect to console through vCenter (use Control-ALT to escape from console…)

• Use of the setup wizard is recommended

‒ Either at first boot or by using “setup” cli-command

• Some differences you will notice

‒ Interface “virtual 1/0”

‒ Interception “other” (for vPath)

• Don’t forget (if not using the setup wizard...)

‒ license add...

‒ cms enable

‒ saving the configuration

Page 64: BRKAPP-2005

vWAAS Deployment

More Information

• Due to the limited time available for this session I haven’t included specific information for Nexus1000v and vPath configuration

• I have prepared a special slide deck (50 slides) with all information which is available for you on request. Send the request to [email protected]

Page 65: BRKAPP-2005

WAAS Deployment

WAAS Express Introduction

• IOS-based WAAS solution

‒ Integrates WAAS natively into Cisco IOS via a feature license

‒ 60 days evaluation license available

‒ Increases available bandwidth to small/medium branch sites

‒ Supported on 88x, 89x, 19xx, 29xx and 39xx ISR-G2 platforms

‒ Provides DRE/LZ and TFO only

‒ No latency mitigation (AO’s)

‒ Interoperable with other WAAS products

‒ Managed by WAAS Central Manager

‒ Regular WAAS device(s) needed at central location

Data Center

WAAS Appliances WAAS CM

WAAS Express

Branch Office

ISR G2

WAN

Page 66: BRKAPP-2005

Encrypted Application Support

Optimization of Web Applications Requiring SSL/HTTPS:

• Oracle • SAP • MS SharePoint • Office 365 • SalesForce.com • Many Others…

Superior Bandwidth Optimization

Reduce Bandwidth Usage:

• Upload Compression • Redundant WAN Link support

Extended Optimization:

• MS File Services • Web Apps

Embedded Performance Visibility

Performance Monitoring & Analytics:

• No Agents Required

• No Probes Required

Extended MIBs:

Simplified, Powerful WAN Optimization statistics

WAAS 5.0

June 2012

WAAS Deployment

What's new in WAAS Express 2.0

Page 67: BRKAPP-2005

WAAS Deployment

WAAS Express Minimum Requirements

• Centralized Management by CM requires WAAS version 4.4.x or higher

‒ WAAS Express 2.0 needs CM version 5.0

• Maximum router memory is required

• Router minimum IOS version 15.1(2)T

‒ IOS 15.2.3T required for WAAS Express 2.0

• WAAS Express is configured on the WAN interface

• No intercept configuration like WCCP is needed

• WAAS Express uses CPL for configuration

- Configuration via global policy-map and parameter-map

- Default built-in policy is applied to running-config

- Default Policy is the same as Cisco WAAS default policy (Except for non-supported features)

• Natively interoperates with other Cisco IOS® features

Page 68: BRKAPP-2005

WAAS Deployment

WAAS Express Licensing

• When ordered as a bundle, the router comes with a pre-installed license for WAAS Express

• How to check the license

‒ show license detail WAAS_Express

Router#show license detail WAAS_Express

Index: 1 Feature: WAAS_Express Version: 2.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Store Index: 1

Store Name: Primary License Storage

Page 69: BRKAPP-2005

WAAS Deployment

WAAS Express Licensing

• A PAK will be provided when you purchase the WAAS Express license at a later date. When placing the order, you can choose to have the PAK mailed to you or sent electronically.

• Collect the output of the show license udi command on your router. Note the PID (Product ID) and SN (Serial number)

• Visit the Cisco License Activation Portal at www.cisco.com/go/license and enter the PAK, Product ID, and Serial Number information, along with your contact e-mail address.

• A license file will be generated and e-mailed to you

Router#show license udi

Device# PID SN UDI

-----------------------------------------------------------------------------

*0 CISCO2911/K9 FHH122500AZ CISCO2911/K9:FHH122500AZ

Page 70: BRKAPP-2005

WAAS Deployment

WAAS Express Licensing

• Copy the license file to router flash

• Invoke the license install command to install the license

Router#dir flash0:*.lic

Directory of flash0:/*.lic

8 -rw- 1159 Aug 11 2010 16:35:00 -07:00 FHH122500AZ_20100811190225615.lic

254164992 bytes total (138383360 bytes free)

Router#license install flash0:FHH122500AZ_20100811190225615.lic

Installing licenses from "flash0:FHH122500AZ_20100811190225615.lic"

Installing...Feature:WAAS_Express...Successful

1/1 licenses were successfully installed

0/1 licenses were existing licenses

0/1 licenses were failed to install

Page 71: BRKAPP-2005

WAAS Deployment

WAAS Express Configuration

Simple one command configuration

End User License Agreement is displayed the first time WAAS Express is enabled

Default built-in WAAS policy will be applied to running config

Router should already be configured as HTTP secure-server. This is, however, not a single command (see next 10 slides…)

Branch Office

WAAS

Express

ISR-G2

router (config-if)# waas enable

Router#configure terminal

Router(config)#interface <wan-interface-name>

Router(config-if)#waas enable

Router(config-if)#end

Router#

WAN

Page 72: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• All WAAS Express routers registering with WAAS Central Manager will be assigned to the default AllWAASExpressGroup. This group has the auto-activation policy enabled

• On WAAS Central Manager, configure login and password credentials for any WAAS Express router. Select the Device Group on the top. Click on AllWAASExpressGroup to edit the device group.

Page 73: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• Under Admin – WAAS Express Credentials enter the Username and Password details which will be used on the WAAS Express routers

Page 74: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• WAAS Express registers with WAAS Central Manager using HTTPS over port 8443. Once registration is successful, WAAS Central Manager polls the information from WAAS Express router using XML PI through HTTPS (TCP Port 443).

• In order for WAAS Express to establish HTTPS with the WAAS Central Manager during registration, it needs to first trust the self-signed certificate presented by WAAS Central Manager. This can be done by configuring a certificate trust-point and importing WAAS Central Manager’s certificate.

• On the WAAS Central Manager console, use command show crypto certificate-detail admin to display its self-signed certificate. The output is in PEM format. Make a copy of the output highlighted on the next slide.

Page 75: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• Copy the CM Certificate (including BEGIN and END lines)

Central_Manager#show crypto certificate-detail admin

Bag Attributes

localKeyID: 8D AB 61 85 7B 95 FC 4C 34 FD AC DC A8 F2 B1 A4 80 74 70 9B

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 2000021192 (0x7735e6c8)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=US, ST=California, L=San Jose, OU=CNBU, O=Cisco Systems, Inc,

#### Output suppressed ####

-----BEGIN CERTIFICATE-----

MIICgzCCAeygAwIBAgIEdzXmyDANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMC

VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ0wCwYD

#### Output suppressed ####

VQQLEwRDTkJVMRswGQYDVQQKExJDaXNjbyBTeXN0ZW1zLCBJbmMxIjAgBgNVBAMT

qfvUGz9KDnEns1phPQ9o+k4B7g0/Gu0LQeJrN/jZRke4MEWChEHP+TwY9nobCvpk

JurfE6/zYJ1GRjClBEMnNvFzl6dLIwE=

-----END CERTIFICATE-----

Page 76: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• Create a trust-point and import the Central Manager's certificate. The example below creates a trust-point WCM_1. When prompted with "Enter the base 64 encoded CA certificate", paste the PEM-format certificate copied from the Central Manager

Router(config)#crypto pki trustpoint WCM_1

Router(ca-trustpoint)#revocation-check none

Router(ca-trustpoint)#enrollment terminal pem

Router(ca-trustpoint)#exit

Router(config)#crypto pki authenticate WCM_1

Enter the base 64 encoded CA certificate.

End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----

MIICgzCCAeygAwIBAgIEdzXmyDANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMC

#### Output suppressed ####

JurfE6/zYJ1GRjClBEMnNvFzl6dLIwE=

-----END CERTIFICATE-----

quit

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

% Certificate successfully imported

Page 77: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• On the WAAS Express router, configure a trustpoint and enroll.

• It is necessary that you also configure the domain name. There is currently an issue… Without it the HTTPS server re-generates the self-signed certificate upon reload, and this will affect the communication with WAAS CM.

Router(config)#ip domain-name example.com

Router(config)#crypto pki trustpoint self-signed-tp

Router(ca-trustpoint)#enrollment selfsigned

Router(ca-trustpoint)#! By default, RSA key size is 512 unless specified otherwise

Router(ca-trustpoint)#! Key size of at least 1024 is recommended

Router(ca-trustpoint)#rsakeypair self-signed 1024

Router(ca-trustpoint)#exit

Router(config)#crypto pki enroll self-signed-tp

Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

Page 78: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• Enable HTTPS server by configuring ip http secure-server. Configure authentication. Associate the newly created persistent trust point to the HTTPS server and client. Save the configuration.

• As this example is using local authentication, configure the same username and password as before under WAAS Central Manager credentials.

• Enter the following command in the exec mode to register to WAAS CM: waas cm-register https://<waas_central_manager_address>:8443/wcm/register

Router(config)#ip http secure-server

Router(config)#ip http authentication local

Router(config)#! Below is needed if there is more than one trust point in the router

Router(config)#ip http secure-trustpoint self-signed-tp

Router(config)#ip http client secure-trustpoint self-signed-tp

Router(config)#username admin privilege 15 password Cisco123 !!!EXAMPLE

Router(config)#exit

Router#wr mem

Router#waas cm-register https://172.30.0.33:8443/wcm/register

Aug 19 19:45:48.763 MDT: %WAAS-6-WAAS_CM_REGISTER_SUCCESS:

IOS-WAAS registered with Central Manager successfully
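An added example, not part of the original slides or any Cisco tooling: an offline check over a saved running-config for the settings this registration procedure depends on (domain name, self-signed trustpoint key size, HTTPS trustpoint binding, how the local credential is stored). The sample config, the check names and the 2048-bit threshold are assumptions made for the example.

```python
import re

# Constructed sample: the registration commands from the slides as they would
# appear in a saved running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname Router
ip domain-name example.com
!
crypto pki trustpoint WCM_1
 enrollment terminal pem
 revocation-check none
!
crypto pki trustpoint self-signed-tp
 enrollment selfsigned
 rsakeypair self-signed 1024
!
username admin privilege 15 password 0 Cisco123
!
ip http secure-server
ip http authentication local
ip http secure-trustpoint self-signed-tp
ip http client secure-trustpoint self-signed-tp
"""

MIN_RSA_BITS = 2048  # assumption: local policy; the slides name 1024 as the minimum


def parse_trustpoints(config):
    """Return {trustpoint name: [sub-commands]} from the indented config blocks."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto pki trustpoint (\S+)", line)
        if header:
            current = trustpoints.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return trustpoints


def audit(config, min_rsa_bits=MIN_RSA_BITS):
    """Return a sorted list of (check_id, detail) findings for one config."""
    lines = [line.rstrip() for line in config.splitlines()]
    trustpoints = parse_trustpoints(config)
    findings = []

    # Slides: without a domain name the HTTPS server re-generates its
    # self-signed certificate on reload, which affects communication with the CM.
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append(("NO_DOMAIN_NAME", "certificate will not persist across reloads"))

    # Key size of each self-signed trustpoint; the slides note a 512-bit default.
    for name, subcmds in trustpoints.items():
        if "enrollment selfsigned" not in subcmds:
            continue
        sizes = [int(m.group(1)) for c in subcmds
                 if (m := re.match(r"rsakeypair \S+ (\d+)", c))]
        if not sizes:
            findings.append(("DEFAULT_RSA_KEY", f"{name}: no rsakeypair size set"))
        elif min(sizes) < min_rsa_bits:
            findings.append(("WEAK_RSA_KEY", f"{name}: {min(sizes)} bits"))

    # "password" keeps the credential in clear text or reversible type 7;
    # "secret" stores a one-way hash instead.
    for l in lines:
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(("REVERSIBLE_PASSWORD", f"user {m.group(1)}"))

    # Plain HTTP beside the HTTPS server carries the same local login unencrypted.
    if "ip http server" in lines:
        findings.append(("PLAIN_HTTP_ENABLED", "ip http server"))

    # Slides: with more than one trustpoint the HTTPS server has to be bound
    # to the persistent self-signed one.
    bound = [m.group(1) for l in lines
             if (m := re.match(r"ip http secure-trustpoint (\S+)", l))]
    if len(trustpoints) > 1 and not bound:
        findings.append(("HTTPS_TRUSTPOINT_NOT_SET", "ip http secure-trustpoint missing"))
    for name in bound:
        if name not in trustpoints:
            findings.append(("HTTPS_TRUSTPOINT_UNKNOWN", name))

    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG):
        print(f"{check_id}: {detail}")
```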

Page 79: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• The WAAS Express Router should be visible within the device list of the WAAS Central Manager. The initial state is pending until the CM has contacted the Router

Page 80: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• WAAS CM will poll the WAAS Express router. When successful, the status of WAAS Express router will change to Online.

• The registration process is complete and this WAAS Express instance has now become fully managed by the WAAS Central Manager.

Page 81: BRKAPP-2005

WAAS Deployment

WAAS Express Registration with WAAS Central Manager

• On the WAAS Express router use the command show waas connection to view the current list of optimized connections. The rightmost column, Accel, indicates the optimization applied to the connection: T = TFO, D = DRE, and L = LZ. PROG means the connection is still being established.

Router#show waas connection

ConnID Source IP:Port Dest IP:Port PeerID Accel

26407 172.25.47.2 :24615 172.30.0.57 :110 0014.5e84.2a69 TLD

25481 172.25.47.2 :8421 172.30.0.52 :443 0014.5e84.2a69 T

26352 172.25.47.2 :12847 172.30.0.57 :110 0014.5e84.2a69 TLD

26411 172.25.47.2 :45705 172.30.0.54 :25 0014.5e84.2a69 TLD

25968 172.25.47.2 :42893 172.30.0.54 :25 0014.5e84.2a69 TLD

26198 172.25.47.2 :10585 172.30.0.52 :80 0014.5e84.2a69 TLD

26282 172.25.47.2 :53083 172.30.0.52 :80 0014.5e84.2a69 TLD

26381 172.25.47.2 :37980 172.30.0.52 :80 0014.5e84.2a69 TLD

26173 172.25.47.2 :20573 172.30.0.52 :80 0014.5e84.2a69 TLD

26361 172.25.47.2 :33939 172.30.0.54 :25 0014.5e84.2a69 TLD

26432 172.25.47.2 :20575 172.30.0.52 :80 0000.0000.0000 PROG

26412 172.25.47.2 :21599 172.30.0.52 :80 0014.5e84.2a69 TLD

26421 172.25.47.2 :54850 172.30.0.57 :110 0014.5e84.2a69 TLD

26073 172.25.47.2 :41371 172.30.0.54 :25 0014.5e84.2a69 TLD

26247 172.25.47.2 :19303 172.30.0.52 :80 0014.5e84.2a69 TLD

26331 172.25.47.2 :19306 172.30.0.52 :80 0014.5e84.2a69 TLD

Page 82: BRKAPP-2005

WAAS Deployment

Other useful CLIs for WAAS Express

• When router CPU approaches 80% load, WAAS Express will begin backing off TCP connections

‒ To change the default CPU threshold of 80%

Router(config)#parameter-map type waas waas_global

Router(config-profile)#cpu-threshold ?

<0-100> Set the Maximum CPU threshold

• The following CLI’s can only be used when WAAS Express is disabled

‒ To remove all WAAS Express related configuration from the router

waas config remove-all

‒ To restore all default values for WAAS Express on the router

waas config restore-default

• When active connections exist WAAS Express cannot be turned off without the forced option

‒ To force WAAS Express to off

no waas enable [forced]

Page 83: BRKAPP-2005

WAAS Deployment

Application Optimizers (AO) - Licenses

• Licenses managed at device level

• License name is Case Sensitive

• Transport includes DRE/LZ/TFO (deprecated)

• CM requires Enterprise

• Enterprise includes NFS, HTTP, SSL, CIFS, MAPI, ICA, Print (and DRE/TFO/LZ)

• Enterprise is required for Video and/or Virtual-Blade

• CLI commands

‒ show license

‒ license add <license-name>

‒ clear license

‒ clear license <license-name>

#show license

License Name Status Activation Date

-------------- ----------- --------------- --

Transport not active

Enterprise active 03/20/2011

Video not active

Virtual-Blade not active

#

#license add Video

#show license

License Name Status Activation Date

-------------- ----------- --------------- --

Transport not active

Enterprise active 03/20/2011

Video active 04/01/2012

Virtual-Blade not active

Page 84: BRKAPP-2005

WAAS Deployment

WAAS AO’s – Enabling Features

• All Application Optimizers are on by default

• Turning off TFO will turn off all optimization...

• Specific AO’s offer Advanced Settings, defaults normally fine for most networks

Page 85: BRKAPP-2005

WAAS Deployment

HTTP AO – Optional Settings

• HTTP Proxy settings are on by default as of version 5.0

• Recommended for high latency networks

Page 86: BRKAPP-2005

WAAS Deployment

SSL AO - Overview

• Central WAVE acts as a Trusted Intermediary Node for SSL requests by Client.

• Server Private Key and Certificate have securely been loaded from CM’s Secure Store into the Central WAVE.

• Central WAVE participates in SSL Handshake to derive the “Session Key”.

• Central WAVE securely sends the “session key” in-band to the Edge WAVE enabling it to terminate (decrypt/encrypt) the Client SSL session.

Send “session key”

WAN

SSL Session Central WAVE to Server SSL Session Client to Central WAVE

Edge WAVE Central WAVE

Secure Channel

Original Data - Encrypted Optimized & Encrypted Original Data - Encrypted

SSL Handshake SSL Handshake

Page 87: BRKAPP-2005

WAAS Deployment

SSL AO – CM’s Secure Store

• CM securely stores all imported host certificates and private keys encrypted

• Certificates and private keys are decrypted and made available to Central WAVE’s

‒ When secure store is being initialized first time

‒ After CM reload when secure store is opened

• CM secure store must be open to provide Keys and Certs to Central WAVE’s

• Upon reboot, if CM detects the secure store is initialized but not open a critical alarm is raised

• With WAAS 4.4.1 and later, the Secure Store can be configured to “auto open”

• Useful CLI commands:

‒ cm#cms secure-store [ init | open | change ] To initialize, open or change current pass-phrase

‒ cm#show cms secure-store To show current status of CM secure store

Page 88: BRKAPP-2005

WAAS Deployment

SSL AO – SSL Accelerated Services

• Standard policy for SSL traffic is TFO

• Enabling Full Optimization brings TFO-DRE/LZ and HTTP AO

‒ Either run using Self Signed Certs (demo/test mode)

‒ Or create specific Server Entry with imported CA Cert and Host Cert/Key

• Certificate chaining with intermediate CA’s is supported

• Certs nearing expiration (60 days) or already expired will trigger a CM Alarm

Page 89: BRKAPP-2005

WAAS Deployment

Video AO – Live Stream Splitting

• Compatible with Windows Media 9 or later

• Operates on RTSP over TCP (RTSPT) only

• Stream Splitting occurs at the edge WAVE device

• Auto-discovery puts intermediate engines into Pass Through

• ACNS/CDS origin configured with ‘wmt disallow-client-protocols rtspu mmsu’ to force TCP use

• Option to TCP optimize or drop un-accelerated streams

• Support for Windows Media formatted Logs

WAN

ACNS

Live Video Source

WAAS

Page 90: BRKAPP-2005

Exchange Server

Active Directory Controller

(Kerberos KDC)

Core WAAS Branch WAAS

Outlook Client

WAN

Encrypted MAPI Request

Securely transfer key

to remote branch

Temporary keys allow access to

Encrypt/Read/Sign Data

Application Data:

Encrypted

Authentication:

Kerberos

Application Data:

Optimized, Encrypted

Authentication:

Kerberos

Application Data:

Encrypted

Authentication:

Kerberos

WAN-Secure

WAAS Deployment

MAPI AO (now with support for EMAPI)

WAAS 5.0, June 2012

Page 91: BRKAPP-2005

WAAS Deployment

MAPI-AO: How to establish trust for WAAS in AD?

• WAAS needs to be configured with a read-only identity to obtain keys to encrypt, read, and sign data

• WAAS supports two types of Active Directory identities:

‒ Each Core WAAS device can join the Active Directory as a type “Workstation”

Active Directory automatically performs password rotation for Workstation accounts

‒ Configure a dedicated R/O User Account for WAAS on each Core WAAS device

– A single User Account can be used for all Core WAAS devices, if desired

– Multiple User Accounts can be used to support Multi-AD Domain environments

• Be aware, AD’s Kerberos depends on time being fully in sync on all devices; the use of NTP is highly recommended…

• Also make sure you use DNS with proper Hostname and IP Assignments (reverse lookup) for WAAS devices which will contact the AD environment

Page 92: BRKAPP-2005

Grant WAAS

Permission

WAAS Deployment

Workflow to Enable Encrypted Exchange

Set Time, DNS and

Domain info

Join WAAS

to Domain Grant WAAS

Permission Ready!

Enter User in

WAAS CM

Ready!

Workstation Account

User Account

“Administrator” User Account

Set Time, DNS and

Domain info

Set Time, DNS and

Domain info

Ready!

Enter User in

WAAS CM

Active Directory Team Tasks:

Grant WAAS account permission to:

- “Replicate Directory Changes”

- “Replicate Directory Changes All”

Page 93: BRKAPP-2005

WAAS Deployment

EMAPI Configuration

• Configure Windows Domain Settings for CoreDeviceGroup

• Join the AD Domain

• Configure and enable EMAPI feature

Page 94: BRKAPP-2005

WAAS Deployment

Citrix-AO Changes in WAAS 5.1

• Multi-stream ICA (MSI) Support

• QoS Support for ICA MSI and non-MSI Streams

• Enhanced ICA/CGP Optimization

• ICA Implemented Admission Control

WAAS 5.1

Dec 2012

Page 95: BRKAPP-2005

• WAAS transparently interoperates with Citrix Protocols

WAAS transparently inserts itself into the Citrix communication.

WAAS applies TCP flow optimization to maximize bandwidth usage and mitigate packet loss.

WAAS delivers Citrix Aware Redundancy Elimination that removes redundant data from across all end user connections.

WAAS applies inline compression algorithm over the optimized data, maximizing savings

Optimized Normal Normal

WAAS Deployment

Understanding Citrix Handshake with WAAS

WAAS 5.1

Dec 2012

Page 96: BRKAPP-2005

WAAS Deployment

Multi-stream ICA (MSI) Splits a User into 5 Streams

MSI is disabled by default in Citrix today

• Enabling Multi-Stream ICA on WAAS automatically enables it through Citrix.

[Diagram: the ICA channels of one user session split across five streams, four TCP and one UDP]

• WAAS can dynamically apply DSCP markings to match Citrix Priorities.

DSCP Marking

Very High (audio)

DSCP Marking

Medium (USB Redirect)

DSCP Marking

Low (COM Port)

• WAAS automatically optimizes channels which use separate TCP connections.

WAAS 5.1

Dec 2012

Page 97: BRKAPP-2005

WAAS Deployment

QoS Support for MSI and non-MSI streams

• WAAS can be enabled to implement Differentiated Services Code Point (DSCP) tagging of both MSI and non-MSI ICA and CGP traffic.

• Once enabled, WAAS will interpret the MSI stream type for the TCP connection and enable the appropriate DSCP value.

• The user will be able to enable or disable tagging MSI or non-MSI traffic as well as to define different values for the MSI and non-MSI traffic.

[Diagram: ICA channels carried over four TCP streams and one UDP stream, with per-stream markings DSCP: 0xaf41, DSCP: 0xaf21 and DSCP: 0x0 (Best Effort)]

WAAS 5.1

Dec 2012

Page 98: BRKAPP-2005

WAAS Deployment

Enhanced Compression and Stream Throughput

• WAAS 5.1 provides many enhancements for better compression, throughput and capacity

WAAS ICA-AO with DRE Compression

ICA Connection

ICA MSG

• WAAS further accelerates performance by better processing of CGP ACKs

ICA MSG

ICA MSG

CGP ACK

WAAS 5.1

Dec 2012

Page 99: BRKAPP-2005

WAAS Deployment

Virtual Blades - Overview

• WAAS Virtual Blade is a guest virtual machine running inside a WAVE on top of WAAS

• Enterprise and Virtual Blade licenses required

• Available on WAVE’s 294, 594 and 694

• Preservation of Virtual Machine state on WAAS reboot

• Dedicated disk partition and memory per VB

• Virtual Blades currently being supported (* = Fully TAC Supported)

‒ MS Windows (2003/2008) Server print and directory services. Windows Server 2008 available pre-installed (WoW VB)*

‒ Cisco Application and Content Networking System (ACNS VB)*

‒ Cisco Enterprise Content Delivery System (ECDS VB)*

‒ Cisco Network Analysis Module (NAM VB)*

‒ Customer supplied services

Cisco Linux

Kernel Virtual Machine (KVM)

VB Space

Windows On

WAAS (WOW)

ECDS Virtual Blade

NAM Virtual Blade

Virtual Blade

Storage

Ethernet Network

I/O

WAVE

Page 100: BRKAPP-2005

Interface Bridge

ECDS VB1 WoW VB2

WAAS interface Gi 2/0 no ip address

WAAS interface Gi 1/0

ip address B.1/24

LAN ip address A.2/24

Subnet A/24

Gi 1/0 Gi 2/0

interface Gi 1/0 ip address A.1/24

Interface Bridge

ECDS VB1 WoW VB2

interface Gi 2/0 channel-group 1

interface Gi 1/0 channel-group 1

LAN ip address A.3/24

interface Gi 1/0 ip address A.2/24

WAAS interface PortChannel 1

ip address A.1/24

Interface Bridge

Subnet A/24

Gi 1/0

Gi 2/0

LAN-1 LAN-2

LAN-1 LAN-2

virtual-blade X

description VB Shared Port Channel

interface 1 bridge PortChannel 1

virtual-blade X

description Dedicated VB Network

interface 1 bridge GigabitEthernet 2/0

B/24

61

80

61

80

WAAS Deployment

Virtual Blades – Interface Configuration Options

62 62 WCCP WCCP

WAVE WAVE

Dedicated WAVE Interfaces

Shared WAVE Interfaces

Page 101: BRKAPP-2005

WAAS Deployment

Virtual Blades – Software Installation

• Copy the ISO image to WAVE from local DVD or using FTP

• Allocate disk, memory, network resources using WAAS CLI or WAAS CM GUI

• Run the virtual blade, booting from emulated CD

• Use VNC to continue the installation where appropriate (WOW)

‒ VNC to WAVE IP-ADDRESS:VB#

br1-wae1#pwd

/local1/vbs

br1-wae1#dir

size time of last change name

-------------- ------------------------- -----------

2634078208 Wed Jun 18 16:08:59 2008 en_windows_server_2008.iso

178952192 Sat May 4 12:35:30 2002 winboot2.0.116qd.iso

Page 102: BRKAPP-2005

WAAS Deployment

Virtual Blades - Windows on WAAS Example

Page 103: BRKAPP-2005

WAAS Deployment

Virtual Blades – NAM VB Integration w/ WAAS

Showing End User Response Time Report before and after enabling WAAS

Improved Reporting with WAAS NAM VB

Page 104: BRKAPP-2005

WAAS Deployment

Ask for the Dedicated NAM VB Presentation

• I have prepared a special NAM VB slide deck (60 slides) which is available to you on request. Send the request to [email protected].


Page 105: BRKAPP-2005

Deploying WAAS devices into the Network

Page 106: BRKAPP-2005


WAAS Network Deployment

Inline

• Simple Plug-and-Play Deployment

‒ Physical in-path deployment between switch and router

‒ Mechanical fail-to-wire

• High Availability

‒ Two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing

• Seamless Transparent Integration

‒ Transparency and automatic discovery

‒ 802.1q VLAN trunk support

‒ Supported on all WAVE appliance models

WAVE-INLN-GE-4T WAVE-INLN-GE-8T

WAVE-INLN-GE-4SX WAVE-10GE-2SFP

WAN

Page 107: BRKAPP-2005

WAAS Network Deployment

Serial Inline HA Cluster

• Simple High Availability for small to medium sized Data Centers

• HA supported by other local WAVE

• Not meant to be used for scaling, only HA

• Design needs 4 Inline Groups (8 ports) per WAVE

‒ Use WAVE-INLN-GE-8T

• Color coded or number-labeled cabling recommended…

• Interception ACL supported

‒ Bypass for non-relevant traffic

• Need to turn off optimization between local WAVE’s

‒ No peering between local neighbors

WAN2 WAN1

HA

WAVE-INLN-GE-4T WAVE-INLN-GE-8T

WAVE-INLN-GE-4SX WAVE-10GE-2SFP

Page 108: BRKAPP-2005

WAAS Network Deployment

Off-path Interception

• WCCPv2 Interception (recommended)

‒ Transparent network integration

‒ Part of IOS

‒ Hardware accelerated on modern IOS Routers and Switches

‒ Active/active clustering supports up to 32 WAVEs and 32 Routers with automatic load-balancing, load redistribution, fail-over and fail-through operation

‒ Automatic device capability discovery

‒ Near-linear scalability and performance improvement when adding devices

• Policy-Based Routing Interception

‒ Next hop routing

‒ Part of IOS

‒ HA only, no load balancing

‒ HA provided using IP SLA as a tracking mechanism

WAN

WCCP Cluster

Page 109: BRKAPP-2005

WAAS Network Deployment

WCCP Functions

• Intercept – Identify TCP packets on Router/Switch for WAAS processing

• Assign – Select target WAVE device

• Redirect – Router/Switch sends the flow to WAVE for optimization

• Return – WAVE sends the initial packet back to the router. For flows not able to be optimized by the assigned WAVE, subsequent packets from same flow will not be redirected anymore

• Egress Method – Flow forwarding mechanism back to the network after being processed by a WAVE. Method is negotiated between WAVE and IOS device and WCCP process may overrule configuration (HW/SW capability conflict)

WAVE(S)

Intercept

Assign

Redirect

Return/Egress

Intercept takes place in both directions for WAAS

Page 110: BRKAPP-2005

WAAS Network Deployment

WCCP - Redirect, Return and Egress Methods

• WCCP specifics are configured on WAVE

• Configuration depends on NW design and Router/Switch capabilities

• L2 setup (preferred) means L2 adjacency between Switch and WAVE

• WCCP Return to Router/Switch

‒ WCCP GRE - GRE Packet returned to Router

‒ WCCP Layer 2 - Frame rewritten to Switch MAC

• WCCP Redirect to WAVE

‒ GRE - Entire packet inside GRE tunnel to WAVE (default)

‒ Layer 2 - Frame MAC address rewritten to WAVE MAC

• WAVE Egress Method

‒ IP Forward – WAVE ARPs for configured Default Gateway (default)

‒ WCCP negotiated – Flow sent back inside WCCP GRE tunnel to Router preventing interception loop

‒ Generic GRE – Flow sent back inside preconfigured Generic GRE tunnel to Switch (specific for HW assisted interception on Catalyst 6500)

Page 111: BRKAPP-2005


WAAS Network Deployment

WCCP - Platform OS Recommendations (Dec 2012)

WCCP Function | Nx 7000 | ISR & 7200 | ASR 1000 | Cat 6500/7600 Sup720/32 | Cat 6500 Sup2T | Cat 4500 | Cat 3750
Assign | Mask | Hash or Mask | Mask | Hash or Mask | Hash or Mask | Mask | Mask
Redirect | L2 | GRE or L2 | L2 | GRE or L2 | GRE or L2 | L2 only | L2 only
Redirect List | L3/L4 ACL | Ext. ACL | Ext. ACL | Ext. ACL | Ext. ACL | No | Ext. ACL (no deny)
Direction | In or Out | In or Out | In | In or Out | In or Out | In | In
Return | L2 | GRE or L2 | L2 | Gen. GRE or L2 | Gen. GRE or L2 | L2 | L2
VRFs | Supported | Supported | Planned | Planned | Supported | N/A | N/A

IOS

4.2(1); 5.1(5)

12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.2(3)T L2/Mask; 7200 15.0(1)M

XE3.1.0S; IOS 15.0(1)S

6500 12.2(33)SXH4; 12.2(33)SXI; 12.2(18)SXF; 15.1(1)SY

7600 12.2(18)SXF; 15.1(1)SY

<Sup6 12.2(54)SG1; Sup6 15.0(2)SG; Sup7 15.1(1)SG

12.2(37)SE

This list is dynamic over time, see platform release notes for latest information

Page 112: BRKAPP-2005

WAAS Network Deployment

WCCP - Branch Configuration Example

[Diagram: branch routers with service group 61 on g0 and service group 62 on s0 toward the WAN; SRE module on sm1/0]

Hash

Router

ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE

wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp

Mask

Router

ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
 ip wccp 61 redirect in
interface serial0
 ip wccp 62 redirect in

WAVE

wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1

Looped Intercept Risk!

Page 113: BRKAPP-2005

WAAS Network Deployment

WCCP – DC Cluster options for Distribution Layer

• WAVE with Standby Interface

‒ Registration – r1/r2 interface IP

‒ Assignment – Mask

‒ Redirect – WCCP GRE

‒ Return/Egress – IP Forward, Generic GRE (6500) or WCCP GRE (ASR)

‒ Network – Engines on shared subnet between r1 and r2

‒ VLAN inter-core link with no WCCP

[Diagram: WCCP registration of engines e1 to e4 with routers r1 and r2 (service groups 61 and 62) toward the WAN]

• WAVE with Single Interface or EtherChannel

‒ Registration – Loopback IP

‒ Assignment – Mask

‒ Redirect – WCCP GRE

‒ Return/Egress – IP Forward or generic GRE (

‒ Network – Engines on dedicated subnet (no standby interface)

‒ Routed link (r1-r2) with no WCCP

[Diagram: engines e1 to e4 behind routers r1 and r2 (service groups 61 and 62) toward the WAN]

Page 114: BRKAPP-2005


WAAS Network Deployment

WCCP – Twin DC Options

• WAVE cross registers with WAN edge or distribution routers in both data centers

• WAVE in server farm

• Distribution with WCCP or vPath

[Diagram: twin data centers with service groups 61 and 62 on the routers and switches]

Page 115: BRKAPP-2005


WAAS Network Deployment

WCCP – Configuration Best Practices

• Registration

‒ Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)

‒ Use interface IP address if L2 adjacent to WCCP router

‒ Use highest loopback address if not L2 adjacent to WCCP router

‒ Do not configure large MTU (>1500 bytes) on WCCP client interfaces

• Software Platforms

‒ GRE WCCP (Default)

‒ Hash Assignment (Default)

‒ Inbound Interception

‒ "ip wccp redirect exclude in" on WCCP client interface (outbound interception only)

‒ WAAS Egress Methods: IP Forwarding, Negotiated Return

• Hardware Platforms

‒ L2 WCCP

‒ Mask Assignment. Use small mask (0x1, 0x3, 0x7, 0xF etc) due to TCAM limits on certain platforms (e.g. Cat6k)

‒ Inbound Interception

‒ WAAS Egress Methods: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)

Page 116: BRKAPP-2005

WAAS Network Deployment

vPATH on Nexus 1000v

[Diagram: VMware ESX Server 1 and VMware ESXi Server 2, each with a Nexus 1000v VEM and a vWAAS instance (vWAAS1, vWAAS2) as VSN; Nexus 1000v VSM, vCenter Server and vCM; Web-Server 1 to 3, App Server and DBServer; FC Array on SAN; port-profiles: Non Opt, vWAAS, Optimized for WAAS 1, Optimized for WAAS 2; vPATH]

VEM: Virtual Ethernet Module

VSM: Virtual Supervisor Module

VSN: Virtual Service Node

Page 117: BRKAPP-2005


vWAAS Network Deployment

VPATH configuration example on Nexus VSM

port-profile type vethernet DC-vWAAS
 vmware port-group
 switchport mode access
 switchport access vlan 40
 no shutdown
 state enabled

port-profile type vethernet server-3
 vmware port-group
 switchport mode access
 switchport access vlan 40
 vn-service ip-address 10.42.40.210 vlan 40 fail open
 no shutdown
 state enabled

Page 118: BRKAPP-2005

WAAS Deployment

vWAAS - More Information

• Due to the limited time available for this session I haven’t included much information on Nexus1000v and vPath configuration.

• I have prepared a special slide deck (50 slides) with all information which is available for you on request. Send the request to [email protected]


Page 119: BRKAPP-2005

WAAS AppNav Deployment

Page 120: BRKAPP-2005


WAAS AppNav Deployment

AppNav Functionality

[Diagram: data center AppNav cluster, Pre-5.x versus 5.x; functions shown: Interception, Redirection, Load Distribution, Optimization, Asymmetric Traffic and HA]

Virtualization technology that pools WAN optimization resources into a cluster with business-driven rules and elastic provisioning.

Page 121: BRKAPP-2005


WAAS AppNav Deployment

Inpath

With AppNav

• Investment protection

• Plug in AppNav IOM

• Simple to configure

• Flexible to deploy

• Scalable

• Native HA solution

• Asymmetric solution

Until Today

• Less Scalable

• High Availability solution

• Asymmetric solution

[Diagram labels: Interception, Distribution, Scalability, HA & Asymmetry]

Page 122: BRKAPP-2005


WAAS AppNav Deployment

Pre-AppNav Off Path Deployment Challenges

Mask | Value | Result
00:00:03:00 | 00:00:00:00 | WAE-1
00:00:03:00 | 00:00:01:00 | WAE-2
00:00:03:00 | 00:00:02:00 | WAE-3

[Diagram labels: Redirect ACL, TCAM Entries, CPU/SUP utilization]

• Non-deterministic Branch to DC mapping

• Single WAAS overload due to skewed load balancing:

– Farm capacity not fully utilized

– Suboptimal DRE cache

• Large mask bits may cause high CPU/SUP utilization

• Mask values + new redirect ACL = more TCAM usage

• Software maintenance creates cluster imbalance, specific device startup sequence required…
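
The skew described on this slide can be reproduced from the Mask/Value/Result table. The following is an added example, not part of the original slides: it reads the mask 00:00:03:00 as the 32-bit source-IP mask 0x00000300 and assumes mask values are handed to WAEs round-robin; the branch addresses are constructed.

```python
import ipaddress

# Mask from the slide, read as a 32-bit source-IP mask (assumption): 00:00:03:00
SLIDE_MASK = 0x00000300
WAES = ["WAE-1", "WAE-2", "WAE-3"]

def mask_values(mask):
    """Every value the masked bits can take: 2**popcount(mask) buckets."""
    values = [0]
    for bit in (1 << i for i in range(32)):
        if mask & bit:
            values += [v | bit for v in values]
    return sorted(values)

def assign_buckets(mask, waes):
    """Mask value -> WAE. Round-robin assignment is an assumption of this example."""
    return {v: waes[i % len(waes)] for i, v in enumerate(mask_values(mask))}

def wae_for(src_ip, mask, table):
    """WAE that receives a flow, decided only by the masked source-address bits."""
    return table[int(ipaddress.IPv4Address(src_ip)) & mask]

def load_per_wae(sources, mask, waes):
    """Count flows per WAE for a list of source addresses."""
    table = assign_buckets(mask, waes)
    load = {w: 0 for w in waes}
    for ip in sources:
        load[wae_for(ip, mask, table)] += 1
    return load

# Constructed sample: three branch offices whose subnets are all multiples of 4
# in the third octet, so the two masked bits are always 00.
ALIGNED_BRANCHES = ["10.10.0.21", "10.10.4.21", "10.10.8.21"]
# Constructed sample: branches on consecutive /24s with different host addresses.
CONSECUTIVE_BRANCHES = ["10.10.0.20", "10.10.1.21", "10.10.2.22"]

if __name__ == "__main__":
    for value, wae in assign_buckets(SLIDE_MASK, WAES).items():
        print(f"mask 0x{SLIDE_MASK:08x} value 0x{value:08x} -> {wae}")
    print("aligned    :", load_per_wae(ALIGNED_BRANCHES, SLIDE_MASK, WAES))
    print("consecutive:", load_per_wae(CONSECUTIVE_BRANCHES, SLIDE_MASK, WAES))
    # A 1-bit mask (0x1) yields only two buckets, so the third WAE gets no flows.
    print("mask 0x1   :", load_per_wae(CONSECUTIVE_BRANCHES, 0x1, WAES))
```

With the aligned branch subnets every flow lands on WAE-1 while the other two engines stay idle, and with a 1-bit mask a third engine can never receive traffic, whatever the addressing plan.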

Page 123: BRKAPP-2005

WAAS Deployments

OffPath

• Investment protection

• Plug in AppNav IOM

• Light WCCP interception

• Scalable

• Non-disruptive capacity expansion and reduction

• Native High Availability

• Native Asymmetric handling

Until Today

Light WCCP on Core Switch

• Single ServiceGroup

• Simple mask 0x01

[Diagram labels: Interception, Distribution, Scalability, HA & Asymmetry]

With AppNav

• Scalable

• High Availability solution

• Asymmetric solution

Page 124: BRKAPP-2005

WAAS AppNav Deployment

AppNav Terminology

AppNav Controllers (ANC)

WAAS Nodes (WN)

AppNav Controller Groups (ANCG)

WAAS Node Groups (WNG)

AppNav Cluster

Service Context

Flow Distribution Policy

Interception, redirection, load distribution

Optimization

Scalability, high availability and asymmetric traffic handling

Page 125: BRKAPP-2005

WAAS AppNav Deployment

AppNav Intelligent Flow Distribution

[Diagram: WAAS node groups labelled Site A, HTTP and SSL, MAPI and All Other Sites]

• Site affinity:

– Using Branch WAVE ID or site IP subnet

– Reserve optimization capacity for critical sites

– Improves compression performance through DRE

• Application affinity:

– Using source/dest IP addresses and ports

– Reserve optimization capacity for applications

– Consolidates application-specific optimization options

• Site + Application (combination)

Page 126: BRKAPP-2005

WAAS AppNav Deployment

AppNav Elastic Provisioning of WAN Optimization Resources

• Interception/redirection/flow distribution resources can be added gracefully without disruption, as data center scales when adding applications, customers, or raw traffic volume

• Optimization resources can be added gracefully without disruption, as farms with business driven bindings (branch, application, etc.) scale

[Diagram: WAAS node groups labelled Site A, HTTP and SSL, MAPI and All Other Sites]

Page 127: BRKAPP-2005

WAAS AppNav Deployment

AppNav Cluster HA and Asymmetric Traffic Handling

• Health probes between ANCs and WNs:

– AO Health and load included in reply.

– WNs enter and exit the cluster gracefully.

• Heartbeats between ANCs synchronize cluster state

– Flow distribution tables, WN reachability, and WN load are shared

– ANCs enter and exit the cluster gracefully without impacting traffic flows

– Asymmetric traffic is distributed consistently

Page 128: BRKAPP-2005

WAAS AppNav Deployment

Available AppNav Modules

• AppNav modules are available for DC WAVE devices only

‒ WAVE 694, 7541, 7571 and 8541

Available AppNav I/O Modules: 12 x 1G Copper or 12 x 1G SFP

‒ Exception is the WAVE 594 AppNav bundle with 4 x 10G interfaces

– Can only be used as AppNav Controller with WCCP

– This bundle cannot be used as a WAAS Accelerator

[Image: AppNav Module, 12 x 1G Copper]

Page 129: BRKAPP-2005

WAAS AppNav Deployment

AppNav Sizing Guidelines

• Up to 1 Million Optimized TCP Connections

‒ Concurrent with 1 million Pass-through connections

• Throughput up to 12 Gbps

• Max 8 AppNav Controllers per Cluster

• Up to 32 AppNav Nodes per Cluster

Page 130: BRKAPP-2005

WAAS AppNav Deployment

Use of AppNav Wizard is highly recommended...

• Use the WAAS setup script for basic device configuration

• Choose AppNav Controller as Device Mode

‒ Required to recognize the AppNav I/O Module

‒ Intermediate reboot is required

• WAVE with AppNav module can still participate as cluster accelerator

• After CMS registration, save the configuration

• Reboot WAVE Device

• AppNav configuration using the Cluster Wizard within the WAAS CM is Highly Recommended

‒ Configuring via the CLI is too error-prone

‒ Over 100 lines to configure...

‒ AppNav is fully manageable via the WAAS CM

Page 131: BRKAPP-2005

WAAS AppNav Deployment

AppNav Wizard – Cluster Configuration Steps

Page 132: BRKAPP-2005

WAAS AppNav Deployment

AppNav Wizard – Cluster Configuration Steps (continued)

Page 133: BRKAPP-2005

WAAS AppNav Deployment

AppNav Wizard – Cluster Configuration Steps (continued)


Page 134: BRKAPP-2005

WAAS Sizing Guidelines

Page 135: BRKAPP-2005


WAAS Sizing Guidelines

• WAAS devices are normally selected based on

‒ Number of users (count 5 – 20 connections per user)

‒ Target WAN Bandwidth

‒ Number of Video Streams (1 per user)

‒ Number of VB’s if any

‒ Router integrated device or not

• We have sized our WAAS devices based on real-life assumptions about traffic patterns, usage patterns, applications, protocols, specific platforms and storage

• Peak level performance not limited by a license. Max loading a WAAS device will cause new connections to be put in Pass Through until load falls below the rated capacity again

• Plan for peak levels and future growth

• Ask your SE for the WAAS sizing guide and calculator

• Cisco Professional Services are also able to help when needed

Page 136: BRKAPP-2005

WAAS Sizing Guidelines

WAVE - Platform Performance (5.0)

Platform | WAN Bandwidth (Mbps) | Optimized TCP Connections | Optimized LAN Throughput (Mbps) | Total Disk Capacity (GB) | DRE Disk Capacity (GB) | CIFS Disk Capacity (GB) | Maximum LAN Video Streams
SRE-7X0-S | 20 | 200 | 200 | 500 | 80 | 57 | 40
SRE-7X0-M | 20 | 500 | 500 | 500 | 80 | 57 | 150
SRE-9X0-S | 50 | 200 | 200 | 500 | 120 | 95 | 40
SRE-9X0-M | 50 | 500 | 300 | 500 | 120 | 95 | 150
SRE-9X0-L | 50 | 1000 | 1000 | 500 | 120 | 95 | 300
294-4G | 10 | 200 | 100 | 250 | 40 | 75 | 40
294-8G | 20 | 400 | 150 | 250 | 55 | 75 | 80
594-6G | 50 | 750 | 250 | 500 | 80 | 100 | 150
594-12G | 100 | 1300 | 300 | 500 | 120 | 100 | 300
694-16G | 200 | 2500 | 450 | 600 | 120 | 100 | 400
694-24G | 200 | 6000 | 500 | 600 | 200 | 100 | 1000
7541 | 500 | 18k | 1000 | 2250 | 500 | 225 | 1000
7571 | 1000 | 60k | 2000 | 3150 | 1000 | 225 | 1000
8541 | 2000 | 150k | 4000 | 4200 | 2000 | 300 | 1000

Virtual Blades Supported 2 2 2 4 4 6

Total Virtual Blade Disk Capacity 60 60 175 175 180 180

Peer Fan Out 50 100 150 300 700 1400 2800

CM Managed Devices 250 250 1000 1000 2000 2000

Page 137: BRKAPP-2005

WAAS Sizing Guidelines

vWAAS - Platform Performance (5.0)

Model | vWAAS-200 | vWAAS-750 | vWAAS-6000 | vWAAS-12000 | vWAAS-50000 | vCM-100N | vCM-2000N
Number of vCPU | 1 | 2 | 4 | 4 | 8 | 2 | 4
Virtual Memory (GB) | 2 | 4 | 8 | 12 | 48 | 2 | 8
Virtual Disk Datastore (GB) | 160 | 250 | 500 | 750 | 1500 | 250 | 600
Target WAN Bandwidth (Mbps) | 10 | 50 | 200 | 310 | 1000 | |
Optimized TCP Connections | 200 | 750 | 6000 | 12000 | 50000 | |
Optimized LAN Throughput (Mbps) | 100 | 250 | 500 | 1000 | 2000 | |
DRE Disk Capacity | 50 | 95 | 320 | 450 | 1000 | |
CIFS Disk Capacity | 75 | 95 | 95 | 175 | 175 | |
Max LAN Video Streams | 40 | 150 | 1000 | 1000 | 2000 | |
CM Managed Devices | | | | | | 100 | 2000

Peer Fan-out 50 300 1400 2800

Page 138: BRKAPP-2005

WAAS Sizing Guidelines

WAAS Express – Platform Performance (2.0)

Platform | Required DRAM | Maximum WAN Bandwidth | Maximum LAN Bandwidth | Recommended Number of Users | Max TCP Connections | DRE Capacity
88x | 768 M | 1.5 Mbps | 3 Mbps | 1-10 | 75 | 512 M
89x | 768 M | 2 Mbps | 4 Mbps | 1-10 | 75 | 512 M
1921 | 512 M | 512 kbps | 1 Mbps | 1-5 | 50 |
1941 | 2.5 G | 4 Mbps | 8 Mbps | 15-20 | 150 | 2
2901 | 2.5 G | 6 Mbps | 12 Mbps | 15-20 | 150 | 2
2911 | 2.5 G | 6 Mbps | 12 Mbps | 25 | 200 | 2
2921 | 2.5 G | 6 Mbps | 12 Mbps | 25 | 200 | 2
2951 | 4 G | 6 Mbps | 12 Mbps | 25 | 200 | 2
3925 | 4 G | 10 Mbps | 20 Mbps | 50 | 500 | 3
3945 | 4 G | 10 Mbps | 20 Mbps | 50 | 500 | 3


Page 139: BRKAPP-2005

Closure

Page 140: BRKAPP-2005


Recommended Reading for BRKAPP-2005 For Your Reference

Page 141: BRKAPP-2005

WAAS Home Page on cisco.com

• For more information on specific WAAS topics or to follow WAAS developments please visit the WAAS Home Page at: www.cisco.com/go/waas

Page 142: BRKAPP-2005

Closure

Guidelines to remember

• Remember...

‒ Use CM Configuration Groups

‒ Fix Line-rate and Duplex on Fast Ethernet ports

‒ Beware of Routing Loops with WCCP

‒ Beware of Asymmetric Routing with WCCP

‒ Monitor Router/Switch CPU load after implementing WCCP

‒ Follow recommended order of operations

‒ Use of Port-Fast where appropriate

‒ Usage of DNS and NTP is recommended

‒ For in-depth deployment and design help, contact your Cisco Sales team for Advanced Services help!!!

‒ Ask for specific deployment presentations (send me an email) (vWAAS, WAAS on SRE, WAAS NAM VB etc.)

• Please don’t forget to complete your online session evaluation...

Page 143: BRKAPP-2005

Call to Action

• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action

• Get hands-on experience attending one of the Walk-in Labs

• Schedule face to face meeting with one of Cisco’s engineers at the Meet the Engineer center

• Discuss your project’s challenges at the Technical Solutions Clinics

Page 144: BRKAPP-2005

Page 145: BRKAPP-2005