CWAAS20S03

Network Design,
Interception, and
Interoperability
Implementation, Integration, and Management
© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-1

Inline Interception Deployment Modes
In-Path, Single Cisco WAE, Single WAN Connection
MGMT
WAN
Cisco WAE1
In-Path Cluster, Single WAN Connection
MGMT
WAN
Cisco WAE1 Cisco WAE2

Inline Interception Deployment Modes (Cont.)
In-Path, Single Cisco WAE, Redundant WAN
Links
WAN
MGMT
WAN
Cisco WAE1
In-Path Cluster, Redundant WAN Links

WAN
MGMT
WAN
Cisco WAE1 Cisco WAE2

In-Path Cisco WAE Configurations
Cisco WAE Inline Adapter
IP
Network
IP
Network
Router LAN
Interface
LAN
LAN

In-Path Cisco WAE Configurations (Cont.)
IP IP
Network Network
IP Cisco WAE Inline Adapter
Network
Router LAN Router LAN
IP Interface Interface
Network

IP
Network
Cisco WAE
Inline Adapter
Router LAN
Interface
Cisco WAE
Inline Adapter
LAN

IP Router LAN
Network Interface
IP Router LAN
Network Cisco WAE
Interface Inline Adapter
Cisco WAE
Inline Adapter

Hierarchical Network Placement
The core layer is typically
reserved for high- Core
performance forwarding.
The distribution layer

provides an optimal Distribution
deployment location for
Cisco WAAS.
The access layer can be

used for Cisco WAAS, but it
is too contained for use with Access
large-scale optimizations.

Hierarchical Network Placement: In-Path
Distribution

Cisco WAE Placement with Firewalls
If the firewall is providing VPN tunnel termination:
WAN
Cisco WAE Firewall
If the firewall is providing security services but no VPN tunnels:
WAN
Firewall Cisco WAE

Egress IP Forwarding in Cisco WAAS
 Legacy Cisco WAAS versions (prior to 4.0.13) support only IP
forwarding of egress traffic:
– Send to default gateway configured on WAE
 If the Cisco WAE is attached to the same segment as the
interface performing redirection, this creates a routing loop:
– The Cisco WAE primary interface must be attached to a
separate segment.
– A separate physical or logical interface requires additional
router configuration.
PBR or WCCPv2
IP
Network
Infinite Loop
Cisco WAE
Device
IP Forwarding Off-Path Deployment Options
PBR or
Tertiary Interface WCCPv2
IP
Network
Fa0/0
Fa1/0
Redirect Cisco WAE

Exclude Device
PBR or
WCCPv2
Subinterface
Fa0/0.10 IP
Network
Fa0/0.20
Redirect
Exclude
Cisco WAE
Device
Two-Router HSRP/VRRP with Cisco NME-
WAE in One of the Routers
 Cisco NME-WAE placed in

one of the routers WAN
 Internal connection to
Active Standby
active router Router Router
 External connection to
standby router
Si Si

Hierarchical Network Placement: Off-Path
Distribution

Introduction to WCCPv2
WCCPv2 tells the network which packets to redirect to the Cisco WAE.
Up to 32 Cisco WAEs: Up to 32 routers:

 Act as service group clients  Act as service group servers
 Perform traffic optimization  Perform traffic inspection and redirection
Cisco WAE1
R1
Traffic Flow
Cisco WAE2 R2
IP
Network R32
Cisco WAE32

WCCPv2 Interception
Service group servers monitor interfaces based on interception
configuration criteria to identify traffic to be redirected to a
service group client:
 Ingress redirection (inbound): When this is applied to an interface, the
router monitors traffic entering an interface to see if it matches criteria
for any of the running service groups.
 Egress redirection (outbound): When this is applied to an interface, the
router monitors traffic leaving an interface to see if it matches criteria for
any of the running service groups.
FastEthernet0/0 Serial0
Redirect In Redirect Out
Router

WCCPv2 Load Balancing
 WCCPv2 allows for load balancing based on a number

of parameters, including source or destination
information (IP address, subnet, or port).
 Cisco WAE devices running Cisco WAAS use two
service groups that request redirection of TCP traffic:
– Service group 61: All TCP traffic, load-balance on source IP
– Service group 62: All TCP traffic, load-balance on destination IP
 These service groups ensure that traffic is redirected to
the same Cisco WAE for both directions of packet flow.

WCCPv2 Redirection
Service group servers (routers) can use one of two
methods to redirect traffic to a Cisco WAE:
 GRE: This is the most commonly used method. The entire packet
is encapsulated into a new IP packet that is destined for the Cisco
WAE.
 Layer 2 redirect: This method is less frequently used but is
common with LAN switches. The original frame header is
rewritten with the Cisco WAE MAC address as the destination
and then forwarded to the Cisco WAE.
Interception monitors for Redirection forwards the

traffic that matches traffic to a service group client
configured service groups. using GRE or Layer 2 redirect.
Cisco WAE Device

WCCP Redirect and Egress Method
 Router redirection (router to Cisco WAE):
– GRE: Entire packet GRE tunneled to the engine
– Layer 2: Frame MAC address rewritten to engine MAC
 Egress method (Cisco WAE to router)
– IP forward: Engine issues ARP for default gateway.
– WCCP GRE: Packet statefully returned to router (as of Cisco WAAS
Release 4.0.13).
– Generic GRE: Packet statefully returned in hardware to Cisco Catalyst 6500
Sup720/32 (as of Cisco WAAS Release 4.1).
 Assign, redirect, and return configuration depends on capabilities of the Cisco WAE and
the router.
Src Balance 61 62 Dst Balance
r1
A
A B
C
Cisco WAE1 Cisco
B WAE2 Cisco WAE1 and Cisco
WAE2 default route to r1
r2

WCCPv2 and Cisco WAAS Egress Methods
 Cisco WAAS provides deployment flexibility when using
WCCPv2 as the redirection method:
– Configurable egress methods for WCCPv2 interception
 Egress method support overcomes the limitations and topology
requirements of IP forwarding:
– The Cisco WAE can reside on the host subnet.
– There is support for redundant router topologies—network
path affinity.
 Relevant only to one-arm, off-path deployments that employ
WCCPv2 redirection mechanism to send traffic to the Cisco
WAE:
– Not applicable to inline interception
– Separate subnet still required for the Cisco NME-WAE

Cisco WAAS Egress Methods: Negotiated
Return
 Cisco WAAS egress method can be configured to use the return
method that WCCP has negotiated for bypass traffic:
– Based on intercept method
 The default is IP forwarding if the egress method is not configured
or supported.
WAE(Config)# egress-method negotiated-return intercept-method wccp
WCCP
Interception and
Redirection
Bypass Traffic
Return Method GRE Tunnel
Negotiated = GRE
Determine what WCCP has
Ingress Egress negotiated for bypass return and
use that for egress.
© 2008 Cisco Systems, Inc. All rights reserved.

Cisco WAE CWAAS v2.0—3-21
Cisco WAAS Egress Methods: Generic New
GRE In
4.1
 Designed for Catalyst 6500 Series Switches (Supervisor 32 and Supervisor 720):
– Because they support hardware acceleration processing of GRE packets
– Deployments where multiple Catalyst 6500s govern multiple entry/exit points with a mix of
Layer 2/non-Layer 2-adjacent Cisco WAEs—must use GRE return, but too CPU intensive
 Like WCCP GRE return, except for the following:
– Generic GRE overcomes limitations of WCCP GRE return (WCCP GRE packets are
processed in software, causing high CPU utilization).
– Egress packet sent to explicitly configured GRE tunnel interface on router.
WAE(Config)# egress-method generic-gre intercept-method wccp
WCCP
Interception and
Redirection
Ingress GRE Tunnel
Egress
Cisco WAE

Cisco WAAS Egress Method: Central
Manager GUI Configuration
The Central Manager GUI can

be used to configure the egress
method for a device or device
group.

WCCP Catalyst 6500 Generic GRE
Return Configuration
Router Configuration WAE Configuration
interface loopback1
! WCCP router ID wccp router-list 1 10.1.1.1
ip address 10.3.1.1 255.255.255.0 wccp tcp promiscuous router-list 1
interface vlan812 mask-assign
! Local WAE subnet
ip address 10.1.1.1 255.255.255.0 wccp tcp-promiscuous mask src-ip-
! --------------------- mask < 0xF | 0xF00 | 0xF0000 >
interface Tunnel1 wccp version 2
! Multipoint tunnel to vlan812
ip address 10.2.1.1 255.255.255.0 interface GigabitEthernet 1/0
tunnel source vlan812 ip address 10.1.1.10
no ip redirects 255.255.255.0
tunnel mode gre multipoint
! ------- OR ---------- exit
interface Tunnel1
! p2p unnumbered tunnel to
vlan812
ip unnumbered interface vlan812
tunnel source interface vlan812
! WAE IP tunnel destination
tunnel destination 10.1.1.10
no ip redirects
tunnel mode gre ip

Cisco WAAS Egress Method Behaviors
IP forwarding: Negotiated return:
1. Host request intercepted by 1. Host request intercepted by
interception mechanism WCCPv2 service group
(WCCPv2 or PBR) 2. Host request redirected to Cisco
2. Host request redirected to Cisco WAE for optimization
WAE for optimization 3. Negotiated return method used for
3. Cisco WAE default gateway used Cisco WAE egress traffic
for Cisco WAE egress traffic
Default
1 Gateway 1
2
3
3
2
GRE Tunnel
Cisco WAE Cisco WAE

Cisco WAAS Egress Method Behaviors
(Cont.)
Generic GRE:
1. Host request intercepted by WCCPv2 only
2. Host request redirected to Cisco WAE for
optimization
3. Generic GRE tunnel Cisco WAE egress traffic
Default
Gateway
1
Cisco WAE

WCCP: Return Method
Cisco WAAS leverages the bypass capability of WCCP to forward
nonbypass traffic:
 The return method negotiated for WCCP bypass traffic can be used as an
alternative to IP forwarding for egress traffic.
 Cisco WAAS can be configured to use negotiated return for nonbypass traffic:
– Optimized flows
– Pass-through traffic
 Cisco WAAS pass-through traffic is not bypass traffic.

WCCP: Bypass Traffic
 WCCP provides a mechanism to mirror traffic back to an
intercepting router from a Cisco WAE—due to overload or policy
configured on receiving device.
 Return method is negotiated entirely by WCCP; Layer 2 or GRE.
Intercepted—Redirected
Bypass Traffic GRE
Bypass
Cisco WAE

Network Path Affinity
 Multiple routers or multiple paths pose challenges in Cisco WAAS deployments.
 Cisco WAE can return frames to a router other than the one that intercepted and
redirected frames to the Cisco WAE:
– Multiple paths to destination
– GLBP, HSRP, and environments
1
WAN
WAN
2
WCCP Platform Recommendations
Function Software ASR 1000 Catalyst 6500 Cat 6500 Catalyst Catalyst
Support / ISR and Supervisor 720 or Supervisor 2 4500 3750
Recommend 7200 32
Assignment Hash only Mask only Mask or hash/ Mask or hash/ Mask only Mask only
mask mask
Forwarding GRE only Layer 2 or Layer 2 or Layer 2 or Layer 2 only Layer 2 only
GRE/Layer 2 GRE/Layer 2 or GRE/Layer 2
or GRE GRE
Forwarding Full Full Full extended Full extended No redirect Extended
Redirect List extended extended ACL ACL list support ACL (no
ACL ACL deny)
Direction In or out/in In only In or out/in In or out/in In only In only
Return IP forward IP forward, GRE, nGRE, IP forward or IP forward IP forward
or GRE Layer 2, Layer 2, and IP Layer 2/IP or Layer or Layer 2/
WCCP GRE, forward/no GRE forward 2/IP forward IP forward
or generic
GRE
Cisco IOS 12.1(14); Planned 12.2(18)SXF13 12.1(27)E; 12.2(31)SG 12.2(44)SE
Software 12.2(26); 12.2(33)SXH 12.2(18)SXF1
Release 12.3(13); 3
12.4(10);
12.1(3)T;
12.2(14)T;
12.3(14)T5;
12.4(9)T1
GRE Return on Cisco Platforms
 For Cisco 3745 Multiservice Access Routers, and Cisco 3825
and 3845 ISRs configured with GRE return and Cisco IOS
Firewall, the minimum recommended Cisco IOS Software
release is 12.4(11)T3.
 GRE return is not recommended on the Cisco Catalyst 6000
Series Switch because of performance considerations.
 GRE return is not supported for specified products under these
conditions:
– For Cisco 2600 and 3600 Multiservice Platforms, and Cisco
Catalyst 3750 and 4000 Series Switches
– For any Cisco ISR, if NAT is enabled
– For Cisco 3725 Multiservice Access Routers, and Cisco
2821 and 2851 ISRs, if Cisco IOS Firewall is enabled

Egress Method Verification
Defaults to IP
forwarding if
not configured

Egress Method Verification (Cont.)
Egress method
configuration
per service

WCCPv2 Interception Considerations
 Cisco WAAS uses service groups 61 and 62 for traffic interception
and redirection:
– Service group 61: Hash bucket assignment based on source IP
address of the packet (example: response from server)
– Service group 62: Hash bucket assignment based on destination IP
address of the packet (example: data to server)
 One service group needs to be in the path of traffic for each direction of
traffic flow:
– Ingress interception (preferred): Analyze, intercept, and redirect as
packets enter an interface (example: lower CPU utilization)
– Egress interception: Analyze, intercept, and redirect as packets
prepare to exit an interface (example: higher CPU utilization)
Do not overlook placement of the services.

WCCP Router Configuration
c1 g0 s0 s0 g0
61 62 WAN 61 62
g1 g1
c2 e1
e1
ip wccp 61 ip wccp 61
ip wccp 62 ip wccp 62
interface g0 interface s0
*** Hash source IP *** *** Hash source IP ***
ip wccp 61 redirect in
interface g0
interface s0
*** Hash destination IP ***
*** Hash destination IP ***
Client Router Configuration Data Center Router Configuration

Summary
 The physical inline interception card provides fail-through

operation, serial clustering, and IEEE 802.1Q support and allows
integration of Cisco WAAS in environments where in-path
deployment is preferred or off-path deployment is not possible.
 Cisco WAE appliances can be deployed either as in-path devices
or as off-path nodes on the network, typically in the distribution
layer.
 WCCPv2 is an out-of-path interception mechanism. With
WCCPv2, the traffic load is automatically balanced across
available nodes.
 GRE is the WCCPv2 egress method most commonly used with
routers and firewalls, while Layer 2 redirection is more effective
with LAN switches.
 Cisco WAAS uses service groups 61 and 62 for traffic
interception
and redirection.
Configuring Traffic
Interception

Inline Card Configuration
EDGE1#conf t WCCPv2 must be disabled for

EDGE1(config)#no wccp version 2 inline interfaces to be configured
EDGE1(config)#interface ? and operational.
FibreChannel Select a fibre channel interface to configure
GigabitEthernet Select a gigabit ethernet interface to configure
InlineGroup Select an inline group interface to configure
InlinePort Select an inline port interface to configure
PortChannel Ethernet Channel of interfaces
Standby Standby groups
EDGE1(config)#interface inlinegroup ?
Used to configure a Used to configure the
<1-4>/ Slot number specific port within group of inline ports
EDGE1(config)#interface inlinegroup 1/? an inline group
<0-1> Group number
EDGE1(config)#interface inlinegroup 1/0
EDGE1(config-if)#ip address 10.10.31.230 255.255.255.0

Inline Group Configuration
EDGE1(config)#interface inlinegroup 1/0
EDGE1(config-if)#?
exit Exit from this submode
failover Modify failover parameters
inline Enable or Disable inline interception
no Negate a command or set its defaults
shutdown Put the inline interface in passthrough mode
EDGE1(config-if)#inline ? Specify which VLANs to perform
vlan Specify vlan list inline interception against; default
<cr> is all VLANs.
EDGE1(config-if)#inline vlan ?
all All vlans
native Native vlan
WORD Comma separated list of vlan id ranges
Specify the amount of time
EDGE1(config-if)#inline vlan all
before fail-to-wire is engaged
EDGE1(config-if)#failover ?
upon detection of a failure;
timeout Specify time to transition to fail-to-wire
default is 3 seconds.
EDGE1(config-if)#failover timeout ?
<1-1> 1 second Assigns IP address for
<3-3> 3 seconds management and enables
<5-5> 5 seconds the inline interface group.
EDGE1(config-if)#failover timeout 3 Enables interception.
EDGE1(config-if)#ip address 10.10.100.20 255.255.255.0
EDGE1(config-if)#no shutdown
Inline Port Configuration
EDGE1(config)#interface inlinegoup 1/0

EDGE1(config-if)#?
autosense Interface autosense
bandwidth Interface bandwidth
exit Exit from this submode
full-duplex Interface fullduplex
half-duplex Interface halfduplex
no Negate a command or set its defaults
Specify bandwidth and duplex Specify which interface in

settings for the interface; the inline group to configure:
default is autosense. LAN versus WAN.

Verify Inline Interception
EDGE1#sh interface inlinegroup 1/0 Verify inline interception

Interface is in intercept operating mode. intercept or bypass
Standard NIC mode is off. operating modes.
Disable bypass mode is off.
Watchdog timer is enabled.
Timer frequency: 3200 ms. Examine watchdog timer
Autoreset frequency 1500 ms. statistics.
The watchdog timer will expire in 2054 ms.
EDGE1#sh int inlineport 1/0/LAN Device name is helpful in case

Device name: eth4. Bypass master interface. the use of tethereal or tcpdump
Packet counters: 2701 received 867 intercepted 1834 bridged with interface filtering is
678 forwarded 0 dropped. required.
0 inline pkt received on native.
0 flows enter through this interface.
EDGE1#sh int inlineport 1/0/WAN
Device name: eth5. Bypass slave interface.
Validate that packets
Packet counters: 11345 received 6791 intercepted 4553 bridged
are traversing the
11416 forwarded 1 dropped.
inline group and are
0 inline pkt received on native.
being intercepted or
42 flows enter through this interface.
bridged.

Verify Inline Interception (Cont.)
WAN1 LAN1 WAN0 LAN0
LEDs State Description

On The interface is receiving power.
Link/Activity
Blinking The interface is receiving and transmitting data.
100 On The speed of the interface is set to 100 Mb/s.
1000 On The speed of the interface is set to 1000 Mb/s.
The interface pair is operating in bypass (fail-to-
Bypass 100 and 1000 On
wire) mode.

Accelerator Network Module Configuration
 Bring Central Manager on line.

 Bring Cisco NME-WAEs on line: insert network module into router.
 Register Cisco NME-WAEs with CM:
1. Configure network module internal interfaces on the router.
2. Connect to network module via router console.
3. Complete CLI setup script.

Cisco NME-WAE Router Verification
After the Cisco NME-WAE is inserted into the router, verify that the device is online and ready (note: it might
take up to 5 minutes for Cisco WAAS to boot)
R2821-WAE-EDGE#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ENTBASEK9-M), Version 12.4(9)T, RELEASE
SOFTWARE (fc1)
…
Cisco 2821 (revision 53.51) with 243712K/18432K bytes of memory.
Processor board ID FTX1010C45Q
2 Gigabit Ethernet interfaces
1 terminal line
1 Cisco Integrated Service Engine(s)
Cisco Wide Area Application Services Software 4.1.0 in slot 1
R2821-WAE-EDGE#service-module integrated-Service-Engine 1/0 status

Service Module is Cisco Integrated-Service-Engine1/0 TTY line is used for
Service Module supports session via TTY line 66 reverse telnet (session
Service Module is in Steady state from router to module).
Getting status from the Service Module, please wait..
Cisco Wide Area Application Services Software 4.1.0
Restarted at Mon May 8 21:13:47 2006

Cisco NME-WAE Internal Architecture
Cisco Integrated Services Router
LAN WAN IP
I/F I/F Network
Router Internal Interface

Integrated-Services-Engine(slot)/0 Integrated
ip address 10.10.100.1 255.255.255.0 ip wccp Services Engine
redirect exclude in I/F
Cisco NME-WAE default gateway
Router Interface Service Module

Integrated-Services-Engine(slot)/0 I/F
service-module ip address 10.10.100.2
255.255.255.0
service-module ip default-gateway 10.10.100.1
Cisco WAE Interface

GigabitEthernet0/0
ip address 10.10.100.2 255.255.255.0
Cisco NME-WAE Network Module

Cisco NME-WAE Management Commands
The following commands are used to manage, configure, monitor,

and access the Cisco NME-WAE when installed within the Cisco
Integrated Services Router chassis.
R2821-WAE# service-module integrated-Service-Engine 1/0 ?

default-boot Set/Clear Default Boot for the next reboot
reload Reload service module
reset Hardware reset of Service Module
session Service module session
shutdown Shutdown service module
statistics Service Module Statistics
status Service Module Information

Attaching to Cisco NME-WAE from Router
pod2-br-rtr#service-module integrated-Service-Engine 1/0 session
Trying 10.10.22.1, 2066 ... Open
Cisco Wide Area Application Engine Console
Username:

WCCPv2 Configuration Overview
Gi0/0.10 (subinterface) (ingress interface) Serial0 (WAN interface)

redirect in/service group 61 Redirect in/service group 62
10.10.10.0/24
IP
Network
Gi0/0.11
TCP promiscuous
register with Router1

Configuring WCCPv2
 The Cisco WAE configuration process involves the following steps:
– Enable WCCPv2
– Define the list of routers to register against
– Register with the routers as a TCP promiscuous device
 The router configuration process involves the following steps:
– Enable Cisco Express Forwarding (optional)
– Enable WCCPv2
– Specify the service groups to support
– Configure redirection on the appropriate interfaces

WCCPv2 Configuration: Cisco WAE
Enables WCCPv2.
Version 2 is required to support the TCP
promiscuous service groups.
WAE# config t
WAE(config)# wccp version 2
WAE(config)# wccp router-list 1 1.1.1.1

WAE(config)# wccp router-list 1 2.2.2.2
WAE(config)# wccp tcp-promiscuous router-list 1
Specifies the Cisco WAE should register as a Specifies a router list with an
TCP promiscuous device with each router listed identifier of 1, defining the IP addresses of
in router list number 1. TCP promiscuous each of the routers that are referenced by
represents WCCPv2 service groups 61 and 62. the list. You can specify up to 6 routers
per line. All routers must be reachable via
the Cisco WAE optimization interface.

WCCPv2 Configuration: Router
Enables Cisco Express Forwarding. It is
recommended to enable Cisco Express
Forwarding on any router that has
WCCPv2 configured.
2811# config term
2811(config)# ip cef
2811(config)# ip wccp version 2
2811(config)# ip wccp 61
2811(config)# ip wccp 62
Enables support for service group 61 and 62, Enables WCCP version 2.
which are the service group numbers used by TCP Version 2 is required to support
promiscuous service groups on the Cisco WAE: the TCP promiscuous service
61: All TCP traffic, balanced by src-ip groups used by Cisco WAAS.
62: All TCP traffic, balanced by dst-ip

WCCPv2 Configuration: Router (Cont.)
Specifies that inbound

redirection for service group 61 is to
be applied to the user access VLAN.
2811(config)# interface GigabitEthernet0/0.10
2811(config-if)# ip wccp 61 redirect in
2811(config-if)# interface Serial0
2811(config-if)# ip wccp 62 redirect in
Specifies that inbound redirection

for service group 62 is to be applied
to the WAN interface.

WCCPv2 Configuration: Router (Cont.)
 Redirection configuration using inbound redirection is the most common
setting and is also recommended.
 In cases where outbound redirection is required, an additional statement
must be applied to the interface or subinterface where the Cisco WAE is
connected.
2811(config-if)# interface GigabitEthernet0/0.11
2811(config-if)# ip wccp redirect exclude in
Configure these elements on the router Cisco WAE VLAN interface.

These commands specify that any packets received on this interface
are not candidates for redirection when leaving another interface.

Cisco WAE Interface Channeling
 Interfaces can be bundled into a PortChannel for load

balancing and high availability.
 Interface channeling requires identical interface configurations
on both physical interfaces.
 IP addresses are defined on the PortChannel interface.
WAE(config)# interface PortChannel 1

WAE(config-if)# no shut
WAE(config-if)# ip address 10.10.10.5 255.255.255.0

Cisco WAE Interface Channeling (Cont.)
WAE(config)# interface gigabitEthernet 1/0

WAE(config-if)# channel-group 1
WAE(config-if)# exit
WAE(config)# interface gigabitEthernet 2/0
WAE(config-if)# channel-group 1

Cisco WAE Standby Interface
Configuration
 A logical standby group of two or more interfaces can be created
for Layer 2 redundancy.
 There must be a Layer 2 path between the two NICs.
 Higher priority selects initial primary interface; default priority is 100.
WAE(config)#primary-interface Standby 1
WAE(config)#interface Standby 1
WAE(config-if)#ip address 10.1.2.100 255.255.255.0
WAE(config-if)#exit
WAE(config)#interface GigabitEthernet 1/0
WAE(config-if)#standby 1 priority 105
WAE(config-if)#exit
WAE(config)#interface GigabitEthernet 2/0
WAE(config-if)#standby 1
WAE(config-if)#exit

View Interface Statistics
WAE#sh int gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AA:2B:1A
Internet address:10.10.10.10
Broadcast address:10.10.10.255
Netmask:255.255.255.0
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 26603
Input Errors: 0
These elements identify Layer 2 and Layer 3
Input Packets Dropped: 0
addresses, the network mask, and MTU.
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 18662 These elements identify the operational
Output Errors: 0 state, mode, and speed.
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000 Collisions can indicate a
Collisions: 0 duplex mismatch.
Base address:0x2000
Flags:UP BROADCAST RUNNING MULTICAST
Mode: full-duplex, 100baseTX
View PortChannel Statistics
WAE#sh int portChannel 1
Interface PortChannel 1 (1 physical interface(s)):

GigabitEthernet 2/0 (active)
---------------------
Type:Ethernet
Ethernet address:00:11:25:AA:2B:1B
These statistics show physical
Internet address:10.10.10.10 interfaces and interface state.
Broadcast address:10.10.10.255
Netmask:255.255.255.0
Metric:1
Packets Received: 0
Input Errors: 0
Input Packets Overruns: 0 These statistics show Layer 2 and Layer 3
Input Packets Frames: 0 addresses, the network mask, and MTU.
Packet Sent: 0
Output Errors: 0
Output Queue Length:0
Collisions: 0
Flags:UP BROADCAST RUNNING MASTER MULTICAST

Summary
 Inline interception is configured within the Cisco WAE in global

configuration mode; only one inline card can be installed in a
Cisco WAE.
 The Cisco NME-WAE service modules can be installed as
application accelerators in Cisco 2811, 2821, 3825, and 3845
ISRs, with a minimum Cisco IOS Software Release 12.4(9)T1.
 Enabling WCCPv2 requires configuration changes to the network
boundary router or switch, as well as to the Cisco WAE.
 Cisco WAE interfaces can be bundled into a PortChannel for load
balancing and high availability.

Implementing
Cisco WAAS
Central Management

Cisco WAAS Central Manager
The Cisco WAAS Central Manager is a powerful,

scalable, and secure central management tool.
The Central Manager provides policy configuration and
distribution functions, as well as system-wide statistics,
device statistics, and application statistics.
The Central Manager is available at:
 https://(Central_Manager_IP):8443
Default credentials for the Central Manager are:
 Username = admin
 Password = default

Central Manager Login Window

Central Manager Home Page

New, Customizable System Dashboard
New
In
4.1
System-wide
optimization statistics
Export chart data to

spreadsheet
Navigation bar to
access
functionality
Increase chart space by

hiding the navigation bar Network-wide notification,
capture, and acknowledge

Customized Dashboard Charts
Save User
Preferences

Flexible Chart Drawing
Resize, minimize,
maximize, and iconize
capabilities for individual
charts

Network Monitoring: Traffic Summary

Network Monitoring: Traffic Application Mix
Built-in reports
include reports for new
AOs.

Network Monitoring: Pass-Through Traffic Information

Reporting Capabilities
 User created and predefined

 Customized reports (device/group/all)
 Flexible data queries
 Exported to file or e-mail, saved on web server
 Reports generated and archived on the Central Manager, accessible
via URL

Reporting Capabilities: Manage Reports
Schedule report
generation
Create custom
reports
Choose device or
group, schedule, and
deliver via e-mail

Reporting Capability: Scheduled Reports
Note which reports

are scheduled

Central Manager Configuration
Print server, drivers,

and repository
configuration
Platform-specific VLAN
and group configuration

Activating an Individual Cisco WAE
With the new feature of

automatic activation,
the only time activation
is used is after the
device has been
manually deactivated.

Devices Pending Activation

Device Groups
Legend
Device
Group
1
WAN
Device
Group
2
Device
Group
3

Device Groups (Cont.)
Application policy can be managed per device, but it is
recommended that application accelerators be joined to a
device group, with the application policy configured at the
group level to ensure consistency.

Creating a Device Group

Adding Devices to a Device Group
After the device group has
been created, click Assign
Devices to add devices.
Click the blue x next to the

device you want to add to
the group.

Explicit Policy Configuration

Use Device Groups for Time Zones
 Use Central Manager Device Groups to scale time zone configuration if there
are multiple devices per time zone:
 Group name should be timezone-<country>-zone:
– timezone-us-eastern
– timezone-us-pacific
 Hide all configuration
pages except:
– Assign Devices
– Configure > Date/Time > Time Zone
– Configure > Date/Time > NTP

Device Group Best Practices and
Configuration Guidelines
 Configure device groups for file time zones, geography, services,
acceleration, and platform. Use these groups to establish
common configurations across all Cisco WAEs.
 Avoid using device-specific configurations. Use group
configurations to simplify administration.
 Create and enforce device group naming policy.
 Remember that the last group or device configuration applied to
a Cisco WAE always determines policy. In cases where a Cisco
WAE is a member of multiple groups, specify the group from
which policy is inherited.

Managing Cisco WAEs from Central Manager
 Central Manager provides configuration capabilities for each
Cisco WAE that is registered.
 To edit a device, click the Edit icon located next to the Cisco WAE
Device Name field.
Edit icons

Managing and Monitoring Cisco WAEs
View reports from

dashboard display
Dashboard menu Device activation
Monitoring Cisco WAEs
Real-Time Connection Monitoring

Central Manager Dashboard Alarm Panel
Sort by alarm
Mouseover for
troubleshooting
options
Highlight the alarm information field to view a menu that allows the
administrator to:
 Edit or monitor the device
 Telnet to the device
 View the device log
 Run show commands against the device
Acknowledging Alarms
Acknowledge alarms and describe status or document actions taken.

Creating and Managing Central Manager Users
Central Manager users can be created and managed from
the Admin > AAA > Users panel:
Click Create to
add new users

Creating Central Manager Users

Managing Roles
Green box—Read only
Click Create to Checked—Full

add a new role read/write capability
Empty—Option does
not appear and is not
accessible

Managing Domains
Click Create to add

a new domain
Managing Domains: Entity Management
Click the blue x to assign a

device group to the domain

Assigning a User to Roles and Domains
Click the blue x to

assign a user to a
role and domain

External User Groups

TACACS Authentication Configuration
To integrate the Central Manager GUI for centralized
authentication, click the Edit icon.
Edit icon

Centralized Authentication and Central
Manager Users

TACACS Integration

Managing Software Versions
There is an important order to upgrading Cisco WAAS:
1. Upgrade the secondary Central Manager first.
2. Upgrade the primary Central Manager second.
New
In
4.1
3. Upgrade the Cisco WAEs.

Managing Software Versions (Cont.)
 Software images are not stored on Central Manager, and only
download locations are defined. Many software versions can be
stored concurrently.
 To edit a software URL, click the Edit icon. To add a new software
URL, click the Create icon.

Adding Software Images
Populate the fields on the Software File Settings page and click the
Validate Software File Settings button to verify your settings.

Applying Software Images
Choose the device or device group to be upgraded, and choose

Jobs > Software Update. Choose the software file URL and click
Submit to start the upgrade.

Monitoring Software Installation Status
Software installation status can be viewed from the Software Update
page.

Device Downgrade Process
If you want to revert to the previous version that was

installed on the devices, follow these steps:
1. Downgrade the Cisco WAEs first.
2. Downgrade the standby Central Manager next.
New
In
4.1
3. Downgrade the primary Central Manager last.

Device Downgrade Process (Cont.)
The restore rollback command is used to downgrade
the Cisco WAAS software to the version that was used
before the last upgrade.
DC-WAE#restore ?
factory-default Reset configuration and data on the device to factory
default
rollback Rollback to last good software and configuration
DC-WAE#restore rollback ?
<cr>
DC-WAE#restore rollback

Central Manager High Availability
 One or more Cisco WAEs can be configured as standby

Central Managers.
 Configuration is replicated from the primary Central Manager
to the standby Central Managers every five minutes, based on
the datafeed.pollRate setting.
 Information is exchanged using the same Central Manager-to-
Cisco WAE communication that occurs between every Cisco
WAE and the Central Manager.

Configuring a Standby Central Manager
Configuring a standby Central Manager Cisco WAE

requires the following designations:
 Specify the device mode of Central-Manager
 Specify the Central Manager role of standby
 Enable the Central Manager service

Central Manager Failover and Failback
Failover and failback are manual processes that must be
initiated on the Cisco WAE by the administrator.
 To demote a primary Central Manager to standby, use the
following command:
– WAE(config)# central-manager role standby
 To promote a standby Central Manager to primary, use the
following command:
– WAE(config)# central-manager role primary

Central Manager Backup
 The Central Manager database can be backed up from the primary
Central Manager or the standby Central Manager Cisco WAE using
the cms database backup command.
 The resulting database dump file is then copied from the Central
Manager Cisco WAE to another location on the network using FTP.
waas-cm#cms database backup

Creating database backup file cms-db-03-13-2006-05-07.dump
Backup file local1/cms-db-03-13-2006-05-07.dump is ready.
Please use `copy' commands to move the backup file to a remote host.

Central Manager Backup (Cont.)
waas-cm#copy disk ftp 10.10.10.100 / cms-db-03-13-2006-05-07.dump

/local1/acn$
Enter username for remote ftp server: administrator
Enter password for remote ftp server:
Initiating FTP upload...
Sending: USER administrator
Microsoft FTP Service
Password required for administrator.
Sending: PASS ***********
User administrator logged in.
Sending: TYPE I
Type set to I.
Sending: PASV
Entering Passive Mode (10,10,10,100,128,149).
Sending: CWD /
CWD command successful.
Sending PASV
Sending: STOR cms-db-03-13-2006-05-07.dump
Data connection already open; Transfer starting.
Transfer complete.
Sent 146747 bytes

Central Manager Restore
 Before restoring the Central Manager database, first
disable CMS services:
– no cms enable
 Next, copy the Central Manager database, if necessary,

from the network to a location on the Central Manager
Cisco WAE disk:
– copy ftp disk {ipaddr} ({ftp_dir} {filename}
{local filename}
 Finally, restore the database:

– cms database restore {dir/filename}

Central Manager System Settings

Cisco WAE Device Recovery
Deactivate
Check the
Replaceable check
box and click Submit

Cisco WAE Device Recovery (Cont.)
 After the Cisco WAE is marked as deactivated and replaceable,
use the following command from the Cisco WAE CLI to recover
its identity:
– wae#cms recover identity default
 After recovery, the Cisco WAE must be reactivated from
within Central Manager:
For Cisco WAAS to successfully recover, the following must be

configured:
 Original hostname
 IP and default gateway
 Central Manager IP address

Fast Device Offline Detection
Configuration settings for Fast

WAE offline detection is a
global setting that affects all
Cisco WAEs.

Summary
 Central Manager provides a robust, scalable, and secure single
point of management for a Cisco WAAS topology.
 Devices must register with Central Manager and be activated
before they can participate as application accelerators. Cisco
WAEs that are registered with Central Manager via the setup
process are automatically activated.
 Device groups provide an easy way for administrators to simplify
configuration of application policy and other acceleration features.
Groups can be configured to classify Cisco WAEs based on their
geographic deployment, topology, or connectivity.
 Central Manager supports Cisco WAE device-specific
configurations in a manner similar to the process of configuring
device groups.

Summary (Cont.)
 The Central Manager allows for the definition of administrative
users and associated roles. Role-based access control facilitates
the definition of the features, management pages, devices, and
device groups that a user can access.
 The Central Manager can be used to automate the distribution
and installation of device software to Cisco WAEs within a
topology.
 A second Cisco WAE can be configured as a standby Central
Manager to the Cisco WAE that is operating as the primary
Central Manager in environments where high availability for
management, monitoring, and configuration is critical.
 The Central Manager data feed poll rate located in the dashboard
system settings governs the timing and frequency of
communications between Cisco WAEs configured as application
accelerators and Cisco WAEs configured as Central Managers.

Configuring
Application Traffic
Policies

Functional Components of Application Traffic
Policies
Application
Definition
Traffic Policy
Classifier Map

Application Definition
 The application definition

provides a logical grouping of
traffic types. Application
 Statistics from traffic Definition
classifiers mapped to an
application through a policy
map report through the
application definition. Traffic Policy
Classifier Map
 Monitoring is enabled per
application definition.
 Applications are assigned to
devices or device groups.

Traffic Classifier
Application
Definition
 The traffic classifier is used to
identify a connection as a
specific type.
 Actions are taken against the Policy
classifier based on the
Traffic Map
configured policy map. Classifier

 Statistics count toward the
Valid match conditions:
application definition that the  Source IP address
classifier is assigned to via the  Source IP subnet
policy map.  Destination IP address
 Destination IP subnet
 Classification is based on  Source TCP port or range

source or destination Layer 3 
Destination TCP port or range
Layer 7 End Point Mapper
and Layer 4 parameters. (EPM)
 All traffic

Policy Map Application
Definition
 A policy map has two primary

functions:
Traffic
– It associates a traffic Classifier Policy
classifier to an application Map
definition for reporting
purposes. Policy map actions:
 Pass-through
– It assigns an action to be  Optimize
taken against traffic that – TFO
– TFO + LZ
matches a traffic classifier. – TFO + DRE
– Full (TFO + DRE + LZ)
 Policy maps are applied based  Accelerate
on their ordering within Central –
–
CIFS
Windows Printing
Manager or on the device itself. – NFS
– HTTP
– Video
– MAPI
 DSCP Marking

Default Application Policy Logic
Example Action Logic Example
Small packets but Full DRE is a good fit because the data is HTTP
repeatable probably repeatable.
Compressed and Full DRE is effective because the sequences Video streams
repeatable are likely to be repeated.
Encrypted with Full Encryption will not change, therefore DRE SSL with session
fixed keys is effective across multiple sessions. key on each client
Transient compressible TFO+LZ DRE is not effective because the data Telnet
data being transferred is small and probably
not repeatable.
Encrypted with time and Full Encryption process is controlled by SSL with WAAS
session key is known WAAS, session keys are known so full SSL AO
optimization is possible.
Encrypted with time and TFO Encryption will change, DRE is probably SSL without WAAS
session and session key not effective. SSL AO
is not known
Anything using DRE LZ DRE signatures are compressible with LZ.

Default Application Policy Acceleration
Application Policy Action Accelerator
CIFS Full CIFS-AO
NFS Full NFS-AO
HTTP Full HTTP-AO
Windows Media Technologies

TFO+LZ Video-AO
Live Video
Microsoft Exchange E-mail Full MAPI-AO
SSL SSL-AO
EPM TFO EPM-AO

Enabling the Default Policy

Creating Application Policies
Edit the
AllDeviceGroup

Creating Application Policies (Cont.)
Click Create to
add a new
application policy

Click New Application to

create a new application
definition

Fill in the name of

the new application.
Custom DSCP marking can

be defined for this application.

Click New
Classifier to
create a new
application
classification

Fill in the name for

the application
classifier and click
Submit
Click Create to
create a new
match condition
Initial TCP 3-way

handshake used
by WAAS
autodiscovery to
determine
optimization and
acceleration.
This is an example of a web

application that is being classified
as Other traffic due to the unique
port number. It will not be
accelerated with the HTTP AO.
HTTP Get request on port 8808.

Fill in the appropriate

fields for your
application and click
Update Classifier

Match conditions are shown below

the classifier name. Click Submit to
complete the classifier configuration.
If applicable, choose the acceleration

method for your application

By default, new
application policies are
placed at position 1.

Managing Policy Priority
Priority of the new application can be moved up or

down within the priority list for each device group.

Monitoring Connections
TFO
The HR application being optimized with TFO,
DRE DRE, and LZ and accelerated with the HTTP AO
LZ
HTTP AO
TFO Connection Summary
To view all optimized and pass-through connections, use the show
stat connection all command:
wae# show stat connection all
D:DRE,L:LZ,T:TCP Optimization,
C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,V:VIDEO
ConnID Source IP:Port Dest IP:Port PeerID Accelerator

18 10.10.20.10:1188 10.10.100.242:8443 0:14:5e:95:a7:a3 T
16 10.10.20.10:1186 10.10.100.242:8443 0:14:5e:95:a7:a3 T
17 10.10.20.10:1187 10.10.100.242:8443 0:14:5e:95:a7:a3 T
14 10.10.20.10:1185 10.10.100.100:8808 0:14:5e:95:a7:a3 T,D,L,H
9 10.10.20.10:1184 10.10.100.100:80 0:14:5e:95:a7:a3 T,D,L,H
10 10.10.20.10:1183 10.10.100.100:80 0:14:5e:95:a7:a3 T,D,L,H
7 10.10.20.10:1182 10.10.100.100:80 0:14:5e:95:a7:a3 T,D,L,H

Connection Details
Click the View icon

from the connection
statistics screen to
see the connection
details of a
connection

Optimizations Applied to Connections
wae# show stat connection conn-id 14
Connection Id: 14
Peer Id: 00:14:5e:95:a7:a3
Connection Type: EXTERNAL CLIENT
Start Time: Wed Aug 6 10:18:22 2008
Source IP Address: 10.10.20.10
Source Port Number: 1103
Destination IP Address: 10.10.100.100
Destination Port Number: 8808
Application Name: HR-Web
Classifier Name: HR-App
Map Name: basic
Directed Mode: FALSE
Configured Policy: TCP_OPTIMIZE + DRE + LZ
Derived Policy: TCP_OPTIMIZE + DRE + LZ
Peer Policy: TCP_OPTIMIZE + DRE + LZ
Negotiated Policy: TCP_OPTIMIZE + DRE + LZ
Accelerators: HTTP
Original Optimized
-------------------- --------------------
Bytes Read: 0 2547
Bytes Written: 0 517
****Continued on Next slide

Optimizations Applied to Connections:
HTTP AO
***Continued***
****
TFO statistics are not available for AO + TCP only optimized connections
****
HTTP : 14
Time Statistics were Last Reset/Cleared: Wed Aug 6 10:18:22

2008
Total Bytes Read: 799674167
Total Bytes Written: 799674167
Total Bytes Buffered: 00
Total Internal Bytes Read: 16
Total Internal Bytes Written: 12
Bit Flags for I/O state: 0
Internal object pointer: 134651176
Fast connections: 1

Optimizations Applied to Connections: DRE
***Continued***
----------------- Flow 14 dre stats -----------------
Conn-ID: 14 10.10.20.10:1091 -- 10.10.100.100:8808 Peer No: 0 Status: Closed

------------------------------------------------------------------------------
Open at 08/06/2008 10:18:22, Close at 08/06/2008 10:18:29, Duration: 7 secs
Encode:
Overall: msg: 4, in: 811 B, out: 402 B, ratio: 50.43%
DRE: msg: 3, in: 799 B, out: 475 B, ratio: 40.55%
DRE Bypass: msg: 3, in: 12 B
LZ: msg: 2, in: 493 B, out: 389 B, ratio: 21.10%
LZ Bypass: msg: 2, in: 0 B
Avg latency: 0.092 ms Delayed msg: 0
Encode th-put: 2146 KB/s
Message size distribution:
0-1K=100% 1K-5K=0% 5K-15K=0% 15K-25K=0% 25K-40K=0% >40K=0%
Decode:
Overall: msg: 19, in: 4585 B, out: 658 KB, ratio: 99.32%
DRE: msg: 19, in: 8290 B, out: 658 KB, ratio: 98.77%
DRE Bypass: msg: 4, in: 10 B
LZ: msg: 5, in: 1049 B, out: 4754 B, ratio: 77.93%
LZ Bypass: msg: 14, in: 3536 B
Avg latency: 0.214 ms
Decode th-put: 157 MB/s
Message size distribution:
0-1K=26% 1K-5K=5% 5K-15K=5% 15K-25K=5% 25K-40K=5% >40K=52%

Optimizations Applied to Connections: TFO
***Continued***
----------------- Flow 14 tfo stats -----------------
Conn-ID: 14 10.10.20.10:1091 -- 10.10.100.100:8808 Peer No: 0 Status: Closed

------------------------------------------------------------------------------
Open at 08/06/2008 10:18:22, Close at 08/06/2008 10:18:29, Duration: 7 secs
Conn-Type: EXTCLIENT Policy: DRE+LZ

EOT state:
Write: req: Y, ack: Y, Read: req: Y, ack: Y
Orig-bytes: local: 674184, remote: 674184
Socket states
AO : read-shut: Y, write-shut: Y, close: Y, fd: 84
read-inKQ: N, write-inKQ: N, choke: N, envoy: Y
WAN: read-shut: Y, write-shut: Y, close: Y, fd: 85
read-inKQ: N, write-inKQ: N, choke: N, envoy: N
DRE hints:
local : latency: 2 plz-off: 0, lz-off: 0, dre-off: 0
remote : latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
active : latency: 2 plz-off: 0, lz-off: 0, dre-off: 0
Scheduler: class_id: 0 dscp: 0

Optimizations for a Specific Application
wae#show statistics application HR-Web
Application Inbound Outbound

---------------------- ----------------------
HR-Web
Opt TCP Plus:
Bytes 1376656 114947
Packets 2000 1674
Orig TCP Plus:
Bytes 273204 19811222
Packets 5683 13940
Opt Preposition:
Bytes 0 0
Packets 0 0
Orig Preposition:
Bytes 0 0
Packets 0 0
Opt TCP Only:
Bytes 0 0
Packets 0 0
Orig TCP Only:
Bytes 0 0
Packets 0 0
***Continued on next page

Optimizations for a Specific Application (Cont.)
Continued from previous page
Internal Client:
Bytes 0 0
Packets 0 0
Internal Server:
Bytes 0 0
Packets 0 0
PT Client:
Bytes 0
Packets 0
PT Server:
Bytes 0
Packets 0
Active Completed
---------------------- ----------------------
Opt TCP Plus 0 114
Preposition Look for PT No Peer 0 0
Opt TCP Only when having acceleration 0 0
Internal Client challenges 0 0
Internal Server 0 0
PT No Peer 0 0
PT Config 0 0
PT Intermediate 0 0
PT_Other 0 0

Savings for a Specific Application
To view savings for one or all applications on a Cisco WAE,
use the show statistics application saving command:
wae# show statistics application saving HR-Web
Application Inbound Outbound
---------------------- ----------------------
HR-Web
TCP Plus:
Bytes 18434566 158257
Packets 11940 4009
Compression Ratio 14:1 2:1
Preposition:
Bytes 0 0
Packets 0 0
TCP Only:
Bytes 0 0
Packets 0 0
Overall: Overall bytes
Bytes 18434566 158257
Packets 11940 4009 saved across
Compression Ratio 14:1 2:1 the WAN

Summary
 Application traffic policies define the behavior of Cisco WAEs in
the network and dictate which optimizations are applied when
traffic of a specific type is encountered.
 The default traffic policy can be used for simple optimization
configurations and includes policies for more than 160 classifiers.
 Application definitions are considered to be top-level objects used
for reporting statistics for all associated classifiers and
optimizations.
 Cisco WAAS allows you to set the priority of application policies
within a priority list for each Cisco WAE device group.
 Connection and application optimization information is available
through Central Manager GUI and Cisco WAE device CLI to
assist you in the management and troubleshooting of application
traffic policies.

Summary (Cont.)
 Traffic classifiers are used to specify the qualifiers to look for
before associating a traffic flow with a specific application.
 Traffic policies are commonly configured from Central Manager
for synchronization and simplicity. They can also be configured on
each Cisco WAE using the CLI.
 Application policies are used for applications that require
optimization through TFO, DRE, and LZ acceleration through
AOs.

Configuring
Virtualization

New
In
Virtualization Overview 4.1
 A virtual blade is like having a generic PC inside Cisco WAAS.

 This generic PC has the following components:
– Hardware: one or more CPUs, memory, host bridge, VGA, one or more NICs,
disk controller, disk, CD drive, serial port, etc.
 Software configuration of the virtual blade allows control of some of these items:
– Amount of memory
– Size of the disk
 The Cisco WAE-674 supports virtual blades.
 Different operating systems can be installed on the virtual blades:
– Windows 2008
– Windows 2003 SP2 or SP3
 Virtualization support is provided directly by Cisco.

 The Windows 2008 OEM ISO image is supported by Cisco.
 Any Windows images or operating systems from other vendors are
supported by the manufacturer.

New
In
Virtualization Overview (Cont.) 4.1
Virtualization allows for local hosting of applications.
Flexible, Optimized Branch IT Data Center

Cisco WAAS
Centralize
Host services locally applications
(Windows Server) on with Cisco
Cisco WAAS WAAS
WAN
Users Business and
Communication Apps
Cisco WAE-674
Router Storage Backup
Cisco WAAS Virtual Blade Technology

Providing Best Mix of Distributed and Centralized IT Services
Validated by Microsoft for Windows Services
Virtual Blade with Windows on Cisco WAAS
 Cisco supports Windows 2008 Server core services:
– Printing
– Directory services
– DNS
– DHCP
 You can order the Cisco WAVE 274, 474, and 574 appliances
with Windows 2008 Server preinstalled.
 Windows runs on Cisco WAAS:
– Cisco WAAS controls memory, disk, CPU, and the stopping or
starting of the virtual blades.
 Each virtual blade is a Linux process with one thread per virtual
CPU.

Virtual Blade with Windows on Cisco WAAS
(Cont.)
 Linux process provides an emulated hardware
environment.
 Network services are through the Linux TAP (Network
TAP) facility.
 Disk and CD images in the virtual blade use file
storage on the physical disk.
 Windows on Cisco WAAS requires Enterprise and
Virtualization licenses.
 It also requires a separate Windows license.

Microsoft and Cisco Solution
Microsoft Windows Cisco WAAS
Server 2008 Server Core with Virtualization
Branch optimized IT services:  Complete WAN optimization

 Read-only domain controller and application acceleration
 Print services  Ability to host Windows
 DNS and DHCP services services locally
Cisco WAAS with prepackaged Windows Server 2008 services

 Jointly developed
architecture
 Joint customer
support

Disk Space Utilization
There is a partition for virtual blade storage named /vbspace:
 All virtual blade storage is contained in this partition. User-visible items (such
as CD images) reside in the directory /local1/vbs, which is a symbolic link to
/vbspace/vbs:
– This is not present on systems that do not support virtual blades.
– This is not present on Cisco 674, 7341, and 7371 systems until they have
enabled virtual blade support.
 Enabling virtual blade support on the Cisco WAE causes the disk space to be
repartitioned.
– The DRE cache is cleared in the process.
 After the disk has been repartitioned on a Cisco WAE, it cannot be reversed
except by reinstalling Cisco WAAS from the rescue CD.

Virtual Blade Network Usage
There are several ways to use the network connectivity
provided to the virtual blade:
 An unused Ethernet interface can be used to attach the virtual
blade to an arbitrary network.
 Cisco WAAS and the virtual blade can have an IP address on
the same subnet, and both operate over the same interface.
 The virtual blade software could expect VLAN tagged frames
and share a physical Ethernet with Cisco WAAS (which must
use untagged frames).

Accelerating Cisco Virtual Blade Network
Traffic: Inline

Traffic: WCCP

Traffic: WCCP GRE

Cisco Virtual Blade Operating System
Installation
 Allocate disk, memory, and network resources

 Copy an ISO CD or DVD image to the system
 Start the virtual blade
 Use VNC to guide the Windows installation

Virtualization Setup
Start the Virtualization setup by enabling the

Guest Resources and clicking Submit.
You must reboot the Cisco WAE to enable the
Cisco virtual blade.

Transferring ISO Image to Virtual Blade
WAE#
copy ftp disk <host> <source directory> <source filename>
vbs/<destination filename>
 Transfers the CD ISO image of the operating system
WAE# copy ftp disk 10.10.100.100 software 2008-server.iso vbs/2008-server.iso
Enter username for remote ftp server: administrator

Enter password for remote ftp server:
Initiating FTP download...
Sending: USER administrator
Microsoft FTP Service
Password required for administrator.
Sending: PASS *****
User administrator logged in.
Sending: TYPE I
Type set to I.
Sending: PASV
Sending: CWD software
CWD command successful.
Sending PASV
--- Output Ommitted ----

Virtual Blade Configuration
Click Create to
create a virtual
blade.

Virtual Blade Configuration (Cont.)
Fill in the appropriate

information for the new
virtual blade and click Add
to add a virtual interface to
the virtual blade.
Creating a Virtual Blade
The virtual blade requires

a virtual interface to be
tied to a Gigabit Ethernet Enter the interface number,
or PortChannel interface choose the Cisco WAE interface
on the Cisco WAE. to associate with the virtual
blade, and click Generate to
generate a MAC address for the
virtual blade. Click Add to List.

Creating a Virtual Blade (Cont.)
Virtual Blade with Virtual

Interface Configured
Click Submit to create

the virtual blade.
Verifying the Virtual Blade
Configured Virtual
Blades

Starting the Virtual Blade
When the Transfer is finished, click Start Virtual

Blade to start the installation of the ISO image.

Accessing the Virtual Blade for ISO Install
Use VNC to attach to virtual

blade VGA emulation and
finish operating system
installation.
IP Address of Cisco WAE

External Interface: vb#

Accessing the Virtual Blade for ISO Install
(Cont.)
Finish the operating

system installation
according to your
needs and design.
Windows 2008 is
an example of an
operating system
that can be
installed on a
virtual blade.

Virtual Blade Monitoring
virtual-blade 1
config: If installing the OS
description 2k8 blade
memory 150
for the first time,
disk 100 verify that Boot
no boot fd-image
boot cd-image disk /local1/vbs/Wow66.iso from CD-ROM is
boot from cd-rom
interface 1 bridge GigabitEthernet 1/0 mac-address selected.
00:16:3E:35:4D:98
device cpu qemu64
device nic rtl8139
device disk IDE
autostart
state: Look for the
running
serial console session inactive
state of the
vnc client connected
current cd /local1/vbs/Wow66.iso
virtual blade.
current floppy [not inserted]

Virtual Blade Monitoring (Cont.)
WAE#
show virtual-blade <1-3> interface <1-2>
 Displays virtual blade interface statistics
pod2-br-wae# show virtual-blade 1 interface 1
Type:Ethernet
Metric:1
Packets Received: 5
Input Errors: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 44164
Output Errors: 0
Output Queue Length:500
Collisions: 0
Flags:UP BROADCAST RUNNING MULTICAST
Virtual Blade Monitoring (Cont.)
WAE#
show virtual-blade <1-3> blockio
 Displays virtual blade CD and disk statistics
pod2-br-wae# show virtual-blade 1 blockio

device read_bytes read_ops write_bytes write_ops
cd 1995264 975 0 0
disk 1 1024 2 0 0
fd 0 0 0 0

Virtual Blade Troubleshooting
WAE#
show virtual-blade vmstats
 Displays virtual blade activity
pod2-br-wae# show virtual-blade vmstat
item cumulative 1-sec
efer_reload 0 0
exits 3743664131 436647
fpu_reload 1666158727 177335
halt_exits 1662815805 177312
halt_wakeup 0 0
host_state_reload 1666168655 177336
hypercalls 0 0
insn_emulation 1840109443 403705
insn_emulation_fail 0 0
invlpg 0 0
io_exits 1161435 18
irq_exits 35319842 563
irq_window 0 0
largepages 0 0
mmio_exits 21160 0
mmu_cache_miss 1569 0
(continues on next page…)
Virtual Blade Troubleshooting (Cont.)
(Continued…)
mmu_flooded 0 0
mmu_pde_zapped 0 0
mmu_pte_updated 0 0
mmu_pte_write 0 0
mmu_recycled 0 0
mmu_shadow_zapped 3613 0
pf_fixed 0 0
pf_guest 0 0
remote_tlb_flush 18 0
request_irq 0 0
signal_exits 1 0

Virtual Blade Troubleshooting (Cont.)
WAE#
show tech-support
 Displays bridge configuration
WAE# show tech-support

<snip>
------------------ Bridge Information -------------------
Bridge for GigabitEthernet 1 0
, id 8000.001a64c30ca0, contains:
GigabitEthernet 1 0
virtual-blade 1 interface 1
virtual-blade 2 interface 1

Summary
 Virtualization allows installation of operating system partitions
on a Cisco WAVE 274, 474, and 574 and the Cisco WAE-674.
Cisco WAAS manages the memory and disk utilization for the
virtual blades.
 Cisco virtual blades support Windows Server 2003 SP2 and
SP3, and Windows Server 2008.
 Virtualization must be enabled prior to the allocation of resources
and installation of the operating system on the Cisco WAE.
When configured correctly, virtual blade traffic is accelerated by
Cisco WAAS optimizations.
 The Cisco WAVE 274, 474, and 574 can be ordered with
Windows 2008 preinstalled.

Module Summary
 Cisco WAE appliances can be deployed either as in-path devices or as

off-path nodes on the network, typically in the distribution layer. WCCPv2
is an out-of-path interception mechanism. With WCCPv2, the traffic load
is automatically balanced across available nodes.
 Inline interception is configured within the Cisco WAE in global
configuration mode; only one inline card can be installed in a Cisco WAE.
 Central Manager provides a single point of management for a Cisco
WAAS topology. Devices must register with Central Manager and be
activated before they can participate as application accelerators. Cisco
WAEs that are registered with Central Manager via the setup process are
automatically activated.
 Application traffic policies define the behavior of Cisco WAEs in the
network and dictate which optimizations are applied when traffic of a
specific type is encountered.
 Virtualization allows the installation of up to three local operating system
partitions on a Cisco WAE 674. Virtualization must be enabled prior to
allocation of resources and installation of the OS on the Cisco WAE.

CWAAS20S03

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CWAAS20S03

Uploaded by

Copyright:

Available Formats

Network Design,

Implementation, Integration, and Management

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-1

In-Path, Single Cisco WAE, Single WAN Connection

In-Path Cluster, Single WAN Connection

Cisco WAE1 Cisco WAE2

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-2

In-Path Cluster, Redundant WAN Links

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-3

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-4

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-5

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-6

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-7

The distribution layer

The access layer can be

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-8

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-9

If the firewall is providing VPN tunnel termination:

Cisco WAE Firewall

If the firewall is providing security services but no VPN tunnels:

Firewall Cisco WAE

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-10

Redirect Cisco WAE

 Cisco NME-WAE placed in

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-13

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-14

Up to 32 Cisco WAEs: Up to 32 routers:

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-15

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-16

 WCCPv2 allows for load balancing based on a number

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-17

Interception monitors for Redirection forwards the

Cisco WAE Device

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-19

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-20

© 2008 Cisco Systems, Inc. All rights reserved.

WAE(Config)# egress-method generic-gre intercept-method wccp

Ingress GRE Tunnel

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-22

The Central Manager GUI can

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-23

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-24

Cisco WAE Cisco WAE

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-25

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-26

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-27

Bypass Traffic GRE

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-28

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-31

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-32

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-33

Do not overlook placement of the services.

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-34

Client Router Configuration Data Center Router Configuration

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-35

 The physical inline interception card provides fail-through

Implementation, Integration, and Management

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-38

EDGE1#conf t WCCPv2 must be disabled for

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-39

EDGE1(config)#interface inlinegoup 1/0

Specify bandwidth and duplex Specify which interface in

© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-41

EDGE1#sh interface inlinegroup 1/0 Verify inline interception