Interception, and Interoperability
[Figures: deployment diagrams. Labels: MGMT, WAN, LAN, IP network, distribution, router LAN interface, Cisco WAE1, Cisco WAE2, Cisco WAE inline adapter, Cisco WAE device, infinite loop.]
© 2008 Cisco Systems, Inc. All rights reserved. CWAAS v2.0—3-11
IP Forwarding Off-Path Deployment Options
[Figure: off-path deployment options using PBR or WCCPv2. Labels: tertiary interface, subinterface, Fa0/0, Fa1/0, Fa0/0.10, Fa0/0.20, redirect exclude, IP network, Cisco WAE device.]
Two-Router HSRP/VRRP with Cisco NME-WAE in One of the Routers
[Figure: active router and standby router; internal connection to active router, external connection to standby router.]
[Figures: redirection diagrams. Labels: distribution, traffic flow, IP network, Cisco WAE1, Cisco WAE2, Cisco WAE32, R1, R2, R32, router, FastEthernet0/0 (redirect in), Serial0 (redirect out), A, B, C. Callout: Cisco WAE1 and Cisco WAE2 default route to r1; r2.]
[Figure: interception and redirection, bypass traffic, ingress and egress. Return method negotiated = GRE (GRE tunnel).]
Determine what WCCP has negotiated for bypass return and use that for egress.
GRE In
4.1
Designed for Catalyst 6500 Series Switches (Supervisor 32 and Supervisor 720):
– Because they support hardware acceleration processing of GRE packets
– Deployments where multiple Catalyst 6500s govern multiple entry/exit points with a mix of Layer 2/non-Layer 2-adjacent Cisco WAEs (must use GRE return, but too CPU intensive)
Like WCCP GRE return, except for the following:
– Generic GRE overcomes limitations of WCCP GRE return (WCCP GRE packets are processed in software, causing high CPU utilization).
– Egress packet sent to explicitly configured GRE tunnel interface on router.
[Figure: WCCP interception and redirection, with egress over a GRE tunnel. Labels: Cisco WAE, GRE tunnel, WAN, intercepted/redirected, bypass; numbered steps 1 to 3.]
WCCP Platform Recommendations
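Function support / recommendation, by platform:

Software ISR and 7200
  Assignment: Hash only
  Forwarding: GRE only
  Forwarding redirect list: Full extended ACL
  Direction: In or out/in
  Return: IP forward or GRE
  Cisco IOS Software release: 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(9)T1

ASR 1000
  Assignment: Mask only
  Forwarding: Layer 2 or GRE/Layer 2 or GRE
  Forwarding redirect list: Full extended ACL
  Direction: In only
  Return: IP forward, Layer 2, WCCP GRE, or generic GRE
  Cisco IOS Software release: Planned

Catalyst 6500 Supervisor 720 or 32
  Assignment: Mask or hash/mask
  Forwarding: Layer 2 or GRE/Layer 2 or GRE
  Forwarding redirect list: Full extended ACL
  Direction: In or out/in
  Return: GRE, nGRE, Layer 2, and IP forward/no GRE
  Cisco IOS Software release: 12.2(18)SXF13; 12.2(33)SXH

Cat 6500 Supervisor 2
  Assignment: Mask or hash/mask
  Forwarding: Layer 2 or GRE/Layer 2
  Forwarding redirect list: Full extended ACL
  Direction: In or out/in
  Return: IP forward or Layer 2/IP forward
  Cisco IOS Software release: 12.1(27)E; 12.2(18)SXF13

Catalyst 4500
  Assignment: Mask only
  Forwarding: Layer 2 only
  Forwarding redirect list: No redirect list support
  Direction: In only
  Return: IP forward or Layer 2/IP forward
  Cisco IOS Software release: 12.2(31)SG

Catalyst 3750
  Assignment: Mask only
  Forwarding: Layer 2 only
  Forwarding redirect list: Extended ACL (no deny)
  Direction: In only
  Return: IP forward or Layer 2/IP forward
  Cisco IOS Software release: 12.2(44)SE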
GRE Return on Cisco Platforms
For Cisco 3745 Multiservice Access Routers, and Cisco 3825 and 3845 ISRs configured with GRE return and Cisco IOS Firewall, the minimum recommended Cisco IOS Software release is 12.4(11)T3.
GRE return is not recommended on the Cisco Catalyst 6000 Series Switch because of performance considerations.
GRE return is not supported for specified products under these conditions:
– For Cisco 2600 and 3600 Multiservice Platforms, and Cisco Catalyst 3750 and 4000 Series Switches
– For any Cisco ISR, if NAT is enabled
– For Cisco 3725 Multiservice Access Routers, and Cisco 2821 and 2851 ISRs, if Cisco IOS Firewall is enabled
Defaults to IP forwarding if not configured
Egress method configuration per service
ip wccp 61 ip wccp 61
ip wccp 62 ip wccp 62
interface g0 interface s0
*** Hash source IP *** *** Hash source IP ***
ip wccp 61 redirect in
ip wccp 61 redirect in
interface g0
interface s0
*** Hash destination IP ***
*** Hash destination IP ***
ip wccp 62 redirect in
ip wccp 62 redirect in
R2821-WAE-EDGE#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ENTBASEK9-M), Version 12.4(9)T, RELEASE
SOFTWARE (fc1)
…
Cisco 2821 (revision 53.51) with 243712K/18432K bytes of memory.
Processor board ID FTX1010C45Q
2 Gigabit Ethernet interfaces
1 terminal line
1 Cisco Integrated Service Engine(s)
Cisco Wide Area Application Services Software 4.1.0 in slot 1
[Figure labels: LAN I/F, WAN I/F, IP network, Username:, 10.10.10.0/24, Gi0/0.11. Callout: TCP promiscuous, register with Router1.]
Enables WCCPv2. Version 2 is required to support the TCP promiscuous service groups.
WAE# config t
WAE(config)# wccp version 2
Specifies the Cisco WAE should register as a TCP promiscuous device with each router listed in router list number 1. TCP promiscuous represents WCCPv2 service groups 61 and 62.
Specifies a router list with an identifier of 1, defining the IP addresses of each of the routers that are referenced by the list. You can specify up to 6 routers per line. All routers must be reachable via the Cisco WAE optimization interface.
2811(config)# ip cef
2811(config)# ip wccp 61
2811(config)# ip wccp 62
Enables support for service group 61 and 62, which are the service group numbers used by TCP promiscuous service groups on the Cisco WAE:
61: All TCP traffic, balanced by src-ip
62: All TCP traffic, balanced by dst-ip
Enables WCCP version 2. Version 2 is required to support the TCP promiscuous service groups used by Cisco WAAS.
WAE(config)#primary-interface Standby 1
WAE(config)#interface Standby 1
WAE(config-if)#ip address 10.1.2.100 255.255.255.0
WAE(config-if)#exit
WAE(config)#interface GigabitEthernet 1/0
WAE(config-if)#standby 1 priority 105
WAE(config-if)#exit
WAE(config)#interface GigabitEthernet 2/0
WAE(config-if)#standby 1
WAE(config-if)#exit
System-wide optimization statistics
Save User Preferences
Resize, minimize, maximize, and iconize capabilities for individual charts
Built-in reports include reports for new AOs.
Schedule report generation
Create custom reports
Choose device or group, schedule, and deliver via e-mail
Platform-specific VLAN and group configuration
[Figure legend: Device Group 1, Device Group 2, Device Group 3, WAN]
Edit icons
Sort by alarm
Mouseover for troubleshooting options
Highlight the alarm information field to view a menu that allows the administrator to:
– Edit or monitor the device
– Telnet to the device
– View the device log
– Run show commands against the device
Acknowledging Alarms
Acknowledge alarms and describe status or document actions taken.
Click Create to add new users
Empty: Option does not appear and is not accessible
Edit icon
DC-WAE#restore ?
factory-default Reset configuration and data on the device to factory
default
rollback Rollback to last good software and configuration
DC-WAE#restore rollback ?
<cr>
DC-WAE#restore rollback
Deactivate
Check the Replaceable check box and click Submit
[Figure labels: Application Definition, Traffic Policy, Classifier, Map, SSL, SSL-AO]
Edit the AllDeviceGroup
Click Create to add a new application policy
Click New Classifier to create a new application classification
Click Create to create a new match condition
Creating Application Policies (Cont.)
By default, new application policies are placed at position 1.
The HR application being optimized with TFO, DRE, and LZ and accelerated with the HTTP AO
[Figure labels: TFO, DRE, LZ, HTTP AO]
TFO Connection Summary
To view all optimized and pass-through connections, use the show stat connection all command:
wae# show stat connection all
D:DRE,L:LZ,T:TCP Optimization,
C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,V:VIDEO
Connection Id: 14
Peer Id: 00:14:5e:95:a7:a3
Connection Type: EXTERNAL CLIENT
Start Time: Wed Aug 6 10:18:22 2008
Source IP Address: 10.10.20.10
Source Port Number: 1103
Destination IP Address: 10.10.100.100
Destination Port Number: 8808
Application Name: HR-Web
Classifier Name: HR-App
Map Name: basic
Directed Mode: FALSE
Configured Policy: TCP_OPTIMIZE + DRE + LZ
Derived Policy: TCP_OPTIMIZE + DRE + LZ
Peer Policy: TCP_OPTIMIZE + DRE + LZ
Negotiated Policy: TCP_OPTIMIZE + DRE + LZ
Accelerators: HTTP
Original Optimized
-------------------- --------------------
Bytes Read: 0 2547
Bytes Written: 0 517
HTTP : 14
HR-Web
Opt TCP Plus:
Bytes 1376656 114947
Packets 2000 1674
Orig TCP Plus:
Bytes 273204 19811222
Packets 5683 13940
Opt Preposition:
Bytes 0 0
Packets 0 0
Orig Preposition:
Bytes 0 0
Packets 0 0
Opt TCP Only:
Bytes 0 0
Packets 0 0
Orig TCP Only:
Bytes 0 0
Packets 0 0
Internal Client:
Bytes 0 0
Packets 0 0
Internal Server:
Bytes 0 0
Packets 0 0
PT Client:
Bytes 0
Packets 0
PT Server:
Bytes 0
Packets 0
Active Completed
---------------------- ----------------------
Opt TCP Plus 0 114
Preposition 0 0
Opt TCP Only 0 0
Internal Client 0 0
Internal Server 0 0
PT No Peer 0 0
PT Config 0 0
PT Intermediate 0 0
PT_Other 0 0
Look for PT No Peer when having acceleration challenges
HR-Web
TCP Plus:
Bytes 18434566 158257
Packets 11940 4009
Compression Ratio 14:1 2:1
Preposition:
Bytes 0 0
Packets 0 0
Compression Ratio 1:1 1:1
TCP Only:
Bytes 0 0
Packets 0 0
Compression Ratio 1:1 1:1
Overall:
Bytes 18434566 158257
Packets 11940 4009
Compression Ratio 14:1 2:1
Overall bytes saved across the WAN
[Figure labels: WAN, Users, Business and Communication Apps, Cisco WAE-674]
Click Create to create a virtual blade.
Configured Virtual Blades
virtual-blade 1
config:
description 2k8 blade
memory 150
disk 100
no boot fd-image
boot cd-image disk /local1/vbs/Wow66.iso
boot from cd-rom
interface 1 bridge GigabitEthernet 1/0 mac-address
00:16:3E:35:4D:98
device cpu qemu64
device nic rtl8139
device disk IDE
autostart
state:
running
serial console session inactive
vnc client connected
current cd /local1/vbs/Wow66.iso
current floppy [not inserted]
If installing the OS for the first time, verify that Boot from CD-ROM is selected.
Look for the state of the virtual blade.
virtual-blade 1 interface 1
virtual-blade 2 interface 1