Deploying Cisco Wide Area Application Services (WAAS)

Transcription

1 Deploying Cisco Wide Area Application Services (WAAS) BRKAPP

2 Agenda WAAS Overview WAAS Installation and Configuration Network Interception WAAS Application Optimiser (AO) Deployments WAAS Sizing Guidelines 2

3 WAAS Overview

4 WAAS Helps To Accelerate Top-of-mind CIO Initiatives VDI & BYOD Video Cloud App Rollouts WAN Refresh Single box solution addresses VoD, Live Streaming Solutions for Private and Public Cloud Industry leading app performance with NEW appliances 100% ISR G2s ship WAASready SRE provides flexible options 4

5 Application Delivery Challenges LAN Connectivity High bandwidth Round Trip Time ~ 0ms Low latency Reliability Client LAN Switch Server WAN Connectivity Latency Low bandwidth Round Trip Time ~ Many milliseconds Congestion Packet Loss Client LAN Switch WAN LAN switch Server 5

6 Cisco WAAS: WAN Optimisation Solution Virtual Private Cloud vwaas WAE Server VMs Branch Office WAAS Express Nexus 1000v vpath VMware ESXi Server Nexus 1000v VSM UCS /x86 Server Branch Office Branch Office WAAS Services Ready Engine WAAS Appliance WAN Data Centre or Private Cloud WAAS Appliances FC SAN Server VMs Regional Office WAAS Appliance WAAS CMs VMware ESXi vwaas Appliances 6

7 WAAS Product Portfolio vwaas vwaas-200 vwaas-750 vwaas-6000 vwaas WAAS Appliances WAVE-294 WAVE-594 WAVE-694 WAVE-7541 WAVE-7571 WAVE-8541 WAAS ISR Modules WAAS Express WAAS Mobile 890 WAAS Mobile SM-SRE-7X0 SM-SRE-9X0 1941/ xx 39xx Tele Worker Small Branch Medium Branch Large Branch Small-Medium Data Centre Data Centre & Campus 7

8 Next Generation WAVE Appliances Purpose built hardware Optional I/O modules including Optical and 10Gbps Ethernet Up to 2 Gbps optimised throughput Up to 8 Virtual Blades (WAVE-694) 8

9 WAAS Context Aware Cache Architecture App Aware Cache Manager Optimises cache behaviour based upon traffic directionality Per Peer Signatures- provides fault isolation, prevents branch starvation and enables lowest latency data store access Signatures (in memory) Peer 1 SIGNATURE SIGNATURE SIGNATURE SIGNATURE SIGNATURE Peer 2 SIGNATURE SIGNATURE SIGNATURE SIGNATURE SIGNATURE Peer n SIGNATURE SIGNATURE SIGNATURE SIGNATURE SIGNATURE Data Store (Disk) CIFS Object Cache Includes File Pre-positioning Ideal for High latency / Low BW links WAAS 4.4 Adaptive DRE Cache Unified Data Store- Single store for all peers App Policy Controlled: Uni-Directional Traffic- only written to destination cache. No cache consumption at source Bi-Directional Traffic- written to both caches 9

10 Citrix XenApp and XenDesktop Support Zero-touch deployment, auto-interoperability with ICA encryption & compression High Performance virtual desktops WAAS 4.5 No changes to clients No changes to servers WAN Transparent Handshake Branch Office Data Centre Cisco WAAS is jointly tested, validated, supported and verified as a Citrix Ready solution 10

11 Session and Transport Layer Optimisation Client Application Presentation Session Transport WAAS Application Policy defines: L4: basic optimisation L5-7: latency mitigation WAAS 1 Application Optimiser (AO) TFO WAAS 2 Application Optimiser (AO) TFO Host Application Presentation Session Transport Network Network Network Network Data Link Physical Data Link Physical Data Link Origin Optimised Origin Physical Data Link Physical WAN BRKAPP _05_2008_c1 11

12 TFO vs Regular TCP in the WAN Cisco TFO Provides Significant Throughput Improvements over Standard TCP Implementations cwnd TFO TCP Slow Start Congestion Avoidance Time (RTT) TFO is using RFC2018, RFC1323, RFC3390 and BIC-TCP 12

13 Advanced Compression Data Redundancy Elimination (DRE) Persistent LZ Compression Application-agnostic compression Up to 100:1 compression WAAS 4.4: Context Aware DRE Benefits Session-based Application-agnostic compression compression Up Up to to 10:1 100:1 compression compression Works WAAS even 4.4: during Context cold Aware DRE DRE cache LZ WAN LZ DRE Synchronised Compression History DRE 13

14 Application-Specific Acceleration Application/Protocol Awareness - Latency mitigation LAN-like Performance Application Optimisers (AOs) CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI Licensed, developed and validated with application vendors Remote Office WAN Data Centre LAN-like Performance Object Cache Verification Security and Control WAN Optimisation WAN Bandwidth Savings Server Safely Offloaded Fewer Servers Needed Power/Cooling Savings 14

15 Network Transparency A/24 WAN B/24 C/24 D/24 E/24 Packets between each network are routed as normal. WAAS auto-discovery will find WAVEs in path WAAS Network Transparency (same L3/L4 headers) allows application acceleration components to maintain compliance with existing network features Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting Security functions (ACLs, firewall policies) 15

16 Auto Discovery - Two WAVE Configuration In-band signalling with TCP option 0x21 WAE B closest to client (A) and WAVE (C) closest to server (B) Connection optimised between WAVE (B) and (C) WAVE shifts optimised TCP SEQ number by 2 billion If a WAVE that was optimising fails: Hosts will see segments with SEQ/ACK numbers that are out of range Host will reset (RST) connection Client will re-establish a new TCP connection A B C D A:D SYN D:A SYN/ACK Origin Connection A:D SYN(OPT) D:A SYN/ACK(OPT) Optimised Connection A:D SYN(OPT) D:A SYN/ACK Origin Connection 16

17 Auto-Discovery Multi WAVE Configuration Optimised connection established between WAVE (B) and WAVE (D) Intermediate WAVE (C) sees TCP option in both directions and switches to Pass Through (PT) Each WAVE supports 10X optimised connection limit for Pass Through connections A B C D E A:E SYN A:E SYN(OPT) A:E SYN(OPT) A:E SYN(OPT) E:A SYN/ACK E:A SYN/ACK(OPT) E:A SYN/ACK(OPT) E:A SYN/ACK A:E ACK A:E ACK(OPT) A:E ACK(OPT) A:E ACK Optimised Origin Connection Connection Origin Connection 17

18 WAAS Sizing Guidelines

19 SRE-7X0-S SRE 7X0-M SRE-9X0-S SRE-9X0-M SRE-9X0-L 294-4G 294-8G 594-6G G G G WAVE - Platform Performance (4.5) WAN Bandwidth (Mbps) Optimised TCP Connections Optimised LAN Throughput (Mbps) k 60k 150k Total Disk Capacity (GB) DRE Disk Capacity (GB) CIFS Disk Capacity (GB) Maximum LAN Video Streams Virtual Blades Supported Total Virtual Blade Disk Capacity Peer Fan Out CM Managed Devices

20 vwaas-200 vwaas-750 vwaas-6000 vwaas vcm-100n vcm-2000n vwaas - Platform Performance (4.5) Number of vcpu Virtaul Memory (GB) Virtual Disk Datastore (GB) Target WAN Bandwidth (Mbps) Optimised TCP Connections Optimised LAN Throughput (Mbps) Peer Fan-out DRE Disk Capacity CIFS Disk Capacity Max LAN Video Streams CM Managed Devices

21 WAAS Deployment Installation and Configuration

22 WAAS Deployment Overview 1. Initial setup is done using Console CLI Setup Script recommended 2. License configuration is required 3. Always bring up the Central Manager (CM) first New WAAS devices are auto-registered to WAAS CM and become a member of AllWAASGroup When creating an AccelerationGroup make sure you apply the correct application policies (e.g. set default one) and auto-membership for this group is enabled 4. Next bring up all Application Accelerators 5. Configure traffic interception (inline, WCCP etc) Start traffic interception on Core or Central devices followed by Remote Devices 6. Further configuration should be done from within the CM 23

23 WAAS Setup Script Prompted on boot of factory default box to run setup script or execute setup Script prompts for configuration to communicate, network integrate, manage, and license the WAE WAVE default mode is Accelerator. Change to CM requires reboot Optional Proactive Diagnostics 24

24 Deploying WAAS Central Manager

25 Central Management System (CMS) CMS process runs on all WAVEs Bidirectional configuration synchronisation between CM and accelerators All management communication uses HTTPS (self signed device specific certificates and keys) Bidirectional config sync between CM and Accelerator Central Manager collects health and monitoring data to every 5 min by default CMS provides means to backup and restore configuration sre700#sho cms info Device registration information : Device ID=11506 Device registered as = WAAS Application Engine Current WAAS Central Manager = Registered with WAAS Central Manager = Status = Online Time of last config-sync = Thu Dec 29 17:56: CMS services information : Service cms_ce is running 26

26 CM Configuration Device located in Data Centre Setup script recommended Non-default configuration Device mode Hostname Primary-interface IP configuration Date/time configuration Configuration Management System (CMS) CMS must be enabled to access the CM GUI Reload required (role change) Optionally use standby interface to dualhome to two switches device mode central-manager hostname dc1-cm1 license add Enterprise primary-interface GigabitEthernet 1/0 interface GigabitEthernet 1/0 ip address exit ip default-gateway ip name-server clock timezone AEST 10 0 ntp server ntp.foo.com cms enable copy run start 27

27 WAAS CM Dashboard 28

28 Group Configuration Best Practices EdgeDevicesGroup Transaction logs Prepositioning Disk encryption Flow Agent AllWAASGroup DNS SNMP Date/Time > NTP Server Time Zone Login Access Control > SSH MoD Exec Timeout Authentication System Log Settings Storage > Disk Error Handling AccelerationGroup Application Policies (Optional) SSLDevicesGroup SSL Acceleration 29

29 WAAS Monitoring Dashboard Aggregate Statistics Optimisation Summary Connection Trending Application Acceleration HTTP, CIFS, NFS, MAPI, Video, SSL, Print, Citrix ICA, E-MAPI 30

30 Deploying Physical Appliance WAE/WAVE

31 Basic Configuration Accelerator Default configuration Hostname Primary-interface IP configuration CMS enable CMS required to register with CM Use of hostname for CM recommended Interface HA Modes Standby Interface PortChannel Interface hostname branch1-wave primary-interface GigabitEthernet 0/0 interface GigabitEthernet 0/0 ip address ! Optionally configure speed and duplex exit ip default-gateway ip name-server ! Implement DNS for CM mobility central-manager address cm1.foo.com cms enable copy run start 32

32 WAVE Port Allocation Onboard Ports GigabitEthernet 0/0 GigabitEthernet 0/1 I/O Modules GigabitEthernet1/0, 1/1 1/7 (Standalone mode) InlineGroup1/0, 1/1, 1/2, 1/3 (Inline mode) TenGigabitEthernet 1/0, 1/1 WAVE-INLN-GE-4T WAVE-INLN-GE-4SX WAVE-INLN-GE-8T WAVE-10GE-2SFP 33

33 Standby Interface Must be layer 2 path between the two WAVE ethernet ports MAC only on in-use interface Primary preempts Gratuitous ARPs on failover WAVE(config)#interface Standby 1 WAVE(config-if)#ip address WAVE(config-if)#exit WAVE(config)#interface GigabitEthernet 0/0 WAVE(config-if)#standby 1 primary WAVE(config-if)#exit WAVE(config)#interface GigabitEthernet 0/1 WAVE(config-if)#standby 1 WAVE(config-if)#exit WAVE(config)#primary-interface standby 1 Gi 0/0 Gi 0/1 WAVE#show interface standby 1 Interface Standby 1 (2 physical interface(s)): GigabitEthernet 0/0 (active)(primary)(in use) GigabitEthernet 0/1 (active) 34

34 PortChannel Interface IP Address defined on PortChannel interface Default Load Balance Method Source-Destination IP and Port LACP is not currently supported. Hard Code Speed/Duplex WAVE(config)# interface PortChannel 1 WAVE(config-if)#no shut WAVE(config-if)#ip address WAVE(config)# interface GigabitEthernet 0/0 WAVE(config-if)#speed 1000 WAVE(config-if)#duplex full WAVE(config-if)#no shutdown WAVE(config-if)#channel-group 1 WAVE(config)#interface GigabitEthernet 0/1 WAVE(config-if)#speed 1000 WAVE(config-if)#duplex full WAVE(config-if)#no shutdown WAVE(config-if)#channel-group 1 Gi 0/0 Gi 0/1 Gi 0/0 Gi 0/1 Interface Configs MUST MATCH 35

35 CM Management 36

36 Device Group Assignment New WAAS devices are automatically added to AllWAASGroup Add the new device to other (e.g. Edge, SSL etc) groups where necessary 37

37 Deploying Virtual Appliance vwaas

38 vwaas Overview Target Use Cases Private Cloud (Enterprise DC) Virtual Private Cloud Hybrid Cloud Interception Methods Supported Traditional methods such as WCCP Nexus 1000v w/ vpath Storage used by vwaas Direct Attached Storage (DAS) FibreChannel SAN iscsi SAN NAS not currently supported vwaas is a virtualised WAAS offering on top of ESX/ESXi running on UCS/x86 servers vwaas VMWare ESX/ESXi UCS /x86 Servers 39

39 vwaas Interception Options WAN vwaas vwaas vwaas VMWare ESX/ESXi WCCP Interception Multiple vwaas VMs can exist in same WCCP cluster Cat6K/N7K WCCP UCS /x86 Server vpath Interception Based on port-profile policy configured in Nexus 1000v Bidirectional Interception - (no IN/OUT configuration) Nexus 2K/5K Pass-through traffic automatic bypass Nexus 1000V /VN-Link vpath ESX/ESXi with N1000v UCS Compute/ Virtualised Servers UCS /x86 Server 40

40 vwaas Installation vwaas Virtual Appliance (OVF) preconfigured with disk, memory, CPU, NIC s and other VMWare configuration settings vwaas-200, 750, 6000, 12000, EVAL vcm-100n, 2000N System Requirements VMware vsphere 4.x/5.x ESXi Hypervisor VMware vcenter server & vsphere client 4.x/5.x Cisco UCS or other x86 Server w/ 64 bit CPU on VMware HCL Ensure Intel VT is enabled in the host s BIOS Thick provisioned storage vpath (optional) requires Nexus 1000v v4.2(1)sv1(4) or later 41

41 vwaas Installation 42

42 vwaas Installation 43

43 vwaas Installation 44

44 vwaas Installation 45

45 vwaas Configuration vwaas configuration is the same as for WAVE Connect to the Console through vcenter Use of Setup Script is recommended Some differences you will notice Interface virtual 1/0 Interception other (for vpath) 46

46 Network Interception Inline Mode

47 Inline Interception Overview Simple Plug-and-Play Deployment Physical in-path deployment between switch and router Mechanical fail-to-wire High Availability Two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing Serial in-path clustering with fail-over Seamless Transparent Integration Transparency and automatic discovery 802.1q VLAN trunking support Supported on all WAVE appliance models WAN WAVE-INLN-GE-4T WAVE-INLN-GE-8T WAVE-INLN-GE-4SX WAVE-10GE-2SFP 48

48 Serial Inline Cluster Simple High Availability Design for Small to Medium Data Centres HA supported by secondary WAVE Not intended for scaling, only HA Design requires 4 inline groups (8 ports) per WAVE Configure and manage via CM Auto peer configuration Location based reporting Interception Access List supported Bypass for non-relevant traffic WAN1 WAN2 HA WAVE-INLN-GE-4T WAVE-INLN-GE-8T WAVE-INLN-GE-4SX WAVE-10GE-2SFP 49

49 Inline Non-Redundant Branch Router Crossover cable from router to engine Fix speed and duplex settings for Fast Ethernet connections Ensure the router and switch have matching speed and duplex Switch Straight through cable from engine to switch Ensure the router and switch have matching speed and duplex Implement portfast for faster recovery WAVE One Inline port group Ports fail-to-wire upon hardware, software, or power failure Support for interception 802.1q trunks Use Gi0/0 primary interface WAN 50

50 Network Interception WCCP Mode

51 Transparent Off-path Interception WCCPv2 Interception Transparent network integration Active/active clustering supports up to 32 WAVEs and 32 routers with automatic load-balancing, load redistribution, fail-over, and fail-through operation Near-linear scalability and performance improvement when adding devices WCCP Cluster Policy-Based Routing (PBR) Interception Routing of flows to be optimised through a Cisco WAVE as a next-hop router Active/passive clustering provides high availability and failover using IP SLA as a tracking mechanism HA only, no load balancing WAN 52

52 WCCP Functions Intercept Assign Redirect WAVE Cluster Return/Egress Intercept takes place in both directions for WAAS INTERCEPT Identify packets for WCCP processing (in or out) ASSIGN Select the target WAVE REDIRECT Router/switch sends the packet to the WAVE RETURN For unprocessed traffic, WAVE returns the packet to the router EGRESS For processed/optimised traffic, WAVE egresses the packet back to the router 53

53 WCCP Redirect-List Matches traffic for interception Permit all applications but deny specific protocols Avoid redirection of management traffic with a universal ACL Apply bidirectional ACL to service groups 61 and 62 Create the redirect ACL before enabling WCCP service groups 61 and 62 Do not enable logging on WCCP redirect ACL (performance) Optionally permit specific IP subnets ip access-list extended waas-redirect remark WAAS WCCP Redirect List deny tcp any any eq telnet deny tcp any any eq 22 deny tcp any any eq 161 deny tcp any any eq 162 deny tcp any any eq 123 deny tcp any any eq bgp deny tcp any any eq tacacs deny tcp any any eq 2000! Reverse Direction deny tcp any eq telnet any deny tcp any eq 22 any deny tcp any eq 161 any deny tcp any eq 162 any deny tcp any eq 123 any deny tcp any eq bgp any deny tcp any eq tacacs any deny tcp any eq 2000 any! permit tcp any <<branch subnet>> permit tcp <<branch subnet>> any! Implicit DENY ALL Optimise ACL to minimise TCAM usage 54

54 WCCP Redirection Default Service Groups 61 and 62 (Multiple SGs now supported) Redirect 61 FROM Clients (balance on Src IP) Redirect 62 FROM Servers (balance on Dst IP) Always use Redirect IN wherever possible Never use Redirect OUT on Catalyst switch Redirect OUT can be used on ISR/ISR G2, ASR, Nexus 7000 if required by design Avoid WCCP LOOPS! (more on this later) WAN

55 WCCP Assignment Hash or Mask Router uses assignment method to determine which WAVE to redirect traffic to Hash Assignment Byte level XOR computation divided into 256 buckets Default for SW based routing platforms (eg ISR/ISR G2) All buckets allocated evenly across WAVEs (by default) Mask Assignment Mask - Bit level AND divided up to 128 buckets (7 bits) Optimised for hardware based routing platforms (eg Nexus, Catalyst) Always keep Mask size as small as possible Number of buckets (and size of mask) based on number of WAVEs in cluster 2 WAVEs 1 bit mask eg 0x1 8 WAVEs 3 bit mask eg 0x

56 Hash Assignment Hash applied to Source OR Destination IP based on Service Group (61/62) Assignment matches in both directions Src Dest WAN Src WAVE-A WAVE-B Src Dest WAN Dst WAVE-A WAVE-B

57 Mask Assignment Mask applied to Source OR Destination IP based on Service Group (61/62) Assignment matches in both directions Src Dest WAN eg Four WAVEs Mask 0x3 (2 bits) Src WAVE-A WAVE-B WAVE-C WAVE-D Src Dest WAN eg Four WAVEs Mask 0x3 (2 bits) Dst WAVE-A WAVE-B WAVE-C WAVE-D

58 Mask Assignment Examples Branch ISR G2 - Hash or Mask supported (Hash more efficient in SW) Use Hash or keep Mask small (typically only one or two bits) If balancing across multiple engines with Mask, set mask to match host bits Src/Dst IP (Dec) = Src/Dst IP (Bin) = 0000: : : :0001 Mask 0x3 = 0000: : : :0011 Result Data Centre Assuming /24 allocation per site (or per subnet) Two WAVE Cluster 01 WAVE-B Set mask to match third octet (subnet) with mask range 0x100 to 0x7F00 Src/Dst IP (Dec) = Src/Dst IP (Bin) = 0000: : : :0001 Mask 0x700 = 0000: : : :0000 Result 001 Eight WAVE Cluster WAVE-B 59

59 Redirect, Return and Egress Methods WCCP specifics are configured on WAVE (WCCP Client) MUST match WCCP router capabilities WCCP Redirect Methods WCCP GRE - Entire packet inside GRE tunnel to WAVE (default) Layer 2 - Frame Destination MAC address rewritten to WAVE MAC WCCP Return Methods WCCP GRE - GRE Packet returned Router WCCP Layer 2 - Frame rewritten to Router MAC WCCP Egress Methods IP Forward WAVE ARPs for configured Default Gateway (default) WCCP negotiated Flow sent back inside WCCP GRE tunnel to Router Generic GRE Flow sent back inside preconfigured Generic GRE tunnel to Switch (specific for HW assisted interception on Catalyst 6500) 60

60 Layer 2 Methods WAVE must be L2 adjacent to router L2 Redirect Rewrite frame dest MAC to WAVE MAC address Transmit frame towards WAVE L2 Return Rewrite frame dest MAC to Router MAC address Transmit frame towards router L2 Egress Rewrite frame dest MAC to Router MAC address Transmit frame towards redirecting router IP Forwarding Egress WAVE ARPs for default gateway Forward frame as IP packet to gateway address Redirect: L2 Redirect: L2 Today Return: L2 Egress: IP FWD WAAS v5.0 (Future) Return: L2 Egress: L2 61

61 Layer 3 or GRE Methods WAVE must be L3 reachable WCCP GRE Redirect (default) Encapsulate frame in GRE header Transmit GRE packet to WAVE (Source: Router-ID IP) WCCP GRE Return (negotiated) Encapsulate frame in GRE header Transmit GRE packet to redirecting router Destination IP: Router-ID WCCP GRE Egress Encapsulate frame in GRE header Transmit GRE packet to redirecting router Destination IP: Router-ID MUST USE Alternative Generic GRE on Catalyst 6500 Redirect: GRE Router/Switch Return: GRE Egress: GRE Router-ID defaults to loopback or highest IP. Configurable with ip wccp sourceaddress command in ASR 62

62 WCCP Loop Avoidance Common Loop Scenarios Cause: Default Egress Method is IP FWD Solution: Configure WCCP GRE Egress Redirect Loop WAN Cause: Redirect OUT configured Solution: Reconfigure to Redirect IN Redirect Loop WAN Cause: Redirect OUT configured Solution A: Reconfigure to Redirect IN Solution B: Configure Redirect-Exclude IN Redirect Loop 61 WAN 62 ip wccp redirect exclude in 63

63 WCCP Function WAAS Network Deployment WCCP - Platform Recommendations Nexus 7000 ISR & 7200 ASR 1000 Cat 6500 Cat 7600 Sup720/32 Cat 6500 Sup2T Cat 4500 Cat 3750 Assign Mask Hash or Mask Mask Hash or Mask (Hash*) or Mask Mask Mask Redirect L2 GRE or L2 GRE or L2 GRE or L2 GRE or L2 L2 only L2 only Redirect List L3/L4 ACL Extended ACL Extended ACL Extended ACL Extended ACL No Extended ACL (no deny) Direction In or Out In or Out In or Out In or Out In (or Out*) In In Return L2 GRE or L2 L2 Generic GRE or L2 Generic GRE VRFs Supported Supported Planned Planned Supported N/A N/A IOS 4.2(1) 5.1(5) 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M use L2/Mask XE3.1.0S IOS 15.0(1)S (33)SXH (18)SXF or L2 15.0(1)SY L2 <Sup6 12.2(50)SG1 Sup6 15.0(2)SG Sup7 15.1(1)SG L2 12.2(37)SE This list is dynamic over time, see release notes for latest information 64

64 WAAS Configuration Example Enable GRE Egress Turn on WCCP AFTER configuration wccp router-list wccp tcp-promiscuous router-list-num 1 egress-method negotiated-return intercept-method wccp wccp version 2 65

65 WCCP Router Configuration Router Global Configuration Router(config)# ip cef Router(config)# ip wccp 61 <optional-redirect-list acl-name> Router(config)# ip wccp 62 <optional-redirect-list acl-name> Router(config)# ip wccp version 2 Router Interface Configuration Router(config-if)# ip wccp 61 redirect <in out> Router(config-if)# ip wccp 62 redirect <in out> Router(config-if)# ip wccp redirect exclude in Determined by topology WAN

66 Branch WCCP Configuration Example 61 g0 s0 62 WAN 61 g0 s0 62 Si sm1/0 WAN Looped Intercept Risk! SRE-700 Router ip wccp version 2 ip wccp 61 ip wccp 62 Hash Router ip wccp version 2 ip wccp 61 ip wccp 62 Mask interface gigabit0 ip wccp 61 redirect in interface serial0 ip wccp 62 redirect in interface gigabit0 ip wccp 61 redirect in interface serial0 ip wccp 62 redirect in WAVE wccp router-list wccp tcp-promiscuous router-list-num 1 egress-method negotiated-return interceptmethod wccp wccp version 2 WAVE wccp router-list wccp tcp promiscuous router-list 1 l2- redirect mask-assign wccp tcp-promiscuous mask src-ip-mask 0x1 wccp version 2 67

67 Data Centre Example Single DC WCCP at WAN Edge WAVE or vwaas Deployed WAVE Registration Loopback IP of router ASR Router-ID Configured Loopback IP Single WCCP cluster each WAVE to both routers Assignment Mask Redirect WCCP GRE Return/Egress WCCP GRE Variable WCCP timers configured for fast convergence Network WAVEs on dedicated or shared VLAN WAVEs could be vpc connected to Nexus access layer Routed edge link with no WCCP High Availability via WCCP Maintains Symmetric Traffic Flows WAVE/vWAAS WAN WAVE/vWAAS ASR 1000 ASR 1000 WCCP Registration 68

68 Data Centre Example Multiple DC WCCP at WAN Edge WAVE or vwaas Deployed WAVE Registration Loopback IP of router ASR Router-ID Configured Loopback IP Single WCCP cluster each WAVE to all edge routers (full mesh) Assignment Mask (0x300 or 0x700 for growth) Redirect WCCP GRE Return/Egress WCCP GRE Variable WCCP timers configured Network WAVEs on dedicated or shared VLAN WAVEs could be vpc connected to Nexus access layer Routed edge link with no WCCP High Availability via WCCP Maintains Symmetric Traffic Flows WAVE/ vwaas ASR 1000 WAVE/ vwaas WCCP Registration not displayed 69 ASR 1000 WAN WAVE/ vwaas ASR 1000 WAVE/ vwaas ASR 1000

69 Data Centre Example Single DC WCCP at Aggregation Layer WAVE or vwaas Deployed WAVE Registration Interface IP of router ASR Router-ID Configured Loopback IP Single WCCP cluster each WAVE to both routers Assignment Mask Redirect Layer 2 Return/Egress Layer 2/IP FWD (L2 Egress in WAAS v5.0) Network WAVEs on dedicated VLAN no redirect All server VLAN SVIs 62 Redirect IN WAVEs could be vpc connected to Nexus access layer L2 between Aggregation Switches High Availability via WCCP Maintains Symmetric Traffic Flows WAVE/vWAAS WAN WCCP Registration WAVE/vWAAS Nexus 7000 Nexus 7000 ASR 1000 ASR 1000 L3 Routed 70

70 Data Centre Example Multiple DC WCCP at Aggregation Layer WAVE or vwaas Deployed WAVE Registration Interface IP of router ASR Router-ID Configured Loopback IP Single WCCP cluster each WAVE to all agg switches (full mesh) WAVE/v WAAS Assignment Mask (0x300 or 0x700 for growth) Redirect Layer 2 Return/Egress Layer 2/IP FWD (L2 Egress in WAAS v5.0) Network WAVEs on dedicated VLAN no redirect All server VLAN SVIs 62 Redirect IN WAVEs could be vpc connected L2 between Aggregation Switches Routed edge link High Availability via WCCP Maintains Symmetric Traffic Flows Nexus 7000 ASR 1000 WAVE/v WAAS Nexus 7000 WAVE/v WAAS WCCP Registration not displayed 71 ASR 1000 L2 Trunk L3 Routed WAN Nexus 7000 ASR 1000 WAVE/v WAAS Nexus 7000 ASR 1000

71 WAAS WCCP Deployment Configuration Best Practices Registration Do NOT use a virtual gateway address (HSRP, VRRP, GLBP) Use interface IP address if L2 adjacent to WCCP router Use highest loopback address if not L2 adjacent to WCCP router Software Platforms ISR, ISR G2 GRE Redirect (Default) Hash Assignment (Default) Inbound Interception "ip wccp redirect exclude in" on WCCP client interface (outbound interception only) WAAS Egress Method: IP Forwarding Hardware Platform ASR, Nexus 7000, Catalyst 6500, 4500 L2 Nexus 7000, Catalyst 6500, 4500, ASR WCCP GRE Redirect Catalyst 6500, ASR if required for design Mask Assignment keep mask small Inbound Interception Do not use "ip wccp redirect exclude in Catalyst 6500 WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only) 72

72 Network Interception vpath Mode

73 vpath Overview FC Array VSN vwaas1 1 SAN Web-Server 1 DBServer Web-Server 2 Web-Server 3 VSN vwaas2 App Server vcm vpath Nexus 1000v VEM VMware ESX Server 1 Nexus 1000v VEM VMware ESXi Server 2 VEM: Virtual Ethernet Module VSM: Virtual Supervisor Module VSN: Virtual Service Node Nexus 1000v VSM vcenter Server Optimised Port-Profile for WAAS 1 Optimised Port-Profile for WAAS 2 Non Opt Port-Profile vwaas Port-Profile

74 vpath Configuration Example port-profile type vethernet DC-vWAAS vmware port-group switchport mode access switchport access vlan 40 no shutdown state enabled port-profile type vethernet server-3 vmware port-group switchport mode access switchport access vlan 40 vn-service ip-address vlan 40 fail open no shutdown state enabled 75

75 vwaas vpath Deployment Port-Profile Configuration Network Admin view Port-Profile Port-group vpath interception Nexus 1000v VSM Server Admin view vsphere client Attach Opt-port-profile to server VMs 76

76 Deploying WAAS AOs Secure Application Optimisers

77 SSL AO Overview Central WAVE acts as a Trusted Intermediary Node for SSL requests by client Server Private Key and Certificate are securely loaded from CM Secure Store to Central WAVE Central WAVE participates in SSL Handshake to derive the Session Key Central WAVE securely sends the session key in-band to the Edge WAVE enabling it to terminate (decrypt/encrypt) the Client SSL session Edge WAVE Send session key Central WAVE Client Secure Channel SSL Handshake SSL Handshake WAN Original Data - Encrypted Optimised & Encrypted Original Data - Encrypted Server SSL Session Client to Core WAE (WAAS) SSL Session Central WAVE to Server 78

78 SSL Secure Store CM secure store keeps all imported host and accelerated SSL certificates and private keys Certificates and private keys encrypted with user pass-phrase: When secure store is being initialised first time (initialisation) After CM device reloads to open secure store (opening) CM secure store must be open to synchronise configuration between SSL capable CM and WAVEs Upon reboot, if CM detects the secure store is initialized but not open, a critical alarm is raised 79

79 E-MAPI AO Overview New in WAAS v5.0 June 2012 Preserves end-to-end security with Kerberos Operational consistency with MS infrastructure Consistent across version changes of MS Exchange Kerberos/NTLM Branch WAE Send session key Transparent Secure Channel Kerberos/NTLM DC WAE KDC/AD/DC Kerberos/NTLM WAN Outlook Client Original Data Encrypted/Signed Optimised & Encrypted/Signed Original Data Encrypted/Signed Exchange Server 80

80 E-MAPI AO Operation Grant WAE Workstation account Key permission Kerberos session key allows access to Encrypt/Read/Sign Data Encrypted MAPI Request Branch WAAS Securely transfer key to remote branch. WAN WAN-Secure Core WAAS Active Directory Controller (Kerberos KDC) Outlook Client Application Data: Encrypted Authentication: Kerberos Application Data: Optimised, Encrypted Authentication: Kerberos Application Data: Encrypted Authentication: Kerberos Exchange Server 81

81 E-MAPI Active Directory Integration POC and Commercial Deployment Work Flow with Admin Account Set Time, DNS and Domain info Enter User in WAE Ready! Enterprise Deployment Work Flow Workstation Account Set Time, DNS and Domain info User Account Set Time, DNS and Domain info Join WAE to Domain Create User in AD Grant WAVE Key Permission Grant WAVE Key Permission Require Active Directory team involvement Set WAVE to Use M/A Enter User in WAVE Ready! Ready! 82

82 E-MAPI AO Configuration Requirements WAVE requires DNS configuration to resolve AD domain queries. All WAVEs should be NTP Time Synchronised with the AD domain AD Provisioning User account identity - account created in the AD domain and provisioned on the WAVE Machine account identity - WAVE to join the AD domain. Domain Controller to delegate read only access for the root of the AD DB to the WAVE identity account CM Configuration Enable E-MAPI AO through CM 83

83 Citrix ICA AO Overview ICA Optimisation enabled by default No changes to client configurations No changes to server-side configurations WAN Virtual Desktops Branch Clients WAAS WAAS Citrix Hosting Infrastructure HDX Mediastream HDX with ICA CGP / Session Reliability 84

84 Citrix ICA AO Deployment Guidelines Disable CGP unless needed for lossy links such as satellite Use Client Side Rendering for HDX Mediastream for flash where possible for optimal end user experience Use Direct Print where possible for optimal print performance When using Redirected Print Mode, ensure Printer Redirection bandwidth and printer redirection bandwidth percentage settings are set to default (0) DRE Caching is more effective with greater number of users 85

85 Q & A

86 Complete Your Online Session Evaluation Complete your session evaluation: Directly from your mobile device by visiting and login by entering your username and password Visit one of the Cisco Live internet stations located throughout the venue Open a browser on your own computer to access the Cisco Live onsite portal Don t forget to activate your Cisco Live Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit 87

87 88