© 2012 Cisco and/or its affiliates. All rights reserved. BRKAPP-2005 Cisco Public
Deploying WAAS BRKAPP-2005
Agenda
WAAS Overview
WAAS Installation and Configuration
Network Interception
WAAS Application Optimizer (AO) Deployments
WAAS Sizing Guidelines
WAAS Overview
WAAS Helps To Accelerate Top-of-mind CIO Initiatives
Initiatives: VDI & BYOD, Video, Cloud, App Rollouts, WAN Refresh
‒ Single box solution addresses VoD, Live Streaming
‒ Solutions for Private and Public Cloud
‒ Industry leading app performance with NEW appliances
‒ 100% ISR G2s ship WAAS-ready
‒ SRE provides flexible options
Application Delivery Challenges
LAN Connectivity
‒High bandwidth
‒Low latency
‒Reliability
WAN Connectivity
‒Latency
‒Low bandwidth
‒Congestion
‒Packet Loss
Diagram: LAN ‒ Client, LAN Switch, Server; Round Trip Time ~ 0 ms. WAN ‒ Client, LAN switch, WAN, LAN switch, Server; Round Trip Time ~ many milliseconds
Cisco WAAS: WAN Optimization Solution
Diagram: Branch Office (WAAS on Services Ready Engine; WAAS Express; WAAS Appliance), Regional Office (WAAS Appliance), Data Center or Private Cloud (WAAS Appliances; vWAAS on VMware ESXi with Nexus 1000v vPATH and Nexus 1000v VSM on UCS/x86 Servers with FC SAN; Server VMs; WAAS CMs) and Virtual Private Cloud (vWAAS), all connected over the WAN
WAAS Product Portfolio (WAAS 5.0)
Segments: Tele Worker, Small Branch, Medium Branch, Large Branch, Small-Medium Data Centre, Data Centre & Campus
‒ WAAS Appliances: WAVE-294, WAVE-594, WAVE-694, WAVE-7541, WAVE-7571, WAVE-8541
‒ WAAS ISR Modules: SM-SRE-7X0, SM-SRE-9X0 (1941/2901, 29xx, 39xx)
‒ WAAS Express: 890, 1941/2901, 29xx, 39xx
‒ vWAAS: vWAAS-200, vWAAS-750, vWAAS-6000, vWAAS-12000, vWAAS-50000
‒ WAAS Mobile
Next Generation WAVE Appliances
Up to 2 Gbps optimized throughput
Optional I/O modules including Optical and 10Gbps Ethernet
Session and Transport Layer Optimisation
Diagram: Client and Host each run the full stack (Application, Presentation, Session, Transport, Network, Data Link, Physical). WAAS 1 and WAAS 2 sit in the path with Application Optimizer (AO), TFO, Network, Data Link and Physical layers: Origin connection ‒ Optimized connection across the WAN ‒ Origin connection
WAAS Application Policy defines: L4: basic optimization; L5-7: latency mitigation
TFO vs Regular TCP in the WAN
Diagram: cwnd against Time (RTT) through Slow Start and Congestion Avoidance, TCP compared with TFO
Cisco TFO Provides Significant Throughput Improvements over Standard TCP Implementations
TFO is using RFC2018, RFC1323, RFC3390 and BIC-TCP
http://netsrv.csc.ncsu.edu/export/bitcp.pdf
Advanced Compression
Diagram: Synchronized Compression History; DRE and LZ on each side of the WAN
Data Redundancy Elimination (DRE)
• Application-agnostic compression
• Up to 100:1 compression
• WAAS 4.4: Context Aware DRE
Persistent LZ Compression
• Session-based compression
• Up to 10:1 compression
• Works even during cold DRE cache
WAAS Context Aware Cache Architecture (WAAS 4.4)
App Aware Cache Manager: optimizes cache behavior based upon traffic directionality
Per Peer Signatures: provides fault isolation, prevents branch starvation and enables lowest latency data store access
CIFS Object Cache: includes File Pre-positioning; ideal for High latency / Low BW links
Diagram: Signatures (in memory) kept per peer (Peer 1, Peer 2 … Peer n) above a single Data Store (Disk)
Adaptive DRE Cache Unified Data Store: single store for all peers
App Policy Controlled:
‒ Uni-Directional Traffic: only written to destination cache. No cache consumption at source
‒ Bi-Directional Traffic: written to both caches
Application-Specific Acceleration
Diagram: Remote Office ‒ WAN ‒ Data Center
• Object Cache Verification
• Security and Control
• WAN Optimisation
• WAN Bandwidth Savings
• Server Safely Offloaded
• Fewer Servers Needed
• Power/Cooling Savings
• LAN-like Performance
Application/Protocol Awareness - Latency mitigation
Application Optimizers (AOs): CIFS, NFS, MAPI, Video, HTTP, SSL, Windows Printing, Citrix ICA, E-MAPI, SMBv2
Licensed, developed and validated with application vendors
Network Transparency
Packets between each network are routed as normal.
WAAS auto-discovery will find WAVEs in path
WAAS Network Transparency (same L3/L4 headers) allows application acceleration components to maintain compliance with existing network features
‒ Quality of Service (QoS), NBAR, NetFlow, monitoring, reporting
‒ Security functions (ACLs, firewall policies)
Diagram: subnets A/24, B/24, C/24, D/24 and E/24 joined across the WAN
Auto-Discovery - Two WAVE Configuration
In-band signaling with TCP option 0x21
WAVE (B) closest to client (A) and WAVE (C) closest to server (D)
Connection optimized between WAVE (B) and (C)
WAVE shifts optimized TCP SEQ number by 2 billion
If a WAVE that was optimizing fails:
Hosts will see segments with SEQ/ACK numbers that are out of range
Host will reset (RST) connection
Client will re-establish a new TCP connection
Diagram (A = client, B and C = WAVEs, D = server):
A→B: A:D SYN; B→C: A:D SYN(OPT); C→D: A:D SYN(OPT)
D→C: D:A SYN/ACK; C→B: D:A SYN/ACK(OPT); B→A: D:A SYN/ACK
A‒B: Origin Connection; B‒C: Optimized Connection; C‒D: Origin Connection
Auto-Discovery – Multiple WAVE Configuration
Optimized connection established between WAVE (B) and WAVE (D)
Intermediate WAVE (C) sees TCP option in both directions and switches to Pass Through (PT)
Each WAVE supports 10X optimized connection limit for Pass Through connections
Diagram (A = client, B, C and D = WAVEs, E = server):
A→B: A:E SYN; B→C: A:E SYN(OPT); C→D: A:E SYN(OPT); D→E: A:E SYN(OPT)
E→D: E:A SYN/ACK; D→C: E:A SYN/ACK(OPT); C→B: E:A SYN/ACK(OPT); B→A: E:A SYN/ACK
A→B: A:E ACK; B→C: A:E ACK(OPT); C→D: A:E ACK(OPT); D→E: A:E ACK
WAAS Overview – Intermediate Firewall Support Options
Tunnel through Firewall (not managed by WAAS)
‒ Permit TCP options and disable sequence number checking on firewall, allowing WAAS TFO Autodiscovery
‒ Firewall unable to perform stateful L3/L4 packet filtering; firewall implementing stateless L3/L4 filters
WAAS Directed Mode
‒ Permit TCP options and UDP 4050 tunnel
‒ Traffic optimized by WAAS using auto-discovery but then tunneled between WAEs
‒ Firewall cannot perform stateful inspection
Cisco firewall with WAAS awareness
‒ Traffic transparently optimized by WAAS using auto-discovery
‒ Cisco firewall preserves L3/L4 stateful inspection by permitting TCP options and statefully tracking TCP sequence number shift
Diagram: A, B, C, D, E with the firewall between the two WAVEs; Origin Connection, Optimized Connection, No Connection Layer Security
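The two details of auto-discovery that a firewall in the path has to cope with, the TCP option 0x21 marking and the 2-billion SEQ shift, as an added Python example (not part of the Cisco deck). It parses a TCP options field to detect option kind 0x21, and shows why a segment carrying the shifted SEQ number of the optimized connection falls outside any window a sequence-checking firewall would expect, which is the reason the slides call for either disabling sequence checking or tracking the shift. The sample option fields are constructed and the option 0x21 payload is a placeholder (the real contents are not on the deck); `WAAS_AUTODISCOVERY_OPTION`, `optimized_seq` and `in_window` are names chosen here.

```python
"""Added example (not from the Cisco deck): detect the WAAS auto-discovery
TCP option and show the effect of the optimized-connection SEQ shift."""

WAAS_AUTODISCOVERY_OPTION = 0x21   # TCP option kind 33, as named on the slide
SEQ_SHIFT = 2_000_000_000          # "WAVE shifts optimized TCP SEQ number by 2 billion"
TCP_SEQ_MODULUS = 1 << 32          # sequence numbers wrap at 2^32


def parse_tcp_options(raw):
    """Walk a TCP options field and return a list of (kind, data) pairs.

    Kind 0 (End of Option List) terminates the field; kind 1 (NOP) has no
    length byte; every other option carries a length byte that covers
    kind + length + data. Truncated or malformed options raise ValueError.
    """
    options = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def has_waas_autodiscovery(raw):
    """True if option kind 0x21 is present, i.e. a WAVE has marked this segment."""
    return any(kind == WAAS_AUTODISCOVERY_OPTION for kind, _ in parse_tcp_options(raw))


def optimized_seq(origin_seq):
    """SEQ number as carried on the optimized connection between the two WAVEs."""
    return (origin_seq + SEQ_SHIFT) % TCP_SEQ_MODULUS


def in_window(expected_seq, observed_seq, window):
    """Naive stateful check: is observed_seq within `window` bytes ahead of
    expected_seq, modulo 2^32? A firewall doing this on the origin-side state
    will reject the shifted SEQ unless it tracks the shift (Cisco firewall
    with WAAS awareness) or sequence checking is disabled."""
    return (observed_seq - expected_seq) % TCP_SEQ_MODULUS < window


# Constructed sample option fields (not captured traffic).
PLAIN_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4,    # MSS 1460
                           1,                   # NOP
                           3, 3, 7,             # window scale 7
                           4, 2])               # SACK permitted
# Option 0x21 with a placeholder 8-byte payload; the real payload is not on the deck.
MARKED_SYN_OPTIONS = PLAIN_SYN_OPTIONS + bytes([WAAS_AUTODISCOVERY_OPTION, 10]) + b"\x00" * 8


if __name__ == "__main__":
    print("plain SYN marked by a WAVE?", has_waas_autodiscovery(PLAIN_SYN_OPTIONS))
    print("marked SYN marked by a WAVE?", has_waas_autodiscovery(MARKED_SYN_OPTIONS))
    seq = 123456789
    print("origin SEQ", seq, "optimized SEQ", optimized_seq(seq),
          "inside a 64K window?", in_window(seq, optimized_seq(seq), 65535))
```

Running the block prints `False`, `True` and a shifted SEQ that is outside the window; the same modular arithmetic explains the slide's failure case, where hosts see out-of-range SEQ/ACK numbers after an optimizing WAVE drops out and reset the connection.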
WAAS Installation and Configuration
WAAS Deployment Overview
1. Initial setup is done using Console CLI – Setup Script recommended
2. License configuration is required
3. Always bring up the Central Manager (CM) first
– New WAAS devices are auto-registered to WAAS CM and become a member of AllWAASGroup
– When creating an AccelerationGroup make sure you apply the correct application policies (e.g. set default one) and auto-membership for this group is enabled
4. Next bring up all Application Accelerators
5. Configure traffic interception (AppNav, inline, WCCP etc)
– Start traffic interception on Core or Central devices followed by Remote Devices
6. Further configuration should be done from within the CM
WAAS Setup Script
Prompted on boot of factory default box to run setup script or execute ‘setup’
Script prompts for configuration to communicate, network integrate, manage, and license the WAE
WAVE default mode is Accelerator. Change to CM requires reboot
Optional Proactive Diagnostics
Deploying WAAS Central Manager
Central Management System (CMS)
CMS process runs on all WAVEs
Bidirectional configuration synchronization between CM and accelerators
All management communication uses HTTPS (self signed device specific certificates and keys)
Central Manager collects health and monitoring data every 5 min by default
CMS provides means to backup and restore configuration
sre700#sho cms info
Device registration information :
Device ID=11506
Device registered as = WAAS Application Engine
Current WAAS Central Manager = 10.42.40.1
Registered with WAAS Central Manager = 10.42.40.1
Status = Online
Time of last config-sync = Thu Dec 29 17:56:19 2011
CMS services information :
Service cms_ce is running
WAAS CM Dashboard
https://cm-ipaddress:8443
CM Configuration
device mode central-manager
hostname dc1-cm1
license add Enterprise
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
ip address 10.1.1.31 255.255.255.0
exit
ip default-gateway 10.1.1.254
ip name-server 10.1.1.21
clock timezone AEST 10 0
ntp server ntp.foo.com
cms enable
copy run start
Device located in Data Center
Setup script recommended
Non-default configuration
‒ Device mode
‒ Hostname
‒ Primary-interface
‒ IP configuration
‒ Date/time configuration
‒ Configuration Management System (CMS)
CMS must be enabled to access the CM GUI
Reload required (role change)
Optionally use standby interface to dual-home to two switches
Group Configuration Best Practices
‒ AllWAASGroup: DNS; SNMP; Date/Time > NTP Server | Time Zone; Login Access Control > SSH | MoD | Exec Timeout; Authentication; System Log Settings; Storage > Disk Error Handling
‒ SSLDevicesGroup: SSL Acceleration
‒ EdgeDevicesGroup: Transaction logs; Prepositioning; Disk encryption; Flow Agent
‒ AccelerationGroup: Application Policies (Optional)
WAAS Monitoring
Dashboard Aggregate Statistics
Optimisation Summary
Connection Trending
Application Acceleration
‒ HTTP, CIFS, NFS, MAPI, Video, SSL, Print, Citrix ICA, E-MAPI
Deploying Physical Appliance
WAE/WAVE
Basic Configuration – Accelerator
hostname branch1-wave
primary-interface GigabitEthernet 0/0
interface GigabitEthernet 0/0
ip address 10.1.100.101 255.255.255.0
! Optionally configure speed and duplex
exit
ip default-gateway 10.1.100.254
ip name-server 10.1.1.21
ntp server ntp.foo.com
central-manager address cm1.foo.com
cms enable
copy run start
Basic configuration – Manual or Setup
‒ Hostname
‒ Primary-interface
‒ IP configuration
‒ NTP
‒ CMS enable
CMS required to register with CM
Use of hostname for CM recommended
Interface HA Modes
‒ Standby Interface
‒ PortChannel Interface
WAVE Port Allocation
Onboard Ports
‒ GigabitEthernet 0/0
‒ GigabitEthernet 0/1
I/O Modules (WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T)
‒ GigabitEthernet 1/0, 1/1… 1/7 (Standalone mode)
‒ InlineGroup 1/0, 1/1, 1/2, 1/3 (Inline mode)
‒ TenGigabitEthernet 1/0, 1/1
Standby Interface
Must be layer 2 path between the two WAVE ethernet ports
MAC only on in-use interface
Primary preempts
Gratuitous ARPs on failover
Diagram: Gi 0/0 and Gi 0/1 of one WAVE in Standby group 1
WAVE(config)#interface Standby 1
WAVE(config-if)#ip address 10.1.2.100 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#standby 1 primary
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#standby 1
WAVE(config-if)#exit
WAVE(config)#primary-interface standby 1
WAVE#show interface standby 1
Interface Standby 1 (2 physical interface(s)):
GigabitEthernet 0/0 (active)(primary)(in use)
GigabitEthernet 0/1 (active)
PortChannel Interface
WAVE(config)#interface PortChannel 1
WAVE(config-if)#no shutdown
WAVE(config-if)#ip address 10.1.1.31 255.255.255.0
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/0
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
WAVE(config-if)#exit
WAVE(config)#interface GigabitEthernet 0/1
WAVE(config-if)#speed 1000
WAVE(config-if)#duplex full
WAVE(config-if)#no shutdown
WAVE(config-if)#channel-group 1
IP Address defined on PortChannel interface
Default Load Balance Method
‒ Source-Destination IP and Port
LACP is not currently supported.
Hard Code Speed/Duplex
Interface Configs MUST MATCH (Gi 0/0 and Gi 0/1 on both the WAVE and the switch side)
CM Management
Device Group Assignment
New WAAS devices are automatically added to AllWAASGroup
Add the new device to other (e.g. Edge, SSL etc) groups where necessary
Deploying Virtual Appliance
vWAAS
vWAAS Overview
Target Use Cases
‒ Enterprise DC
‒ Virtual Private Cloud
‒ Remote virtual platform
Interception Methods Supported
‒ Traditional methods such as WCCP
‒ Nexus 1000v w/ vPath
Storage used by vWAAS
‒ Direct Attached Storage (DAS)
‒ FibreChannel SAN
‒ iSCSI SAN
‒ NAS not currently supported
vWAAS is a virtualised WAAS appliance on vSphere ESXi running on UCS/x86 servers
Diagram: vWAAS on VMWare ESX/ESXi on UCS/x86 Servers
vWAAS Interception Options
Diagram: WAN ‒ Cat6K/N7K ‒ Nexus 2K/5K ‒ UCS Compute/Virtualised Servers; vWAAS on VMWare ESX/ESXi on UCS/x86 Servers, intercepted either by WCCP or by Nexus 1000V vPATH (ESXi with N1000v)
WCCP Interception
‒ Multiple vWAAS VMs can exist in same WCCP cluster
vPath Interception
‒ Based on port-profile policy configured in Nexus 1000v
‒ Bidirectional Interception (no IN/OUT configuration)
‒ Pass-through traffic automatic bypass
vWAAS Installation
vWAAS Virtual Appliance (OVF) preconfigured with disk, memory, CPU, NICs and other VMWare configuration settings
‒ vWAAS-200, 750, 6000, 12000, 50000 EVAL
‒ vCM-100N, 2000N
System Requirements
‒ VMware vSphere 4.x/5.x ESXi Hypervisor
‒ VMware vCenter server & vSphere client 4.x/5.x
‒ Cisco UCS or other x86 Server w/ 64 bit CPU on VMware HCL
‒ Ensure Intel VT is enabled in the host’s BIOS
‒ Thick provisioned storage
vPath (optional) requires Nexus 1000v v4.2(1)SV1(4) or later
vWAAS Configuration
vWAAS configuration is the same as for WAVE
Connect to the Console through vCenter
Use of Setup Script is recommended
Some differences you will notice
‒ Interface “virtual 1/0”
‒ Interception “other” (for vPATH)
Network Interception
Inline Mode
Inline Interception Overview
Simple Plug-and-Play Deployment
‒ Physical in-path deployment between switch and router
‒ Mechanical fail-to-wire
High Availability
‒ Two 2-port fail-to-wire groups with support for redundant network paths and asymmetric routing
‒ Serial in-path clustering with fail-over
Seamless Transparent Integration
‒ Transparency and automatic discovery
‒ 802.1q VLAN trunking support
‒ Supported on all WAVE appliance models
Diagram: WAVE inline between the LAN switch and the WAN router; inline modules WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T
Serial Inline Cluster
Diagram: two WAVEs in series (HA pair) between WAN1/WAN2 and the data centre LAN, using inline modules WAVE-INLN-GE-4SX, WAVE-INLN-GE-4T, WAVE-10GE-2SFP, WAVE-INLN-GE-8T
Simple High Availability Design for Small to Medium Data Centres
HA supported by secondary WAVE
Not intended for scaling, only HA
Design requires 4 inline groups (8 ports) per WAVE
Configure and manage via CM
Auto peer configuration
Location based reporting
Interception Access List supported
Bypass for non-relevant traffic
Inline Non-Redundant Branch
Diagram: WAN ‒ Router ‒ WAVE (inline) ‒ Switch
Router
‒ Crossover cable from router to engine
‒ Fix speed and duplex settings for Fast Ethernet connections
‒ Ensure the router and switch have matching speed and duplex
Switch
‒ Straight through cable from engine to switch
‒ Ensure the router and switch have matching speed and duplex
‒ Implement portfast for faster recovery
WAVE
‒ One Inline port group
‒ Ports fail-to-wire upon hardware, software, or power failure
‒ Support for interception 802.1q trunks
‒ Use Gi0/0 primary interface
Network Interception
WCCP Mode
Transparent Off-path Interception
WCCPv2 Interception
‒ Transparent network integration
‒ Active/active clustering supports up to 32 WAVEs and 32 routers with automatic load-balancing, load redistribution, fail-over, and fail-through operation
‒ Near-linear scalability and performance improvement when adding devices
Policy-Based Routing (PBR) Interception
‒ Routing of flows to be optimized through a Cisco WAVE as a next-hop router
‒ Active/passive clustering provides high availability and failover using IP SLA as a tracking mechanism
‒ HA only, no load balancing
Diagram: WCCP Cluster of WAVEs attached off-path to the WAN router
WCCP Functions
INTERCEPT – Identify packets for WCCP processing (in or out)
ASSIGN – Select the target WAVE
REDIRECT – Router/switch sends the packet to the WAVE
RETURN – For unprocessed traffic, WAVE returns the packet to the router
EGRESS – For processed/optimized traffic, WAVE egresses the packet back to the router
Diagram: router with WAVE Cluster: Intercept → Assign → Redirect → Return/Egress. Intercept takes place in both directions for WAAS
WCCP Interception Traffic Selection
Redirect-list matches traffic for interception
Permit all applications but deny specific protocols
‒ Avoid redirection of management traffic with a universal ACL
‒ Apply bidirectional ACL to service groups 61 and 62
‒ Create the redirect ACL before enabling WCCP service groups 61 and 62
‒ Do not enable logging on WCCP redirect ACL (performance)
Optionally permit specific IP subnets
Optimize ACL to minimize TCAM usage
ip access-list extended waas-redirect
remark WAAS WCCP Redirect List
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq bgp
deny tcp any any eq tacacs
deny tcp any any eq 2000
! Reverse Direction
deny tcp any eq telnet any
deny tcp any eq 22 any
deny tcp any eq 161 any
deny tcp any eq 162 any
deny tcp any eq 123 any
deny tcp any eq bgp any
deny tcp any eq tacacs any
deny tcp any eq 2000 any
!
permit tcp any <<branch subnet>>
permit tcp <<branch subnet>> any
! Implicit DENY ALL
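The redirect-list above, modelled as an added Python example (not from the deck) that applies IOS first-match and implicit-deny semantics to sample flows, so the effect of the reverse-direction deny entries and the branch-subnet permits can be checked before the ACL is attached to service groups 61 and 62. The branch subnet 10.1.100.0/24 and the sample flows are constructed; `build_redirect_list`, `redirected` and `Flow` are names chosen here. The ACL uses named ports telnet, bgp and tacacs; the numeric equivalents 23, 179 and 49 are used below.

```python
"""Added example (not from the Cisco deck): evaluate the slide's WCCP
redirect-list ACL against sample TCP flows with first-match semantics."""
import ipaddress
from collections import namedtuple

# A TCP flow as the router sees it on the intercepting interface.
Flow = namedtuple("Flow", "src dst sport dport")
# One ACL entry; None means "any" for that field.
Rule = namedtuple("Rule", "action src dst sport dport")

# Ports denied on the slide: telnet, 22, 161, 162, 123, bgp, tacacs, 2000.
MANAGEMENT_PORTS = [23, 22, 161, 162, 123, 179, 49, 2000]


def build_redirect_list(branch_subnet):
    """Mirror the 'waas-redirect' ACL: deny management ports in the forward
    direction, deny them in the reverse direction, then permit TCP to and from
    the branch subnet. <<branch subnet>> on the slide is a parameter here."""
    rules = []
    for port in MANAGEMENT_PORTS:      # deny tcp any any eq <port>
        rules.append(Rule("deny", None, None, None, port))
    for port in MANAGEMENT_PORTS:      # ! Reverse Direction: deny tcp any eq <port> any
        rules.append(Rule("deny", None, None, port, None))
    rules.append(Rule("permit", None, branch_subnet, None, None))  # permit tcp any <<branch subnet>>
    rules.append(Rule("permit", branch_subnet, None, None, None))  # permit tcp <<branch subnet>> any
    return rules                       # ! Implicit DENY ALL follows


def _match_addr(pattern, address):
    return pattern is None or ipaddress.ip_address(address) in ipaddress.ip_network(pattern)


def _match_port(pattern, port):
    return pattern is None or pattern == port


def redirected(rules, flow):
    """First matching entry decides. No match is the implicit deny: the flow
    is routed normally and never handed to a WAVE."""
    for rule in rules:
        if (_match_addr(rule.src, flow.src) and _match_addr(rule.dst, flow.dst)
                and _match_port(rule.sport, flow.sport) and _match_port(rule.dport, flow.dport)):
            return rule.action == "permit"
    return False


def redirect_report(rules, flows):
    """Map each flow to whether WCCP would redirect it to the WAAS cluster."""
    return {flow: redirected(rules, flow) for flow in flows}


ACL = build_redirect_list("10.1.100.0/24")   # constructed branch subnet

SAMPLE_FLOWS = [                                # constructed flows
    Flow("10.1.100.10", "10.1.1.50", 51000, 445),   # branch client to DC file server: redirected
    Flow("10.1.1.50", "10.1.100.10", 445, 51000),   # return direction: redirected as well
    Flow("10.1.100.10", "10.1.1.254", 52000, 22),   # SSH to a router: management, never redirected
    Flow("10.1.1.254", "10.1.100.10", 22, 52000),   # SSH reply: caught by the reverse-direction deny
    Flow("192.0.2.10", "10.1.1.50", 53000, 80),     # neither side in the branch subnet: implicit deny
]

if __name__ == "__main__":
    for flow, verdict in redirect_report(ACL, SAMPLE_FLOWS).items():
        print("%-14s:%-5d -> %-14s:%-5d %s" % (flow.src, flow.sport, flow.dst, flow.dport,
                                               "REDIRECT" if verdict else "pass"))
```

The entry order matters: the reverse-direction denies sit before the permits so that a server-side reply from a management port is excluded even though its destination is inside the branch subnet; swapping the order would redirect it.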
WCCP Interception
Default Service Groups 61 and 62 (Multiple SGs now supported)
Redirect 61 FROM Clients (balance on Src IP)
Redirect 62 FROM Servers (balance on Dst IP)
Always use Redirect IN wherever possible
Never use Redirect OUT on Catalyst switch
Redirect OUT can be used on ISR/ISR G2, ASR, Nexus 7000 if required by design
Avoid WCCP LOOPS! (more on this later)
Diagram: branch and data centre routers across the WAN, each with 62 on the WAN-facing interface and 61 on the LAN-facing interface
WCCP Assignment – Hash or Mask
Router uses assignment method to determine which WAVE to redirect traffic to
Hash Assignment
‒ Byte level XOR computation divided into 256 buckets
‒ Default for SW based routing platforms (eg ISR/ISR G2)
‒ All buckets allocated evenly across WAVEs (by default)
Mask Assignment
‒ Mask - Bit level AND divided up to 128 buckets (7 bits)
‒ Optimized for hardware based routing platforms (eg Nexus, Catalyst)
‒ Always keep Mask size as small as possible (Default was 0x1741, now 0xF00)
‒ Number of buckets (and size of mask) based on number of WAVEs in cluster
2 WAVEs – 1 bit mask eg 0x1 (buckets 0, 1)
8 WAVEs – 3 bit mask eg 0x7 (buckets 000, 001, 010, 011, 100, 101, 110, 111)
Hash Assignment
Hash applied to Source OR Destination IP based on Service Group (61/62)
Assignment matches in both directions
Diagram: client 10.1.1.1 to server 20.1.1.1 across the WAN. Service group 61 hashes Src 10.1.1.1; service group 62 hashes Dst 10.1.1.1. Hash buckets 0-127 map to WAVE-A and 128-255 to WAVE-B, so both directions of the flow reach the same WAVE
Mask Assignment
Mask applied to Source OR Destination IP based on Service Group (61/62)
Assignment matches in both directions
Diagram: client 10.1.1.1 to server 20.1.1.1 across the WAN. Service group 61 masks Src 10.1.1.1; service group 62 masks Dst 10.1.1.1. eg Four WAVEs, Mask 0x3 (2 bits): bucket 00 → WAVE-A, 01 → WAVE-B, 10 → WAVE-C, 11 → WAVE-D, so both directions of the flow reach the same WAVE
Mask Assignment Examples
Branch
‒ ISR G2 - Hash or Mask supported (Hash more efficient in SW)
‒ Use Hash or keep Mask small (typically only one or two bits)
‒ If balancing across multiple engines with Mask, set mask to match host bits
Data Center
‒ Assuming /24 allocation per site (or per subnet)
‒ Set mask to match third octet (subnet) with mask range 0x100 to 0x7F00
Two WAVE Cluster
Mask 0x3         = 0000:0000.0000:0000.0000:0000.0000:0011
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 01 → WAVE-B
Eight WAVE Cluster
Mask 0x700       = 0000:0000.0000:0000.0000:0111.0000:0000
Src/Dst IP (Bin) = 0000:1010.0000:0001.0000:0001.0000:0001
Src/Dst IP (Dec) = 10.1.1.1
Result 001 → WAVE-B
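The bucket computation behind the two worked examples above, and the hash and mask assignment slides before them, as an added Python example (not from the deck). It generalizes the mask case to any mask: the bits the mask selects form the bucket index, buckets map to WAVEs, and keying service group 61 on the source IP and 62 on the destination IP lands both directions of a flow on the same WAVE. The bucket-to-WAVE allocation is a simple round-robin model that reproduces the slide's results (bucket 01 → WAVE-B, bucket 001 → WAVE-B); the real table is negotiated between the router and the WAVEs. The byte-XOR hash is a simplified model of the slide's one-line description, not Cisco's implementation. WAVE names and site addresses are constructed.

```python
"""Added example (not from the Cisco deck): WCCP mask and hash bucket
computation and the resulting WAVE selection for both directions of a flow."""
import ipaddress


def mask_bucket(ip, mask):
    """Bit-level AND of the IPv4 address with the mask. The bits the mask
    selects, read from least to most significant, form the bucket index
    (mask 0x3 -> 2 bits -> buckets 00..11; 0x700 -> 3 bits of the third octet)."""
    addr = int(ipaddress.IPv4Address(ip))
    bucket, out_bit = 0, 0
    for pos in range(32):
        if (mask >> pos) & 1:
            bucket |= ((addr >> pos) & 1) << out_bit
            out_bit += 1
    return bucket


def bucket_count(mask):
    """Number of buckets a mask yields: 2 ** (bits set). The deck caps mask
    assignment at 128 buckets (7 bits), so larger masks are rejected."""
    bits = bin(mask).count("1")
    if bits > 7:
        raise ValueError("mask %#x selects %d bits; at most 7 are allowed" % (mask, bits))
    return 1 << bits


def hash_bucket(ip):
    """Simplified model of the deck's 'byte level XOR ... 256 buckets'
    (not Cisco's actual hash function)."""
    b = ipaddress.IPv4Address(ip).packed
    return b[0] ^ b[1] ^ b[2] ^ b[3]


def wave_by_mask(ip, mask, waves):
    """Round-robin bucket-to-WAVE allocation (a model; the router negotiates
    the real table). Reproduces the slide: bucket 01 -> WAVE-B with two WAVEs,
    bucket 001 -> WAVE-B with eight."""
    bucket_count(mask)  # validates the mask size
    return waves[mask_bucket(ip, mask) % len(waves)]


def wave_by_hash(ip, waves):
    """Contiguous allocation of the 256 hash buckets as the hash slide shows
    (0-127 -> WAVE-A, 128-255 -> WAVE-B for two WAVEs)."""
    per_wave = 256 // len(waves)
    return waves[min(hash_bucket(ip) // per_wave, len(waves) - 1)]


def wave_for_flow(src, dst, service_group, mask, waves):
    """Service group 61 keys on the source IP (traffic from clients), 62 on the
    destination IP (traffic from servers), so both directions of one flow are
    assigned to the same WAVE."""
    if service_group == 61:
        key = src
    elif service_group == 62:
        key = dst
    else:
        raise ValueError("WAAS uses service groups 61 and 62")
    return wave_by_mask(key, mask, waves)


def site_distribution(mask, waves, site_networks):
    """How /24 sites spread across WAVEs with a third-octet mask such as 0x700."""
    dist = {w: [] for w in waves}
    for net in site_networks:
        dist[wave_by_mask(net, mask, waves)].append(net)
    return dist


if __name__ == "__main__":
    two = ["WAVE-A", "WAVE-B"]
    eight = ["WAVE-%s" % c for c in "ABCDEFGH"]
    print("0x3   on 10.1.1.1 -> bucket", format(mask_bucket("10.1.1.1", 0x3), "02b"),
          wave_by_mask("10.1.1.1", 0x3, two))
    print("0x700 on 10.1.1.1 -> bucket", format(mask_bucket("10.1.1.1", 0x700), "03b"),
          wave_by_mask("10.1.1.1", 0x700, eight))
    print("client->server (61):", wave_for_flow("10.1.1.1", "20.1.1.1", 61, 0x3, two),
          "server->client (62):", wave_for_flow("20.1.1.1", "10.1.1.1", 62, 0x3, two))
    sites = ["10.1.%d.0" % n for n in range(1, 9)]   # constructed /24 sites
    print(site_distribution(0x700, two, sites))
```

`bucket_count` also makes the slide's "keep the mask small" advice concrete: the old default 0x1741 selects six bits (64 buckets) where 0xF00 selects four (16), and a mask whose bits are not aligned with the site's host or subnet bits distributes flows unevenly, which `site_distribution` shows for a given address plan.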
Redirect, Return and Egress Methods
WCCP specifics are configured on WAVE (WCCP Client)
MUST match WCCP router capabilities
WCCP Redirect Methods
‒ WCCP GRE - Entire packet inside GRE tunnel to WAVE (default)
‒ Layer 2 - Frame Destination MAC address rewritten to WAVE MAC
WCCP Return Methods
‒ WCCP GRE - GRE Packet returned Router (negotiated)
‒ WCCP Layer 2 - Frame rewritten to Router MAC
WCCP Egress Methods
‒ IP Forward – WAVE ARPs for configured Default Gateway (default)
‒ WCCP negotiated – Flow sent back inside WCCP GRE tunnel to Router
‒ Generic GRE – Flow sent back inside preconfigured Generic GRE tunnel to Switch (specific for HW assisted interception on Catalyst 6500)
Layer 2 Methods
WAVE must be L2 adjacent to router
L2 Redirect
‒ Rewrite frame dest MAC to WAVE MAC address
‒ Transmit frame towards WAVE
L2 Return
‒ Rewrite frame dest MAC to Router MAC address
‒ Transmit frame towards router
L2 Egress
‒ Rewrite frame dest MAC to Router MAC address
‒ Transmit frame towards redirecting router
IP Forwarding Egress
‒ WAVE ARPs for default gateway
‒ Forward frame as IP packet to gateway address
Diagram: Default ‒ Redirect: L2, Return: L2, Egress: IP FWD. WAAS v5.0 ‒ Redirect: L2, Return: L2, Egress: L2
Layer 3 or GRE Methods
WAVE must be L3 reachable
WCCP GRE Redirect (default)
‒ Encapsulate frame in GRE header
‒ Transmit GRE packet to WAVE (Source: Router-ID IP)
WCCP GRE Return (negotiated)
‒ Encapsulate frame in GRE header
‒ Transmit GRE packet to redirecting router
‒ Destination IP: Router-ID
WCCP GRE Egress
‒ Encapsulate frame in GRE header
‒ Transmit GRE packet to redirecting router
‒ Destination IP: Router-ID
‒ MUST USE Alternative Generic GRE on Catalyst 6500
Diagram: Router/Switch with Redirect: GRE, Return: GRE, Egress: GRE
Router-ID defaults to loopback or highest IP.
Configurable with “ip wccp source-address” command in ASR
WCCP Loop Avoidance – Common Loop Scenarios
Diagram: three redirect-loop topologies, each with service group 62 on the WAN side and 61 on the LAN side
Redirect Loop 1 ‒ Cause: Default Egress Method is IP FWD. Solution: Configure WCCP GRE Egress
Redirect Loop 2 ‒ Cause: Redirect OUT configured. Solution: Reconfigure to Redirect IN w/ GRE
Redirect Loop 3 ‒ Cause: Redirect OUT configured. Solution A: Reconfigure to Redirect IN. Solution B: Configure Redirect-Exclude IN (ip wccp redirect exclude in)
WAAS Network Deployment WCCP - Platform Recommendations
This list is dynamic over time, see release notes for latest information
Nexus 7000
‒ Assign: Mask
‒ Redirect: L2
‒ Redirect List: L3/L4 ACL
‒ Direction: In or Out
‒ Return: L2
‒ VRFs: Supported
‒ IOS: 4.2(1); 5.1(5)
ISR & 7200
‒ Assign: Hash or Mask
‒ Redirect: GRE or L2
‒ Redirect List: Extended ACL
‒ Direction: In or Out
‒ Return: GRE or L2
‒ VRFs: Supported
‒ IOS: 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; ISR G2 15.0(1)M use L2/Mask
ASR 1000
‒ Assign: Mask
‒ Redirect: GRE or L2
‒ Redirect List: Extended ACL
‒ Direction: In or Out
‒ Return: L2
‒ VRFs: Planned
‒ IOS: XE3.1.0S; IOS 15.0(1)S
Cat 6500 / Cat 7600 Sup720/32
‒ Assign: Hash or Mask
‒ Redirect: GRE or L2
‒ Redirect List: Extended ACL
‒ Direction: In or Out
‒ Return: Generic GRE or L2
‒ VRFs: N/A
‒ IOS: 6500 12.2(33)SXH; 7600 12.2(18)SXF
Cat 6500 Sup2T
‒ Assign: (Hash*) or Mask
‒ Redirect: GRE or L2
‒ Redirect List: Extended ACL
‒ Direction: In (or Out*)
‒ Return: Generic GRE or L2
‒ VRFs: Supported
‒ IOS: 15.0(1)SY
Cat 4500
‒ Assign: Mask
‒ Redirect: L2 only
‒ Redirect List: No
‒ Direction: In
‒ Return: L2
‒ VRFs: N/A
‒ IOS: <Sup6 12.2(50)SG1; Sup6 15.0(2)SG; Sup7 15.1(1)SG
Cat 3750
‒ Assign: Mask
‒ Redirect: L2 only
‒ Redirect List: Extended ACL (no deny)
‒ Direction: In
‒ Return: L2
‒ VRFs: N/A
‒ IOS: 12.2(37)SE
WAAS Network Deployment WCCP – Feature Enhancements
WCCP Configurable Timers
Supports 9 second failure discovery (30 sec default)
Supported in WAAS (v4.4 onwards)
Requires router support
ISR G2 – Support in 15.2(3)T
ASR – Support in IOS XE 3.2.0S
Nexus 7000 – Support in 5.1(1)
Catalyst 6500 – Support coming MA2 (Q3CY12)
Configurable Router-ID
Allows control of router-id for WCCP GRE
Router support as above
WCCP Router Configuration
Router Global Configuration
Router(config)# ip cef
Router(config)# ip wccp version 2
Router(config)# ip wccp 61 <optional-redirect-list acl-name>
Router(config)# ip wccp 62 <optional-redirect-list acl-name>
Router Interface Configuration (in or out determined by topology)
Router(config-if)# ip wccp 61 redirect <in|out>
Router(config-if)# ip wccp 62 redirect <in|out>
Router(config-if)# ip wccp redirect exclude in
Diagram: branch and data centre routers across the WAN, each with 62 on the WAN-facing interface and 61 on the LAN-facing interface
WAAS Configuration Example
wccp router-list 1 192.168.254.2
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2
Enable GRE Egress (egress-method negotiated-return)
Turn on WCCP AFTER configuration (wccp version 2 is entered last)
Branch WCCP Configuration Example
Diagram: branch router with an SRE-700 WAAS module in slot sm1/0; service group 61 on g0 (LAN side), 62 on s0 (WAN side)
Hash
Router
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
ip wccp 61 redirect in
interface serial0
ip wccp 62 redirect in
WAVE
wccp router-list 1 10.1.1.254
wccp tcp-promiscuous router-list-num 1
egress-method negotiated-return intercept-method wccp
wccp version 2
Mask
Router
ip wccp version 2
ip wccp 61
ip wccp 62
interface gigabit0
ip wccp 61 redirect in
interface serial0
ip wccp 62 redirect in
WAVE
wccp router-list 1 10.1.2.254
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp tcp-promiscuous mask src-ip-mask 0x1
wccp version 2
Looped Intercept Risk!
Data Centre Example – Single DC WCCP at WAN Edge
WAVE or vWAAS Deployed
‒ WAVE Registration – Loopback IP of router
‒ ASR Router-ID Configured – Loopback IP
‒ Single WCCP cluster – each WAVE to both routers
‒ Assignment – Mask
‒ Redirect – WCCP GRE
‒ Return/Egress – WCCP GRE
‒ Variable WCCP timers configured for fast convergence
‒ Network: WAVEs on dedicated or shared VLAN; WAVEs could be vPC connected to Nexus access layer; Routed edge link with no WCCP
High Availability via WCCP
Maintains Symmetric Traffic Flows
Diagram: WAN ‒ two ASR 1000 routers ‒ two WAVE/vWAAS; WCCP Registration shown
Data Centre Example – Multiple DC WCCP at WAN Edge
WAVE or vWAAS Deployed
‒ WAVE Registration – Loopback IP of router
‒ ASR Router-ID Configured – Loopback IP
‒ Single WCCP cluster – each WAVE to all edge routers (full mesh)
‒ Assignment – Mask (0x300 or 0x700 for growth)
‒ Redirect – WCCP GRE
‒ Return/Egress – WCCP GRE
‒ Variable WCCP timers configured
‒ Network: WAVEs on dedicated or shared VLAN; WAVEs could be vPC connected to Nexus access layer; Routed edge link with no WCCP
High Availability via WCCP
Maintains Symmetric Traffic Flows
Diagram: two data centres across the WAN, each with two ASR 1000 routers and two WAVE/vWAAS; WCCP Registration not displayed
Data Centre Example – Single DC WCCP at Aggregation Layer
WAVE or vWAAS Deployed
‒ WAVE Registration – Interface IP of router
‒ ASR Router-ID Configured – Loopback IP
‒ Single WCCP cluster – each WAVE to both routers
‒ Assignment – Mask
‒ Redirect – Layer 2
‒ Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)
‒ Network: WAVEs on dedicated VLAN – no redirect; All server VLAN SVIs – 62 Redirect IN; WAVEs could be vPC connected to Nexus access layer; L2 between Aggregation Switches
High Availability via WCCP
Maintains Symmetric Traffic Flows
Diagram: WAN ‒ two ASR 1000 (L3 Routed) ‒ two Nexus 7000 aggregation switches ‒ two WAVE/vWAAS; WCCP Registration shown
Data Centre Example – Multiple DC WCCP at Aggregation Layer
WAVE or vWAAS Deployed
‒ WAVE Registration – Interface IP of router
‒ ASR Router-ID Configured – Loopback IP
‒ Single WCCP cluster – each WAVE to all agg switches (full mesh)
‒ Assignment – Mask (0x300 or 0x700 for growth)
‒ Redirect – Layer 2
‒ Return/Egress – Layer 2/IP FWD (L2 Egress in WAAS v5.0)
‒ Network: WAVEs on dedicated VLAN – no redirect; All server VLAN SVIs – 62 Redirect IN; WAVEs could be vPC connected; L2 between Aggregation Switches; Routed edge link
High Availability via WCCP
Maintains Symmetric Traffic Flows
Diagram: two data centres, each with WAN ‒ two ASR 1000 (L3 Routed) ‒ two Nexus 7000 (L2 Trunk between them) ‒ two WAVE/vWAAS; WCCP Registration not displayed
WAAS WCCP Deployment Configuration Best Practices
Registration
‒ Do NOT use a virtual gateway address (HSRP, VRRP, GLBP)
‒ Use interface IP address if L2 adjacent to WCCP router
‒ Use highest loopback address if not L2 adjacent to WCCP router
Software Platforms – ISR, ISR G2
‒ GRE Redirect (Default)
‒ Hash Assignment (Default)
‒ Inbound Interception
‒ "ip wccp redirect exclude in" on WCCP client interface (outbound interception only)
‒ WAAS Egress Method: IP Forwarding
Hardware Platform – ASR, Nexus 7000, Catalyst 6500, 4500
‒ L2 – Nexus 7000, Catalyst 6500, 4500, ASR
‒ WCCP GRE Redirect – Catalyst 6500, ASR – if required for design
‒ Mask Assignment – keep mask small
‒ Inbound Interception
‒ Do not use "ip wccp redirect exclude in" – Catalyst 6500
‒ WAAS Egress Method: IP Forwarding, Generic GRE (Cat6k PFC-based systems only)
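The mask assignment and symmetric-flow points above (0x300 or 0x700 for growth, "keep mask small"), worked through as an added Python illustration; this is not Cisco code, and the WAVE names and addresses are constructed:

```python
"""WCCP mask assignment, as an added illustration (not Cisco code).
A mask such as 0x300 or 0x700 picks out a few bits of an IPv4 address; every
value those bits can take is one bucket, owned by one WCCP client (a WAVE).
Service 61 masks the source and service 62 the destination address, so both
directions of a client/server flow hash on the client address and reach the
same WAVE.  WAVE names and addresses below are constructed for the example."""
import ipaddress
from collections import Counter

def bucket_count(mask: int) -> int:
    """One bucket per combination of the mask bits: 0x300 -> 4, 0x700 -> 8."""
    return 1 << bin(mask).count("1")

def bucket_of(ip: str, mask: int) -> int:
    """Pack the masked bits of ip into a bucket index (low bit first)."""
    addr = int(ipaddress.IPv4Address(ip))
    index, out_bit = 0, 0
    for shift in range(32):
        if (mask >> shift) & 1:
            index |= ((addr >> shift) & 1) << out_bit
            out_bit += 1
    return index

def assign_buckets(mask: int, waves: list) -> dict:
    """Spread the buckets round-robin over the WAVEs in the WCCP cluster."""
    return {b: waves[b % len(waves)] for b in range(bucket_count(mask))}

def intercepting_wave(service, src, dst, mask, assignment):
    """Service 61 hashes the source address, service 62 the destination."""
    key = src if service == 61 else dst
    return assignment[bucket_of(key, mask)]

def buckets_per_wave(mask: int, waves: list) -> Counter:
    """Buckets each WAVE owns; a WAVE with 0 buckets sits idle.  On hardware
    platforms each bucket is also programmed into TCAM per redirected
    interface, which is why the mask should stay as small as the cluster allows."""
    counts = Counter(assign_buckets(mask, waves).values())
    for w in waves:
        counts.setdefault(w, 0)
    return counts

if __name__ == "__main__":
    cluster = assign_buckets(0x300, ["WAVE-1", "WAVE-2"])
    client, server = "10.1.5.20", "10.42.40.210"  # constructed addresses
    print(intercepting_wave(61, client, server, 0x300, cluster))  # client -> server
    print(intercepting_wave(62, server, client, 0x300, cluster))  # server -> client
    print(buckets_per_wave(0x300, ["W1", "W2", "W3", "W4", "W5"]))  # W5 gets 0
    print(buckets_per_wave(0x700, ["W1", "W2", "W3", "W4", "W5"]))
```

With four buckets (0x300) a fifth WAVE never receives traffic, which is the growth case 0x700 is recommended for.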
69
Network Interception
vPath Mode
vPATH Overview
[Figure: VMware ESX Server 1 and VMware ESXi Server 2, each running a Nexus 1000v VEM with a vWAAS instance (vWAAS1, vWAAS2) acting as a VSN, managed by the Nexus 1000v VSM, vCenter Server and vCM; server VMs (Web-Server 1, Web-Server 2, Web-Server 3, App Server, DBServer) on an FC array over the SAN; port-profiles: Non Opt, vWAAS, Optimized for WAAS 1, Optimized for WAAS 2; vPATH steers flows 1 and 2 to their vWAAS]
VEM: Virtual Ethernet Module
VSM: Virtual Supervisor Module
VSN: Virtual Service Node
71
vPath Configuration Example
! Port-profile for the vWAAS VM itself: plain access port on VLAN 40, no vn-service
port-profile type vethernet DC-vWAAS
  vmware port-group
  switchport mode access
  switchport access vlan 40
  no shutdown
  state enabled
! Port-profile for the server VMs to be optimized: vn-service steers their traffic to the
! vWAAS at 10.42.40.210 on VLAN 40; "fail open" forwards traffic unoptimized if the vWAAS is unavailable
port-profile type vethernet Exchange-Server
  vmware port-group
  switchport mode access
  switchport access vlan 40
  vn-service ip-address 10.42.40.210 vlan 40 fail open
  no shutdown
  state enabled
72
vWAAS vPath Deployment Port-Profile Configuration
[Figure: Network Admin view on the Nexus 1000v VSM, where the vPATH interception port-profile is configured; Server Admin view in the vSphere client, where the Opt port-profile (port-group) is attached to the server VMs]
73
Network Interception
AppNav
WAAS + AppNav:
Unmatched Performance and Scale
AppNav
• Massive Virtual Clusters
• Deploy Anywhere
• Application Affinity
• Load-Aware Distribution
• Content-Aware Policies
WAVE Appliances
• 150,000 Sessions
• 2Gbps Throughput
• Dynamic Status Reporting
Context-Aware DRE
• Highest Throughput
• Eliminates Disk Latency
• Application Aware
• Unified Datastore
75
What is Cisco AppNav?
AppNav virtualizes WAN optimization resources into pools of elastic resources with business-driven bindings.
[Figure: WAN traffic for Exchange and Web Apps from Business Unit 1 and Business Unit 2 mapped onto WAN optimization pools of vWAAS, WAVE and WAE devices]
76
What is Cisco AppNav?
AppNav is a next generation physical Input / Output Module (IOM) for
the latest generation of Cisco WAVE Appliances.
• The AppNav IOM contains its own network hardware, processing data independently of the WAVE Appliance.
• The host appliance for an AppNav module can still be used to optimize traffic.
• AppNav can scale up to 8 AppNav modules, along with 32 WAAS or vWAAS Appliances.
• AppNav can be deployed In-Path and Out-of-Path.
77
AppNav Simplifies Service Insertion
Easily Solve Deployment and Scalability Headaches

Deployment Consideration                    | In Path                       | Off Path                    | AppNav (In Path)              | AppNav (Off Path)
No Cable Insertion Outage                   | ✗                             | ✓                           | ✗                             | ✓
No Router / Switch Code Dependency          | ✓                             | ✗                           | ✓                             | ✓
No Router / TCAM Impact                     | ✓                             | ✗                           | ✓                             | ✓
Load and performance aware flow distribution| ✗                             | ✗                           | ✓                             | ✓
Asymmetric flow support                     | ✓                             | ✓                           | ✓                             | ✓
Inline Modes                                | Parallel and Serial           | N/A                         | Only Parallel Required        | N/A
Ability to scale out / add capacity         | Constrained by Inline Device  | Constrained by Router TCAM  | Constrained by Inline Device  | 10's of Gbps / Millions of Connections
78
AppNav Has a Complete Understanding of The Network
Inputs to AppNav Dynamic Load-Aware Distribution:
‒ AppNav High Availability
‒ WAAS Traffic Load
‒ WAAS I/O Load
‒ Application Persistence
‒ Previous Path Affinity
‒ Custom Affinity Rules
‒ WAAS Device Status
‒ WAAS Optimization Load
‒ WAAS High Availability
79
AppNav Branch-Based Clustering and Affinity
[Figure: Branch Office_1, Branch Office_2 and Branch Office_3 send Branch1, Branch2 and Branch3 traffic across the WAN to Cisco AppNav in the Data Center, which steers each to its own cluster: Br1_WAAS, Br2_WAAS, Br3_WAAS]
AppNav's powerful policy engine allows for easy separation of branch traffic at the Data Center. No knowledge of IP addresses or ACLs required.
80
AppNav Enables Application-Aware Affinity
[Figure: three Branch Offices send HTTP, SSL and Other traffic across the WAN to Cisco AppNav in the Data Center, which directs it to an HTTP Cluster, an SSL Cluster and an Other Cluster]
AppNav can simply split traffic into separate application clusters. This flexible deployment allows WAAS to easily adapt to application traffic increases and changes.
81
AppNav Dynamic Status Reporting
[Figure: three Branch Offices across the WAN to Cisco AppNav, which shows a STOP, GO or ? status for WAAS1 and WAAS2]
AppNav and WAAS communicate capacity and status for every optimization process per flow. This allows AppNav to easily route around failures and/or capacity problems.
STOP – WAAS cannot accept connections
? – WAAS can only accept pre-existing connections
GO – WAAS is optimizing normally
82
WAAS High Availability
[Figure: two Branch Offices across the WAN to the Data Center with WAAS_1, WAAS_2 and WAAS_3; a Cisco WAAS device failure is shown]
AppNav provides intelligent WAAS failure mitigation.
• On WAAS failure, AppNav maintains the pre-existing TCP connections to the other WAAS units.
• AppNav can also be configured with explicit backup HA units for critical devices.
• AppNav can also intelligently pass through traffic if a failure would result in an overload condition for the remaining units.
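The three node states reported to AppNav (STOP, ?, GO) and the failure handling described on these two slides, as a simplified added model in Python; this is not AppNav's implementation, the "?" state is called WAIT here, and the node capacities and flow tuples are constructed:

```python
"""Simplified model of AppNav status-aware flow distribution (added example,
not Cisco's implementation).  Each WAAS node reports one of the slide's three
states: GO (optimizing normally), WAIT (only pre-existing connections), STOP
(cannot accept connections).  Capacities and flow tuples are constructed."""
from dataclasses import dataclass, field

GO, WAIT, STOP = "GO", "?", "STOP"
PASS_THROUGH = "pass-through"

@dataclass
class Node:
    name: str
    capacity: int            # optimized TCP connections the node is sized for
    status: str = GO
    flows: set = field(default_factory=set)

class AppNavModel:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.table = {}      # flow -> node name or PASS_THROUGH

    def dispatch(self, flow):
        """Place one flow; an existing flow keeps its node while it can serve it."""
        owner = self.table.get(flow)
        if owner in self.nodes and self.nodes[owner].status != STOP:
            return owner                      # GO or WAIT: keep the existing flow
        if owner is not None:
            self.table[flow] = PASS_THROUGH   # its node stopped: no longer optimized
            return PASS_THROUGH
        # New flow: only GO nodes with headroom are candidates, least loaded first.
        candidates = [n for n in self.nodes.values()
                      if n.status == GO and len(n.flows) < n.capacity]
        if not candidates:
            self.table[flow] = PASS_THROUGH   # rather than overload what remains
            return PASS_THROUGH
        node = min(candidates, key=lambda n: len(n.flows) / n.capacity)
        node.flows.add(flow)
        self.table[flow] = node.name
        return node.name

    def fail(self, name):
        """Node failure: it stops accepting, its flows fall back to pass-through, others are untouched."""
        node = self.nodes[name]
        node.status = STOP
        for flow in node.flows:
            self.table[flow] = PASS_THROUGH
        node.flows.clear()

if __name__ == "__main__":
    model = AppNavModel([Node("WAAS_1", 2), Node("WAAS_2", 2)])
    f1 = ("10.1.5.20", 40001, "10.42.40.210", 443)   # constructed 4-tuple
    print(model.dispatch(f1), end=" -> ")   # WAAS_1
    model.fail("WAAS_1")
    print(model.dispatch(f1))               # pass-through
```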
83
AppNav High Availability
• AppNav performs a per-flow state update between all AppNav devices.
• These states keep all devices aware of each other, with information on how connections are being handled.
• In the event of a failure, the remaining AppNav units can immediately handle all connections that were using the failed AppNav.
[Figure: Branch Office – WAN – Data Center]
84
Simple Status: AppNav 360° Device View
• Graphical overview of AppNav deployment and configuration
• Quick, at-a-glance statistics and load information
• Data-driven tooltips and status indicators that give quick access to device health.
• Support for viewing 8 AppNav Controllers and 32 WAAS Nodes
85
AppNav Cluster Wizard: Simple, yet powerful deployment
Step by step configuration of AppNav through the Cluster Wizard
Validation and feedback for every step to prevent errors and misconfigurations
86
Complete AppNav Configuration
Configure cluster settings
Select cluster devices
Validate cluster interfaces
87
Deploying WAAS AOs
Secure Application Optimizers
SSL AO Overview
Central WAVE acts as a Trusted Intermediary Node for SSL requests by client
Server Private Key and Certificate are securely loaded from CM Secure Store to Central WAVE
Central WAVE participates in SSL Handshake to derive the “Session Key”
Central WAVE securely sends the “session key” in-band to the Edge WAVE enabling it to terminate (decrypt/encrypt) the Client SSL session
[Figure: Client – Edge WAVE – WAN – Central WAVE – Server. SSL handshakes at both ends, labelled "SSL Session Client to Core WAE (WAAS)" on the client side and "SSL Session Central WAVE to Server" on the server side; original data encrypted on both LAN segments, optimized and encrypted across the secure channel between Edge WAVE and Central WAVE; the Central WAVE sends the session key to the Edge WAVE]
89
SSL Secure Store
The CM secure store keeps all imported host and accelerated SSL certificates and private keys.
Certificates and private keys are encrypted with a user pass-phrase, which must be supplied:
‒ When the secure store is initialized for the first time (initialization)
‒ After a CM device reload, to open the secure store (opening)
The CM secure store must be open to synchronize configuration between the SSL-capable CM and the WAVEs.
Upon reboot, if the CM detects that the secure store is initialized but not open, a critical alarm is raised.
90
E-MAPI AO Overview
New in WAAS v5.0
Preserves end-to-end security with Kerberos
Operational consistency with MS infrastructure
Consistent across version changes of MS Exchange
[Figure: Outlook Client – Branch WAE – WAN – DC WAE – Exchange Server, with Kerberos/NTLM authentication against the KDC/AD/DC; original data encrypted/signed on both LAN segments, optimized and encrypted/signed across the transparent secure channel between the WAEs; the DC WAE sends the session key to the Branch WAE]
91
E-MAPI AO Operation
[Figure: Outlook Client – Branch WAAS – WAN (WAN-Secure) – Core WAAS – Exchange Server, with the Active Directory Controller (Kerberos KDC) beside the Exchange Server]
‒ The Outlook client sends an encrypted MAPI request; authentication is Kerberos.
‒ The WAE "Workstation" account is granted key permission; the Kerberos session key allows the Core WAAS to encrypt, read and sign the data.
‒ The Core WAAS securely transfers the key to the remote branch.
‒ Application data is encrypted on both LAN segments and optimized and encrypted across the WAN; authentication remains Kerberos throughout.
92
E-MAPI Active Directory Integration
POC and Commercial Deployment Work Flow with Admin Account:
‒ Set Time, DNS and Domain info → Join WAE to Domain → Ready!
Enterprise Deployment Work Flow (requires Active Directory team involvement):
‒ Workstation Account: Set Time, DNS and Domain info; Enter User in WAE; Set WAVE to use M/A; Grant WAVE Key Permission; Ready!
‒ User Account: Create User in AD; Grant WAVE Key Permission; Enter User in WAVE; Set Time, DNS and Domain info; Ready!
93
E-MAPI AO Configuration
Requirements
WAVE requires DNS configuration to resolve AD domain queries.
All WAVEs should be NTP Time Synchronised with the AD domain
AD Provisioning
User account identity – account created in the AD domain and provisioned on the WAVE
Machine account identity – WAVE joins the AD domain
Domain Controller delegates read-only access for the root of the AD DB to the WAVE identity account
CM Configuration
Enable E-MAPI AO through CM
94
Citrix XenApp and XenDesktop Support
Zero-touch deployment, auto-interoperability with ICA encryption & compression
High performance virtual desktops
No changes to clients, no changes to servers
[Figure: Branch Office – WAN – Data Centre, with WAAS 4.5 at each end and a transparent handshake between them]
Cisco WAAS 4.5.1 is jointly tested, validated, supported and verified as a Citrix Ready™ solution
95
Citrix ICA AO Overview
[Figure: Branch Clients – WAAS – WAN – WAAS – Citrix Hosting Infrastructure / Virtual Desktops; protocols shown: HDX Mediastream, HDX with ICA, CGP / Session Reliability]
No changes to client configurations
ICA optimization enabled by default
No changes to server-side configurations
96
Citrix ICA AO Deployment Guidelines
Disable CGP unless needed for lossy links such as satellite
Use Client Side Rendering for HDX Mediastream for Flash where possible for optimal end user experience
Use Direct Print where possible for optimal print performance
When using Redirected Print Mode, ensure the Printer Redirection bandwidth and printer redirection bandwidth percentage settings are set to default (0)
DRE caching is more effective with a greater number of users
97
WAAS Sizing Guidelines
WAVE - Platform Performance (4.5)

Platform                        | SRE-7X0-S | SRE-7X0-M | SRE-9X0-S | SRE-9X0-M | SRE-9X0-L | 294-4G | 294-8G | 594-6G | 594-12G | 694-16G | 694-24G | 7541 | 7571 | 8541
WAN Bandwidth (Mbps)            | 20        | 20        | 50        | 50        | 50        | 10     | 20     | 50     | 100     | 200     | 200     | 500  | 1000 | 2000
Optimized TCP Connections       | 200       | 500       | 200       | 500       | 1000      | 200    | 400    | 750    | 1300    | 2500    | 6000    | 18k  | 60k  | 150k
Optimized LAN Throughput (Mbps) | 200       | 200       | 300       | 300       | 300       | 100    | 150    | 250    | 300     | 450     | 500     | 1000 | 2000 | 4000
Total Disk Capacity (GB)        | 500       | 500       | 500       | 500       | 500       | 250    | 250    | 500    | 500     | 600     | 600     | 2250 | 3150 | 4200
DRE Disk Capacity (GB)          | 80        | 80        | 120       | 120       | 120       | 40     | 55     | 80     | 120     | 120     | 200     | 500  | 1000 | 2000
CIFS Disk Capacity (GB)         | 57        | 57        | 95        | 95        | 95        | 75     | 75     | 100    | 100     | 100     | 100     | 225  | 225  | 300
Maximum LAN Video Streams       | 40        | 150       | 40        | 150       | 300       | 40     | 80     | 150    | 300     | 400     | 1000    | 1000 | 1000 | 1000

Rows the slide gives for a subset of the platforms only (values as listed on the slide, in platform order):
Virtual Blades Supported: 2 2 2 4 4 6
Total Virtual Blade Disk Capacity (GB): 60 60 175 175 180 180
Peer Fan Out: 50 100 150 300 700 1400 2800
CM Managed Devices: 250 250 1000 1000 2000 2000
99
vWAAS - Platform Performance (4.5)

Platform                        | vWAAS-200 | vWAAS-750 | vWAAS-6000 | vWAAS-12000 | vCM-100N | vCM-2000N
Number of vCPU                  | 1         | 2         | 4          | 4           | 2        | 4
Virtual Memory (GB)             | 2         | 4         | 8          | 12          | 2        | 8
Virtual Disk Datastore (GB)     | 160       | 250       | 500        | 750         | 250      | 600
Target WAN Bandwidth (Mbps)     | 10        | 50        | 200        | 310         | –        | –
Optimized TCP Connections       | 200       | 750       | 6000       | 12000       | –        | –
Optimized LAN Throughput (Mbps) | 100       | 250       | 500        | 1000        | –        | –
DRE Disk Capacity (GB)          | 50        | 95        | 320        | 450         | –        | –
CIFS Disk Capacity (GB)         | 75        | 95        | 95         | 175         | –        | –
Max LAN Video Streams           | 40        | 150       | 1000       | 1000        | –        | –
CM Managed Devices              | –         | –         | –          | –           | 100      | 2000

Peer Fan-out (values as listed on the slide, for a subset of the vWAAS platforms): 50 300 1400
100
Wide Area Application Services
‒ Ease of Enterprise-Wide Deployment
‒ Transparent Secure Application Delivery
‒ Secure and Seamless Cloud Connectivity
‒ Lower Footprint and TCO
‒ Superior End-User Experience
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
102
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI
103