Wednesday, August 15, 2012

WAAS Post Number Two! WAAS Express

Hi Guys!

Hopefully my last blog post, plus my video (http://www.youtube.com/watch?v=wHOw1E8Npmo), has convinced you that WAAS is great!

So you want to try WAAS yourself, but you don't have the WAE appliances or the virtual image? You have two great options:

1. If in Australia, Get in touch with me and I might be able to help!
2. Cisco WAAS Express

Cisco WAAS Express is a software-based WAAS that you can enable on any 19XX, 29XX or 39XX series router!

There are some caveats that we will talk about, but for a quick and easy way to try out WAAS you can't look much further!

OK first of all let's talk about what you need.

The following is mandatory:
  • A Cisco 19XX/29XX or 39XX at each end of the connection, with a recent IOS on it; check the Feature Navigator for exact version requirements.

The following is optional:

  • To support the largest number of connections, you need as much RAM in your router as you can fit; if this is not possible, don't worry, you can still run WAAS Express.
  • A Cisco WAAS Central Manager would be nice too, but assuming you're doing this for the first time, it really is not required.
  • Let's say you already have WAAS deployed at some locations in your network: you can have WAAS Express work with your WAE, and this will give you the best possible performance, but again it is not absolutely mandatory.

OK! So now you're ready to try out WAAS Express. Go to your router, find your WAN-facing interface, then issue this configuration:

testWAASEXPRESS(config)#int gi0/2
testWAASEXPRESS(config-if)#waas enable

You will be asked to accept the license agreement (this is a trial license); afterwards you should see this message in your logs/console:

Aug 15 10:29:40.597: %WAAS-6-WAAS_ENABLED: WAAS is enabled on interface GigabitEthernet0/2

If you do this on both ends of the link, WAAS Express is enabled! Congratulations!

Is it really that easy? Damn right it is. Here is how to verify:

testWAASEXPRESS#show waas status

IOS Version: 15.1(4)M4
WAAS Express Version: 1.1.0

WAAS Enabled Interface        Policy Map                             
GigabitEthernet0/2            waas_global                            

WAAS Feature License
    License Type:                           Evaluation
    Evaluation total period:                8  weeks 4  days
    Evaluation period left:                 7  weeks 3  days

DRE Status                        : Enabled
LZ Status                         : Enabled + Entropy

Maximum Flows                     : 10
Total Active connections          : 0
Total optimized connections       : 0

As you can see, WAAS is enabled and ready to go. A few sections are worth noting. First, the WAAS Feature License section: the waas enable command turns on the temporary WAAS evaluation license for 8 weeks and 4 days. When you're happy with your WAAS Express, all you need to do is purchase a permanent license and install it on the device.

Another very important section is Maximum Flows, which on this platform is 10. This means that when WAAS Express is enabled on this router, only 10 of the connections made through this router will be accelerated; the rest will simply be treated like normal (so it does NOT restrict you to only 10 flows through the router as a whole, just 10 ACCELERATED connections!).

The reason for this is that this router has not been equipped with the maximum amount of memory; as you increase the memory in the router, the maximum number of flows increases. Here is a Top Gear top tip: order the WAAS Express bundle when ordering your routers, as the memory is significantly cheaper that way than adding it in afterwards!

OK, so now how do I actually prove this works? Easy, guys!

Make a connection between two hosts that actually uses TCP and flows through both routers, then issue this command:

testWAASEXPRESS#show waas connection             
ConnID     Source IP:Port         Dest IP:Port           PeerID            Accel 

17         10.240.19.70   :1107   10.240.19.5    :445    442b.03d6.f270    TLD   
16         10.240.19.70   :1106   10.240.19.5    :524    0000.0000.0000    PROG  
19         10.240.19.70   :1109   10.240.19.5    :524    0000.0000.0000    PROG   

You can see that it is being accelerated!

Now, at this point it is worth mentioning that two WAAS Express routers connected to each other, without a proper WAE appliance on at least one end, do not get all three of the technologies that make WAAS so good (that is, DRE, LZ and TFO); in fact only LZ and TFO are offered, as per this very helpful Q&A for Cisco WAAS Express:

Q. Can I use another Cisco WAAS Express router as a headend?
A. No. A router enabled for Cisco WAAS Express cannot be used as a headend. However, two routers using Cisco WAAS Express can forward optimized traffic to each other. Traffic between two routers will be optimized using only TFO and Lempel-Ziv-Stac (LZS) compression.

Let's get a bit more detail, shall we, and also see what a difference it makes:

Two WAAS Express Routers:

testWAASEXPRESS#show waas connection detailed

connection  ID:                         83
Peer Id:                                442b.03d6.f270
Connection Type:                        External
Start Time:                             10:58:30 UTC Aug 15 2012
Source IP Address:                      10.240.19.70
Source Port Number:                     1205
Destination IP Address:                 10.240.19.5
Destination Port Number:                59748
Application Name:                       waas-default
Classifier Name:                        waas-default
Peer Policy:                            TFO, LZ, DRE
Configured Policy:                      TFO, LZ, DRE
Negotiated Policy:                      TFO, LZ, DRE
Accelerators:                           TFO ONLY
Bytes Read Orig:                        0                  
Bytes Written Orig:                     1865693            
Bytes Read Opt:                         847612             
Bytes Written Opt:                      29325              
Auto-discovery information:
    Orig-St                             E
    Term-St                             EO
TFO information:
    TFO Frames Read:                    762                
    TFO Frames Written:                 0                  
LZ section
    Encode stats
        Bytes in                      0                  
        Bytes out                     0                  
        Bypass bytes                  0                  
        Compression gain              0%
        Avg Latency in Cef            0 usec    
        Avg Latency in Proc           0 usec    

    Decode stats
        Bytes in                      358911             
        Bytes out                     1387697            
        Bypass bytes                  481081             
        Compression gain              74%
        Avg Latency in Cef            24 usec
        Avg Latency in Proc           75 usec    
DRE section
    Encode stats
        Bytes in                      0                  
        Bytes out                     0                  
        Bypass bytes                  0                  
        Compression gain              0%
        Avg latency                   0 usec    

    Decode stats
        Bytes in                      0                  
        Bytes out                     0                  
        Bypass bytes                  1865693            
        Compression gain              0%
        Avg latency                   147 usec
Connection Status:
    WAN-LAN Status:                    
        Pending Data Read  : 0
        Last read notification (105) received 1136 ms ago
        Last write attempted 1136 ms ago
        Last window notification received 5536 ms ago
        Last attempted len : 4992
        Last error         : 0
        Last bytes accepted: 4992
    LAN-WAN Status:                    
        Pending Data Read  : 0
        Last read notification (0) received 612125932 ms ago
        Last write attempted 1136 ms ago
        Last window notification received 1304 ms ago
        Last attempted len : 51
        Last error         : 0
        Last bytes accepted: 51

You can see from the above that WAAS Express has had no gains from DRE, because DRE is not enabled between two Express routers (see Compression gain under the DRE section), but LZ has done its bit (see Compression gain under the LZ section).

Here is what the same troubleshooting command looks like with a proper WAE appliance at one end, and a WAAS express at the other:

testWAASEXPRESS#show waas connection detailed

connection  ID:                         97
Peer Id:                                5057.a865.7e41
Connection Type:                        External
Start Time:                             11:14:12 UTC Aug 15 2012
Source IP Address:                      10.240.19.70
Source Port Number:                     1240
Destination IP Address:                 10.240.19.5
Destination Port Number:                61023
Application Name:                       waas-default
Classifier Name:                        waas-default
Peer Policy:                            TFO, LZ, DRE
Configured Policy:                      TFO, LZ, DRE
Negotiated Policy:                      TFO, LZ, DRE
Accelerators:                           TFO ONLY
Bytes Read Orig:                        0                 
Bytes Written Orig:                     4816896           
Bytes Read Opt:                         159715            
Bytes Written Opt:                      4231              
Auto-discovery information:
    Orig-St                             E
    Term-St                             EO
TFO information:
    TFO Frames Read:                    78                
    TFO Frames Written:                 0                 
LZ section

    Encode stats
        Bytes in                      0                 
        Bytes out                     0                 
        Bypass bytes                  0                 
        Compression gain              0%
        Avg Latency in Cef            0 usec   
        Avg Latency in Proc           0 usec   

    Decode stats
        Bytes in                      22055             
        Bytes out                     21886             
        Bypass bytes                  136880            
        Compression gain              0%
        Avg Latency in Cef            1 usec   
        Avg Latency in Proc           2 usec   
DRE section
    Encode stats
        Bytes in                      0                 
        Bytes out                     0                 
        Bypass bytes                  0                 
        Compression gain              0%
        Avg latency                   0 usec   

    Decode stats
        Bytes in                      94138             
        Bytes out                     4816896           
        Bypass bytes                  0                 
        Compression gain              98%
        Avg latency                   2222 usec
Connection Status:
    WAN-LAN Status:                   
        Pending Data Read  : 0
        WAN frame completion pending (64628)
        Last read notification (1248) received 0 ms ago
        Last write attempted 16 ms ago
        Last window notification received 16 ms ago
        Last attempted len : 716
        Last error         : 0
        Last bytes accepted: 716
    LAN-WAN Status:                   
        Pending Data Read  : 0
        Last read notification (0) received 613053168 ms ago
        Last write attempted 24 ms ago
        Last window notification received 612 ms ago
        Last attempted len : 51
        Last error         : 0
        Last bytes accepted: 51
testWAASEXPRESS#

As you can see from the DRE section (a 98% compression gain on decode), much more of an improvement!

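To turn the two detailed outputs above into numbers you can compare, and to spot an Express-to-Express peer from the counters alone, here is an added Python example that is not part of the original post: it parses the show waas connection detailed text, recomputes the LZ and DRE compression gains the way the router reports them, and flags any negotiated accelerator whose decoder bypassed every byte. The embedded sample is an abridged copy of the first (two-router) output above; the function names are this example's own.

```python
import re

# Abridged copy of the post's first `show waas connection detailed` output
# (two WAAS Express routers, connection 83); the counters are the post's own.
SAMPLE = """\
Peer Id:                                442b.03d6.f270
Negotiated Policy:                      TFO, LZ, DRE
Bytes Written Orig:                     1865693
Bytes Read Opt:                         847612
LZ section
    Decode stats
        Bytes in                      358911
        Bytes out                     1387697
        Bypass bytes                  481081
DRE section
    Decode stats
        Bytes in                      0
        Bytes out                     0
        Bypass bytes                  1865693
"""

COUNTER = re.compile(r"(Bytes in|Bytes out|Bypass bytes)\s+(\d+)")

def parse_waas_connection(text):
    """Return header fields plus {'lz'|'dre': {'encode'|'decode': byte counters}}."""
    conn = {"lz": {}, "dre": {}}
    section = direction = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        low = line.lower()
        if low.startswith(("lz section", "dre section")):
            section, direction = low.split()[0], None
        elif low.startswith("connection status"):
            section = None
        elif section and low.endswith("stats"):      # "Encode stats" / "Decode stats"
            direction = low.split()[0]
            conn[section][direction] = {}
        elif section and direction and COUNTER.match(line):
            name, value = COUNTER.match(line).groups()
            conn[section][direction][name] = int(value)
        elif ":" in line:                            # plain "Key:   value" header lines
            key, _, value = line.partition(":")
            conn[key.strip().lower()] = value.strip()
    return conn

def compression_gain(stats, direction):
    """Gain as WAAS reports it: share of the LAN-side bytes that did not cross the WAN.
    Encode counts LAN bytes in / WAN bytes out; decode is the reverse."""
    lan, wan = ((stats["Bytes in"], stats["Bytes out"]) if direction == "encode"
                else (stats["Bytes out"], stats["Bytes in"]))
    return 0 if lan == 0 else round(100 * (1 - wan / lan))

def wan_saving(conn):
    """Whole-connection saving: optimized bytes read from the WAN vs original bytes written to the LAN."""
    orig, opt = int(conn["bytes written orig"]), int(conn["bytes read opt"])
    return 0.0 if orig == 0 else round(100 * (1 - opt / orig), 1)

def idle_accelerators(conn):
    """Negotiated accelerators whose decoder bypassed every byte: the Express-to-Express signature."""
    negotiated = {p.strip().upper() for p in conn.get("negotiated policy", "").split(",")}
    idle = []
    for tech in ("lz", "dre"):
        decode = conn[tech].get("decode", {})
        if tech.upper() in negotiated and decode.get("Bytes in", 0) == 0 and decode.get("Bypass bytes", 0) > 0:
            idle.append(tech.upper())
    return idle
```

Run against the second output above (WAE appliance at the far end), the same functions give a 98% DRE decode gain and an empty idle list.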
So my advice to anyone wanting to try WAAS Express out is: go ahead and enable WAAS Express between two routers if that is all you have, but that is only 10 percent of what WAAS can do for you. To really see the benefit you need a WAE appliance at one end, and don't forget there IS a virtual WAAS engine available! So speak to Cisco, or contact me (if within Australia) and I may be able to organise a demo through the company I work for.

If you would like to learn more about WAAS, please check out the following great book on the topic:

IMPORTANT NOTE: the views in this blog post, and all past, present and future blog posts, do NOT in any way reflect the opinions of my employer.

I hope this helps someone out there!

Saturday, August 11, 2012

Cisco WAAS, My favorite Cisco Product

A guide on WCCP Interception

Hi Guys!

Cisco WAAS is my favorite Cisco product, there I said it. No, it is true: I think it's the best thing since sliced bread, and it works INCREDIBLY well, as evidenced by a video (http://www.youtube.com/watch?v=wHOw1E8Npmo) I made a while ago showing just how good this product is.

I am so disappointed that this product is not part of CCIE DC, because it is just an incredible product that deserves more attention!

Anyway, I am getting quite a few deployments of it recently and in order to enjoy the benefits of WAAS, it has to be able to intercept! In the article below I attempt to cover some of the common methods of interception. 

The interception methods can basically be boiled down to three separate methods. I am not going to go through the full detail of every single one here, but hopefully a bit more than the actual Cisco documentation itself! For the most definitive guide on WAAS I have ever seen, go ahead and get yourself these books (please use my links below if you enjoy my blog, as this way I will get an Amazon gift card and can buy myself some more drum stuff :))

Interception Methods:
  • Inline interception
  • WCCP interception
  • Policy-based routing interception

In this article I am going to assume you know the basics of these interception methods; this is more of a "gotchas" article to help explain some of the more difficult aspects.

Inline Interception

This method of interception is the simplest to deploy and is recommended whenever possible. It involves inserting the WAAS in the path between your WAN and LAN at an office (for example, between your switch's uplink and your router).

A few quick pointers that might help you with inline interception:
  • The link light for an inline interface (LAN or WAN) will NOT come up unless both the WAN and LAN links are plugged in.
  • The inline interface supports full offline passthrough, so you really don't have to worry about the device being a single point of failure.
  • If you can't see any inline interfaces, make sure you have set your interception method on your WAE with:
    interception-method inline
  • You can exclude particular VLANs from being intercepted with:
    interface InlineGroup 1/0
     no inline vlan 200 (or the ID of whichever VLAN you wish to exclude from interception)

Inline itself is fairly straightforward. Be careful to make sure that, where possible, the interface is gigabit, and ensure that no duplex errors are occurring; otherwise you will actually receive WORSE performance!

WCCP Interception

WCCP interception is by far the most potentially complicated. WCCP has a few restrictions that you should know about before continuing:
  • ASAs do NOT support WCCP for services 61 and 62, only for web-proxy; I found this out the hard way and it led to a lot of heartache for me.

WCCP allows you to place the WAE in an off-path location relative to the traffic being intercepted and lets you support complicated topologies; this very strength, however, makes it a little complicated to configure.
There are three separate WCCP settings that you should know about, as they will directly affect your use of WCCP.

Let's quickly chat about what exactly WCCP is doing for us: WCCP is a method of telling a device that as traffic arrives on a particular interface, we want it to forward that traffic to another host instead of forwarding it as per its routing table.
So how exactly can the router perform that action? How can the router redirect the traffic?

This is called the redirection method or forwarding method, and there are two basic ways the router can perform it: L2 and GRE.

The first method, L2, simply says that as the packet comes in, I will rewrite the destination MAC to equal the MAC of the target WAE (or whatever other device is subscribed via WCCP).
This is the method you must use with hardware-based switching platforms like the 3750/3560, and in fact it is the only method they support.
The GRE method can be used for more complicated topologies: the original packet is actually encapsulated inside a GRE packet and sent to the WAE device, which allows the packet to traverse other hops and, as you can imagine, support more complicated topologies. This is the only method you can use if your WAE is not directly attached to the router or switch performing the WCCP interception (but we will get to that later with a super handy table :))
The picture below (from cisco.com) illustrates this concept further:

http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/images/chalktalk06200802.gif
OK, so now my packet has arrived at my WAE, I have inspected it and it looks wonderful, I have performed some optimization magic on the packet and am now ready to send it on to its actual target.
The methods we can use for this are called the "return" methods.
The first method, L2 return, simply changes the destination MAC of the frame back to the WCCPv2 router that sent it the traffic; the interface the traffic is returned on must not be the same as the interface where redirection is being performed. This is the simplest method and works quite effectively, but the device must be directly connected to the router.

The second method, IP forwarding, uses the IP default gateway of the WAE to forward the return traffic. The issue with this method arises if your WAE is on the same subnet as the traffic being redirected, because as the traffic is returned, the router will match it against WCCP again and re-forward it back to the WAE; therefore this method is only suitable if the WAE is on its own dedicated subnet.

The third and final method is Generic GRE, or WCCP GRE encapsulated traffic (the only difference between WCCP GRE and Generic GRE is that Generic GRE needs a bit more setup on the router, but is also done in hardware on SOME platforms; the table below will help illustrate when to use Generic GRE over WCCP GRE).

In this method, just like in the original forwarding GRE method, the traffic is encapsulated inside a GRE header, this method supports the most complicated topologies.

The final configuration item for WCCP is the use of an assignment method, WCCP Supports multiple devices attached to the same router in order to provide load balancing and redundancy, but this is beyond the scope of this document and will not be detailed here.  All you need to know in simpler deployments for WAAS is that some platforms only support MASK assignment if you want the load balancing done in hardware (which obviously you do)

Please note the terminology and syntax used here applies to WAAS version 5.0 and above.

Device and topology: WAE (any WAE, vWAAS, WAE module or appliance) on its own dedicated subnet, directly connected to a software-based ISR series router (ISR, ISR G2)
  Interception method: WCCP
  Assignment method: mask or hash
  Redirect method: Generic GRE or L2
  Return method: IP forwarding or L2
  Redirect exclude in? NO (unless using a WAE module)
  Service 61 and 62 locations: 61 on LAN in, 62 on WAN in

Device and topology: WAE (any WAE, vWAAS, WAE module or appliance) on the same subnet as the end users/servers/accelerated traffic, using a software-based ISR series router (ISR, ISR G2)
  Interception method: WCCP
  Assignment method: mask or hash
  Redirect method: Generic GRE
  Return method: WCCP-GRE
  Redirect exclude in? No (unless using a WAE module)
  Service 61 and 62 locations: 61 on WAN out, 62 on WAN in

Device and topology: WAE (any WAE, vWAAS, WAE module or appliance) on a dedicated subnet, more than a hop away from the clients being accelerated and more than a hop away from the router being configured for WCCP, using a software-based router (ISR, ISR G2)
  Interception method: WCCP
  Assignment method: mask or hash
  Redirect method: Generic GRE
  Return method: WCCP-GRE
  Redirect exclude in? No (unless using a WAE module)
  Service 61 and 62 locations: 61 on LAN in, 62 on WAN in

Device and topology: any WAE on the same subnet as the traffic being accelerated, with a hardware-based router (ASR 1000 for example) or a Catalyst 3750/4500 switch
  NOT SUPPORTED (assignment, redirect, return method and service placement: N/A)

Device and topology: any WAE on a dedicated subnet, directly connected to the same hardware-based router (ASR 1000) that is performing the WCCP redirection
  Interception method: WCCP
  Assignment method: mask ONLY
  Redirect method: L2
  Return method: IP forwarding
  Redirect exclude in? No
  Service 61 and 62 locations: 61 on LAN in, 62 on WAN in

Device and topology: any WAE on a dedicated subnet, directly connected to the same hardware-based switch (Catalyst 3750) that is performing the WCCP redirection
  Interception method: WCCP
  Assignment method: mask ONLY
  Redirect method: L2
  Return method: IP forwarding
  Redirect exclude in? No
  Service 61 and 62 locations: 61 on LAN in, 62 on WAN in
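The rules behind the table (hardware platforms need mask assignment and L2 redirect, L2 in either direction needs a directly attached WAE, IP-forwarding return from the accelerated subnet gets re-intercepted, and a WAE more than a hop away needs GRE both ways) can be turned into a quick design check. The following Python is an added example, not part of the post or any Cisco tool; its platform and option names (isr-g2, asr1000, "mask", "l2", "wccp-gre" and so on) are labels chosen here, not Cisco CLI keywords.

```python
# Platform labels are this example's own, covering the post's examples only.
HARDWARE_PLATFORMS = {"asr1000", "catalyst3750", "catalyst3560", "catalyst4500"}
SOFTWARE_PLATFORMS = {"isr", "isr-g2"}

def check_wccp_design(platform, wae_on_traffic_subnet, directly_connected,
                      assignment, redirect, return_method):
    """Return the list of problems with a proposed WCCP design (empty = matches the table)."""
    problems = []
    if platform in HARDWARE_PLATFORMS:
        if wae_on_traffic_subnet:
            problems.append("hardware platform with the WAE on the accelerated subnet is NOT SUPPORTED")
        if assignment != "mask":
            problems.append("hardware platforms load-balance in hardware with mask assignment only")
        if redirect != "l2":
            problems.append("hardware switching platforms support L2 redirect only")
        if return_method != "ip-forwarding":
            problems.append("the table gives IP forwarding as the return method on hardware platforms")
    elif platform in SOFTWARE_PLATFORMS:
        if wae_on_traffic_subnet and (redirect != "generic-gre" or return_method != "wccp-gre"):
            problems.append("WAE on the accelerated subnet: use Generic GRE redirect and WCCP-GRE return")
    else:
        problems.append(f"unknown platform {platform!r}")
    if redirect == "l2" and not directly_connected:
        problems.append("L2 redirect rewrites the destination MAC, so the WAE must be directly attached")
    if return_method == "l2" and not directly_connected:
        problems.append("L2 return hands the frame back to the WCCP router, so the WAE must be directly connected")
    if return_method == "ip-forwarding" and wae_on_traffic_subnet:
        problems.append("IP-forwarding return from the traffic subnet is intercepted again and looped back to the WAE")
    if not directly_connected and (redirect != "generic-gre" or return_method != "wccp-gre"):
        problems.append("a WAE more than a hop away needs GRE both ways (Generic GRE redirect, WCCP-GRE return)")
    return problems

def service_placement(wae_on_traffic_subnet):
    """Where services 61 and 62 are applied, per the table above."""
    if wae_on_traffic_subnet:
        return {61: "WAN out", 62: "WAN in"}
    return {61: "LAN in", 62: "WAN in"}
```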

For more esoteric configurations, see the helpful document from Cisco below:


Policy Based Routing

So let's say for some reason you cannot do WCCP or inline; your only remaining option is policy-based routing. Policy-based routing has a few restrictions but will work as an absolute last resort.
You must ensure that your WAE is directly connected to the device on which you are performing the next-hop manipulation. The WAE must be on a dedicated subnet; it cannot be on the same subnet as the users you are accelerating.
To configure policy-based routing, you would do something like the following (the next-hop address is a placeholder; fill in your own WAE's IP):
ip access-list extended redirect
 permit tcp any any
!
route-map redirect permit 50
 match ip address redirect
 set ip next-hop <WAE-IP-ADDRESS>
!
interface FastEthernet0/1
 description LAN LINK
 ip policy route-map redirect
!
interface FastEthernet0/0
 description WAN LINK
 ip policy route-map redirect
!
The configuration above will get the traffic redirected to your WAE; the WAE will then return the traffic via its default gateway.

I hope these tables and configuration options help someone out there!


Again, I cannot recommend the WAAS book by Cisco Press enough!