ASK THE EXPERT - APPLICATION INTELLIGENCE IN THE BRANCH WAN

Unanswered Question
Nov 2nd, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get tips for performing Route Optimization with Performance Routing for Cisco IOS and WAN Optimization using Cisco ISRs and WAAS network modules with Aamer Akhter. Aamer, joined Cisco Systems, Inc. in 1998 after graduating from Georgia Tech with a Bachelor's of Science in electrical engineering. After initially working in the Technical Assistance Center (TAC), he then moved on to various capacities within Cisco supporting large service provider and enterprise customers, as well as testing, designing and deploying several large Layer 2 and MPLS/VPN networks. Aamer is currently working as a technical marketing engineer in the areas of Network Virtualization, Wan-Optimization and router instrumentation.

Remember to use the rating system to let Aamer know if you have received an adequate response.

Aamer might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 16, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.8 (4 ratings)
Loading.
aakhter Sun, 11/04/2007 - 09:12

Ajeet,

The Catalyst line of cisco switches have a great variety of form factors and features that your cisco sales team will be able to best guide you through.

This forum is regarding application intelligence (cisco features that enhance the network application experience: QoS, NBAR, WAAS, PfR etc) on the WAN edge.

cfolkerts Tue, 11/06/2007 - 09:13

A customer of mine is currently dual homed to one single provider with multiple local routers. We are load sharing using local preference in BGP.

I was reading about Optimized Edge Routing (PfR) and would like to solicit some input regarding this technology. From what I have gathered with PfR, you must define a master controller and define policies for your application traffic. If your traffic remains within the policies, you will utilize the best path determined by the routing protocol. If your traffic falls out of policy, the master controller will inject routes or PBR entries to utilize the secondary link until all traffic falls back within the defined policy. Depending on your traffic patterns and your defined policies, the primary link could be used 100% of the time with the secondary link being idle if all traffic falls within the policies.

I understand that this may work well for real time applications like voice and video but I do not see the benefit for my customer. With the current setup, we are utilizing both links all the time.

Has anyone deployed this technology and can you provide some benefits it has over other traditional load sharing techniques?

Regards

aakhter Tue, 11/06/2007 - 19:50

Yes,in fact, many customers have deployed PfR for a variety of reasons including the 'best' path for certain classes of traffic (eg low latency for voice) as well as for load-balancing, the detection of packet loss on a path, and many more. All these policies can even be active at the same time.

For example, we can match the voice traffic and create a policy for sending that traffic down the lowest latency path.

The remaining traffic can be load-balanced between the exit links. There is a kind of statistical load-balancing today with CEF and equal-cost routes and even unequal cost routes (eg MPLS-TE and EIGRP), however it is very possible that 3 50mb flows map to the same hash-bucket and get sent out the same exit link. If that link is 100MB of bandwidth-there will definitely be dropped packets. The packets are getting dropped due to localized congestion on one link even though the site may have multiple 100MB exit links. PfR can measure these flows and assign them at a very granular level (this is where PBR comes in) to specific exits enabling maximal use of the site's bandwidth. Additionally, if some of the links have a metered pricing scheme, PfR can take that into account as well and try to make the most of the bandwidth with $$ cost minimization.

Finally, a routing protocol may be advertising reachability to a prefix that is actually not there, or the path itself is suffering form of intermittent packet loss. PfR can detect these packet losses (via IP SLA or TCP seq # tracking) and divert traffic away from the misperforming link.

davidjkent Tue, 11/06/2007 - 09:51

Hi Aamer

Im looking at implementing WAAS to improve network performance on our remote sites. Our remote sites are connected to a central site across the internet via Lan to Lan IPSEC VPN's which terminate on PIX firewalls running 6.3 at the remote sites and an ASA running 7.22 at the central site. I spoke with a consultant CCIE who says that WAAS doesn't work through VPN tunnels with firewalls positioned at the edge of the network due to the randomisation of TCP session numbers.

I thought the ASA was WAAS aware. As for the PIX's they could be upgraded.

When I asked the consultant if WAAS would work if we had ASA's at both ends of the link he reply saying it's not a hardware but a tunneling issue.

Please can you shed some light on this ?

Many thanks

David

aakhter Tue, 11/06/2007 - 20:31

David,

As long as the WAAS is working on the packets inside the IPsec tunnel then it can be effective as it can properly intercept the TCP sessions and do usefull work with respect to caching, compression and TCP optimization.

WAE--ASA===Internet===PIX-WAE

Now the second part of the question, ASA is very much WAAS aware:

• PIX 7.2(3) software can automatically detect the WAAS flows and allow them thru with the 'inspect waas' command.

• FWSM v3.2.1 adds the 'inspect waas' command

• IOS Zone based FW 12.4(11)T2 adds the 'inspect waas enable' command

Hi,

What tools are available from Cisco for Packet shapping+Route optimization+Traffic Priortization? Just to give you the history, we used to use Packet Shaper (from Packeteer) for some time, and were having some issues with the accuracy of the rules. Recently we deployed WAAS as our test bench for Regional HQ, and Branch, but unfortunately could not get it to a succeful status (even along with the help of Cisco guys, and their premiere partners).

Just for your information, we have been planning to deploy some sort of appliance which should be deployed in parallel to our routing/switching chain, instead of getting it inline (bewteen) the chain, like some sort of hardware based port mirroring , but question is, that is that possible using any Cisco appliance, and at the same time, getting that appliance do the packet shapping as well?

My next question, is that how usefull is NBAR as compared to other expansive applainces/engines? Do you have any URL link which could guide me towards the usefulness/bottlenecks of NBAR? I am bit hesitant to deploy NBAR just because i am not much aware of the risk involved in doing that...

I don't know if this last question relates to you or not, but here it goes.. How can we find out the difference between SNMP/Flows traffic generated by the IOS based Netflow as compared to NM-NAM based SNMP/Flows traffic? I mean if i want to extract a report of how much bandwidth i saved using NM-NAM, how can i do that?

so, summary is

1. Tools (PFR / WAAS / ?? )

2. Design issues ??

3. NBAR comparison and analysis ??

4. Netflow traffic vs. NM-NAM traffic

aakhter Thu, 11/08/2007 - 19:08

Hi Mohsin,

I'll try to break up the answers into the 4 parts you've outlined.

1. Tools: PfR and WAAS

Cisco IOS has very powerful built in QoS functionality for shaping as well as traffic prioritization. The QoS matching can infact use the application identification information provided by NBAR. In the near future PfR will be able to make sure of the NBAR classification of flows for its own use.

WAAS works on the packet payload and can improve the effects of high-latency, reduce bandwidth consumption on the WAN as well as offload some services (print, CIFS etc).

PfR on the other hand, does not touch the packet payload but finds the best WAN path for a particular kind of traffic and directs _that_ traffic to that path. It has very granular traffic controls and can even load-balance links on a per flow basis.

I'm afraid I don't follow the traffic-shaping in parallel with the routing chain thread, as traffic-shaping would have to act inline with the data forwarding path (unlike application profiling which could be done via port-mirroring).

aakhter Thu, 11/08/2007 - 20:09

NBAR performance

There are several classification options available depending on your needs as well as platform.

NBAR is an IOS based classification system and has traditionally been run in software using the same CPU as routing and forwarding. As you can imagine, this does raise some concerns regarding performance impact. There is a performance study located here:

http://www.cisco.com/en/US/products/ps6616/products_white_paper0900aecd8031b712.shtml

Additionally, the performance really depends on:

Things that you control (configuration):

• Number of protocols being matched

• Number of regexes being matched

• Complexity of packet inspection required (ie are you matching against HTTP, or a specific URL)

External factors (ie traffic profile):

• Number of flows

• Duration of flows (longer flows are less expensive)

• Kind of protocol match (ie stateful vs non-stateful)

Importantly, things that do not impact NBAR performance:

• What you do with the classification (ie drop, shape etc)

• Link speed (although higher link speeds will generally have more flows)

• NBAR on multiple interfaces (classification is cached, but multiple interfaces also generally means more flows)

• Inbound vs outbound on router interfaces

Recently, there has been the capability to offload the NBAR function on the cat6500 sup32 to the PISA daughterboard. Obviously this does increase the NBAR performance quite a bit.

http://www.cisco.com/en/US/products/hw/modules/ps2797/products_qanda_item0900aecd805a0e95.shtml

There is also an external appliance, the Service Control Engine, that can do traffic analysis, classification modifications and much more:

http://www.cisco.com/en/US/products/ps6151/

christiandupont Thu, 11/08/2007 - 13:17

Hi Aamer,

i have a question that will probably appear insignificant to you but i can't find an answer anywhere.

I need to know how to identify the mac address of all the workstations plugged into our cisco switch here at work. Is there a command or a software to visually or else see the mac address of our 100 workstations associated to each port on our cisco switch?

Thank you!

Chritian

aakhter Thu, 11/08/2007 - 18:45

Chritian,

You're looking for the 'show mac-address-table...' command:

http://cco/en/US/partner/docs/switches/lan/catalyst4500/12.1/12.1e/command/reference/show1.html#wpxref65396

This information is also available in SNMP via the BRIDGE-MIB:

http://www.cisco.com/warp/public/477/SNMP/cam_snmp.shtml

This forum is regarding application intelligence (cisco features that enhance the network application experience: QoS, NBAR, WAAS, PfR etc) on the WAN edge.

sflores99 Fri, 11/09/2007 - 03:04

aakhter,

my question is regarding DHCP/DNS but in a WAAS environnement. Can a wae 512 with inline card be a DHCP and DNS server for the branch office ?

Or even an AD domain server for authenticating user on the branch site ?

thanks

aakhter Fri, 11/09/2007 - 16:50

DHCP as well as limited DNS server (very basic server as well as caching proxy server) capabilities are available in IOS software today.

cisco IOS DHCP server

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/easyip2.htm

DNS

http://cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch15/hipdnsrw.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t9/htspldns.htm

With respect to the WAE inline card and and DHCP/DNS: the WAE will transparently forward the DHCP and DNS traffic without touching it and these services will continue working as normal.

We are actively looking at expanded capabilities, please feel free to contact me with your cisco account team.

cruzangel Fri, 11/09/2007 - 10:04

I just purchased a IBM T40 Laptop. I entered the WEP address to the software From my verizon gateway 327w modem.This laotop is for my sister who also has a verizon gateway modem.What do I have to do to change the software to use her wep address.I use Windows xp professional sp2.

aakhter Fri, 11/09/2007 - 17:07

cruzangel,

This forum is regarding application intelligence (cisco features that enhance the network application experience: QoS, NBAR, WAAS, PfR etc) on the WAN edge.

best of luck (I struggle with WEP myself)

cruzangel Sun, 11/11/2007 - 17:26

where could I find out the answer to my question since I have a cisco wireless lan mini pci adapter card in my laptop.

Danilo Dy Fri, 11/09/2007 - 21:35

Hi,

We are currently doing POC for WAAS - at least the devices mounted and connected to the network but currently pass-thru because other sites Cisco not able to deliver the devices yet.

I noticed when the deployment people setup the WAAS some apps are corrupted. When they tried to reinstall it using the DVD/CD that comes with the device it also becomes corrupted. But using FTP everything works fine. The image comes from the same source (CD). Took them 1 hour just to properly load the image :(

Question 1: Is there a known problem loading the image using the WAAS DVD/CD?

Question 2: Thus WAAS dependent on CMS or can we create profile/policy without CMS?

Thanks,

Dandy

aakhter Sat, 11/10/2007 - 09:19

Dandy,

The WAAS is not dependent on the CMS for configuration via the CMS GUI. The operator can configure policies etc individually via the CLI.

However, the CMS gui is needed for CIFS configuration/pre-positioning and it makes management of a large number of devices much more easier.

With respect to some components being corrupted on the WAAS. This does not sound familiar but it does sound like something we should investigate.

I would highly recommend contacting your local sales team as well as the cisco TAC.

hardiklodhia Sun, 11/11/2007 - 05:49

Hi Aakhter,

i have two remote offices connected to one branch office.branch office is connected to main office via 1 mb leased line.i am planning to put NME WAE 502 at each two remote and one WAE 612 at branch and one at main office with enterprise license.my question is regarding main office WAE.1, can it work as control manager and WAE WAAS without any performance issue? 2, if yes then do we need both enterprise and control manager license at main office ?

thanks in advance.

aakhter Sun, 11/11/2007 - 09:00

Hardiklodhia,

The CM function and the WAAS function need to be run on two different WAEs.

That said, the CM is optional depending on what you're wanting to do (see previous post regarding where the CM would add functionality).

Regards,

lewilson Wed, 11/14/2007 - 09:05

Hello,

We have noticed degradation of throughput when adding services to the ISR platform. How does the WX affect perfomance. Can you provide data sheet?

Thank You

aakhter Wed, 11/14/2007 - 17:49

Lewilson,

The cisco ISR series of routers are software based for the actual routing. There are some features that have hardware assist (eg encryption, voice encoding, L2 switching when using the switch module etc), but many other features will bring down the highest pps (packets per second) rate one can forward thru the router. I've listed two such features below (NetFlow and NBAR), but many others (eg ACLs etc) exist. There are many varieties of CPU types the ISRs are built with that provide varying amounts of performance. The biggest thing to consider is the WAN uplink speed as that will be your limiting factor in trying to pick the ISR.

As far as how the WAAS affects the ISRs performance, here are a couple of things to consider:

• The WAAS can be deployed as a module inside the ISR as well as an appliance.

• In both cases, the actual optimization work is not done by the ISR's CPU but by the WAAS

• Deploying WAAS with WCCP will cause traffic to traverse the router multiple times (redirect to WAAS, then back from WAAS) and will bring down the overall PPS capacity of the ISR. However, keep in mind usually the PPS capacity is more limited by the WAN link-so it is possible you may not hit the actual ISR's limit.

• Deploying as an inline (more common with appliance, but also technically possible using the external interface of the WAAS ISR module) will cause the traffic to only hit the ISR once, so the pps rate the ISR has to deal with could actually be lower (depends on compression rates etc).

• We've found that as the WAAS increases the 'virtual bandwidth' on the WAN people will make more use of the increased throughput as well as lower latency transaction-of course this will increase the load on the ISR. But that might a good thing overall

I hope that this has been helpful and as you can see there are many different variables in effect.

NetFlow

http://www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb9.shtml

NBAR

http://www.cisco.com/en/US/products/ps6616/products_white_paper0900aecd8031b712.shtml

Data Sheets

c2800

http://cco/en/US/partner/products/ps5854/products_data_sheets_list.html

c3800

http://cco/en/US/partner/products/ps5855/products_data_sheets_list.html

Actions

This Discussion