Do I need "ip inspect WAAS enable" when WAE directly connected to ISR?

Answered Question
Sep 17th, 2010

I have a 3800 ISR with Gig0/0 connected to LAN, Serial0/0 connected to WAN, and Gig1/0 connected directly to a WAE-674. I'm using WCCP between the ISR and WAE. The ISR also does IP inspection and call manager express functions.

The "ip inspect in" is configured on the router LAN interface Gi0/0. There is no ip inspect configured for the port connected to WAE or the WAN interface. In this case, do I still need to configure "ip inspect WAAS enable" globally?

One other question: should I also configure "ip inspect" for the router port connected to WAE, as a good practice?

Thanks

Gary

Correct Answer by Bhavin Yadav about 6 years 2 months ago

Hi Gary,

The purpose of adding the ip inspect command to the interface is to allow the auto-discovery option that goes with the initial SYN packet to carry all the way to the WAE unit on the other side during the initial 3-way TCP handshake. This command tells IOS not to strip off the auto-discovery option.

Hence you really do not need that on the LAN side / interface connected to the WAE. Once the WAE receives the packet with this option, it identifies the peer and starts optimizing from that point onwards.

On the other hand, having this command on those interfaces will not hurt, either.

But you need the ip inspect waas command only if the WAEs across the WAN are not recognizing each other due to a zone-based firewall policy or any other security appliances. Otherwise you are good without this command.

More details can be found here: Configuring Directed Mode

Hope this helps.

Regards.

PS: Please mark this as Answered, if this answers your question.

Overall Rating: 5 (1 ratings)
Bhavin Yadav Fri, 09/17/2010 - 15:56
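
To check whether a firewall or inspection hop is removing the auto-discovery option described in the answer, the same SYN can be captured on both sides of the device and its TCP options compared. The following is an added example, not part of the original thread and not Cisco code; it assumes the WAAS auto-discovery marker is TCP option kind 33 (0x21), a value that does not appear in the thread, and the option payload and both sample headers are constructed.

```python
import struct

WAAS_AD_KIND = 0x21  # TCP option 33; assumed from general WAAS knowledge, not from the thread

def build_syn(options: bytes) -> bytes:
    """Build a constructed TCP SYN header (no IP layer) carrying the given options."""
    options += b"\x01" * (-len(options) % 4)      # pad with NOPs to a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 445, 1000, 0,
                       offset_words << 4, 0x02, 65535, 0, 0) + options

def tcp_options(header: bytes):
    """Parse a raw TCP header and return its options as (kind, data) pairs."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    end = (header[12] >> 4) * 4                   # data offset, in bytes
    if end < 20 or end > len(header):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < end:
        kind = header[i]
        if kind == 0:                             # End of Option List
            break
        if kind == 1:                             # NOP, single byte
            i += 1
            continue
        if i + 1 >= end or header[i + 1] < 2 or i + header[i + 1] > end:
            raise ValueError("malformed TCP option")
        length = header[i + 1]
        opts.append((kind, header[i + 2:i + length]))
        i += length
    return opts

def carries_auto_discovery(header: bytes) -> bool:
    """True when the segment is a SYN (ACK clear) that includes option 33."""
    is_syn = (header[13] & 0x12) == 0x02
    return is_syn and any(kind == WAAS_AD_KIND for kind, _ in tcp_options(header))

def option_stripped(before: bytes, after: bytes) -> bool:
    """Compare the same SYN captured on both sides of a device."""
    return carries_auto_discovery(before) and not carries_auto_discovery(after)

MSS = b"\x02\x04\x05\xb4"
AD = bytes([WAAS_AD_KIND, 12]) + bytes(10)        # constructed payload, not a real WAAS marker
SYN_FROM_WAE = build_syn(MSS + AD)                # constructed: SYN as marked by the local WAE
SYN_AFTER_STRIP = build_syn(MSS + b"\x01" * 12)   # constructed: option overwritten with NOPs

if __name__ == "__main__":
    print("option stripped in transit:", option_stripped(SYN_FROM_WAE, SYN_AFTER_STRIP))
```
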