09-17-2010 10:51 AM
I have a 3800 ISR with Gig0/0 connected to LAN, Serial0/0 connected to WAN, and Gig1/0 connected directly to a WAE-674. I'm using WCCP between the ISR and WAE. The ISR also does IP inspection and call manager express functions.
The "ip inspect in" is configured on the router LAN interface Gi0/0. There is no ip inspect configured for the port connected to WAE or the WAN interface. In this case, do I still need to configure "ip inspect WAAS enable" globally?
One other question: should I also configure "ip inspect" for the router port connected to WAE, as a good practice?
Thanks
Gary
09-17-2010 03:56 PM
Hi Gary,
The purpose of adding the ip inspect command to the interface is to allow the auto-discovery option that goes with the initial SYN packet to carry all the way to the WAE unit on the other side during the initial 3-way TCP handshake. This command tells IOS not to strip off the auto-discovery option.
Hence you really do not need that on the LAN side / interface connected to the WAE. Once the WAE receives the packet with this option, it identifies the peer and starts optimizing from that point onwards.
On the other hand, having this command on those interfaces will not hurt, either.
But you need the ip inspect waas command only if the WAEs across the WAN are not recognizing each other due to a zone-based firewall policy or any other security appliances. Otherwise you are good without this command.
More details can be found here: Configuring Directed Mode
Hope this helps.
Regards.
PS: Please mark this as Answered, if this answers your question.
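To check whether a device in the path is removing the auto-discovery option described in the answer above, compare the initial SYN captured on each side of that device. The following is an added example, not part of the original thread and not Cisco code; it assumes the option is TCP option kind 0x21 (a value from Cisco's WAAS documentation, not from this thread), and the packet bytes and helper names are constructed for illustration.

```python
import struct

# Assumption: kind 0x21 comes from Cisco's WAAS documentation, not from this thread.
WAAS_AD_KIND = 0x21

def tcp_options(hdr: bytes):
    """Parse a raw TCP header and return its options as [(kind, payload)]."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    end = (hdr[12] >> 4) * 4              # data offset, in bytes
    if end < 20 or end > len(hdr):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < end:
        kind = hdr[i]
        if kind == 0:                     # End-of-options
            break
        if kind == 1:                     # NOP: single byte, no length field
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            raise ValueError("malformed option at offset %d" % i)
        opts.append((kind, hdr[i + 2:i + hdr[i + 1]]))
        i += hdr[i + 1]
    return opts

def marker_survived(hdr: bytes) -> bool:
    """True if this is an initial SYN that still carries the WAAS option."""
    opts = tcp_options(hdr)               # validates the header length first
    is_syn = (hdr[13] & 0x12) == 0x02     # SYN set, ACK clear
    return is_syn and any(k == WAAS_AD_KIND for k, _ in opts)

def build_syn(options: bytes) -> bytes:
    """Build a constructed SYN header (checksum left at 0) for the demo."""
    options += b"\x01" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, offset << 4, 0x02, 8192, 0, 0)
    return fixed + options

# Constructed samples: the same SYN before and after a device that blanks unknown options.
MSS = b"\x02\x04\x05\xb4"
AD_OPTION = bytes([WAAS_AD_KIND, 12]) + bytes(10)   # placeholder payload
BEFORE = build_syn(MSS + AD_OPTION)
AFTER = build_syn(MSS + b"\x01" * len(AD_OPTION))   # option overwritten with NOPs

if __name__ == "__main__":
    for name, hdr in (("before", BEFORE), ("after", AFTER)):
        print(name, [hex(k) for k, _ in tcp_options(hdr)], marker_survived(hdr))
```

If the option is present in the capture on the LAN side of a firewall but absent on the WAN side, that firewall is the hop where the WAEs lose sight of each other.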