Okay, here is what I have. I know that this may be under-spec'd, but it is what we have to try and make this work:
(1) 512 for Central Manager
(1) 512 as Core WAE
Here's the deal. All branch sites are connected over a Site-to-site VPN tunnel between ASAs. So, what we have to do on the branch side, is have the Cisco router with the WAE module sit behind the ASA so that the tunnel is already terminated.
My question is regarding the main site (datacenter). If the connection comes into our 3845s and then the tunnel terminates on the ASA, where should the Core-WAE sit? I've attached a Visio of the main site and need to know where it will sit, and where to configure WCCP to act as the Core-router.
I don't see the attachement but are you sure you need WCCP for the one Core WAE? In-path is an option and the Core WAE would be on the unencrypted network interface that leads to the application servers/rest of the network.
If there are routes on your 4500 for the remote sites via the ASA's best place for the WAE would be to hang it off a dedicated subnet on the 4500's. Setup WCCP on the 4500 to redirect traffic for the remote locations to the Cache.
You will need to configure WAAS inspection on both of the ASAs so they don't drop marked packets.
If your 4500 is only bridging, you will have to setup wccp on the core ASAs.
My 4500 is layer 3. So I can hang the Core WAE off this device and configure WCCP on it? Must I upgrade the code to advanced ip services? I believe it is running ip base and does not support those commands.
the software advisor says wccpv2 works with ip base. Youd better check with your type of supervisor.
Looks like we are running a Supe6G and I can't seem to find this on the Software Advisor. Also, it looks as if the ASA doesn't have any wccp global commands. I'm hoping that I can find away around using the ASA and that the 4500 will support this.
If not, would it be possible to add another router to the equation on the inside that will act as the default gateway after the tunnel has been terminated? This way we can configure the wccp here?
Just trying to get a handle on how I can accomplish this with the equipment provided..
The sup6 should support wccp. it's probably just not in the software advisor yet.
From memory, wccp support was added to the ASA in version 7.2 and i think waas inspection in 7.2.2.
Regardless of where you run WCCP, you will NEED to enable waas inspection on the ASAs.
Okay, it looks like I've found documentation on certain 4500 software supporting WCCPv2, but the current code we have on our Supervisor 6-E definitely doesn't have it right now.
I will try and see if we can upgrade and enable WAAS inspection on the ASAs.
I appreciate the help very much.
Last thing, if I get all this figured out: I can just hang the Core-WAE off the 4500 on a different subnet/VLAN from where the normal data comes in? I'm just kind of confused still as to where it should be located. And I know this is key for performance.
The WAE can reside on either a dedicated subnet (where redirection is not enabled) or on the subnet that has redirection enabled.
If it is on the same subnet that already has redirection enabled, you will need to use GRE return to a loopback on the 4500 to circumvent redirection loops. This gets a bit tricky and its not a painless as it sounds.
If it is on it's own subnet, you don't have to worry about the redirect and return methods.
The performance hit comes from either L2 (mac address rewrite) redirection or L3 (GRE encapsulated) redirection. Obviously L2 puts a smaller load on the process but not all machines support it. The WAE can negotiate through WCCP how it will best redirect packets and its best to let it do just that.
So, apparently, the Supervisor 6 will NOT support WCCP at all. Not even a downgraded image. They only run a new LAN based image anyway and it doesn't support WCCP.
So I'm going to advise that they purchase an Inline Adapter for the WAE 512 that is at the Core site.
Will the inline adapter sit in between the ASA and the main L3 switch to intercept traffic? Will this cause any throughput issues for all traffic??