ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get information on WAAS design best practices in the data center and branch offices with Cisco expert Zach Seils. Zach Seils is a technical leader in the Application Delivery group at Cisco, focused on the architecture and network integration of Cisco's next-generation WAN optimization and application acceleration platforms. He frequently engages with partners and Cisco engineers on the design, implementation, and troubleshooting of Cisco Wide Area Application Services (Cisco WAAS). He also collaborates with other Cisco groups on product enhancements, testing, and application services architectures. Previously Zach was in the Cisco Advanced Services Data Center Networking Practice, where he served as a technical leader in application networking services for Cisco's largest customers. He is coauthor of Deploying Cisco Wide Area Application Services (Cisco Press). Prior to joining Cisco, Zach spent six years in senior technical roles at a managed service provider. He holds CCIE certification #7861.

Remember to use the rating system to let Zach know if you have received an adequate response.

Zach might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

24 REPLIES
New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hi Zach,

I have already seen white papers from Oracle/Cisco using Cisco WAAS with Oracle Data Guard from site to site data replication (Active/DR).

However, I would like to know whether Oracle Streams which is another Oracle product used for data replication across sites etc is supported by Cisco WAAS or not.

Oracle Data Guard and Oracle Streams use the same TCP port for replication.

Regards.

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hi Dedra,

I can't find any specific test results for WAAS with Oracle Streams. Is it possible for you to provide a sample packet capture that we can test with in the lab?

Thanks,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hi Zach,

I could only send it via email as it is Production.

If possible please let me know your email id.

Thanks.

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

My email address is seils@cisco.com.

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Do you want our questions posted in here or under another thread?

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Ryan,

You can post the questions here.

Thanks,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

I hope this formats everything how it is laid out on my page.

Question #1 - WCCP 61 and WCCP 62 in a full mesh environment.

service group 61 hashes on the source IP

service group 62 hashes on the destination IP

We have a simple deployment today of 3 remote WAAS boxes, connecting back to a core data center with 2 WAAS boxes.

During our initial setup our Cisco SE noted it is best to align the service groups based on the direction traffic is flowing.

Example:

Remote Site LAN 61 - IN  would hit a Data Center WAN 61 - IN

Data Center LAN 62 - IN  would hit a Remote Site WAN 62 - IN

Design:

The WAAS is located in the same subnet with the users

We use "WCCP Negotiated Return" on all WAAS systems

We do not have a WCCP OUT set on any router interfaces.

Data Center     Development Center     Remote Site
LAN (62)        LAN (62)               LAN (61)
WAN (61)        WAN (61)               WAN (62)

We are deploying 11 new WAVE boxes to multiple data centers and remote sites.  All remote sites need to peer with the data centers.  The Data Centers also need to peer with one another.

How will we be affected by not aligning the WCCP service group 61 and 62 to match the direction of our traffic flow?

Data Center-A     Data Center-B     Data Center-C     Data Center-D
LAN (62)          LAN (62)          LAN (62)          LAN (62)
WAN (61)          WAN (61)          WAN (61)          WAN (61)

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hi Ryan,

I would recommend that you configure service group 61 to intercept connections originating from your largest number of clients across all sites.  For example, if the total number of clients across all of your remote sites is 5x the number of clients located across all of your data center locations, you're most likely to get the best distribution of hosts by using service group 61 (which hashes on the source IP) to intercept the client --> server traffic.

Regards,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

All Branch Offices have been configured to use Service Group 61 on the LAN Interface.  The Branch Office LAN interface is the "Client" interface.  On the Data Center side, Service Group 61 is on the WAN interface, servicing ingress "Client" connectivity.  This is our desired setup when configuring WCCP Service Groups between the Branch Office to Data Center peering.

Branch Office      <== PEERS==>      Data Center-A, B, C, D

LAN = Service Group 61 IN                   WAN = Service Group 61 IN  ===> Desired alignment of Service Group 61 for ingress traffic

WAN = Service Group 62 IN                  LAN = Service Group 62 IN    <=== Desired alignment of Service Group 62 for egress traffic

What I did not see answered above was what the repercussions are when Data Center to Data Center peering WCCP Service groups cannot align in the desired configuration depicted above. See below to illustrate the issue.

Data Center-A      <== PEERS==>       Data Center-B

LAN = Service Group 62 IN                    WAN = Service Group 61 IN  ====> Ingress Service Groups do not align

WAN = Service Group 61 IN                   LAN = Service Group 62 IN    <==== Egress Service Groups do not align

Within the Service Group layout depicted above, the Data Centers being peered cannot align their WCCP Service Groups:

The Data Center LAN Ethernet Interface is always 62, WAN 61

The Branch Office LAN Ethernet Interface is always 61, WAN 62

Will configuring misaligned Service Groups, for ingress and egress traffic flows in the "Data Center--to--Data Center" peers, cause an issue?  If so I need to architect a solution around it.

Further detail of Hub & Spoke topology

40% of our traffic across the MPLS WAN will be Data Center to Data Center, 60% will be Branch Office to Data Center

Data Center A = 1500+ employees with ALL local LAN applications (70% of LAN Servers)

Data Center B = 300+ employees with partial local LAN applications (20% of LAN Servers)

Data Center C = 200+ employees with partial local LAN applications (10% of LAN Servers)

Branch Offices A - Z = 1200+ employees all come to Data Center A, B, or C for LAN applications depending on geographic location or LAN application availability.

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hi Ryan,

Everything will work in the configuration you've described.  The only difference in behavior between the Branch <-> Data Center and Data Center <-> Data Center traffic is load distribution.  For your Branch <-> Data Center traffic, the WAAS device chosen to handle the traffic at a given location is based on the client IP address.  Since the largest number of unique IP addresses traversing the WAN is from your branch clients, this should yield the best possible distribution across a cluster of WAAS devices.

For the Data Center <-> Data Center traffic, it depends on the location of the client (i.e. the initiator of the TCP connection).  In the example you provided, a connection sourced from Data Center A will choose a WAAS device in Data Center A based on the destination IP address.  This means that all traffic leaving Data Center A destined to that server will use the same WAAS device.  When the traffic for that connection enters Data Center B, it will choose a WAAS device based on the source IP address.  So basically connections initiated from your Data Centers will use the destination (i.e. server IP address) for load distribution in the local WAAS cluster.

This isn't to say there is some negative effect to all of this.  It's just something to keep in mind as you monitor the load of your Data Center WAAS devices.  If the load distribution becomes an issue, there are some ways to design around this, but it requires a closer look at your design and a more complex configuration.

Regards,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Perfect answer.  That gives me exactly what I need.

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Can you please explain the usage of service 61 and 62?

The Cisco documentation says to put "61 in" on the LAN interface and put "62 in" on the WAN interface.

Why does Ryan's configuration above seem to use the 61/62 services differently between the data center and the remote sites? Or am I misreading Ryan's posting?

orion8301 wrote:

Branch Office      <== PEERS==>      Data Center-A, B, C, D

LAN = Service Group 61 IN                   WAN = Service Group 61 IN  ===> Desired alignment of Service Group 61 for ingress traffic

WAN = Service Group 62 IN                  LAN = Service Group 62 IN    <=== Desired alignment of Service Group 62 for egress traffic


New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

From what I have learned working with my SE.

You want to line up the Service Groups in the direction of a traffic flow.

Scenario:

Remote office desktop sends a packet destined for your data center.  The first Interface the packet hits on the on-site router is the LAN interface.  Service Group 61 receives an inbound packet on that interface.  The traffic is then forwarded to WAAS, optimized, and forwarded back to the router.  The router forwards the packet out over the WAN and the first interface the Data Center router receives the same packet over is the WAN Interface, which also uses Service Group 61.  This service group looks for the source address of the host making the request and load balances using that address to forward traffic to one of your WAAS cluster members (if you have a cluster).  It will keep that one host bound to that WAAS for the TCP session he has open. If you are familiar with Load Balancers it is similar to Source Address-Affinity or Source-Sticky.

The same is true for the outbound traffic, but in the reverse order.  The Data Center reply will hit the Data Center LAN interface on Service Group 62 IN, it will redirect to a WAAS based on the Destination Address.  If you are familiar with Load Balancers it is similar to Destination Address-Affinity or Dest-Sticky.  Since the source address in Service Group 61 and destination address in Service Group 62 are the same address for this TCP session (mapped via the random local source port the user initiated his traffic over), the Routers and WAAS are able to keep that single TCP transaction bound to one WAAS cluster member. This allows you to see both sides of the conversation under the monitor section of your Central Manager in the "Connection Statistics".

Remote Office To Data Center (Inbound Request)

Service Group 61 (LAN Remote Router)

Service Group 61 (WAN Data Center Router)

Data Center back to Remote Office (Outbound Response)

Service Group 62 (LAN Data Center Router)

Service Group 62 (WAN Remote Router)

==========> Traffic IN

  61                61

(X)       (X)

  62                62

<=========  Traffic OUT

The experts may have more to add. This was the reason for my concern above. My architecture did not lend itself well to a Multi-Data Center model.  Branch Office to Data Center Service Groups line up perfectly, however Data Center to Data Center did not.  I am not sure if I will have solid reporting of traffic optimization under the monitor section of Central Manager.

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Good summary, Ryan.

I'm not sure I understand your reporting concern.  Can you please elaborate?

Thanks,

Zach

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

These two service groups, collectively known as the tcp-promiscuous service, intercept/redirect all TCP traffic.  The only difference between the two services is that 61 looks at the source IP address and 62 looks at the destination IP address for determining how to distribute traffic across a cluster of multiple WAAS devices at a site.

Since it is possible to place the services in both directions (in/out) on an interface, a better way to think about their use is that service 61 should intercept client-to-server traffic and service 62 should intercept server-to-client traffic.  On a branch router, this could result in the following configuration options:

  • 61 in on LAN interface, 62 in on WAN interface
  • 61 in on LAN interface, 62 out on LAN interface
  • 61 out on WAN interface, 62 in on WAN interface

The recommendation to have the load distribution happen based on the client IP address is based on the assumption that there are more clients than servers and that the majority of the connections are initiated from the clients.  This makes it statistically more likely that you will get a better distribution of clients across your cluster.  This scheme works out well when you have clients in remote locations and the servers/applications they access hosted in separate locations (without clients).  The challenge, as seen with Ryan's post, is when you have a number of sites with a combination of both clients and servers.  In these cases, you basically have to choose which community of clients (those in sites by themselves or those co-located with servers) you are going to tune the load distribution for.  In my experience, you generally still have a larger number of clients outside of your data center locations, and that's what you would tune the load distribution for.

Regards,

Zach
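
An added illustration, not part of any post in this thread: a small Python model of the load-distribution behaviour described in the replies above, showing that either placement of service groups 61 and 62 keeps both directions of a connection on one WAAS device, while only the client-keyed placement spreads many clients across the cluster. The cluster names, the addresses and the SHA-256 stand-in for the WCCP hash are assumptions made for the example.

```python
import hashlib
import ipaddress
from collections import Counter

CLUSTER = ["WAAS-1", "WAAS-2"]  # constructed two-device cluster at one site


def pick_waas(ip, cluster=CLUSTER):
    """Map one IP address to a cluster member.

    Assumption: SHA-256 stands in for the WCCP hash, which is not
    reproduced here; only "same address -> same device" matters.
    """
    digest = hashlib.sha256(ipaddress.ip_address(ip).packed).digest()
    return cluster[digest[0] % len(cluster)]


def redirect(service_group, src_ip, dst_ip):
    """Service group 61 keys on the source IP, 62 on the destination IP."""
    if service_group == 61:
        return pick_waas(src_ip)
    if service_group == 62:
        return pick_waas(dst_ip)
    raise ValueError("tcp-promiscuous uses service groups 61 and 62")


def waas_for_connection(client_ip, server_ip, c2s_group):
    """Device chosen at one site for both directions of a TCP connection.

    c2s_group intercepts client-to-server packets; the other group
    intercepts the server-to-client packets of the same connection.
    """
    s2c_group = 62 if c2s_group == 61 else 61
    forward = redirect(c2s_group, src_ip=client_ip, dst_ip=server_ip)
    reverse = redirect(s2c_group, src_ip=server_ip, dst_ip=client_ip)
    if forward != reverse:
        raise RuntimeError("connection split across two WAAS devices")
    return forward


def site_load(clients, server_ip, c2s_group):
    """Connections per device when every client opens one connection."""
    return Counter(waas_for_connection(c, server_ip, c2s_group) for c in clients)


# Constructed sample: 200 clients in one /24, all talking to one server.
CLIENTS = [f"10.1.0.{i}" for i in range(1, 201)]
SERVER = "10.200.0.10"

if __name__ == "__main__":
    # 61 on client->server: keyed on the client IP, load is spread.
    print("61 on client->server:", dict(site_load(CLIENTS, SERVER, 61)))
    # 62 on client->server: keyed on the server IP, one device takes it all.
    print("62 on client->server:", dict(site_load(CLIENTS, SERVER, 62)))
```

The second case corresponds to the Data Center A side of the Data Center to Data Center example, where connections initiated locally are distributed on the server address.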

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

It sounds like you are saying that an in/out directionality mismatch doesn't break acceleration.  But, it works "better" when they line up.

We have 2 data center sites and 100 branch sites.  Do you suggest that the 2 data center sites get the "opposite" in/out directionality from the branches?

e.g.

Data center:  62 in on LAN interface, 61 in on WAN interface

Branches: 61 in on LAN interface, 62 in on WAN interface

Then if there are a few people at the data center site accessing data from a branch, it will still be accelerated, just not as clean.  The vast majority of the people are at branches accessing the data center.

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Yes, that's correct.  It doesn't break acceleration, it just affects load distribution across the cluster.  In the example you provided, I would definitely tune the deployment for the best load distribution for the branch clients (i.e. use service 61 to intercept client --> server traffic).

Regards,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Any performance gain between WAAS version 4.1.3b and 4.1.7? What specific version do you recommend for a demo for a customer (more stable and with fewer bugs)?

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

I would recommend using 4.1(7) for demos, pilots, and new deployments.  There are a number of important defects resolved between 4.1(3b) and 4.1(7).

Regards,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hello Zach Seils,

I have a couple of questions here for my WAAS HA implementation.

1 - What cables should I use between Firewall (ASA 5500) and WAAS on the LAN side and on the WAN side to the Switch (WS-C6509-E) using inline deployment so as if I put the WAAS under passthrough (Shutdown) mode it works?

2 - In order to have High Availability using 2 x WAAS 7341 and inline card, I need to connect the WAAS devices like the attached file "WAAS HA Inline Cabling.vsd"?

3 - I've configured the inlinegroup 1/0 and 1/1 of each WAAS with failover timeout 3 so how can I force it to failover through CLI, if possible?

4 - Do I need to configure direct mode on a WAAS that is after the firewall? We don't have WAAS on the remote sites. Check attached file "Topology.vsd"

Thanks a lot for any help

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Here are the answers for your questions:

1 - What cables should I use between Firewall (ASA 5500) and WAAS on the LAN side and on the WAN side to the Switch (WS-C6509-E) using inline deployment so as if I put the WAAS under passthrough (Shutdown) mode it works?

See Table 3 in the following guide:


Installing the Cisco WAE Inline Network Adapter

You can treat the firewall as a "router" for purposes of this guide.

2 - In order to have High Availability using 2 x WAAS 7341 and inline card, I need to connect the WAAS devices like the attached file "WAAS HA Inline Cabling.vsd"?

The result of this physical cabling scheme is that one WAE will handle traffic for one switch-to-firewall link and the other WAE will handle traffic for the other.  Is that your intended result?

3 - I've configured the inlinegroup 1/0 and 1/1 of each WAAS with failover timeout 3 so how can I force it to failover through CLI, if possible?

You can force an inline group into bypass operating mode by shutting down (i.e. shutdown) the inline group in interface configuration mode.

4 - Do I need to configure direct mode on a WAAS that is after the firewall? We don't have WAAS on the remote sites. Check attached file "Topology.vsd"

Not based on this diagram.  The firewalls are on the "LAN" side of WAAS, so they will see the unoptimized traffic.

Please let us know if you have any more questions.

Regards,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hello Zach,

Some additional questions:

1 - The Firewall and switch are using FastEthernet Ports so to the Switch side I should use Straight-through and to the Firewall I should use Crossover, right? I've used the Table 4 of the link you provided.

2 - Yes, that is exactly what I want as one pair of switch-to-firewall link will be in use at a time. Just to double check, if the first WAAS fails the second one will assume the optimization based on that layout? I've just added the failover timeout 3 on each one of the inlinegroup on both devices.

3 - Thanks a lot for your answer as I was very confused if shutting down the interface will address any failover test as on the WAAS it will put that in bypass mode.

4 - Thanks to confirm that.

Cisco Employee

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

1 - The Firewall and switch are using FastEthernet Ports so to the Switch side I should use Straight-through and to the Firewall I should use Crossover, right? I've used the Table 4 of the link you provided.

This is correct.

2 - Yes, that is exactly what I want as one pair of switch-to-firewall link will be in use at a time. Just to double check, if the first WAAS fails the second one will assume the optimization based on that layout? I've just added the failover timeout 3 on each one of the inlinegroup on both devices.

Typically I have seen the devices cabled like this:

Just looking at it, I think what you are proposing will work.  Let me think about it today and post another update.

Regards,

Zach

New Member

Re: ASK THE EXPERTS - WIDE AREA APPLICATION SERVICES

Hello Zach,

Each one of the inline cards are for different WAAS so my idea was to connect each pair of Firewall-Switch to a different device (Card).

I'm going to implement this design on Wednesday.
