PDF - Complete Book

INDEX
passthrough
Numerics
TFO only
10 Gigabit Ethernet interfaces
modifying
13-53
13-53
TFO with DRE (Adaptive Cache)
6-7
13-53
TFO with DRE (Bidirectional Cache)
13-53
TFO with DRE (Unidirectional Cache)
TFO with LZ compression
A
types
configuring
AAA-based management systems
charts
default
1-6
TCP adaptive buffering settings
TCP settings
7-4
for WAEs
13-62
7-2
local database description
13-60
overview of
accelerators
enabling
7-12
TACACS+ overview
13-55
7-14
Windows domain overview
accounts
creating
alarm overload detection, enabling
8-2
system dashboard window
8-2
roles-based
device reporting
alerts
8-8
17-3
17-4
17-5
application acceleration
ACL
interception
10-23
alarms
8-2
8-1
viewing
7-26
alarm panel
8-6
local CLI
7-17
administrative login authentication failover
8-4
creation process
deleting
7-6
7-1
RADIUS overview
13-3
accelerator threshold
types
17-13
administrative login authentication and authorization
1-6, 13-1
features
13-62
adding
2-26, 7-2
acceleration
about
16-34
adaptive buffering, TFO
7-31
13-53
13-53
activating devices
AAA accounting
13-53
about
5-28
enabling
See also IP ACL
13-3
application classifiers
action
full optimization (adaptive cache)
1-6, 13-1
creating
13-53
full optimization (bidirectional cache)
full optimization (unidirectional cache)
13-53
13-53
13-50
match condition
restoring
13-52
13-57
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
IN-1
Index
application definition
creating
devices to more than one device group
audit trail logs
13-49
application list, viewing
viewing
13-55
application policy
creating
default feature values
13-50
restoring defaults
13-57
configuring
7-12, 7-14
authorization
default feature values
applications
monitoring
7-2
authentication servers
13-58
13-48
autodiscover
13-57, 17-2
AppNav
7-4
1-20
autoregistration
adding and removing devices
AppNav Cluster
DHCP server requirements
4-30
4-1
AppNav Controller Group
B
4-2
appnav-controller interception
5-56
AppNav Controller Interface Modules
class maps
4-3
WAE devices
4-14
configuring class maps
4-19
configuring policy rules
connecting tracing
4-37
controller settings
4-28
deployment models
interface wizard
4-22
16-9
16-10
cms database
16-9
virtual blade
14-11
banners
configuring
BIC TCP
4-2
7-10
1-6
BMC
4-17
monitoring cluster
enabling IPMI over LAN
4-34
enabling IPMI SoL
4-5
firmware update
4-4
WAAS Node
11-6
backup and restore
4-1, 4-10
service context
configuration files
WAAS Central Manager
4-26
cluster wizard
configuring
backing up
4-4
cluster settings
2-8
4-2
AppNav Controller
policy
7-4
authentication databases, types of
13-48
preparation tasks
policies
7-33, 17-57
authentication
creation process
position
3-7
bootflags
4-2
10-25
16-21
assigning physical interface
4-2
creating
WAAS node group settings
WAAS node settings
10-27
bridge group
4-2
WAAS Node Group
10-26
4-30
6-18
bridge virtual interface
4-29
creating
assigning
6-19
browser support
devices to a preposition directive
devices to device groups
6-19
2-10
12-16
3-5
coherency
C
age-based validation
CDP
compression, about
configuring
6-26
cdp enable command
cdp run command
1-6
conditions
5-40
modifying or deleting from IP ACLs
5-40
congestion windows, about
Central Manager. See WAAS Central Manager
6-23
viewing TCP connections
adding
17-13
Connections Statistics report
customizing
17-10
connection tracing
descriptions
17-14
controlled shutdown
settings
17-14
core WAE, about
ports used
2-6
preparing for
12-7
16-35
16-9
1-9
recovering from
12-19
16-18
creating
CIFS accelerator
enabling
17-40
corrupted system images
using SMB accelerator for
configuring
17-40
4-37
copy disk ftp command
12-1
accounts
12-8
8-4
application classifier
13-3
13-50
application definition
CifsAO WAE Device Manager option
CIFS configuration process
11-19
application policy
12-8
local user
Cisco.com
16-3
13-49
13-50
8-4
match condition
obtaining software files from
13-52
new software file
16-3
Cisco Discovery Protocol. See CDP
preposition directive
12-11
classifier, creating
preposition schedule
12-17
13-50
classifier report, viewing
13-56
clear statistics all command
current software version
7-25
determining
clear statistics authentication command
7-25
D
CLI user
8-4
dashboard
clock
setting
16-3
7-25
clear statistics windows-domain command
creating
9-6
connections
charts
CIFS
12-4
customizing
10-5
clustering in inline mode
5-53
cms database
device
17-8
system
17-1
database backup
backup and restore procedure
16-9
17-10
16-9
data coherency, about
cms database backup command
16-9
data concurrency, about
cms database restore command
16-10
data migration
12-3
12-5
2-28
data redundancy elimination, about
1-6
debug command
impact of assigning to multiple groups
17-60
default status, restoring
overriding device group settings
16-11
deleting
accounts
8-6
device groups
locations
roles
16-34
topology
17-40
viewing group assignments
3-6
viewing information for
3-10
Devices window
8-13
software files
user groups
interface-level
17-4
rebooting
diagnostic tests
16-34
configuring
recovering from
3-5
disk encryption
3-4
creation process
configuring extended object cache
monitoring
3-7
Disks report
3-6
17-42
3-8
6-26
domains
Device Home window. See Device Dashboard window
about
device locations
adding entities
8-14
8-15
assigning to user accounts
3-9
creating
3-10
assigning to user groups
deleting
3-10
creating
8-14
deleting
8-16
17-58
device registration information
modifying and deleting
viewing
16-23
devices
downgrading
activating
16-32
17-42
DNS, configuring
3-7
setting configuration precedence
device logs, viewing
16-31
disks
3-7
force group settings
overriding settings
16-30
configuring error-handling methods
3-2
3-6
enabling overlap
16-22
disk handling
3-3
recovering
5-16
disk-based software, missing
adding and removing devices
about
2-8
6-28
disabling WCCP flow redirection
3-1
deleting
2-9
17-59
directed mode
17-8
device groups
creating
2-8
requirements for autoregistration
10-5
Device Dashboard window
about
6-14
DHCP server
1-20
clock setting
17-6, 17-36, 17-40
configuring interfaces for
8-20
autodiscovery
3-6
17-6
for autoregistration
alarms
3-8
DHCP
16-8
device
list
restarting
3-9
DRE, about
16-34
adding to device groups
8-19
8-16
8-17
16-3
1-6
DRE settings
3-5
adding to multiple device groups
8-15
3-7
configuring
13-7
DSCP
13-54
F
global default
13-57
failover, for administrative login authentication
dynamic shares
creating for CIFS accelerator
12-9
creating for SMB accelerator
12-19
fast offline detection
about
10-22
configuring
10-21
file locking, about
E
12-5
File Server Rename utility
edge WAE, about
supported
egress methods
file services
5-29
email server settings for reports
enable command
about
10-24
12-8
1-8
1-8
preparing for
optimization and accelerators
12-7
SMB configuration process
13-3
firewall, configuring for
18-13
SNMP agent
virtual blade
corrupted
13-49
6-28
16-18
flow monitoring
14-3
WCCP flow redirection
configuring
5-16
17-48
force group settings
encryption
3-7
full optimization (adaptive cache) action
16-30
enabling secure store
10-10
13-53
full optimization (bidirectional cache) action
full optimization (unidirectional cache) action
entities
adding to domains
enabling
13-53
13-53
8-15
EPM accelerator
G
13-3
generic GRE egress method
errors
disk drives
configuring
Gigabit Ethernet interfaces
modifying
6-10
6-7
GRE encapsulation
Exec timeout
configuring
5-29
generic routing encapsulation. See GRE encapsulation
16-31
EtherChannel
5-15
GRE tunnel, configuring on router
5-31
groups. See user groups
6-23
extended object cache
5-14, 5-15
GRE packet forwarding
7-11
explicit congestion notification
about
12-19
flash memory
18-11
traffic statistic collection
disk
12-7
features
7-15
enabling
SNMP
11-19
file servers
1-9
configuring
7-26
16-32
H
hardware clock
10-5
hardware devices supported
high bandwidth WAN link
IP access control lists. See IP ACL
2-10
IP ACL
2-7
HTTP accelerator
configuring
enabling
13-7
adding conditions to
9-3
applying to interface
9-6
associating with application
13-3
HTTPS settings
conditions, modifying or deleting
13-7
configuration constraints
creating new
I
deleting
ICA accelerator
configuring
13-27
increased buffering
inline mode
1-5
interface settings
serial clustering
9-7
2-25
on WAEs
2-25
overview
9-1
about
5-52
2-9
10-24
enabling
5-45
10-27
IP routes
16-11
intelligent message prediction
10-26
enabling SoL
5-42
installing system software
configuring
1-6
6-25
ip wccp command
interception
appnav-controller
5-10
5-33
5-55
K
5-11
kernel debugger
5-28
enabling
interface
assigning to bridge group
17-59
6-19
interface-level DHCP
description
5-9
ip web-cache redirect command
5-42
interception ACL
5-10
ip wccp redirect-list command
5-56
policy-based routing
L
2-9
2-8
Layer 2 redirection
interface module inline mode
5-42
5-16
LDAP server signing
interfaces
11-11, 11-13
configuring on a Microsoft server
configuring
6-6
IPMI over LAN
inline network adapter card
note
9-3
on routers
static
5-53
VLAN ID check
WCCP
9-2
multiple, configuring on single interface
5-51
5-46
VLAN configuration
VPATH
9-6
IP addresses
5-42
configuring IP address
inline
9-6
6-1
configuring virtual
configuring on a WAE
6-14
disabling on a WAE
manually configuring for DHCP
WAAS Express optimization
6-14
overview of
7-24
7-24
7-25
7-23
6-16
licenses
match condition, creating
10-3
line console carrier detection
configuring
load balancing
maximum segment size
viewing
1-22, 5-12, 6-13
local CLI accounts, about
configuring
8-4
7-10
MIBs
supported
3-9
creating
3-10
deleting
3-10
viewing
18-4
MIB traps
configuring using the WAE Device Manager
location tree
migration, data
2-28
recovering from
configuring system logging
message priority levels
transaction log format
transaction logging
viewing device logs
applications
17-53
13-57, 17-2
chart descriptions
chart settings
17-53
17-14
17-14
creating custom reports
17-57
disk information
17-58
viewing system messages
16-22
monitoring
17-51
B-1
viewing audit trail log
predefined reports
WAE Device Manager
17-48
17-35
resource utilization
11-1
login access
system status
17-44
17-42
flows with NetQoS
17-56
login
controlling
17-42
17-5
using the WAE Device Manager
7-7
login authentication
with SNMP
18-1
configuring on single interfaces
logs
severity levels in the WAE Device Manager
viewing in the WAE Device Manager
lost administrator passwords
16-21
LZ compression, about
11-27
N
NAM
1-6
15-1
NAS appliances
1-20
10-2
NAT configuration
M
NetBIOS
MAPI accelerator
configuring
enabling
10-2
6-6
11-28
NAT address
management IP address
11-23
multiple IP addresses
2-26, 7-1
recovering
11-9
missing disk-based software
3-11
logging
about
17-56
message of the day settings
8-2
locations
about
13-61
message logs
7-11
local user, creating
13-52
10-2
10-2
NetQoS monitoring
17-48
network
13-11
13-3
viewing information for
17-1
Network Analysis Module integration
15-1
Network Time Protocol. See NTP
network traffic analyzer tool
ports
139
17-60
NFS accelerator
enabling
bypassing
445
13-3
notification settings
for alerts
2-6
position, application policy
power failure
10-24
NTP, configuring
2-7
2-6
used in CIFS
11-15
for reports
2-6
13-58
16-18
preposition
10-5
about
O
obtaining software files
12-5
checking status of
12-18
creating directive
12-11
scheduling
16-3
operation prediction and batching
12-17
viewing in the WAE Device Manager
1-6
print accelerator
optimization
configuring on WAAS Express interfaces
enabling global features
6-16
11-20
1-9
print services
about
13-3
1-9
priority levels
17-53
P
R
packet forwarding method
Layer 2 redirection
Layer 3 GRE
packet return
5-14
RADIUS
5-16
authentication overview
5-15
configuring server
5-15
passthrough action
database
13-53
changing account
RAID
8-6, 8-7
recovering administrator
PBR, about
7-2
rebooting devices
1-21
13-61
recovering
configuration of interception
5-33
policy report, viewing
5-39
assigning physical interfaces
lost administrator passwords
system software
13-56
redirection methods
port channel interfaces
6-12
6-10
load balancing
device registration information
16-23
from missing disk-based software
2-21
verifying next-hop availability
configuring
10-4
16-34
receive buffer size
1-21
overview of
7-4
1-22
RCP services, enabling
16-21
policy-based routing
about
7-12
default configuration
passwords
7-12
6-13
16-22
16-21
16-18
5-1
registering
WAAS Express device
10-27
WAEs in the WAE Device Manager
reinstalling system software
11-6
16-11
remote login
router
controlling access
configuring WCCP transparent redirection on
7-7
5-6
reports
configuring email server settings
Connections Statistics
creating custom
customizing
editing
17-40
17-44
preposition
reports
17-35
Topology
17-42
host keys
17-40
17-45
rescue system image
configuring
disabling
17-42
16-34
application policies
13-57
WAE devices
10-12
disk encryption
11-7
10-13
16-30
enabling secure store
16-9
16-10
16-11
retransmit time multiplier
10-10
selective acknowledgement
send buffer size
WAE to default condition
10-13
security
13-57
WAAS Central Manager
1-5
13-61
send TCP keepalive
13-60
serial clustering in inline mode
6-23
service context, AppNav
roles
5-53
4-2
service password
8-9
configuring
assigning to user accounts
assigning to user groups
creating and managing
deleting
8-12
8-18
8-10
8-13
roles-based accounts
set ip next-hop verify-availability command
shadow copy for shared folders
5-41
12-6
5-40
show command utility
8-13
read-only access to services
viewing settings
5-10
show cdp neighbors command
8-13
modifying and deleting
about
10-17
enabling on standby Central Manager
application classifiers
viewing
10-10
enabling on WAE
configuration files
10-15
enabling on Central Manager
restoring
about
7-8
changing key and password
5-1
16-18
resource utilization report
about
7-7
secure store
request redirection methods
restarting devices
17-46
configuring
17-46
viewing custom
12-17
secure shell
resource utilization
scheduling
1-5
scheduling
17-43
predefined
S
SACK, about
17-10
17-45
managing
10-24
8-10
for troubleshooting
17-61
show version command
16-20
shutting down WCCP
8-13
5-26
Simple Network Management Protocol. See SNMP
site and network planning
2-4
8-2, 8-3
SMB accelerator
standby Central Manager
configuring
SNMP
switching to primary
12-19
standby groups
1-23
asset tag setting
of interfaces
18-24
community settings
assigning physical interfaces
18-12
configuring using the WAE Device Manager
contact settings
enabling
configuring
11-8
static IP addresses
18-13
enabling SNMP agent
11-5
2-9
static IP routes
18-11
enabling traps
18-14
configuring
group settings
18-21
statistics, collecting
host settings
6-6
starting WAE components
18-16
6-25
13-49
stopping WAE components
18-18
manager
11-5
system configuration settings
creating
preparation
viewing system-wide information
18-1
security models and security levels
versions supported
viewing log
18-24
recovering
18-3
17-56
system software
10-5
recovering
software files
obtaining from Cisco.com
16-3
16-11
software upgrades
16-3
for multiple devices
monitoring
16-7
16-1
17-5
T
TACACS+
software version
determining
16-18
system status
10-3
software recovery
16-18
17-51
viewing
16-18
software licenses
17-56
system message log
18-20
using
software clock
authentication and authorization, overview of
16-3
SSL
database
13-28
7-14
7-2
default configuration
configuring
17-53
system image
software
recovering
17-51
message priority levels
18-22
view settings
configuring
18-4
18-4
trap source settings
user settings
17-1
system event logging
18-13
supported MIBs
10-17
system dashboard
18-3
monitoring with
6-6
6-3
primary interface
18-24
defining custom traps
6-3
standby interfaces
18-19
configuration process
process
16-28
7-4
enable password attribute
7-15
TACACS+ server
configuring
taskbar icons
traceroute
track command
7-14
5-41
traffic statistics collection, enabling
1-15
TCP
traffic statistics report
congestion windows
parameter settings
retransmit timer
slow start
transaction logging
6-23
configuring
6-21
log format
6-23
viewing connections
17-54
B-1
defining SNMP
17-60
enabling
1-5
TCP promiscuous mode service
5-6
18-16
18-14
triggers
defining SNMP
2-24
Telnet services
enabling
17-53
traps
17-40
TCP initial window size, about
overview of
17-14
transparent redirection, configuring on a router
6-24
tcpdump command
13-49
17-2
chart descriptions
6-23
explicit congestion notification
18-16
troubleshooting
CLI commands
7-9
Ten Gigabit Ethernet interfaces
modifying
tethereal command
with TCPdump
17-60
with Tethereal
17-60
1-4
TFO adaptive buffering
BIC TCP
1-6
compression
13-53
17-60
17-61
Troubleshooting Devices window
17-5
U
1-6
2-10
upgrading
increased buffering
1-5
device groups
selective acknowledgement
1-5
process
TCP initial window size maximization
TFO only action
1-5
16-7
16-1
WAAS Central Manager device
1-5
13-53
adding domain entities
13-53
TFO with DRE (Bidirectional Cache) action
TFO with DRE (Unidirectional Cache) action
time zones
assigning to domains
13-53
13-53
8-15
8-15
audit trail logs
viewing
7-33, 17-57
changing passwords
location abbreviations
10-7
creating
parameter settings for
10-5
creation process
17-40
16-5
user accounts
TFO with DRE (Adaptive Cache) action
Topology report
17-60
with WAAS TCP Traceroute
Unicode support
Windows scaling
17-59
13-62
TFO and LZ compression action
1-4
17-61
with Central Manager diagnostic tests
TFO
TFO features
17-60
using show command utility
6-7
test command for troubleshooting
about
17-61
deleting
8-6, 8-7
8-4
8-2
8-6
deleting domains
domains
starting and stopping
8-16
virtual interfaces
8-14
managing
modifying
8-7
modifying and deleting
VLAN ID check
assigning to
creating
5-44
VPATH interception
8-10
viewing
5-45
VLAN support
8-12
modifying and deleting
virtual interface configuration
VPATH interception
8-8
user groups
8-17
8-18
assigning to domains
W
benefits
8-19
1-19
interfaces
creating
8-18
deleting
8-20
backing up
viewing
8-20
restoring
UTC offsets
10-8
upgrading
1-10
WAAS Central Manager
See also GMT offsets
16-9
16-9
16-5
WAAS Central Manager GUI
about
1-10
accessing
V
1-11
components
version of software
taskbar icons
16-3
video accelerator
WAAS CLI, about
1-12
1-15
1-18
WAAS Express
13-22
configuring a device certificate
13-3
viewing
configuring an NTP server
application list
configuring a user
13-55
classifier report
policy report
role settings
10-32
10-33
10-30
configuring optimization on interfaces
13-56
logs in the WAE device manager
11-27
enabling HTTP secure server
installing a license
8-13
configuring
14-11
14-1, 14-4
copying disk image to
14-10
10-31
10-33
registering with the Central Manager
backing up and restoring
6-16
10-32
importing Central Manager certificate
13-56
virtual blade
enabling
5-55
WAAS
assigning roles to
enabling
6-14
8-17
user authentication. See login authentication
configuring
5-55
vWAAS
8-13
8-13
viewing domains
about
6-14
virtualization. See virtual blade
8-6
roles
viewing
14-8
registration process overview
10-34
10-27
reimporting a certificate to the Central Manager
10-34
14-3
WAAS interfaces
CLI
WCCP-based routing
advanced configuration for a router
1-18
WAAS Central Manager GUI
WAE Device Manager GUI
advantages and disadvantages
1-10
configuration guidelines
1-17
WAAS networks
network planning for
WAAS services, about
configuring
2-11
2-10
Windows Authentication
2-18
checking the status in the WAE Device Manager
11-13
1-4
WAAS TCP Traceroute
17-61
configuring in the Central Manager
WAE Device Manager
7-17
configuring using the WAE Device Manager
1-17, 11-1
Configuration option
Windows domain server settings
11-8
Control option for the WAE
Windows name services
11-4
11-3
Notifier tab
11-15
Windows scaling, about
11-10
7-17
6-27
Windows print accelerator, about
logging out
1-9
1-5
11-2
Utilities option
workflow
5-4
10-20
web browser support
2-1
traffic redirection methods
quick tour
2-20
web application filter
and IOP interoperability
about
5-6
11-17
11-3
WAE devices
backing up
16-10
controlled shutdown
16-35
modifying configuration properties
restoring
16-10
supported
2-10
WAE packet return
10-1
5-15
WAFS. See CIFS
WAFS Cache Cleanup utility
WAVE devices supported
11-18
2-10
WCCP
about
1-21, 5-3, 5-11
Cisco Express Forwarding (CEF)
configuring interception on SCs
5-15
5-22
configuring interception on WAEs
5-17
flow redirection, enabling and disabling
GRE packet return
ports used
5-16
5-29
2-6
shutting down
5-26
Preface
This preface describes who should read the Cisco Wide Area Application Services Configuration Guide,
how it is organized, and its document conventions. It contains the following sections:
• Audience, page 21
• Document Organization, page 21
• Document Conventions, page 23
• Related Documentation, page 24
• Obtaining Documentation and Submitting a Service Request, page 24
Audience
This guide is for experienced network administrators who are responsible for configuring and
maintaining the Cisco Wide Area Application Services (WAAS) network.
You should be familiar with the basic concepts and terminology used in internetworking, and understand
your network topology and the protocols that the devices in your network can use. You should also have
a working knowledge of the operating systems on which you are running your WAAS network, such as
Microsoft Windows, Linux, or Solaris.
Document Organization
This guide is organized as follows:
Chapter 1, Introduction to Cisco WAAS: Provides an overview of the WAAS product and its features.
Chapter 2, Planning Your WAAS Network: Provides general guidelines and preparation information you should read before installing the WAAS product in your network.
Chapter 3, Using Device Groups and Device Locations: Describes how to create groups that make it easier to manage and configure multiple devices at the same time. This chapter also covers device locations.
Cisco Wide Area Application Services Configuration Guide
OL-23593-01
Chapter 4, Configuring AppNav: Describes how to configure your WAAS network using the AppNav deployment model.
Chapter 5, Configuring Traffic Interception: Describes the WAAS software support for intercepting all TCP traffic in an IP-based network.
Chapter 6, Configuring Network Settings: Describes how to configure interfaces and basic network settings like DNS and CDP.
Chapter 7, Configuring Administrative Login Authentication, Authorization, and Accounting: Describes how to centrally configure administrative login authentication, authorization, and accounting for WAEs in your WAAS network.
Chapter 8, Creating and Managing Administrator User Accounts and Groups: Describes how to create device-based CLI accounts and roles-based accounts from the WAAS Central Manager GUI.
Chapter 9, Creating and Managing IP Access Control Lists for WAAS Devices: Describes how to centrally create and manage Internet Protocol (IP) access control lists (ACLs) for your WAEs.
Chapter 10, Configuring Other System Settings: Describes how to perform various other system configuration tasks such as specifying an NTP server and setting the time zone on a device.
Chapter 11, Using the WAE Device Manager GUI: Describes how to use the WAE Device Manager GUI to configure and manage individual WAEs in your network.
Chapter 12, Configuring File Services: Describes how to configure Common Internet File System (CIFS) acceleration, which allows branch office users to more efficiently access data stored at centralized data centers.
Chapter 13, Configuring Application Acceleration: Describes how to configure the application policies on your WAAS system that determine the types of application traffic that is accelerated over your WAN.
Chapter 14, Configuring Virtual Blades: Describes how to configure virtual blades, which emulate another computer in your WAAS device.
Chapter 15, Configuring the Network Analysis Module: Describes how to configure and use the Cisco Network Analysis Module (NAM) in the WAAS Central Manager.
Chapter 16, Maintaining Your WAAS System: Describes the tasks you may need to perform to maintain your WAAS system.
Chapter 17, Monitoring and Troubleshooting Your WAAS Network: Describes the monitoring and troubleshooting tools available in the WAAS Central Manager GUI that can help you identify and resolve issues with your WAAS system.
Chapter 18, Configuring SNMP Monitoring: Describes how to configure SNMP traps, recipients, community strings and group associations, user security model groups, and user access permissions.
Appendix A, Predefined Optimization Policy: Lists the predefined applications and classifiers that WAAS will either optimize or pass through based on the policies that are provided with the system.
Appendix B, Transaction Log Format: Describes the transaction log format.
Document Conventions
Command descriptions use these conventions:
boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
[ ]: Elements in square brackets are optional.
[x|y|z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
Screen examples use these conventions:
screen font: Terminal sessions and information the switch displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
< >: Nonprinting characters, such as passwords, are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
This document uses the following conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Tip: Means the following information will help you solve a problem. Tips might not be troubleshooting or even an action, but could help you save time.
Related Documentation
For additional information on the Cisco WAAS software and hardware, see the following documentation:
• Release Note for Cisco Wide Area Application Services
• Cisco Wide Area Application Services Upgrade Guide
• Cisco Wide Area Application Services Command Reference
• Cisco Wide Area Application Services Quick Configuration Guide
• Cisco Wide Area Application Services Configuration Guide (this manual)
• Cisco Wide Area Application Services API Reference
• Cisco WAAS Troubleshooting Guide for Release 4.1.3 and Later
• Cisco Wide Area Application Services Monitoring Guide
• Cisco Wide Area Application Services vWAAS Installation and Configuration Guide
• Cisco WAAS Installation and Configuration Guide for Windows on a Virtual Blade
• Configuring WAAS Express
• Cisco WAAS on Service Modules for Cisco Access Routers
• Cisco SRE Service Module Configuration and Installation Guide
• Configuring Cisco WAAS Network Modules for Cisco Access Routers
• WAAS Enhanced Network Modules
• Regulatory Compliance and Safety Information for the Cisco Wide Area Virtualization Engines
• Cisco Wide Area Virtualization Engine 294 Hardware Installation Guide
• Cisco Wide Area Virtualization Engine 594 and 694 Hardware Installation Guide
• Cisco Wide Area Virtualization Engine 7541, 7571, and 8541 Hardware Installation Guide
• Cisco Wide Area Virtualization Engine 274 and 474 Hardware Installation Guide
• Cisco Wide Area Virtualization Engine 574 Hardware Installation Guide
• Regulatory Compliance and Safety Information for the Cisco Content Networking Product Series
• Cisco Wide Area Application Engine 7341, 7371, and 674 Hardware Installation Guide
• Installing the Cisco WAE Inline Network Adapter
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
Chapter 1
Introduction to Cisco WAAS
This chapter provides an overview of the Cisco WAAS solution and describes the main features that
enable WAAS to overcome the most common challenges in transporting data over a wide area network.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, WAE
Network Modules (the NME-WAE family of devices), SM-SRE modules running WAAS, and vWAAS
instances.
This chapter contains the following sections:
• About Cisco WAAS, page 1-1
• Key Services of Cisco WAAS, page 1-4
• Overview of the WAAS Interfaces, page 1-10
• Benefits of Cisco WAAS, page 1-19
About Cisco WAAS
The WAAS system consists of a set of devices called wide area application engines (WAEs) that work
together to optimize TCP traffic over your network. When client and server applications attempt to
communicate with each other, the network intercepts and redirects this traffic to the WAEs so that they
can act on behalf of the client application and the destination server. The WAEs examine the traffic and
use built-in optimization policies to determine whether to optimize the traffic or allow it to pass through
your network unoptimized.
WAAS version 5.0 introduces a new AppNav deployment model that greatly reduces dependency on the
intercepting switch or router by taking the responsibility of distributing traffic among WAAS devices for
optimization. WAAS appliances with AppNav Controller Interface Modules operate in a special AppNav
Controller mode with AppNav policies controlling traffic flow to WAAS devices doing optimization.
The AppNav model is well suited to data center deployments and addresses many of the challenges of
WAN optimization in this environment.
You can deploy WAAS in the new AppNav model or in the traditional model without using AppNav
Controllers.
You use the WAAS Central Manager GUI to centrally configure and monitor the WAEs and optimization
policies in your network. You can also use the WAAS Central Manager GUI to create new optimization
policy rules so that the WAAS system can optimize custom applications and less common applications.
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
1-1
Chapter 1
Introduction to Cisco WAAS
Overview of the WAAS Interfaces
Cisco WAAS helps enterprises meet the following objectives:
• Provide branch office employees with LAN-like access to information and applications across a
geographically distributed network.
• Migrate application and file servers from branch offices into centrally managed data centers.
• Minimize unnecessary WAN bandwidth consumption through the use of advanced compression
algorithms.
• Virtualize print and other local services to branch office users. Cisco WAAS allows you to configure
a WAE with Windows in a virtual blade so that you do not need to deploy a dedicated system to
provide local services such as Print Services, Active Directory Services, DNS, and DHCP services.
• Improve application performance over the WAN by addressing the following common issues:
  – Low data rates (constrained bandwidth)
  – Slow delivery of frames (high network latency)
  – Higher rates of packet loss (low reliability)
Note
A WAAS Express device, which is a Cisco router with WAAS Express functionality enabled, can
interoperate with WAE devices. A WAAS Express device provides basic WAN optimization and some
application optimization but no virtualization. For more information on WAAS Express, see Configuring
WAAS Express.
A virtual WAAS (vWAAS) instance is a virtual WAAS appliance running on a VMware virtual machine
and providing all of the same features as a WAAS appliance. A WAAS Central Manager can manage
WAEs, WAAS Express devices, and vWAAS instances all in the same WAAS network. For more
information on vWAAS, see the Cisco Wide Area Application Services vWAAS Installation and
Configuration Guide.
This section contains the following topics:
• Cisco WAAS Overcomes Common WAN Challenges, page 1-2
• Traffic Optimization Process, page 1-3
Cisco WAAS Overcomes Common WAN Challenges
Table 1-1 describes how Cisco WAAS uses a combination of TCP optimization techniques and
application acceleration features to overcome the most common challenges associated with transporting
traffic over a WAN.
Table 1-1  Cisco WAAS Solution

WAN Issue: High network latency
WAAS Solution: Intelligent protocol adapters reduce the number of round trips required by chatty
application protocols.

WAN Issue: Constrained bandwidth
WAAS Solution: Data caching provided with the file services feature and data compression reduce the
amount of data sent over the WAN, which increases data transfer rates. These solutions improve application
response time on congested links by reducing the amount of data sent across the WAN.

WAN Issue: Poor link utilization
WAAS Solution: TCP optimization features improve network throughput by reducing the number of TCP
errors and retransmissions sent over the WAN and by maximizing the TCP window size, which determines
how much data can be in flight before an acknowledgment is required.

WAN Issue: Packet loss
WAAS Solution: The optimized TCP stack in WAAS overcomes the issues associated with high packet loss
and shields the communicating end points from the state of the WAN.
Traffic Optimization Process
Figure 1-1 shows the process that Cisco WAAS follows to optimize application traffic.
Figure 1-1  Traffic Optimization Process
(Diagram not reproduced. Its callouts 1 through 6 correspond to the numbered steps below; the WAN sits
between the branch WAE and the data center WAE.)
The following steps describe how your WAAS network optimizes a connection between a branch office
client and a destination server:
1. A branch office client attempts to connect to the destination server over the native application port.
2. The WAAS network uses WCCP or PBR to intercept the client request, or, if deployed on an inline
WAE, WAAS intercepts the request directly using inline mode. For more information on inline mode, see
the “Using Inline Mode Interception” section on page 5-42.
3. The branch WAE performs the following actions:
  • Examines the parameters in the traffic’s TCP headers and then refers to the optimization policies to
determine whether the intercepted traffic should be optimized. Information in the TCP header, such as the
source and destination IP address and port, allows the branch WAE to match the traffic to an optimization
policy rule. For a list of predefined policy rules, see Appendix A, “Predefined Optimization Policy.”
  • If the branch WAE determines that the traffic should be optimized, it adds information to the TCP
header that informs the next WAE in the network path to optimize the traffic.
4. The branch WAE forwards the client request through the network to its original destination server.
5. The data center WAE performs the following actions:
  • Intercepts the traffic going to the destination server.
  • Establishes an optimized connection with the branch WAE. If the data center WAE has optimization
disabled, an optimized connection is not established and the traffic passes over the network unoptimized.
  In an AppNav deployment, an AppNav Controller intercepts the traffic in the data center and distributes
it to a WAAS node that establishes an optimized connection with the branch WAE. For more information
on an AppNav deployment, see Chapter 4, “Configuring AppNav.”
6. WAAS optimizes subsequent traffic between the branch WAE and data center WAE for this connection.
Note
Cisco WAAS does not optimize traffic in the following situations:
• The WAE intercepts non-TCP traffic (such as UDP or ICMP).
• The WAE is overloaded and does not have the resources to optimize the traffic.
• The intercepted traffic matches an optimization or AppNav policy rule that specifies to pass the
traffic through unoptimized.
If unoptimized traffic reaches a WAE, the WAE forwards the traffic in pass-through mode without
affecting the performance of the application using the passed-through connection.
Key Services of Cisco WAAS
Cisco WAAS contains the following services that help optimize traffic over your wide area network:
• TFO Optimization, page 1-4
• Compression, page 1-6
• Application-Specific Acceleration, page 1-6
• File Services for Desktop Applications, page 1-8
• WAAS Print Services, page 1-9
• Virtualization, page 1-10
Note
WAAS Express devices provide basic optimization and compression services and some application
acceleration.
TFO Optimization
Cisco WAAS uses a variety of transport flow optimization (TFO) features to optimize TCP traffic
intercepted by the WAAS devices. TFO protects communicating clients and servers from negative WAN
conditions, such as bandwidth constraints, packet loss, congestion, and retransmission.
TFO includes the following optimization features:
• Window Scaling, page 1-5
• TCP Initial Window Size Maximization, page 1-5
• Increased Buffering, page 1-5
• Selective Acknowledgment, page 1-5
• BIC TCP, page 1-6
Window Scaling
Window scaling allows the receiver of a TCP segment to advertise a receive window larger than 64 KB. The
receive window is the amount of data the receiver is prepared to accept beyond what it has already
acknowledged, so it bounds how much data the sender can have in flight. The 16-bit window field in the
TCP header limits the receive window to 65,535 bytes; the window scale option, negotiated in the SYN and
SYN/ACK segments, lets each endpoint shift its advertised value left by up to 14 bits, allowing receive
windows of up to 1 GB.
Window scaling allows TCP endpoints to take advantage of the available bandwidth on a long, fast path
instead of being limited to the unscaled window that the TCP header can express.
For more information about window scaling, refer to RFC 1323 (since obsoleted by RFC 7323).
TCP Initial Window Size Maximization
WAAS increases the upper bound limit for TCP’s initial window from one or two segments to two to four
segments (approximately 4 KB). Increasing TCP’s initial window size provides the following
advantages:
• When the initial TCP window is only one segment, a receiver that uses delayed ACKs is forced to
wait for a timeout before generating an ACK response. With an initial window of at least two
segments, the receiver generates an ACK response after the second data segment arrives, eliminating
the wait on the timeout.
• For connections that transmit only a small amount of data, a larger initial window reduces the
transmission time. For many e-mail (SMTP) and web page (HTTP) transfers that are less than 4 KB,
the larger initial window reduces the data transfer time to a single round trip time (RTT).
• For connections that use large congestion windows, the larger initial window eliminates up to three
RTTs and a delayed ACK timeout during the initial slow-start phase.
For more information about this optimization feature, see RFC 3390.
Increased Buffering
Cisco WAAS enhances the buffering algorithm used by the TCP kernel so that WAEs can more
aggressively pull data from branch office clients and remote servers. This increased buffer helps the two
WAEs participating in the connection keep the link between them full, increasing link utilization.
Selective Acknowledgment
Selective Acknowledgement (SACK) is an efficient packet loss recovery and retransmission feature that
allows TCP endpoints to recover from packet loss more quickly than TCP’s default recovery mechanism.
By default, TCP uses a cumulative acknowledgement scheme that forces the sender either to wait a full
round trip to learn which packets the recipient did not receive, or to retransmit segments unnecessarily
even though they may already have been received correctly.
SACK allows the receiver to inform the sender about all segments that have arrived successfully, so the
sender needs to retransmit only the segments that have actually been lost.
For more information about SACK, see RFC 2018.
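The TFO features above are all negotiated in the TCP options of the SYN and SYN/ACK, and step 3 of the traffic optimization process adds a further option to that same header. The following is an added example, not code from this guide or from Cisco: it parses a raw TCP SYN, reports the MSS, window scale shift and SACK-permitted option, computes the maximum receive window the scale allows (clamped at the 14-bit shift of RFC 7323) and the RFC 3390 initial window, and lists any option kind outside the well-known set, which is how you would confirm from a capture whether a WAE's marker survives a firewall in the path. The sample SYN is constructed here; the option kind 0x21 in it stands in for a WAE auto-discovery marker and is an assumption, since this chapter does not state the value.

```python
"""Inspect a raw TCP SYN: MSS, window scale, SACK-permitted, the RFC 3390
initial window, and any option kind a WAN optimizer may have added.

Added example for this guide (not Cisco code). Assumptions: the SYN bytes are
constructed below, and option kind 0x21 stands in for the marker a WAE adds to
the TCP header; that kind value is not stated in this chapter.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TCP_MIN_HEADER = 20
KNOWN_KINDS = {0, 1, 2, 3, 4, 5, 8}   # EOL, NOP, MSS, WS, SACK-perm, SACK, TS
MAX_WSCALE_SHIFT = 14                 # RFC 7323 2.3: larger shifts are treated as 14
RFC3390_CAP = 4380                    # bytes


@dataclass
class SynOptions:
    window_field: int                       # raw 16-bit window from the header
    mss: Optional[int] = None
    wscale_shift: Optional[int] = None
    sack_permitted: bool = False
    unknown_kinds: List[int] = field(default_factory=list)

    def max_receive_window(self) -> int:
        """Ceiling on the window this end can advertise after the handshake.
        Without a window scale option the 16-bit field caps it at 65535."""
        if self.wscale_shift is None:
            return 65535
        return 65535 << min(self.wscale_shift, MAX_WSCALE_SHIFT)


def parse_syn_options(segment: bytes) -> SynOptions:
    """Walk the (kind, length, data) options area of a TCP segment."""
    if len(segment) < TCP_MIN_HEADER:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < TCP_MIN_HEADER or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = SynOptions(window_field=struct.unpack("!H", segment[14:16])[0])
    i = TCP_MIN_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                        # EOL: the rest is padding
            break
        if kind == 1:                        # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option header")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError(f"bad length {length} for option kind {kind}")
        body = segment[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts.mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            opts.wscale_shift = body[0]
        elif kind == 4:
            opts.sack_permitted = True
        elif kind not in KNOWN_KINDS:
            opts.unknown_kinds.append(kind)  # candidate optimizer marker
        i += length
    return opts


def rfc3390_initial_window(mss: int) -> int:
    """RFC 3390 upper bound: min(4*MSS, max(2*MSS, 4380 bytes))."""
    return min(4 * mss, max(2 * mss, RFC3390_CAP))


def build_syn(window: int, options: bytes) -> bytes:
    """Construct a minimal TCP SYN header (no IP layer) carrying `options`."""
    options += b"\x00" * ((-len(options)) % 4)          # pad to 32-bit words
    data_offset = (TCP_MIN_HEADER + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 50000, 445, 0x01020304, 0,
                         data_offset << 4, 0x02, window, 0, 0)
    return header + options


# Constructed sample: MSS 1460, SACK-permitted, NOP, window scale 7, and a
# 10-byte option of kind 0x21 standing in for a WAE auto-discovery marker.
SAMPLE_SYN = build_syn(8192, b"\x02\x04\x05\xb4" b"\x04\x02" b"\x01"
                             b"\x03\x03\x07" b"\x21\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    o = parse_syn_options(SAMPLE_SYN)
    print(f"MSS={o.mss} wscale={o.wscale_shift} sack={o.sack_permitted}")
    print(f"max receive window={o.max_receive_window()} bytes")
    print(f"RFC 3390 initial window={rfc3390_initial_window(o.mss)} bytes")
    print(f"unrecognized option kinds={[hex(k) for k in o.unknown_kinds]}")
```

Feed the parser the TCP payload of a SYN taken from a capture on each side of a firewall: if the unrecognized option kind appears on the branch side but not on the data center side, the firewall is stripping the options the WAEs rely on.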
BIC TCP
Binary Increase Congestion (BIC) TCP is a congestion control algorithm that allows a connection to
recover more quickly from packet loss events and to regain a large congestion window on high-bandwidth,
high-latency paths.
When a packet loss event occurs, BIC TCP records the sender’s congestion window in effect just before
the loss as the maximum window, reduces the window, and records the reduced size as the minimum
window. Because loss occurred at the maximum and the minimum was carried without loss, the window
that the path can actually sustain lies between the two values.
BIC TCP then performs a binary search between them: on each round trip it moves the window to the
midpoint between the current minimum and the maximum (with a cap on the size of any single step). If no
packet loss occurs at the new window, that window becomes the new minimum. If a packet loss event
does occur, that window becomes the new maximum. This process continues until the minimum and
maximum converge on the window size the path can sustain.
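The binary search described above, as an added example in a deliberately simplified model (this is not WAAS’s or any kernel’s BIC implementation): a bottleneck that drops packets whenever the congestion window exceeds a fixed capacity, a reduction factor of 0.8 on loss, and per-round-trip step limits of 1 and 32 segments. All of these parameters are assumptions chosen for the illustration. The trace shows the window halving the distance to the last loss point each round trip and the maximum settling one segment above the bottleneck.

```python
"""Simplified model of BIC TCP's binary window search. Added example for this
guide, not WAAS's implementation. Assumptions: a bottleneck that drops packets
whenever cwnd exceeds `capacity`, beta = 0.8 on loss, S_MAX/S_MIN = 32/1.
"""
from dataclasses import dataclass
from typing import List, Tuple

BETA = 0.8      # multiplicative decrease after a loss
S_MAX = 32      # largest increase per RTT (segments)
S_MIN = 1       # smallest increase per RTT (segments)


@dataclass
class BicState:
    cwnd: int
    w_min: int          # largest window known to be loss-free
    w_max: int          # window at which the last loss occurred
    probe_inc: int = S_MIN


def bic_step(st: BicState, loss: bool) -> None:
    """One RTT of BIC. On loss, the current window becomes the new maximum and
    the reduced window the new minimum; otherwise the window is known safe, so
    it becomes the new minimum and the next probe is the midpoint to w_max."""
    if loss:
        st.w_max = st.cwnd
        st.cwnd = max(1, int(st.cwnd * BETA))
        st.w_min = st.cwnd
        st.probe_inc = S_MIN
        return
    st.w_min = st.cwnd
    if st.cwnd < st.w_max:
        # binary search: jump halfway to the last loss point, bounded by S_MIN..S_MAX
        inc = (st.w_max - st.cwnd) // 2
        st.cwnd += min(max(inc, S_MIN), S_MAX)
    else:
        # max probing: past the old maximum, grow slowly at first, then faster
        st.cwnd += st.probe_inc
        st.probe_inc = min(st.probe_inc * 2, S_MAX)


def simulate_bic(capacity: int, cwnd: int, rtts: int) -> Tuple[List[int], BicState]:
    """Run `rtts` round trips against a bottleneck of `capacity` segments.
    Returns the per-RTT cwnd trace and the final state."""
    st = BicState(cwnd=cwnd, w_min=cwnd, w_max=cwnd)
    trace: List[int] = []
    for _ in range(rtts):
        bic_step(st, loss=st.cwnd > capacity)
        trace.append(st.cwnd)
    return trace, st


if __name__ == "__main__":
    trace, st = simulate_bic(capacity=100, cwnd=120, rtts=30)
    print("cwnd per RTT:", trace)
    print(f"search settled at w_min={st.w_min} w_max={st.w_max}")
```

With capacity 100 and a starting window of 120 the trace runs 96, 108, 86, 97, 102, 81, 91, 96, 99, 100, 101, 80 and then cycles between 80 and 101: the maximum has locked onto the first window the bottleneck cannot carry, and each cycle re-approaches it in halving steps rather than by the one-segment-per-RTT climb of classic additive increase.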
Compression
Cisco WAAS uses the following compression technologies to help reduce the size of data transmitted
over your WAN:
• Data Redundancy Elimination (DRE)
• LZ compression
These compression technologies reduce the size of transmitted data by removing redundant information
before sending the shortened data stream over the WAN. By reducing the amount of transferred data,
WAAS compression can reduce network utilization and application response times.
When a WAE uses compression to optimize TCP traffic, it replaces repeated data in the stream with a
much shorter reference, then sends the shortened data stream out across the WAN. The receiving WAE
uses its local redundancy library to reconstruct the data stream before passing it along to the destination
client or server.
The WAAS compression scheme is based on a shared cache architecture where each WAE involved in
compression and decompression shares the same redundancy library. When the cache that stores the
redundancy library on a WAE becomes full, WAAS uses a FIFO algorithm (first in, first out) to discard
old data and make room for new.
LZ compression operates on smaller data streams and keeps a limited compression history. DRE matches
significantly larger sequences (typically tens to hundreds of bytes or more) and maintains a much larger
compression history. Large chunks of redundant data are common in file system operations when files are
incrementally changed from one version to another or when certain elements are common to many files,
such as file headers and logos.
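The mechanism described above, as an added example and not WAAS’s DRE: a toy redundancy library shared by a sending and a receiving peer, with FIFO eviction, in which the sender replaces chunks the library already holds with a short reference and the receiver rebuilds the stream from its own copy of the library, followed by zlib as the LZ stage. Fixed 64-byte chunks, 8-byte truncated SHA-256 references and the two sample documents are all assumptions of this illustration. Besides the second-pass savings on an incrementally changed file, it shows two failure modes the text implies: a library too small for the working set thrashes under FIFO and yields no hits, and a receiver whose library has diverged from the sender’s cannot resolve a reference.

```python
"""Toy Data Redundancy Elimination with a shared, FIFO-evicting redundancy
library and an LZ stage. Added example for this guide, not WAAS's DRE.
Assumptions: fixed 64-byte chunks (a simplification), 8-byte truncated SHA-256
chunk references, zlib as the LZ stage; the sample documents are constructed.
"""
import hashlib
import struct
import zlib
from collections import OrderedDict
from typing import Tuple

CHUNK = 64
REF_LEN = 8
TAG_REF, TAG_LIT = 0, 1


class RedundancyLibrary:
    """Chunk store keyed by a short reference; insertion order drives FIFO eviction."""

    def __init__(self, capacity_chunks: int) -> None:
        self.capacity = capacity_chunks
        self.store: "OrderedDict[bytes, bytes]" = OrderedDict()

    @staticmethod
    def ref_of(chunk: bytes) -> bytes:
        return hashlib.sha256(chunk).digest()[:REF_LEN]

    def __contains__(self, ref: bytes) -> bool:
        return ref in self.store

    def add(self, chunk: bytes) -> bytes:
        ref = self.ref_of(chunk)
        if ref not in self.store:
            if len(self.store) >= self.capacity:
                self.store.popitem(last=False)   # FIFO: discard the oldest chunk
            self.store[ref] = chunk
        return ref

    def lookup(self, ref: bytes) -> bytes:
        return self.store[ref]   # KeyError: the peers' libraries have diverged


def dre_encode(data: bytes, lib: RedundancyLibrary) -> Tuple[bytes, int, int]:
    """Replace chunks already in `lib` with references; send the rest as literals.
    Returns (wire bytes after the LZ stage, reference count, literal count)."""
    out = bytearray()
    refs = lits = 0
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        ref = RedundancyLibrary.ref_of(chunk)
        if ref in lib:
            out += struct.pack("!B", TAG_REF) + ref
            refs += 1
        else:
            lib.add(chunk)                        # the sender learns it too
            out += struct.pack("!BH", TAG_LIT, len(chunk)) + chunk
            lits += 1
    return zlib.compress(bytes(out)), refs, lits


def dre_decode(wire: bytes, lib: RedundancyLibrary) -> bytes:
    """Inverse of dre_encode, run with the receiving peer's library."""
    buf = zlib.decompress(wire)
    out = bytearray()
    i = 0
    while i < len(buf):
        tag = buf[i]
        if tag == TAG_REF:
            out += lib.lookup(buf[i + 1:i + 1 + REF_LEN])
            i += 1 + REF_LEN
        elif tag == TAG_LIT:
            (n,) = struct.unpack("!H", buf[i + 1:i + 3])
            chunk = buf[i + 3:i + 3 + n]
            lib.add(chunk)                        # keeps both libraries in step
            out += chunk
            i += 3 + n
        else:
            raise ValueError(f"bad tag {tag}")
    return bytes(out)


def transfer(data: bytes, sender: RedundancyLibrary, receiver: RedundancyLibrary):
    """One WAN transfer: returns (reconstructed bytes, wire size, refs, lits)."""
    wire, refs, lits = dre_encode(data, sender)
    return dre_decode(wire, receiver), len(wire), refs, lits


# Constructed sample: version 1 of a file, and version 2 with one chunk edited.
DOC_V1 = b"".join(b"record %04d: quarterly figures unchanged\n" % i for i in range(64))
DOC_V2 = DOC_V1[:640] + b"X" * CHUNK + DOC_V1[640 + CHUNK:]

if __name__ == "__main__":
    tx, rx = RedundancyLibrary(256), RedundancyLibrary(256)
    for label, doc in (("v1", DOC_V1), ("v2", DOC_V2)):
        out, size, refs, lits = transfer(doc, tx, rx)
        assert out == doc
        print(f"{label}: {len(doc)} bytes -> {size} on the wire, {refs} refs, {lits} literals")
```

The first transfer of the 2,624-byte file is all literals and is shrunk only by the LZ stage; the second transfer of the edited version sends 40 references and a single literal. Run with a library of 10 chunks, the same file sent twice gets no hits at all, because by the time a chunk is seen again FIFO has already pushed it out.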
Application-Specific Acceleration
In addition to the TCP optimization features that speed the flow of traffic over a WAN, Cisco WAAS
includes these application acceleration features:
• Operation prediction and batching—Allows a WAAS device to transform a command sequence into
a shorter sequence over the WAN to reduce roundtrips.
• Intelligent message suppression—Decreases the response time of remote applications. Even though
TFO optimizes traffic over a WAN, protocol messages between branch office clients and remote
servers can still cause slow application response time. To resolve this issue, each WAAS device
contains application proxies that can respond to messages locally so that the client does not have to
wait for a response from the remote server. The application proxies use a variety of techniques
including caching, command batching, prediction, and resource prefetch to decrease the response
time of remote applications.
• CIFS caching—Allows a WAAS device to reply to client requests using locally cached data instead
of retrieving this data from remote file and application servers.
• Preposition—Allows a WAAS device to prefetch resource data and metadata in anticipation of a
future client request. (Only the CIFS accelerator supports prepositioning.)
Cisco WAAS uses application-intelligent software modules to apply these acceleration features.
In a typical Common Internet File System (CIFS) application use case, the client sends a large number
of synchronous requests that require the client to wait for a response before sending the next request.
Compressing the data over the WAN is not sufficient for acceptable response time.
For example, when you open a 5 MB Word document, about 700 CIFS requests (550 read requests plus
150 other requests) are produced. If all these requests are sent over a 100 ms round-trip WAN, the
response time is at least 70 seconds (700 x 0.1 seconds).
WAAS application acceleration minimizes the synchronous effect of the CIFS protocol, which reduces
application response time. Each WAAS device uses optimization policies to match specific types of the
traffic to an application and to determine whether that application traffic should be optimized and
accelerated.
The following WAAS application accelerators are available:
• SMB—Accelerates CIFS traffic exchanged with a remote file server. Supports the SMB 1.0, 2.0, and
2.1 protocols for CIFS traffic and signed SMB traffic. For more information, see the “File Services
for Desktop Applications” section on page 1-8.
• CIFS—Accelerates CIFS traffic exchanged with a remote file server. Supports the SMB 1.0 protocol
for CIFS traffic. For more information, see the “File Services for Desktop Applications” section on
page 1-8.
Note
The SMB and CIFS application accelerators both handle CIFS traffic but have slightly different
features. You must choose one or the other to operate on WAAS peer devices because they
cannot operate simultaneously on the same device, and both peers must use the same accelerator.
• NFS—Accelerates Network File System (NFS) version 3 traffic exchanged with a remote file server.
Secure NFS traffic is not accelerated.
• ICA—Accelerates Independent Computing Architecture (ICA) traffic that is used to access a virtual
desktop infrastructure (VDI).
• HTTP—Accelerates HTTP and HTTPS traffic.
• SSL—Accelerates encrypted Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
traffic. The SSL accelerator decrypts the traffic within WAAS so that the optimizations can operate
on the plaintext, and re-encrypts it before delivery, enabling end-to-end traffic optimization. Because
the WAE must hold the server certificates and private keys to do this, the SSL accelerator also provides
secure management of those certificates and keys.
• MAPI—Accelerates Microsoft Outlook Exchange traffic that uses the Messaging Application
Programming Interface (MAPI) protocol. Microsoft Outlook 2000–2010 clients are supported.
Secure connections that use message authentication (signing) or encryption are accelerated. MAPI
over HTTP is not accelerated.
• Video—Accelerates Windows Media live video broadcasts that use RTSP over TCP. The video
accelerator automatically splits one source video stream from the WAN into multiple streams to
serve multiple clients on the LAN. The video accelerator automatically causes a client requesting a
UDP stream to do a protocol rollover to use TCP (if both the client and server allow TCP).
• Windows Print—Accelerates print traffic between clients and a Windows print server located in the
data center. Signed Server Message Block (SMB) traffic is not handled by this accelerator; it receives
only the transport-level optimizations (TFO, DRE, and LZ). The Windows print accelerator supports
Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 print
servers. It supports clients running Windows 2000, Windows XP, Windows Vista, and Windows 7. The
Windows Print accelerator operates only when the CIFS application accelerator is enabled.
Note
WAAS Express devices provide application acceleration for CIFS/SMB, HTTP, and SSL traffic.
To enable or disable application accelerators, see the “Enabling and Disabling the Global Optimization
Features” section on page 13-3.
You must enable the accelerator on both of the peer WAEs at either end of a WAN link for any application
accelerator to operate.
File Services for Desktop Applications
The file services (SMB and CIFS accelerators) feature allows a WAE to more quickly fulfill a client’s
requests instead of sending every request over the WAN to the file server. By fulfilling the client’s
requests locally, the WAE minimizes the traffic sent over the WAN and reduces the time it takes branch
office users to access files and many desktop applications, allowing enterprises to consolidate their
important information into data centers.
For more information, see Chapter 12, “Configuring File Services.”
Note
Legacy mode WAFS is no longer supported. Legacy WAFS users must migrate to the SMB or CIFS
accelerators.
This section contains the following topics:
• File Services Features, page 1-8
• Role of the Edge WAE, page 1-9
• Role of the Core WAE, page 1-9
File Services Features
File Services include the following features:
• Data coherency and concurrency—Ensures data integrity across the WAAS system by managing the
freshness of the data (coherency) and controlling the access to the data by multiple clients
(concurrency).
• Automatic discovery—Allows you to use file services without having to register individual file
servers in the WAAS Central Manager. With the automatic discovery feature, the WAAS device will
automatically discover and connect to a new file server when a CIFS request is received.
• Prepositioning—Allows system administrators to proactively “push” frequently used files from the
central file server into the cache of selected WAEs, which provides users with faster first-time file
access, and makes more efficient use of available bandwidth. Prepositioning is supported only by
the CIFS application accelerator.
Role of the Edge WAE
The Edge WAE is a client-side, file-caching device that serves client requests at remote sites and branch
offices. The device is deployed at each branch office or remote campus, replacing file and print servers
and giving local clients fast, near-LAN read and write access to a cached view of the centralized storage.
By caching the data most likely to be used at these sites, Edge WAEs greatly reduce the number of
requests and the volume of data that must be transferred over the WAN between the data center and the
edge.
When requests for data that is not located in the cache are received, the Edge WAE encapsulates the
original CIFS request using a TCP/IP-based protocol, compresses it, and sends it over the WAN to the
Core WAE. Data returned from the data center is distributed by the Edge WAE to the end user who
requested it.
Role of the Core WAE
The Core WAE is a server-side component that resides at the data center and connects directly to one or
more file servers or network-attached storage (NAS). Core WAEs are placed between the file servers at
the data center and the WAN connecting the data center to the enterprise’s remote sites and branch
offices. Requests received from Edge WAEs over the WAN are translated by the Core WAE back into the
original file server protocol and forwarded to the appropriate file server. The data center Core WAEs can
provide load balancing and failover support.
When the data is received from the file server, the Core WAE encapsulates and compresses it before
sending it over the WAN back to the Edge WAE that requested it. Core WAEs can be arranged in logical
clusters to provide scalability and automatic failover capabilities for high-availability environments.
WAAS Print Services
The WAAS software includes the following print services options:
• Windows print accelerator—Use this option when you have a print server in a data center and branch
clients are printing to local or remote printers. This service accelerates print traffic between clients
and a Windows print server located in the data center. This option requires no configuration but does
require that both the CIFS application accelerator and Windows print acceleration be enabled. For
more information, see the “Enabling and Disabling the Global Optimization Features” section on
page 13-3.
• Virtual blade based print server—Use this option when you want to deploy a local print server in the
branch office but without installing separate print server hardware. You can install a Windows print
server in a virtual blade on the branch WAE, which allows you to manage printing by using standard
Windows print server functionality. For more information, see Chapter 14, “Configuring Virtual
Blades.”
Note
The legacy print services feature is no longer supported. Legacy print services users must
migrate to another print services option.
These services eliminate the need for a separate hardware print server in the branch office. WAAS print
services are available for Windows clients and work with any IP-based network printer.
Virtualization
The WAAS software allows you to configure a virtual blade, which allows you to add services running
in their own operating environments to your WAAS system. For example, you could configure a virtual
blade in a WAE device to run Windows services such as Print Services, Active Directory Services, DNS,
and DHCP services.
A WAAS virtual blade provides an emulated hardware environment within your WAE device that acts
as a generic computer. You can install an operating system and applications to work with your WAAS
system and provide additional services for the users on your network. For more information, see
Chapter 14, “Configuring Virtual Blades.”
Overview of the WAAS Interfaces
The WAAS software provides the following interfaces to help you manage, configure, and monitor the
various elements of your WAAS network:
• WAAS Central Manager GUI, page 1-10
• WAAS Central Manager Monitoring API, page 1-17
• WAE Device Manager GUI, page 1-17
• WAAS CLI, page 1-18
WAAS Central Manager GUI
Every WAAS network must have one primary WAAS Central Manager device that is responsible for
managing the other WAAS devices in your network. The WAAS Central Manager device hosts the
WAAS Central Manager GUI, a Web-based interface that allows you to configure, manage, and monitor
the WAAS devices in your network. The WAAS Central Manager resides on a dedicated WAE device.
The WAAS Central Manager GUI allows administrators to perform the following tasks:
• Configure system and network settings for an individual WAAS device, vWAAS device, WAAS
Express device, device group, AppNav Controller, and AppNav Cluster.
• Create and edit optimization policies that determine the action that a WAAS device performs when
it intercepts specific types of traffic.
• Create and edit AppNav policies that determine how AppNav Controllers distribute traffic to
optimizing WAAS nodes.
• Configure file services and set up file preposition policies (preposition works only with the CIFS
application accelerator).
• Create device groups that help you manage and configure multiple WAEs at the same time.
• View detailed reports about the optimized traffic in your WAAS network.
Note
You cannot enable optimization and application acceleration services on a WAE that has been configured
as a WAAS Central Manager. The purpose of the WAAS Central Manager is to configure, monitor, and
manage the WAEs in your network.
This section contains the following topics:
• Accessing the WAAS Central Manager GUI, page 1-11
• Components of the WAAS Central Manager GUI, page 1-12
• WAAS Central Manager Menus, page 1-14
• WAAS Central Manager Taskbar Icons, page 1-15
Accessing the WAAS Central Manager GUI
To access the WAAS Central Manager GUI, enter the following URL in your web browser:
https://WAE_Address:8443/
The WAE_Address value is the IP address or hostname of the WAAS Central Manager device.
The default administrator username is admin and the password is default. Change this password the first
time you log in: a Central Manager still using the default credentials can be taken over by anyone able to
reach port 8443, and it controls the configuration of every WAE in the network. For information on
creating accounts and changing passwords, see Chapter 8, “Creating and Managing Administrator User
Accounts and Groups.”
Ensure that your web browser is set to use Unicode (UTF-8) character encoding.
Note
When using Internet Explorer to access the Central Manager GUI, you may see a “Choose a digital
certificate” dialog. Click Cancel to proceed to the Central Manager login screen.
You may also see a browser security warning that there is a problem with the website’s security
certificate. This happens because the Central Manager uses a self-signed certificate, which no browser
trust store can validate on its own. Before you accept it, compare the certificate fingerprint the browser
shows with the fingerprint obtained from the Central Manager’s administrator through a channel you
trust; accepting an unverified certificate leaves the session open to interception by anyone on the path
to port 8443. Once it is verified, click the link Continue to this website (not recommended). You can
permanently install the certificate to avoid this warning in the future. To install the certificate in Internet
Explorer 8, click the red Certificate Error button in the address bar and choose View Certificates. Click
Install Certificate, then click Next. Select Automatically select the certificate store based on the type of
certificate and click Next, click Finish, then click Yes on the security warning, click OK on the
acknowledgement, and click OK on the Certificate dialog. The certificate installation procedure differs
depending on the browser.
If you are using Internet Explorer to access the Central Manager GUI, we strongly recommend that you
install the Google Chrome Frame plug-in to provide better performance. When you log into the Central
Manager the first time, you are prompted to install Google Chrome Frame. Choose a language, click Get
Google Chrome Frame, and follow the prompts to download and install the plug-in. If you do not want
to install the plugin, click the link to continue without installing Google Chrome Frame.
You can configure the WAAS Central Manager GUI to limit the number of concurrent sessions permitted
for a user. The number of concurrent sessions is unlimited by default. To change the number of permitted
concurrent sessions, set the System.security.maxSimultaneousLogins property, as described in the
“Modifying the Default System Configuration Properties” section on page 10-17.
Note
A user must log off the Central Manager to end a session. If a user closes the browser or connection
without logging off, the session is not closed until after it times out (in 10 minutes by default, up to a
possible maximum of 120 minutes). If the number of concurrent sessions permitted also is exceeded for
that user, there is no way for that user to regain access to the Central Manager GUI until after the timeout
expires.
Note
After an upgrade, downgrade, or new installation, you must first clear the cache in your browser, close
the browser, and restart the browser session to the WAAS Central Manager.
Components of the WAAS Central Manager GUI
Figure 1-2 shows the main components of the WAAS Central Manager GUI.
Figure 1-2
Components of the WAAS Central Manager GUI
The WAAS Central Manager GUI includes the following main components:
• Page title—Displays the title of the page being viewed and breadcrumb links to ease navigation back
to previous levels in the hierarchy. (Breadcrumb links are shown in Figure 1-3.)
• Menu bar—The top level contains menus that allow you to choose the context. The lower level
contains menus that group the WAAS Central Manager functions available within the chosen
context. For more information, see the “WAAS Central Manager Menus” section on page 1-14.
• Taskbar—Contains labeled icons that perform various functions depending on the content shown in
the dashboard. For more information, see the “WAAS Central Manager Taskbar Icons” section on
page 1-15.
• Dashboard—Displays the main content, which changes depending on the function that is chosen in
the menu.
• Administrative links—Includes these navigation links:
  – Logout—Logs out the current user from the WAAS Central Manager.
  – Help—Opens a separate window with the WAAS context sensitive help.
  – About—Displays the WAAS About screen that shows the Central Manager version number.
• Alarms—Opens the alarm panel, which displays alarms in your WAAS network.
The top level of the menu bar allows you to choose one of the five contexts available in the WAAS
Central Manager GUI:
• Home—Click to go to the global context, with no particular device group, device, AppNav Cluster,
or location chosen.
• Device Groups—Choose a device group from this menu to enter the device group context. The page
title and the first menu on the lower level display the name of the chosen device group.
• Devices—Choose a device from this menu to enter the device context. The page title and the first
menu on the lower level display the name of the chosen device, as shown in Figure 1-3.
• AppNav Clusters—Choose an AppNav Cluster from this menu to enter the AppNav Cluster context.
The page title and the first menu on the lower level display the name of the chosen AppNav Cluster.
• Locations—Choose a location from this menu to enter the location context. The page title and the
first menu on the lower level display the name of the chosen location.
Figure 1-3
WAAS Central Manager Device Context
The WAAS Central Manager GUI includes the following items to help you navigate:
• Breadcrumbs to current location—Displays the path to your current location in the menu structure.
You can click the Devices link to return to the All Devices page. If you are in the device group
context, this link is named Device Groups and it returns you to the All Device Groups page. If you
are in the AppNav Cluster context, this link is named AppNav Clusters and it returns you to the All
AppNav Clusters page. If you are in the location context, this link is named Locations and it returns
you to the All Locations page.
Cisco Wide Area Application Services Configuration Guide
OL-26579-01
1-13
Chapter 1
Introduction to Cisco WAAS
Overview of the WAAS Interfaces
• Entity name—The first menu in the lower level of the menu bar shows the name of the chosen device
group, device, AppNav Cluster, or location.
• Context menus—The top level of the menu bar contains menus that allow you to switch easily to
any entity in any context. You can search for an item by entering part of its name in the search box
at the top and clicking the magnifying glass icon or pressing Enter. The list is filtered to include
only entities that contain the search string. The top entry in each menu is All Entities, which takes
you to a full window that lists all entities of the selected type, has more advanced search functions,
and has taskbar icons that perform functions appropriate to the entity group. You can also click the
context menu name to go to the listing window.
In the Devices and AppNav Clusters menus, a small target icon appears when you hover over a
device or cluster name. Place your cursor over the target icon to open a pop-up that shows the device
or cluster status (see Figure 1-4).
Figure 1-4 Devices Context Menu
WAAS Central Manager Menus
The WAAS Central Manager menu bar contains two levels of menus:
• Top level—Contains menus that allow you to switch to any entity in any context.
• Lower level—Contains menus that group the WAAS Central Manager functions available within the
chosen context. Table 1-2 describes the menus in the lower menu bar.
Menus contain different functions when a particular device, device group, AppNav Cluster, or location
is selected than when you are in the global context.
Some menu options contain submenus. Hover over the triangle to the right of the menu option name to
open the submenu.
Note
The functions available for WAAS Express devices are a subset of those available for other WAAS
devices; some functions are not available on WAAS Express devices.
Table 1-2 Menu Descriptions
Menu: Dashboard (in the global context) or the Device, Device Group, AppNav Cluster, or Location
name (in any other context)
Description: In the global context, allows you to go to the dashboard for your WAAS network. In a
context other than global, this menu is named with the entity name and allows you to activate
devices, view users, assign groups or devices, or view the dashboard or home screen of the entity.
Menu: Configure
Description: Allows you to configure WAAS services and settings.
Menu: Monitor
Description: Allows you to see network traffic and other charts and reports to monitor the health and
performance of your WAAS network. Allows you to manage and schedule reports for your WAAS
network. Contains troubleshooting tools.
Menu: Admin
Description: Allows you to manage user accounts, passwords, secure store, licenses, and virtual
blades, update the WAAS software, and view system logs and messages.
WAAS Central Manager Taskbar Icons
Table 1-3 describes the taskbar icons in the WAAS Central Manager GUI.
Table 1-3 Taskbar Icon Descriptions
Common icons
Refresh: Refreshes the current page of the WAAS Central Manager GUI.
Delete: Deletes a WAAS element, such as a device or device group.
Create or Add: Creates a new WAAS element, such as a report.
Edit: Edits a WAAS element, such as interface settings.
Advanced Search: Filters the information in a table to make it easier to locate a specific item.
View All: Displays all items in a table on a single page instead of displaying those items over
multiple pages.
Print or Print Table: Prints the information.
PDF: Creates a PDF of the information.
Assign All: Selects all valid items in a table. For example, if you are distributing print drivers to a
WAAS print server, you can click this icon to select all drivers in the list that the print server should
download.
Remove All: Deselects all selected items in a table.
Devices and Device Group Icons
Activate All Inactive Devices: Activates all the inactive WAAS and WAAS Express devices in your
WAAS network. For more information, see the “Activating All Inactive WAAS Devices” section on
page 16-34.
Force Update, Request FullUpdate: Reapplies the device configuration as seen in the WAAS Central
Manager GUI to the device. Normally, changes made in the WAAS Central Manager GUI are applied
to the device as soon as the configuration is submitted. From time to time, however, a CLI error or
some other error on the device can cause the configuration on the device to differ from what is seen
in the WAAS Central Manager GUI. The Force Full Database Update icon pushes the full
configuration that the WAAS Central Manager holds for the device to the device and reapplies it.
When using the Request FullUpdate icon from the device group window, the full device
configuration is reapplied to each device in the device group. Group settings do not overwrite
device-specific settings.
You can view device CLI errors in the System Message window described in the “Viewing the
System Message Log” section on page 17-56.
The Force Full Database Update icon appears on the Device Dashboard window, described in the
“Device Dashboard Window” section on page 17-8. The Request FullUpdate icon appears on the
Modifying Device Group window.
These functions do not apply to WAAS Express devices.
Reload: Reboots a WAE or device group depending on the location in the WAAS Central Manager
GUI. For more information, see the “Rebooting a Device or Device Group” section on page 16-35.
Reload is not available for WAAS Express devices.
Force Group Settings: Forces the device group configuration across all devices in that group. For
more information, see the “Forcing Device Group Settings on All Devices in the Group” section on
page 3-7.
Apply Defaults: Applies the default settings to the fields on the window.
Export Table: Exports table information into a CSV file.
Override Group Settings: Allows you to specify device-specific settings that override the group
settings for the device. For more information, see the “Overriding the Device Group Settings on a
Device” section on page 3-8.
Deactivate Device: Deactivates a WAAS or WAAS Express device.
Update Application Statistics: Updates the application statistics.
Delete All: Deletes all WAAS elements of a particular type, such as IP ACL conditions.
Display All Devices: Displays all WAE devices or device groups.
Configure Dashboard Display: Allows you to choose which charts to display in the Device
Dashboard window.
Copy Settings: Copies interception settings to other devices (not available for inline interception).
Acceleration Icons
Restore Default Policies and Classifiers: Restores the default predefined optimization policy rules
on the device or device group. For more information, see the “Restoring Optimization Policies and
Class Maps” section on page 13-58.
View Topology: Displays the topology map that shows all the TFO connections among your WAE
devices. For more information, see the “Topology Report” section on page 17-40.
Navigate to Application Configuration Page: Displays the configuration page used to create
applications. For more information, see the “Viewing a List of Applications” section on page 13-56.
System Message Log Icons
Truncate Table: Allows you to truncate the system message log based on size, date, or message
content. For more information, see the “Viewing the System Message Log” section on page 17-56.
WAAS Central Manager Monitoring API
The WAAS Central Manager monitoring application programming interface (API) provides a
programmable interface for system developers to integrate with customized or third-party monitoring
and management applications. The Central Manager monitoring API communicates with the WAAS
Central Manager to retrieve status information and monitoring statistics.
The Central Manager monitoring API is a Web Service implementation. A Web Service is defined by
the W3C standard as a software system designed to support interoperable machine-to-machine (client
and server) interaction over the network. The client and server communication follows the Simple
Object Access Protocol or Service Oriented Architecture Protocol (SOAP) standard.
For more information on the monitoring API, see the Cisco Wide Area Application Services API
Reference.
WAE Device Manager GUI
The WAE Device Manager is a web-based management interface that allows you to configure, manage,
and monitor an individual WAE device in your network. In some cases, the same device settings exist in
both the WAE Device Manager and the WAAS Central Manager GUI. For this reason, we recommend
that you always configure device settings from the WAAS Central Manager GUI when possible.
In some situations, you might need to use the WAE Device Manager GUI to perform certain tasks. For
example, starting, stopping, and restarting the CIFS accelerator service can only be performed from the
WAE Device Manager GUI and not from the WAAS Central Manager GUI.
For more information about the tasks you can perform from the WAE Manager, see Chapter 11, “Using
the WAE Device Manager GUI.”
To access the WAE Device Manager for a specific device, go to the following URL:
https://Device IP Address:8443/mgr
Figure 1-5 shows an example of the WAE Device Manager window.
Figure 1-5 WAE Device Manager Window
WAAS CLI
The WAAS CLI allows you to configure, manage, and monitor WAEs on a per-device basis through a
console connection or a terminal emulation program. The WAAS CLI also allows you to configure
certain features that are supported only through the CLI (for example, configuring the Lightweight
Directory Access Protocol [LDAP] signing on a WAE). We strongly recommend that you use the WAAS
Central Manager GUI instead of the WAAS CLI, whenever possible.
Note
You must wait for approximately 10 minutes (two data feed poll cycles) after registering a WAE with the
WAAS Central Manager before making any CLI configuration changes on the WAE. Any CLI
configuration changes made sooner may be overwritten when the Central Manager updates the WAE. We
strongly recommend making all configuration changes by using the Central Manager GUI.
The WAAS CLI is organized into four command modes. Each command mode has its own set of
commands to use for the configuration, maintenance, and monitoring of a WAE. The commands that are
available to you depend on the mode you are in. When you enter a question mark (?) at the system
prompt, you can obtain a list of commands available for each command mode.
The four WAAS command modes are as follows:
• EXEC mode—For setting, viewing, and testing system operations. This mode is divided into two
access levels: user and privileged. To use the privileged access level, enter the enable command at
the user access level prompt, then enter the privileged EXEC password when you see the password
prompt.
• Global configuration mode—For setting, viewing, and testing the configuration of WAAS software
features for the entire device. To use this mode, enter the configure command from the privileged
EXEC mode.
• Interface configuration mode—For setting, viewing, and testing the configuration of a specific
interface. To use this mode, enter the interface command from the global configuration mode.
• Feature-specific configuration mode—Some configuration modes are available from the global
configuration mode for managing specific features.
For information about using the CLI to configure a WAAS device, see the Cisco Wide Area Application
Services Command Reference and the Cisco Wide Area Application Services Quick Configuration Guide.
Benefits of Cisco WAAS
This section describes the benefits of Cisco WAAS and includes the following topics:
• Preservation of Source TCP/IP Information, page 1-19
• Autodiscovery of WAAS Devices, page 1-20
• Centralized Network Monitoring and Management, page 1-20
• Optimized Read and Write Caching, page 1-21
• WCCP Support, page 1-21
• PBR Support, page 1-21
• Inline Interception Support, page 1-22
• Failure Resiliency and Protection, page 1-22
• RAID Compatibility, page 1-22
• Streamlined Security, page 1-23
• SNMP Support, page 1-23
Preservation of Source TCP/IP Information
Many optimization products create tunnels through routers and other networking devices, which results
in a loss of source TCP/IP information in the optimized data. This loss of TCP/IP information often
disrupts important network services (such as QoS and NBAR), and can disrupt the proper operation of
traffic analysis tools such as NetFlow and of security products and features such as ACLs and IP-based
firewalls.
Unlike other optimization products, Cisco WAAS seamlessly integrates into your network and preserves
all TCP/IP header information in the traffic that it optimizes, so that your existing analysis tools and
security products are not compromised.
Autodiscovery of WAAS Devices
Cisco WAAS includes an autodiscovery feature that enables WAEs to automatically locate peer WAEs
on your network. After autodiscovering a peer device, the WAEs can terminate and separate the
LAN-to-WAN TCP connections and add a buffering layer to resolve the differing speeds. Once a WAE
establishes a connection to a peer WAE, the two devices can establish an optimized link for TCP traffic,
or pass the traffic through as unoptimized.
The autodiscovery of peer WAAS devices is achieved using proprietary TCP options. These TCP options
are only recognized and understood by WAAS devices and are ignored by non-WAAS devices.
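Because autodiscovery rides on TCP options that only WAAS peers interpret, the place to confirm whether a flow was marked for autodiscovery is the options field of its SYN in a packet capture. The parser below is an added example written for this guide, not Cisco code: it walks the options field using the standard kind/length encoding, rejects malformed lengths (a truncated or oversized option is the kind of input a hand-written parser usually gets wrong), and reports option kinds outside the IANA-assigned set that ordinary stacks understand. The guide does not give the WAAS option kind, so the sample SYN uses a constructed kind, 254, purely as a stand-in; the MSS and Timestamps options in the other sample are real option kinds.

```python
"""Report non-standard TCP option kinds carried by a captured TCP header.

Added example (not Cisco code). The WAAS option kind is not given in the
guide; the sample packet below uses kind 254 as a constructed stand-in.
"""
import struct

# IANA-assigned TCP option kinds that ordinary TCP stacks understand.
STANDARD_KINDS = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK-Permitted",
    5: "SACK", 8: "Timestamps",
}


def parse_tcp_options(options: bytes):
    """Return a list of (kind, payload) tuples; raise ValueError on malformed input."""
    parsed = []
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == 0:                      # EOL: only padding follows
            parsed.append((0, b""))
            break
        if kind == 1:                      # NOP: single-byte option, no length
            parsed.append((1, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option kind {kind} at offset {i} has no length byte")
        length = options[i + 1]            # length covers kind and length bytes
        if length < 2 or i + length > n:
            raise ValueError(f"option kind {kind} at offset {i} has bad length {length}")
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def is_well_formed(options: bytes) -> bool:
    """True when the options field parses without error."""
    try:
        parse_tcp_options(options)
        return True
    except ValueError:
        return False


def tcp_options_from_segment(segment: bytes) -> bytes:
    """Extract the options field from a raw TCP header (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4     # data offset is the high nibble of byte 12
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    return segment[20:header_len]


def nonstandard_option_kinds(segment: bytes):
    """Sorted list of option kinds in the segment that are not IANA-standard."""
    kinds = {k for k, _ in parse_tcp_options(tcp_options_from_segment(segment))}
    return sorted(k for k in kinds if k not in STANDARD_KINDS)


def build_syn(options: bytes) -> bytes:
    """Constructed TCP SYN header (sample data) carrying the given options."""
    options += b"\x00" * ((-len(options)) % 4)          # pad to a 32-bit boundary
    data_offset = ((20 + len(options)) // 4) << 4
    # sport, dport, seq, ack, data offset, flags (SYN), window, checksum, urgent
    header = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, data_offset, 0x02, 65535, 0, 0)
    return header + options


# Constructed samples: MSS 1460 + NOP NOP + Timestamps (all standard) ...
STANDARD_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x08\x0a" + b"\x00" * 8)
# ... and MSS 1460 followed by a constructed non-standard option, kind 254, length 6.
MARKED_SYN = build_syn(b"\x02\x04\x05\xb4" + b"\xfe\x06" + b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    for name, syn in (("standard", STANDARD_SYN), ("marked", MARKED_SYN)):
        print(name, nonstandard_option_kinds(syn))
```

An empty result for a SYN between two sites that should be optimizing each other tells you the option never reached the capture point, which is the first thing to check before looking at WAE policy.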
Centralized Network Monitoring and Management
Cisco WAAS Web-based management tools (WAAS Central Manager and WAE Device Manager GUIs)
enable IT administrators to centrally define, monitor, and manage policies for each WAAS device, such
as usage quota, backups, disaster recovery, restores, access control, and security policies. IT
administrators can also perform the following tasks:
• Remotely provision, configure, and monitor each WAAS device or device group.
• Optimize system performance and utilization with comprehensive statistics, logs, and reporting.
• Perform troubleshooting tasks using tools such as SNMP-based monitoring, traps and alerts, and
debug modes.
IT administrators benefit from the following features of Cisco WAAS:
• Native protocol support—Provides complete end-to-end support for the underlying file system
protocol (Windows/CIFS) used by the enterprise. Security, concurrency, and coherency are
preserved between each client and file server.
• Transparency—Is fully transparent to applications, file systems, and protocols, enabling seamless
integration with existing network infrastructures, including mixed environments. Cisco WAAS also
has no impact on any security technology currently deployed.
• Branch office data protection—Increases data protection at branch offices. Its file cache appears on
the office’s LAN in the same way as a local file server. End users can map their personal document
folders onto the file cache using Windows or UNIX utilities. A cached copy of user data is stored
locally in the branch WAE for fast access. The master copy is stored centrally in the well-protected
data center.
• Centralized backup—Consolidates data across the extended enterprise into a data center, which
makes it easy to apply centralized storage management procedures to branch office data. Backup and
restore operations become simpler, faster, and more reliable than when the data was decentralized.
In the event of data loss, backup files exist in the data center and can be quickly accessed for
recovery purposes. The amount of data loss is reduced because of the increased frequency of
backups performed on the centralized storage in the data center. This centralized storage backup
makes disaster recovery much more efficient and economical than working with standalone file
servers or NAS appliances.
• Simplified storage management—Migrates storage from remote locations to a central data facility,
which reduces costs and simplifies storage management for the extended enterprise.
• WAN adaptation—Provides remote users with near-LAN access to files located at the data center.
WAAS uses a proprietary protocol that optimizes the way traffic is forwarded between the WAEs.
Optimized Read and Write Caching
The common file services feature in Cisco WAAS maintains files locally, close to the clients. Changes
made to files are immediately stored in the local branch WAE, and then streamed to the central file
server. Files stored centrally appear as local files to branch users, which improves access performance.
CIFS caching includes the following features:
• Local metadata handling and caching—Allows metadata such as file attributes and directory
information to be cached and served locally, optimizing user access.
• Partial file caching—Propagates only the segments of the file that have been updated on write
requests rather than the entire file.
• Write-back caching—Facilitates efficient write operations by allowing the data center WAE to
buffer writes from the branch WAE and to stream updates asynchronously to the file server without
risking data integrity.
• Advance file read—Increases performance by allowing a WAE to read the file in advance of user
requests when an application is conducting a sequential file read.
• Negative caching—Allows a WAE to store information about missing files to reduce round-trips
across the WAN.
• Microsoft Remote Procedure Call (MSRPC) optimization—Uses local request and response caching
to reduce the round-trips across the WAN.
• Signaling messages prediction and reduction—Uses algorithms that reduce round-trips over the
WAN without loss of semantics.
WCCP Support
The Web Cache Communication Protocol (WCCP) developed by Cisco Systems specifies interactions
between one or more routers (or Layer 3 switches) and one or more application appliances, web caches,
and caches of other application protocols. The purpose of the interaction is to establish and maintain the
transparent redirection of selected types of traffic flowing through a group of routers. The selected traffic
is redirected to a group of appliances. Any type of TCP traffic can be redirected.
The WCCP v2 protocol has a built-in set of beneficial features, for example, automatic failover and load
balancing. The router monitors the liveness of each WAE attached to it through the WCCP keepalive
messages, and if a WAE goes down, the router stops redirecting packets to the WAE. By using WCCP,
the branch WAE avoids becoming a single point of failure. The router can also load balance the traffic
among a number of branch WAEs.
Cisco WAAS supports transparent interception of TCP sessions through WCCP. Once WCCP is turned
on at both the router and the branch WAE, only new sessions are intercepted. Existing sessions are not
affected.
PBR Support
Policy-based routing (PBR) allows IT organizations to configure their network devices (a router or a
Layer 4 to Layer 6 switch) to selectively route traffic to the next hop based on the classification of the
traffic. WAAS administrators can use PBR to transparently integrate a WAE into their existing branch
office network and data centers. PBR can be used to establish a route that goes through a WAE for some
or all packets based on the defined policies.
For more information about PBR, see Chapter 5, “Configuring Traffic Interception.”
Inline Interception Support
Direct inline traffic interception is supported on WAEs with a Cisco WAE Inline Network Adapter or
Interface Module installed. Inline interception of traffic simplifies deployment and avoids the
complexity of configuring WCCP or PBR on the routers.
An inline WAE transparently intercepts traffic flowing through it or bridges traffic that does not need to
be optimized. It also uses a mechanical fail-safe design that automatically bridges traffic if a power,
hardware, or unrecoverable software failure occurs.
Note
AppNav Controller Interface Modules do not support automatic bypass mode to continue traffic flow in
the event of a failure. For high availability, two or more AppNav Controller Interface Modules should
be deployed in an AppNav cluster. For more information on using inline mode with the AppNav solution,
see Chapter 4, “Configuring AppNav.”
You can configure the inline WAE to accept traffic only from certain VLANs; for all other VLANs,
traffic is bridged and not processed.
You can serially cluster inline WAE devices to provide higher availability in the event of a device failure.
If the current optimizing device fails, the second inline WAE device in the cluster provides the
optimization services. Deploying WAE devices in a serial inline cluster for the purposes of scaling or
load balancing is not supported.
For more information about inline mode, see the “Using Inline Mode Interception” section on page 5-42.
Failure Resiliency and Protection
Cisco WAAS provides a high-availability failover (and load-balancing) function that minimizes the
probability and duration of CIFS downtime.
If a WAE configured for CIFS fails, all peer WAEs configured to operate with it are redirected to work
with an alternate WAE. This operation maintains high availability without service interruption.
This change may not be transparent to users, which means that client connections are closed and require
CIFS clients to reestablish their connection. Whether such changes impact currently running
applications depends on the behavior of the application being used, and on the behavior of the specific
CIFS client. Typically, however, the transition is transparent to the client.
RAID Compatibility
Cisco WAAS provides the following Redundant Array of Independent Disks (RAID) capability for
increased storage capacity or increased reliability:
• Logical Disk Handling with RAID-5—Logical disk handling with Redundant Array of Independent
Disks-5 (RAID-5) is implemented in WAAS as a hardware feature. RAID-5 devices can create a
single logical disk drive that may contain up to six physical hard disk drives, providing increased
logical disk capacity.
Systems with RAID-5 can continue operating if one of the physical drives fails or goes offline.
• Logical Disk Handling with RAID-1—Logical disk handling with RAID-1 is implemented in
WAAS as a software feature. RAID-1 uses disk mirroring to write data redundantly to two or more
drives, providing increased reliability.
Because the software must perform each disk write operation against two disk drives, the filesystem
write performance may be affected.
• Disk Hot-Swap Support—WAAS for RAID-1 allows you to hot-swap the disk hardware. RAID-5
also allows you to hot-swap the disk hardware after the RAID array is shut down. For the disk
removal and replacement procedures for RAID systems, see Chapter 16, “Maintaining Your WAAS
System.”
Streamlined Security
Cisco WAAS supports disk encryption, which addresses the need to securely protect sensitive
information that flows through deployed WAAS systems and that is stored in WAAS persistent storage.
Cisco WAAS does not introduce any additional maintenance overhead on already overburdened IT staffs.
Cisco WAAS avoids adding its own proprietary user management layer, and instead makes use of the
users, user credentials, and access control lists maintained by the file servers. All security-related
protocol commands are delegated directly to the source file servers and the source domain controllers.
Any user recognized on the domain and source file server is automatically recognized by Cisco WAAS
with the same security level, without additional configuration or management.
Cisco WAAS delegates access control and authentication decisions to the origin file server.
SNMP Support
Cisco WAAS supports Simple Network Management Protocol (SNMP) including SNMPv1, SNMPv2,
and SNMPv3. Cisco WAAS supports many of the most commonly used SNMP managers, such as HP
OpenView and IBM Tivoli NetView.
Most Cisco WAAS traps are also recorded in the logs displayed in the WAAS Central Manager GUI,
although some (such as exceeding the maximum number of sessions) are reported only to the SNMP
manager.
Cisco WAAS supports parameters based on SNMPv2, enabling it to integrate into a common SNMP
management system. These parameters enable system administrators to monitor the current state of the
WAAS network and its level of performance.
Exported parameters are divided into the following categories:
• General parameters—Includes the version and build numbers and license information.
• Management parameters—Includes the location of the Central Manager.
• Data center WAE parameters—Includes the general parameters, network connectivity parameters,
and file servers being exported.
• Branch WAE parameters—Includes the general parameters, network connectivity parameters, CIFS
statistics, and cache statistics.
For more information about SNMP and supported MIBs, see Chapter 18, “Configuring SNMP
Monitoring.”
Chapter 2
Planning Your WAAS Network
This chapter describes general guidelines, restrictions, and limitations that you should be aware of before
you set up your Wide Area Application Services (WAAS) network.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, WAE
Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS, and
vWAAS instances.
This chapter contains the following sections:
• Checklist for Planning Your WAAS Network, page 2-1
• Site and Network Planning, page 2-4
• About Autoregistration and WAEs, page 2-8
• Identifying and Resolving Interoperability Issues, page 2-10
• WAAS Devices and Device Mode, page 2-15
• Calculating the Number of WAAS Devices Needed, page 2-18
• Supported Methods of Traffic Redirection, page 2-19
• Access Lists on Routers and WAEs, page 2-25
• WAAS Login Authentication and Authorization, page 2-26
• Logically Grouping Your WAEs, page 2-27
• Data Migration Process, page 2-28
Checklist for Planning Your WAAS Network
Cisco Wide Area Application Engines (WAEs) that are running the WAAS software can be used by
enterprises or service providers to optimize the application traffic flows between their branch offices and
data centers. You deploy WAE nodes at the WAN endpoints near the networked application clients and
their servers, where they intercept WAN-bounded application traffic and optimize it. You must insert
WAE nodes into the network flow at defined processing points.
WAAS software supports the following three typical network topologies:
• Hub and spoke deployments—In a hub and spoke deployment, servers are centralized and branch
offices host clients and a few local services only (for example, WAAS printing services).
• Mesh deployments—In a mesh deployment, any location may host both clients and servers and the
clients may access any number of local or remote servers.
• Hierarchical deployments—In a hierarchical deployment, the servers are located in multiple
regional, national data centers and are accessed by the different clients. The connections between
the data centers are of higher bandwidth than the connections to the branch offices.
The deployments are characterized according to the WAAS element connections, which follow the
client-server access pattern and may differ from the physical network links. For more information, see
Chapter 1, “Introduction to Cisco WAAS.”
Planning Checklist
When you are planning your WAAS network, use the following checklist as a guideline. As the following
checklist indicates, you can break the planning phase into the following three main categories of
planning activities:
• Sizing phase
• Planning for management
• Planning for application optimization
Note
Although there are some interdependencies, you do not need to complete all of the steps in a particular
planning phase before you start the next step.
To plan your network, follow these guidelines:
1. Complete the sizing phase, which includes the following tasks:
• Determine which locations in your existing network require WAAS optimization (for example,
which branch offices and data centers).
• Determine if you are going to use a traditional WAAS deployment model or the AppNav deployment
model. For more information on AppNav, see Chapter 4, “Configuring AppNav.”
• Determine the number and models of the WAAS devices that are required for each location. Some
key factors in this selection process are the WAN bandwidth, the number of users, and the expected
use. Various hardware configurations are possible (for example, different hard disk models and
RAM size). Consider running a cluster of WAEs where additional scalability and/or failover is
required. For more information, see the “Calculating the Number of WAAS Devices Needed”
section on page 2-18.
• Verify that you have purchased sufficient licenses to cover your needs.
2. Plan for management as follows:
• Complete site and network planning (for example, obtain the IP and routing information including
IP addresses and subnets, routers and default gateway IP addresses, and the hostnames for the
devices). See the “Checklist of WAAS Network System Parameters” table in the Cisco Wide Area
Application Services Quick Configuration Guide.
• Determine the login authentication and login authorization methods (for example, external
RADIUS, TACACS+, Windows domain servers) and accounting policies that you want your WAAS
Central Managers and WAEs to use. For more information, see Chapter 7, “Configuring
Administrative Login Authentication, Authorization, and Accounting.”
• For security purposes, plan to change the predefined password for the predefined superuser account immediately after you have completed the initial configuration of a WAE. For more information, see the “WAAS Login Authentication and Authorization” section on page 2-26.
• Determine if you need to create any additional administrative accounts for a WAAS device. For more information, see Chapter 8, “Creating and Managing Administrator User Accounts and Groups.”
• Determine if you should group your WAEs into logical groups. For more information, see the “Logically Grouping Your WAEs” section on page 2-27.
• Determine which management access method to use. By default, Telnet is used, but SSH may be the preferred method in certain deployments. For more information, see the “Configuring Login Access Control Settings for WAAS Devices” section on page 7-7.
3. Plan for application optimization as follows:
• Determine and resolve router interoperability issues (for example, the supported hardware and software versions, router performance with interception enabled). For more information, see the “Site and Network Planning” section on page 2-4.
• Determine the appropriate interception location when the data center or branch office is complex (for example, if your existing network uses a hierarchical topology).
• Determine which WAAS services to deploy. For more information about the different WAAS services, see Chapter 1, “Introduction to Cisco WAAS.”
• Determine which WAAS software licenses to install. Software licenses enable specific WAAS services. For more information about installing software licenses, see the “Managing Software Licenses” section on page 10-3.
• Determine which traffic interception methods to use in your WAAS network (for example, inline mode, WCCP Version 2, or policy-based routing (PBR)). For more information, see the “Supported Methods of Traffic Redirection” section on page 2-19.
Note
WCCP works only with IPv4 networks.
• If you plan to use the WCCP TCP promiscuous mode service as a traffic interception method, determine whether you should use IP access control lists (ACLs) on your routers.
Note
IP ACLs that are defined on a router take precedence over the ACLs that are defined on the WAE. For more information, see the “Access Lists on Routers and WAEs” section on page 2-25.
• Determine whether you need to define IP ACLs or interception ACLs on the WAEs. For more information, see the “Access Lists on Routers and WAEs” section on page 2-25.
Note
ACLs that are defined on a WAE take precedence over the WAAS application definition policies that are defined on the WAE.
• If PBR is to be used, determine which PBR method to use to verify PBR next-hop availability for your WAEs. For more information, see the “Methods of Verifying PBR Next-Hop Availability” section on page 5-39.
• Determine the major applications for your WAAS network. Verify whether the predefined application definition policies cover these applications and whether you should add policies if your applications are not covered by these predefined policies. For a list of the predefined application definition policies, see Appendix A, “Predefined Optimization Policy.”
• Consider day zero migration of file systems if file servers are to be centralized in the process. For more information, see the “Data Migration Process” section on page 2-28.
After you complete the planning tasks, you are ready to perform a basic configuration of a WAAS
network as described in the Cisco Wide Area Application Services Quick Configuration Guide.
Site and Network Planning
Before you install and deploy WAAS devices in your network, you need to collect information about
your network to accommodate the integration of the WAAS devices.
In a typical distributed organizational layout, there are two types of networks where WAAS devices are installed:
• The data center (central office), where one or more colocated data center WAEs provide access to the resident file and application servers. In data centers, you can deploy a WAE as a single device or a pair of WAEs as a high-availability or load-sharing pair. High-availability pairs are supported if either WCCP Version 2 or PBR is being used for traffic redirection in the data center; load-sharing pairs are only supported if WCCP Version 2 is being used for traffic redirection in the data center.
• The branch offices, where branch WAEs enable users to access the file and application servers over the WAN. In branch offices, you can deploy a WAE as a single device or a pair of WAEs as a high-availability or load-sharing pair. High-availability pairs are supported if either WCCP Version 2 or PBR is being used for traffic redirection in the branch office; load-sharing pairs are only supported if WCCP Version 2 is being used for traffic redirection in the branch office.
In collaborative networks, colocated data center WAEs and branch WAEs are deployed throughout the
network. These colocated WAEs are configured to share data in opposite directions (two cross-linked
servers).
The WAE attaches to the LAN as an appliance. A WAE relies on packet interception and redirection to
enable application acceleration and WAN optimization. Consequently, traffic interception and
redirection to a WAE must occur at each site where a WAE is deployed. Traffic interception and
redirection occurs in both directions of the packet flow. Because Layer 3 and Layer 4 headers are
preserved, you may need to ensure that you always connect a WAE to a tertiary interface (or a
subinterface) on the router to avoid routing loops between the WAE and WCCP or PBR-enabled router
that is redirecting traffic to it. For more information on this topic, see the “Using Tertiary Interfaces or
Subinterfaces to Connect WAEs to Routers” procedure on page 2-24.
Note
We strongly recommend that you do not use half-duplex connections on the WAE or on routers, switches,
or other devices. Half duplex impedes performance and should not be used. Check each Cisco WAE
interface and the port configuration on the adjacent device (router, switch, firewall, or WAE) to verify
that full duplex is configured.
Note
The data center WAE and branch WAE communicate with each other only if the firewall is open.
Note
WAAS versions 5.x and lower do not support the TCP timestamp (TSVAL) option.
This section contains the following topics:
• Windows Network Integration, page 2-5
• UNIX Network Integration, page 2-6
• CIFS-Related Ports in a WAAS Environment, page 2-6
• Firewalls and Directed Mode, page 2-7
• Firewalls and Standby Central Managers, page 2-7
• Performance Tuning for High WAN Bandwidth Branch Offices, page 2-7
Windows Network Integration
To successfully integrate WAAS devices into the Windows environment, you might need to make certain
preparations on both the data center WAE and branch WAE sides of the network. This section contains
the following topics:
• Data Center WAE Integration, page 2-5
• Branch WAE Integration, page 2-5
Data Center WAE Integration
Before the initial configuration of the data center WAE, you need to know the following parameters:
• WINS server (if applicable).
• DNS server and DNS domain (if applicable).
• A browsing user with file-server directory traversal (read-only) privileges. This user, who is usually set up as a domain or service user, is required for running preposition policies.
To successfully integrate Cisco WAAS into the Windows environment on the data center WAE side of a
network where DHCP is not being used, you must manually add the name and IP address of the data
center WAE to the DNS server. You should take this action before installing and deploying the WAAS
devices.
Note
User permissions are determined by the existing security infrastructure.
Branch WAE Integration
Before the initial configuration of the branch WAE, you need to know the following parameters:
• DNS server and DNS domain
• Windows Domain Name
• WINS server (if applicable)
To successfully integrate Cisco WAAS into the Windows environment on the branch WAE side of the
network, you should take the following preliminary actions before installing and deploying the WAAS
devices in your network:
• To enable all branch WAEs in the specified domain to appear in the Network Neighborhood of users within the same domain, ensure that a Domain Master Browser or local Master Browser is active.
• If DHCP is not used, you must manually add the name and IP address of the branch WAE to the DNS server.
UNIX Network Integration
Before the initial configuration of a WAAS device, you need to know the following parameters:
• DNS server and DNS domain.
• NIS server parameters (if applicable).
• On the data center WAE side, a browsing UID or GID with file-server directory traversal (read-only) privileges. This UID or GID, which is usually set up as a domain or service user, is required for browsing when defining coherency policies.
To successfully integrate Cisco WAAS into the UNIX environment, you need to perform these actions on both the data center WAE and branch WAE sides of the network:
• You must manually add the name and IP address of both the data center WAE and the branch WAE to the DNS server.
• When separate domains are used, UNIX users may be defined at the remote (branch) offices or on the central servers. This situation may result in the same user name being defined in different domains. A user may be defined differently in the branch and center or may be defined only on one end and not on the other. You can ensure consistency in such cases by using NIS or by mapping between the different domains, either manually or automatically. That is, users can be mapped from the remote server to the central servers by translating their identities from the central office to the remote offices.
Note
To map users using automatic management, you must first configure the NIS server in both the data center WAE (primary) and branch WAE (secondary).
CIFS-Related Ports in a WAAS Environment
This section describes the CIFS-related ports used between your clients, WAEs that are functioning as
file engines, and CIFS file servers. Most CIFS communication occurs between the branches and the
central office. This communication is encrypted and delivered through the organization’s VPN. No ports
on the firewall need to be opened because all communication is tunneled internally.
You only need to change the firewall setup if administrative or other maintenance work needs to be done
from a location outside the organization.
Ports 139 and 445
If you have only deployed CIFS services in your WAAS network, your WAAS network uses ports 139
and 445 to connect clients to a branch WAE and to connect a data center WAE to the associated file
servers. The port used depends on the configuration of your WAAS network.
If WCCP is enabled or inline mode is used, the branch WAE accepts client connections on ports 139 or 445. If neither WCCP nor inline mode is enabled, the branch WAE accepts connections only over port 139.
Your WAAS network always tries to use the same port to communicate end-to-end. Consequently, if a
client uses port 445 to connect to a branch WAE, the associated data center WAE will try to use the same
port to connect to the file server. If port 445 is unavailable, the data center WAE will try to use port 139.
Some organizations close port 139 on their networks to minimize security risks associated with this port.
If your organization has closed port 139 for security reasons, you can configure your WAAS network to
bypass port 139. If this is the case in your organization, you need to perform the following task to bypass
port 139 and use port 445 in its place if you have only deployed the CIFS services in your WAAS
network:
• Enable WCCP Version 2 on your routers and branch WAE, as described in the Cisco Wide Area Application Services Quick Configuration Guide. Alternatively, you can use inline mode on a branch WAE with a Cisco WAE Inline Network Adapter or Cisco Interface Module installed.
Ports 88 and 464
If you are using Windows Domain authentication with Kerberos enabled, the WAE uses ports 88 and 464
to authenticate clients with the domain controller.
Firewalls and Directed Mode
By default, WAAS transparently sets up new TCP connections to peer WAEs, which can cause firewall
traversal issues when a WAAS device tries to optimize the traffic. If a WAE device is behind a firewall
that prevents traffic optimization, you can use the directed mode of communicating to a peer WAE. In
directed mode, all TCP traffic that is sent to a peer WAE is encapsulated in UDP, which allows a firewall
to either bypass the traffic or inspect the traffic (by adding a UDP inspection rule).
Any firewall between two WAE peers must be configured to pass UDP traffic on port 4050, or whatever
custom port is configured for directed mode if a port other than the default is used.
If a WAE using directed mode is behind a NAT device, you must configure the NATed IP address on the
WAE.
For more information about configuring directed mode, see the “Configuring Directed Mode” section on
page 6-27.
Firewalls and Standby Central Managers
Primary and standby Central Managers communicate on port 8443. If your network includes a firewall
between primary and standby Central Managers, you must configure the firewall to allow traffic on port
8443 so that the Central Managers can communicate and stay synchronized.
Performance Tuning for High WAN Bandwidth Branch Offices
WAAS combines Layer-4 TCP optimizations with Layer-7 application accelerators for various protocols
including CIFS. For some branch offices with high WAN bandwidth (for example, above 50 Mbps), if
the native latency is low (for example, below 20 ms RTT), depending on the number of user sessions and
data patterns, applying Layer-4 optimizations alone may provide optimal levels of performance. In such
cases, we recommend measuring end-user response times under production load to determine the
appropriate operational state for the application accelerators and sizing.
About Autoregistration and WAEs
Autoregistration automatically configures network settings and registers WAEs with the WAAS Central
Manager device. On startup, devices running WAAS software (with the exception of the WAAS Central
Manager device itself) automatically discover the WAAS Central Manager device and register with it.
You do not need to manually configure the device. This feature is useful for large scale automated
deployments of devices. Once a WAE is registered, you configure the device remotely using the WAAS
Central Manager GUI.
In the example configuration provided in the Cisco Wide Area Application Services Quick Configuration
Guide, the autoregistration feature is disabled on the WAEs when the setup utility is used to perform the
initial configuration of the device.
Autoregistration uses a form of Dynamic Host Configuration Protocol (DHCP). For autoregistration to
function, you must have a DHCP server that is configured with the hostname of the WAAS Central
Manager and that is capable of handling vendor class option 43.
Note
The form of DHCP used for autoregistration is not the same as the interface-level DHCP that is
configurable through the ip address dhcp interface configuration command. (For a description of the ip
address dhcp interface configuration command, see the Cisco Wide Area Application Services
Command Reference.)
The vendor class option (option 43) information needs to be sent to the WAAS device in the format for
encapsulated vendor-specific options as provided in RFC 2132. The relevant section of RFC 2132,
Section 8.4, is reproduced here as follows:
The encapsulated vendor-specific options field should be encoded as a sequence of
code/length/value fields of syntax identical to that of the DHCP options field with the following
exceptions:
a. There should not be a “magic cookie” field in the encapsulated vendor-specific extensions field.
b. Codes other than 0 or 255 may be redefined by the vendor within the encapsulated
vendor-specific extensions field but should conform to the tag-length-value syntax defined in
section 2.
c. Code 255 (END), if present, signifies the end of the encapsulated vendor extensions, not the end
of the vendor extensions field. If no code 255 is present, then the end of the enclosing
vendor-specific information field is taken as the end of the encapsulated vendor-specific
extensions field.
In accordance with the RFC standard, the DHCP server needs to send the WAAS Central Manager’s
hostname information in code/length/value format (code and length are single octets). The code for the
WAAS Central Manager’s hostname is 0x01. DHCP server management and configuration are not within
the scope of the autoregistration feature.
Note
The WAE sends “CISCOCDN” as the vendor class identifier in option 60 to facilitate your grouping of
WAEs into device groups.
Autoregistration DHCP also requires that the following options be present in the DHCP server’s offer to
be considered valid:
• Subnet-mask (option 1)
• Routers (option 3)
• Domain-name (option 15)
• Domain-name-servers (option 6)
• Host-name (option 12)
In contrast, interface-level DHCP requires only subnet-mask (option 1) and routers (option 3) for an
offer to be considered valid; domain-name (option 15), domain-name-servers (option 6), and host-name
(option 12) are optional. All of the above options, with the exception of domain-name-servers (option 6),
replace the existing configuration on the system. The domain-name-servers option is added to the
existing list of name servers with the restriction of a maximum of eight name servers.
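The option 43 encoding reproduced above from RFC 2132 and the list of options an offer must carry, worked through as an added example that is not Cisco code and not part of this guide: a Python encoder and decoder for the encapsulated vendor-specific field that carries the Central Manager hostname under code 0x01 (no magic cookie, optional code 255 END), a check of which options an offer lacks for autoregistration versus interface-level DHCP, and the eight-name-server cap applied when option 6 is merged into the existing list. The sample offer, its addresses and hostnames, and the skipping of duplicate name servers are constructed assumptions for the example; the guide states only the cap.

```python
"""
DHCP pieces that WAAS autoregistration depends on, as an added illustration.

Not Cisco code: it encodes the RFC 2132 section 8.4 encapsulated
vendor-specific option (option 43) carrying the Central Manager hostname
under code 0x01, decodes it back (honouring the END rule and the
no-magic-cookie rule), reports which options an offer is missing for
autoregistration versus interface-level DHCP, and applies the eight
name-server cap to option 6. The offer below is constructed sample data.
"""
from typing import Dict, List, Optional, Set

CM_HOSTNAME_CODE = 0x01          # code for the Central Manager hostname inside option 43
END_CODE = 0xFF                  # code 255: end of the encapsulated vendor extensions
PAD_CODE = 0x00                  # code 0: single-octet pad, no length/value
MAX_NAME_SERVERS = 8             # cap on the merged domain-name-servers list

# Options the offer must carry for autoregistration (option 43 is checked separately)
AUTOREG_REQUIRED: Set[int] = {1, 3, 6, 12, 15}
# Options interface-level DHCP ("ip address dhcp") requires
IFACE_DHCP_REQUIRED: Set[int] = {1, 3}


def encode_option43(cm_hostname: str, with_end: bool = True) -> bytes:
    """Build the encapsulated payload: code/length/value, no magic cookie, optional END."""
    value = cm_hostname.encode("ascii")
    if not 1 <= len(value) <= 255:
        raise ValueError("hostname must fit a single-octet length field")
    payload = bytes([CM_HOSTNAME_CODE, len(value)]) + value
    if with_end:
        payload += bytes([END_CODE])
    return payload


def decode_option43(payload: bytes) -> Dict[int, bytes]:
    """Parse code/length/value fields. Code 255 ends the encapsulated field; if it is
    absent, the end of the enclosing option does (RFC 2132, 8.4 c). Code 0 is a pad."""
    fields: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == END_CODE:
            break
        if code == PAD_CODE:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option: length octet missing")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option: value shorter than declared length")
        fields[code] = value
        i += 2 + length
    return fields


def cm_hostname_from_offer(options: Dict[int, bytes]) -> Optional[str]:
    """Return the Central Manager hostname carried in option 43, or None."""
    if 43 not in options:
        return None
    sub = decode_option43(options[43])
    if CM_HOSTNAME_CODE not in sub:
        return None
    return sub[CM_HOSTNAME_CODE].decode("ascii")


def missing_options(options: Dict[int, bytes], mode: str) -> Set[int]:
    """Option codes the offer lacks for the given mode ('autoregistration' or 'interface')."""
    required = AUTOREG_REQUIRED if mode == "autoregistration" else IFACE_DHCP_REQUIRED
    return required - set(options)


def offer_usable_for_autoregistration(options: Dict[int, bytes]) -> bool:
    """Valid offer (all five required options present) that also names the Central Manager."""
    return not missing_options(options, "autoregistration") and cm_hostname_from_offer(options) is not None


def merge_name_servers(existing: List[str], option6: bytes) -> List[str]:
    """Option 6 (4-octet IPv4 addresses) is appended to the existing list, capped at eight.
    Skipping duplicates is this example's assumption; the guide only states the cap."""
    offered = [".".join(str(b) for b in option6[i:i + 4]) for i in range(0, len(option6) // 4 * 4, 4)]
    merged = list(existing)
    for ns in offered:
        if ns not in merged and len(merged) < MAX_NAME_SERVERS:
            merged.append(ns)
    return merged


# Constructed sample offer: option code -> raw value, as a client would have parsed it.
SAMPLE_OFFER: Dict[int, bytes] = {
    1: bytes([255, 255, 255, 0]),                 # subnet-mask
    3: bytes([10, 1, 1, 1]),                      # routers
    6: bytes([10, 1, 1, 53, 10, 1, 2, 53]),       # domain-name-servers (two addresses)
    12: b"branch-wae-1",                          # host-name (constructed)
    15: b"example.test",                          # domain-name (constructed)
    43: encode_option43("waas-cm.example.test"),  # vendor-specific, CM hostname under 0x01
}

if __name__ == "__main__":
    print("CM hostname:", cm_hostname_from_offer(SAMPLE_OFFER))
    print("missing for autoregistration:", missing_options(SAMPLE_OFFER, "autoregistration"))
    minimal = {1: SAMPLE_OFFER[1], 3: SAMPLE_OFFER[3]}
    print("minimal offer, interface-level DHCP missing:", missing_options(minimal, "interface"))
    print("minimal offer, autoregistration missing:", sorted(missing_options(minimal, "autoregistration")))
    print("merged name servers:", merge_name_servers(["10.0.0.2"], SAMPLE_OFFER[6]))
```

Running the module shows the distinction the text draws: an offer with only subnet-mask and routers satisfies interface-level DHCP but leaves autoregistration short of options 6, 12 and 15, and a decoder that treats the end of the enclosing field as END handles servers that omit code 255.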
Autoregistration is enabled by default on the first interface of the device. On an NME-WAE module,
autoregistration is enabled on the configured interface. On an SM-SRE module, autoregistration is
disabled by default.
Note
You must disable autoregistration when both device interfaces are configured as port-channel interfaces.
If you do not have a DHCP server, the device is unable to complete autoregistration and eventually times
out. You can disable autoregistration at any time after the device has booted and proceed with manual
setup and registration.
To disable autoregistration, or to configure autoregistration on a different interface, use the no
auto-register enable command in global configuration mode.
Note
Autoregistration is automatically disabled if a static IP address is configured or if interface-level DHCP
is configured on the same interface as autoregistration. (See the “Selecting Static IP Addresses or Using
Interface-Level DHCP” section on page 2-9.)
The following example disables autoregistration on the interface GigabitEthernet 1/0:
WAE(config)# no auto-register enable GigabitEthernet 1/0
Autoregistration status can be obtained by using the following show EXEC command:
WAE# show auto-register
Selecting Static IP Addresses or Using Interface-Level DHCP
During the initial configuration, you have the option of configuring a static IP address for the device or
choosing DHCP.
DHCP is a communications protocol that allows network administrators to manage their networks
centrally and automate the assignment of IP addresses in an organization’s network. When an
organization sets up its computer users with a connection to the network, an IP address must be assigned
to each device. Without DHCP, the IP address must be entered manually for each computer, and if
computers move to another location in another part of the network, the IP address must be changed
accordingly. DHCP automatically sends a new IP address when a computer is connected to a different
site in the network.
If you have a DHCP server configured, autoregistration will automatically configure the network settings
and register WAEs with the WAAS Central Manager device upon bootup.
If you do not have a DHCP server configured, or you have a DHCP server but do not want to use the autoregistration feature, then manually configure the following network settings with the interactive setup utility or CLI, then register the WAEs with the WAAS Central Manager device. Configure these settings:
• Ethernet interface
• IP domain name
• Hostname
• IP name server
• Default gateway
• Primary interface
When a WAAS device boots, you are prompted to run the first-time setup utility (enter basic
configuration), which you use to set up the basic device network settings for the WAE.
Identifying and Resolving Interoperability Issues
This section describes how to identify and resolve interoperability issues. It contains the following
topics:
• Interoperability and Support, page 2-10
• WAAS and Cisco IOS Interoperability, page 2-11
• WAAS Compatibility with other Cisco Appliances and Software, page 2-15
Interoperability and Support
This section contains the following topics:
• Unicode Support for the WAAS GUI Interfaces, page 2-10
• Unicode Support Limitations, page 2-11
For a list of the hardware, CIFS clients, and web browsers supported by the WAAS software, see the
Release Note for Cisco Wide Area Application Services.
Unicode Support for the WAAS GUI Interfaces
The WAAS software supports Unicode in the WAAS Central Manager and the WAE Device Manager
GUI interfaces.
In the WAAS Central Manager, you can create preposition policies that include Unicode characters. For
example, you can define a preposition policy for a directory that contains Unicode characters in its name.
Specifically, the following fields in the WAAS Central Manager GUI support Unicode:
• The root directory and file pattern fields in the preposition policies
In the WAE Device Manager GUI, you can include Unicode characters in the name of the backup
configuration file. In addition, the logs included in the WAE Device Manager GUI can display Unicode
characters.
Unicode Support Limitations
The following are Unicode support limitations:
• Usernames cannot contain Unicode characters.
• When defining policies for coherency, and so on, you cannot use Unicode characters in the Description field.
• File server names cannot contain Unicode characters.
WAAS and Cisco IOS Interoperability
This section describes the interoperability of the WAAS software with the Cisco IOS features for a basic WAAS deployment that uses WCCP-based interception and transparent transport and contains the following topics:
• WAAS Support of the Cisco IOS QoS Classification Feature, page 2-11
• WAAS Support of the Cisco IOS NBAR Feature, page 2-12
• WAAS Support of the Cisco IOS Marking, page 2-13
• WAAS Support of the Cisco IOS Queuing, page 2-13
• WAAS Support of the Cisco IOS Congestion Avoidance, page 2-13
• WAAS Support of the Cisco IOS Traffic Policing and Rate Limiting, page 2-13
• WAAS Support of the Cisco IOS Signaling, page 2-13
• WAAS Support of the Cisco IOS Link-Efficiency Operations, page 2-13
• WAAS Support of the Cisco IOS Provisioning, Monitoring, and Management, page 2-14
• WAAS and Management Instrumentation, page 2-14
• WAAS and MPLS, page 2-15
Note
The WAAS software does not support Cisco IOS IPv6 and Mobile IP.
We recommend that you use Cisco IOS Software Release 12.2 or later.
WAAS Support of the Cisco IOS QoS Classification Feature
You classify packets by using a policy filter (for example, using QPM) that is defined on the packets.
You may use the following policy filter properties:
• Source IP address or hostname—Supported under WAAS because the source IP address is preserved by the WAAS device.
• Source TCP/UDP port (or port range)—Supported under WAAS because the source port is preserved by the WAAS device.
• Destination IP address or hostname—Supported under WAAS because the destination IP is preserved by WAAS. WAAS relies on interception at the data center for redirecting traffic to the peer WAAS device.
• Destination TCP/UDP port (or port range)—Supported under WAAS because the destination IP is preserved by WAAS. WAAS relies on interception at the data center for redirecting traffic to the peer WAAS device.
• DSCP/IP precedence (TOS)—Supported under WAAS because WAAS copies the settings of incoming packets on to the outgoing packets from WAAS back to the router. If the packets are not colored at connection establishment time (for TCP packets), there might be a delay in propagating the settings because WAAS does not poll these settings periodically. The packets are eventually colored properly. When packets are not colored, they are left uncolored by the WAAS software.
WAAS software does not support IPv6 QoS, MPLS QoS, ATM QoS, Frame Relay QoS, and Layer 2
(VLAN) QoS.
WAAS Support of the Cisco IOS NBAR Feature
Unlike a traditional type of classification that is specified through a policy filter that is listed in the
“WAAS Support of the Cisco IOS QoS Classification Feature” section on page 2-11, Network-Based
Application Recognition (NBAR) classification needs to consider payload. The classification keeps
track of any interceptor that modifies the payload because this modification might cause NBAR to not
be able to classify the packets. However, the WAAS software does support NBAR.
The following is an example flow of how the WAAS software supports NBAR:
1. A packet P1, which is part of a TCP stream S1, enters the router and is classified by NBAR on the LAN interface of the router as belonging to class C1. If the classification of P1 does not involve payload inspection (for example, only TCP/IP headers), no action needs to be taken because the WAAS software preserves this information.
2. If P1 classification requires payload inspection, P1 needs to be marked using the TOS/DSCP bits in the packet (as opposed to using other internal marking mechanisms).
3. P1 is then intercepted through WCCP Version 2 (still on the LAN interface; WCCP is processed after NBAR) and is redirected to a WAE.
4. WAAS applies any optimizations on the payload and copies the DSCP bit settings from the incoming TCP stream, S1, onto the outgoing stream, S2 (which is established between the local WAAS appliance and the remote WAAS appliance over the WAN). Because NBAR usually needs to see some payload before doing the classification, it is unlikely that WAAS will have the proper bit settings at connection-establishment time. Consequently, the WAAS software uses polling to inspect the DSCP bits on the incoming TCP stream, then copies them over to the stream from the WAAS device back to the router.
5. When S2 reenters the router, NBAR will not classify S2 as belonging to C1 because the payload has been changed or compressed. However, the DSCP settings have already marked these packets as belonging to C1. Consequently, these packets will be treated properly as if they were classified through NBAR.
As long as the flow is not identified, NBAR will continue to search for classification in the packets. Because compressed packets will not be classified, this situation can unnecessarily burden the CPU (doing packet inspection). Because of the potential degradation in performance and the slight possibility of correctness issues, we strongly recommend that you use a subinterface or a separate physical interface to connect the WAE to the router (as described in the “Using Tertiary Interfaces or Subinterfaces to Connect WAEs to Routers” section on page 2-24). When you use a tertiary interface or subinterface to connect the WAE to the router, both the performance and correctness issues are addressed because each packet is processed only once.
6. For dynamic classifications, NBAR maintains a per-flow state. Once certain flows are classified, NBAR does not continue to perform deep packet inspection. However, for other flows (for example, Citrix), NBAR does look at packets continuously because the classification may change dynamically in a flow. Therefore, in order to support all NBAR classifications, it is not sufficient to poll the DSCP settings of packets incoming to WAAS only once per flow; you need to poll periodically to identify flow changes. However, the WAAS system expects packets to appear in the sequence of packets belonging to class C1, followed by a sequence of C2, and so forth, so that a polling method is sufficient to track such dynamic changes.
Note
This dynamic classification support requires support for marking DSCP/ToS settings, as
specified in the “WAAS Support of the Cisco IOS QoS Classification Feature” section on
page 2-11, as well as the tracking of dynamic changes through polling.
To ensure NBAR-WAAS compliance, the router configuration must meet the following requirements:
• Ensure that classification is followed by proper DSCP marking.
• Ensure that the router in general (including IP access lists that are configured on the router) does not scrub DSCP/TOS settings that are already marked on the packets on entry, and that NBAR does not unmark marked packets.
WAAS Support of the Cisco IOS Marking
The Cisco IOS marking feature is supported by the WAAS software.
WAAS Support of the Cisco IOS Queuing
The Cisco IOS queuing feature for congestion management is supported by the WAAS software.
WAAS Support of the Cisco IOS Congestion Avoidance
The Cisco IOS congestion avoidance feature is supported by the WAAS software.
WAAS Support of the Cisco IOS Traffic Policing and Rate Limiting
The Cisco IOS traffic policing and rate-limiting feature is only partially supported by the WAAS
software. This Cisco IOS feature will work properly when enabled on an outbound interface. However,
when this feature is enabled on an inbound interface, it will see both compressed and uncompressed
traffic, and will result in inaccurate rate limiting.
WAAS Support of the Cisco IOS Signaling
The Cisco IOS signaling (RSVP) feature is typically implemented in MPLS networks. Because the
WAAS software does not interact with MPLS RSVP messages, the RSVP feature is supported.
WAAS Support of the Cisco IOS Link-Efficiency Operations
The Cisco IOS link-efficiency operations are supported by the WAAS software.
WAAS Support of the Cisco IOS Provisioning, Monitoring, and Management
The Cisco IOS AutoQoS feature is supported by the WAAS software but requires additional configuration. This feature is closely connected with NBAR support because the AutoQoS feature uses NBAR to discover the various flows on the network. However, because the Cisco IOS AutoQoS feature is strictly an outbound feature (for example, it cannot be enabled on the inbound side of an interface), a potential problem arises because enabling NBAR on the outbound interface is not supported.
To avoid this potential problem, enable the trust option of the AutoQoS feature on the following interfaces so that classification and queuing are performed based on the marked value (NBAR is not enabled on the outbound interface using this solution):
• On the LAN interface on which the input policy is created and on which the marking of the packets should be performed according to the AutoQoS marking (for example, interactive video marked to af41).
• On the WAN outbound interface.
WAAS and Management Instrumentation
For management instrumentation use with the WAAS software, note the following:
• When deployed in native (transparent) mode, WAAS maintains packet header information vital to
technologies such as NetFlow. NetFlow can be configured on adjacent devices and exports flow
record information in accordance with where NetFlow is configured in relation to the WAAS device.
For NetFlow configurations on the LAN side of a WAAS device, NetFlow exports records
containing information about original flows. For NetFlow configurations on the WAN side of a
WAAS device, NetFlow exports records containing information about optimized and pass-through
flows.
• You may see statistics on optimized and unoptimized traffic.
• IP Service Level Agreements (SLAs) are supported.
• Full support of policies based on Layer 3 and Layer 4 is provided. Policies based on Layer 7 are
partially supported because the first few messages are unoptimized.
• Intrusion Detection System (IDS) is partially supported. The first few messages are unoptimized to
allow IDS to detect the intrusive strings.
• Cisco IOS security is partially supported, with the exception of features that rely on Layer 5 and
above visibility.
• IPsec and SSL VPN are supported.
• Access control lists (ACLs) are supported. IP ACLs on the router take precedence over ACLs that
are defined on the WAE. For more information, see the “Access Lists on Routers and WAEs” section
on page 2-25.
• VPN is supported if the VPN is deployed after WCCP interception occurs.
Note
A WAAS device does not encrypt WAN traffic. If you require additional security measures,
you should use a VPN. However, the VPN appliances must encrypt and decrypt traffic after
and before the WAAS devices so that the WAAS device only sees unencrypted traffic. The
WAAS device is unable to compress encrypted traffic and provides only limited TCP
optimization to it.
• Network Address Translation (NAT) is supported. However, payload-based NAT is not supported.
WAAS and MPLS
MPLS is partially supported by the WAAS software. WCCP does not know how to operate with packets
that are tagged with MPLS labels. Consequently, inside the cloud, WCCP redirection will not function
(for example, WCCP redirection will not work for intermediate WAEs). However, as long as the
redirection occurs on interfaces that are outside the MPLS cloud, WAAS is supported.
WAAS Compatibility with other Cisco Appliances and Software
If a firewall is placed between the clients and the WAE on one side, and the router on the other side of
the firewall, default WCCP redirection does not work. However, if there is a router inside the firewall
and another router outside the firewall, default WCCP-based redirection does work and WAAS is
supported. You can also enable directed mode to avoid firewall traversal issues. For more information,
see the “Configuring Directed Mode” section on page 6-27.
Concatenating ACNS and WAAS devices in your network is supported. ACNS devices
optimize web protocols and can be used to serve content locally. WAAS devices optimize requests from
a Content Engine, which is an ACNS device that needs service from an upstream server or an upstream
Content Engine. The ability to concatenate ACNS and WAAS devices in a network has the following
benefits:
• If you have already deployed ACNS in your network, you can also deploy WAAS.
• If you have not already deployed ACNS in your network, but need certain ACNS features, you can
purchase ACNS and deploy it with WAAS.
WAAS Devices and Device Mode
You must deploy the WAAS Central Manager on a dedicated appliance. Although the WAAS Central
Manager device runs the WAAS software, its only purpose is to provide management functions. WAAS
Central Manager communicates with the WAEs, which are registered with it, in the network. Through
the WAAS Central Manager GUI, you can centrally manage the configuration of the WAEs individually
or in groups. WAAS Central Manager also gathers management statistics and logs for its registered
WAEs.
A WAE also runs the WAAS software, but its role is to act as an accelerator in the WAAS network.
In a WAAS network, you must deploy a WAAS device in one of the following device modes:
• WAAS Central Manager mode—Mode that the WAAS Central Manager uses.
• WAAS application accelerator mode—Mode that a WAAS Accelerator (data center WAEs and
branch WAEs that run the WAAS software) uses to optimize and accelerate traffic.
• WAAS AppNav Controller mode—Mode for a WAAS device that is operating as an AppNav
Controller (ANC) that is intercepting and distributing traffic to other WAAS devices operating in
application accelerator mode.
The default device mode for a WAAS device is WAAS accelerator mode. The device mode global
configuration command allows you to change the device mode of a WAAS device.
For example, after you use the WAAS CLI to specify the basic network parameters for the designated
WAAS Central Manager (the WAAS device named waas-cm) and assign it a primary interface, you can
use the device mode configuration command to specify its device mode as central-manager.
waas-cm# configure
waas-cm(config)# primary-interface gigabitEthernet 1/0
waas-cm(config)# device mode central-manager
waas-cm(config)# exit
waas-cm# copy run start
waas-cm# reload
Proceed with reload?[confirm]yes
Shutting down all services, will timeout in 15 minutes.
reload in progress ..
For more information about how to initially configure a WAAS device, see the Cisco Wide Area
Application Services Quick Configuration Guide.
Note
You cannot configure a WAE network module in the NME-WAE or SM-SRE family of devices to operate
in WAAS Central Manager mode.
You can configure a WAE with a Cisco WAE Inline Network Adapter to operate in WAAS Central
Manager mode, but the inline interception functionality is not available.
Changing Device Mode
If you want to change the device mode of a device that is already registered with a Central Manager, you
must first deregister the device from the Central Manager, change the device mode, reload the device,
and then reenable CMS services.
The following steps show how to change the device mode from application-accelerator to
appnav-controller:
Step 1
Deregister the device from the Central Manager.
wae# cms deregister
Deregistering WAE device from Central Manager will result in loss of data on encrypted
file systems, imported certificate/private keys for SSL service and cifs/wafs preposition
credentials. If secure store is initialized and open, clear secure store and wait for one
datafeed poll rate to retain cifs/wafs preposition credentails.
Do you really want to continue (yes|no) [no]?yes
Disabling management service.
management services stopped
Sending de-registration request to CM
SSMGR RETURNING: 7 (Success)
Removing cms database tables.
Re-initializing SSL managed store and restarting SSL accelerator.Deregistration complete.
Save current cli configuration using 'copy running-config startup-config' command because
CMS service has been disabled.
Step 2
Change the device mode to appnav-controller.
wae# configure
wae(config)# device mode appnav-controller
The new configuration will take effect after reload.
Step 3
Save the configuration and reload.
wae(config)# exit
wae# copy run start
wae# reload
Proceed with reload?[confirm]yes
Proceed with clean WCCP shutdown?[confirm]yes
WCCP clean shutdown initiated
Waiting for shutdown ok (1 seconds) . Press ^C to skip waiting
WCCP clean shutdown wait time expired
Shutting down all services, will timeout in 15 minutes.
reload in progress ..
Step 4
Log in to the WAE after it has finished rebooting.
AppNav Controller
wae login: admin
Password:
System Initialization Finished.
wae#
Step 5
Reenable CMS services.
wae# config
wae(config)# cms enable
Registering WAAS AppNav Controller...
Sending device registration request to Central Manager with address 10.43.65.50
Please wait, initializing CMS tables
Successfully initialized CMS tables
Registration complete.
Please preserve running configuration using 'copy running-config startup-config'.
Otherwise management service will not be started on reload and node will be shown
'offline' in WAAS Central Manager UI.
management services enabled
Step 6
Save the configuration.
wae(config)# exit
wae# copy run start
Note
When the AppNav IOM is used on WAVE devices (7571 and 8541 only) and the device mode is
AppNav Controller, the total TCP connection capacity for optimized traffic is reduced. This affects
only the local device hosting the AppNav Controller and not the connection capacity or the throughput
of the AppNav Controller itself. There is no impact on any other device that is a part of the AppNav
cluster.
The table shows the reduced number of connections on the AppNav Controller.

Platform   Application Accelerator   AppNav mode
7571       60,000                    50,000
8541       150,000                   140,000
Calculating the Number of WAAS Devices Needed
When the threshold value of an operational system aspect is exceeded, Cisco WAAS may not meet its
expected service level. This situation might result in degraded performance.
The source of the limitation might originate from a specific Cisco WAAS device (WAAS
Central Manager, branch WAE, or data center WAE), the entire Cisco WAAS system, a hardware
constraint, or the network connecting the distributed software entities. In some cases, the limitation
might be resolved by adding more resources or by upgrading the hardware or software.
When planning your network, consider the operational capacity, such as the number of users it should
support, how many files it should support, and how much data it should cache.
When planning your WAAS network, refer to the following additional guidelines:
• Number of WAAS Central Managers—All networks must have at least one WAAS Central
Manager. For larger networks, you should consider deploying two WAAS Central Managers for
active and standby back-up, high availability, and failover. A WAAS Central Manager is deployed
on a dedicated appliance.
• Number of WAEs—A minimum of two WAEs is required for traffic optimization; one WAE is
required on either side of a network link (for example, one in the branch office and one in the data
center). A single site can have more than one WAE for redundancy purposes.
• Number of branch WAEs—At least one branch WAE is required in each remote office. Larger offices
usually have multiple departments whose users work with different servers in the central office. In
this situation, you can manage your system more easily by following the organizational structure with a
branch WAE for each department. In certain situations, multiple branch WAEs can be clustered and
configured using WCCP to provide failover capabilities. WCCP is the recommended method for
larger user populations.
• Number of data center WAEs—Each organization must have at least one data center WAE.
• Number of ANCs—If you are using the AppNav deployment model, at least one ANC is required.
When determining the number of the component types required by your organization, consider the
following factors:
• Number of users connecting to the system—This number depends on the static and dynamic
capacities defined for the system:
– Static capacities—Define the number of user sessions that can connect to the system before it
reaches its capacity.
– Dynamic capacities—Define the amount of traffic handled by the servers, which means the
amount of work being performed on the network. For example, consider whether the users
currently connected to the system place a heavy or light load on it.
Note
You should calculate dynamic limits based on the specific load assumptions that are particular
to each customer.
• Total number of users in all branches that connect to the file servers through the data center WAE—
When the number of users is more than one data center WAE can support, you must add one or more
additional data center WAEs to the network.
Supported Methods of Traffic Redirection
In a WAAS network, traffic between the clients in the branch offices and the servers in the data center
can be redirected to WAEs for optimization, redundancy elimination, and compression. Traffic is
intercepted and redirected to WAEs based on policies that have been configured on the routers. The
network elements that transparently redirect requests to a local WAE can be a router using WCCP
version 2 or PBR to transparently redirect traffic to the local WAE or a Layer 4 to Layer 7 switch (for
example, the Catalyst 6500 series Content Switching Module [CSM] or Application Control Engine
[ACE]).
Alternately, a WAE that has the Cisco WAE Inline Network Adapter or Cisco Interface Module installed
can operate in inline mode and receive and optimize traffic directly before it passes through the router.
In an AppNav deployment, an AppNav Controller in the data center receives intercepted traffic through
WCCP, PBR, or inline mode and distributes it to WAAS nodes that optimize the traffic. For more
information on an AppNav deployment, see Chapter 4, “Configuring AppNav.”
This section contains the following topics:
• Advantages and Disadvantages of Using Inline Interception, page 2-19
• Advantages and Disadvantages of Using WCCP-Based Routing, page 2-20
• Advantages and Disadvantages of Using PBR, page 2-21
• Configuring WCCP or PBR Routing for WAAS Traffic, page 2-22
For detailed information about how to configure traffic interception for your WAAS network, see
Chapter 5, “Configuring Traffic Interception.”
Advantages and Disadvantages of Using Inline Interception
Inline interception requires using a WAE appliance that has the Cisco WAE Inline Network Adapter,
Cisco Interface Module, or Cisco AppNav Controller Interface Module installed. In inline mode, the
WAE can physically and transparently intercept traffic between the clients and the router. When using
this mode, you physically position the WAE device in the path of the traffic that you want to optimize,
typically between a switch and a router.
Because redirection of traffic is not necessary, inline interception simplifies deployment and avoids the
complexity of configuring WCCP or PBR on the routers.
The inline adapter or module contains one or more pairs of LAN/WAN Ethernet ports each grouped into
an inline or bridge group interface. If the inline adapter or module has multiple pairs of ports, it can
connect to multiple routers if the network topology requires it.
The inline or bridge group interface transparently intercepts traffic flowing through it or bridges traffic
that does not need to be optimized. It also uses a mechanical fail-safe design that automatically bridges
traffic if a power, hardware, or unrecoverable software failure occurs.
Note
AppNav Controller Interface Modules do not support automatic bypass mode to continue traffic flow in
the event of a failure. For high availability, two or more AppNav Controller Interface Modules should
be deployed in an AppNav cluster. For more information on using inline mode with the AppNav solution,
see Chapter 4, “Configuring AppNav.”
You can configure the inline or bridge group interface to accept traffic only from certain VLANs; for all
other VLANs, traffic is bridged and not processed.
You can serially cluster WAE devices (not AppNav Controllers) in inline mode to provide higher
availability in the event of a device failure. If the current optimizing device fails, the second WAE device
in the cluster provides the optimization services. Deploying WAE devices in a serial inline cluster for
the purposes of scaling or load balancing is not supported.
Any combination of traffic interception mechanisms on peer WAEs is supported. For example, you can
use inline interception on the branch WAE and WCCP on the data center WAE. For complex data center
deployments, we recommend that you use hardware-accelerated WCCP interception or load balancing
with the Cisco Application Control Engine (ACE) and a WAAS AppNav deployment.
For more information on inline interception, see the “Using Inline Mode Interception” section on
page 5-42.
Three elements can help ease traffic interception in data centers without using a WCCP-based approach:
• Multiple pairs of inline interfaces are available on certain WAE models:
– WAVE-294/594/694/7541/7571/8541 models support one installed Cisco Interface Module,
which can be configured with up to 16 inline ports in 8 inline groups, or one installed AppNav
Controller Interface Module, which can be configured with up to 12 inline ports in 5 bridge
groups.
– WAE-674/7341/7371 models support dual inline Cisco WAE Inline Network Adapters,
providing a total of 8 ports in 4 inline groups.
• Serial inline clustering of two WAEs (not AppNav Controllers) to support high availability.
• Interception ACLs to control what traffic is intercepted and what is passed through. For more
information on interception ACLs, see the “Configuring Interception Access Control Lists” section
on page 5-28.
Advantages and Disadvantages of Using WCCP-Based Routing
WCCP specifies interactions between one or more routers (or Layer 3 switches) and one or more
application appliances, web caches, and caches of other application protocols. The purpose of the
interaction is to establish and maintain the transparent redirection of selected types of traffic flowing
through a group of routers. The selected traffic is redirected to a group of appliances.
WCCP allows you to transparently redirect client requests to a WAE for processing. The WAAS software
supports transparent intercept of all TCP traffic.
To configure basic WCCP, you must enable the WCCP Version 2 service on the router and WAE or ANC
in the data center and the router and WAE in the branch office. You do not need to configure all of the
available WCCP features or services in order to get a WAE up and running.
Note
You must configure the routers and WAEs to use WCCP Version 2 instead of WCCP Version 1 because
WCCP Version 1 only supports web traffic (port 80).
WCCP is much simpler to configure than PBR. However, you need to have write access to the router in
order to configure WCCP on the router, which typically resides in the data center and on the edge of the
branch office. Another advantage of using WCCP is that you only need to perform a basic configuration
of WCCP on your routers and WAEs in order to get your WAE up and running.
The WCCP Version 2 protocol also has a set of useful features built-in, for example, automatic failover
and load balancing between multiple devices. The WCCP-enabled router monitors the liveliness of each
WAE or ANC that is attached to it through the WCCP keepalive messages. If a WAE goes down, the
router stops redirecting packets to the WAE. When you use WCCP Version 2, the branch WAE is not
made a single point of failure for the WAAS services. The router or ANC can also load balance the traffic
among a number of branch WAEs.
You can use CLI commands to configure basic WCCP on both the routers and the WAEs, or you can use
CLI commands to configure the router for WCCP and use the WAAS Central Manager GUI to configure
basic WCCP on the WAEs.
We recommend that you use the WAAS CLI to complete the initial basic configuration of WCCP on your
first branch WAE and data center WAE, as described in the Cisco Wide Area Application Services Quick
Configuration Guide. After you have verified that WCCP transparent redirection is working properly,
you can use the WAAS Central Manager GUI to centrally modify this basic WCCP configuration or
configure additional WCCP settings (for example, load balancing) for a WAE (or group of WAEs). For
more information, see the “Configuring WCCP on WAEs” section on page 5-11. After you have
configured basic WCCP on the router, you can configure advanced WCCP features on the router, as
described in the “Configuring Advanced WCCP Features on Routers” section on page 5-6.
Advantages and Disadvantages of Using PBR
PBR allows IT organizations to configure their network devices (a router or a Layer 4 to Layer 6 switch)
to selectively route traffic to the next hop based on the classification of the traffic. WAAS administrators
can use PBR to transparently integrate a WAE into their existing branch office network and data centers.
PBR can be used to establish a route that goes through a WAE for some or all packets, based on the
defined policies.
To configure PBR, you must create a route map and then apply the route map to the router interface on
which you want the transparent traffic redirection to occur. Route maps reference access lists that contain
explicit permit or deny criteria. The access lists define the traffic that is “interesting” to the WAE (that
is, traffic that the network device should transparently intercept and redirect to the local WAE). Route
maps define how the network device should handle “interesting” traffic (for example, send the packet to
the next hop, which is the local WAE).
The following list summarizes the main advantages of using PBR instead of WCCP Version 2 to
transparently redirect IP/TCP traffic to a WAE:
• PBR provides higher performance than WCCP Version 2 because there is no GRE overhead.
• By default, PBR uses CEF when CEF is enabled on the router, so packets are fast switched.
• PBR can be implemented on any Cisco IOS-capable router or switch that is running an appropriate
version of the Cisco IOS software. We recommend that you use Cisco IOS Software Release 12.2
or later.
• PBR provides failover if multiple next-hop addresses are defined.
The following list summarizes the main disadvantages of using PBR instead of WCCP Version 2 to
transparently redirect IP/TCP traffic to a WAE:
• PBR does not support load balancing between equal cost routes. Consequently, PBR does not
provide scalability for the deployment location.
• PBR is more difficult to configure than WCCP Version 2. For an example of how to configure PBR
for WAAS traffic, see the “Using Policy-Based Routing Interception” section on page 5-33.
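The route map and access list structure just described, written out as an added example (not from the Cisco guide) for Edge-Router1 in the branch office deployment of Figure 2-1 later in this section. Interface names and the WAN address 192.0.2.1 are assumed; the subnets 10.10.10.0/24 and 10.10.11.0/24 and the Edge-WAE1 address 1.1.1.100 come from the figure.

```cisco
! Added example, not from the Cisco guide. Edge-Router1, branch office of Figure 2-1.
! Assumed: interface names GigabitEthernet0/0 (A, LAN), GigabitEthernet0/1 (C, WAN),
! GigabitEthernet0/2 (B, tertiary interface to Edge-WAE1); WAN address 192.0.2.1 is a placeholder.
!
! The access list defines the "interesting" traffic: TCP between the branch clients and the
! data center servers, in both directions. Anything else does not match and is routed normally,
! so it never reaches the WAE.
ip access-list extended WAAS-INTERESTING
 permit tcp 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
 permit tcp 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! The route map sends interesting packets to the local WAE as the next hop. Listing a second
! next-hop address would give the failover mentioned above; PBR does not load balance between
! them. Packets that match no sequence fall through to normal routing.
route-map WAAS-PBR permit 10
 match ip address WAAS-INTERESTING
 set ip next-hop 1.1.1.100
!
! A: edge LAN interface. The policy is evaluated on packets arriving here, that is,
! client-to-server traffic.
interface GigabitEthernet0/0
 description A - edge LAN interface, branch clients 10.10.10.0/24
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map WAAS-PBR
!
! C: edge WAN interface. The same policy catches server-to-client traffic returning from
! the data center.
interface GigabitEthernet0/1
 description C - edge WAN interface toward Core-Router1
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map WAAS-PBR
!
! B: tertiary interface to Edge-WAE1. No policy is applied here, so packets coming back from
! the WAE are routed normally. This is what prevents the infinite routing loop that occurs
! when the WAE shares the segment of a policy-routed interface.
interface GigabitEthernet0/2
 description B - tertiary interface to Edge-WAE1 (1.1.1.100)
 ip address 1.1.1.1 255.255.255.0
```

Core-Router1 needs the mirror image of this configuration with Core-WAE1 (2.2.2.100) as the next hop, since the redirection must happen at both ends.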
Configuring WCCP or PBR Routing for WAAS Traffic
The primary function of WAAS is to accelerate WAN traffic. In general, WAAS accelerates TCP traffic.
WAAS uses a symmetric approach for application optimization. A WAE that has application-specific and
network-specific intelligence is placed on each side of the WAN. These WAEs are deployed out of the
data path in both the branch office and the data center.
Traffic between the clients in the branch offices and the servers at the data center is transparently
redirected through the WAEs based on a set of configured policies with no tunneling. The routers use
WCCP Version 2 or PBR to transparently intercept and redirect traffic to the local WAE for optimization,
redundancy elimination, and compression. For example, Edge-Router1 uses PBR or WCCP Version 2 to
transparently redirect traffic to Edge-WAE1, the local WAE in the branch office. Core-Router1 uses PBR
or WCCP Version 2 to transparently redirect traffic to the Core-WAE1, the local WAE in the data center.
Note
In this sample deployment, the Edge-Router1 and Core-Router1 could be replaced with Layer 4 to Layer
7 switches, which are capable of redirecting traffic to the local WAE.
Figure 2-1 shows that the WAEs (Edge-WAE1 and Core-WAE1) must reside in an out-of-band network
that is separate from the traffic’s destination and source. For example, Edge-WAE1 is on a subnet
separate from the clients (the traffic source), and Core-WAE1 is on a subnet separate from the file servers
and application servers (the traffic destination). Additionally, you may need to use a tertiary interface (a
separate physical interface) or a subinterface to attach a WAE to the router, which redirects traffic to it,
to avoid an infinite routing loop between the WAE and the router. For more information on this topic,
see the “Using Tertiary Interfaces or Subinterfaces to Connect WAEs to Routers” section on page 2-24.
Figure 2-1 Example of Using PBR or WCCP Version 2 for Transparent Redirection of All TCP Traffic to WAEs
[Figure not reproduced. It shows the branch office (10.10.10.0/24) with the clients, Edge-Router1
(interfaces A, B, and C) and Edge-WAE1 (1.1.1.100); the WAN; and the data center (10.10.11.0/24) with
Core-Router1 (interfaces D, E, and F), Core-WAE1 (2.2.2.100), the file servers and application servers,
and the WAAS Central Manager. Each router uses PBR or WCCP Version 2 to redirect traffic to its local WAE.]
Table 2-1 provides a summary of the router interfaces that you must configure to use PBR or WCCP
Version 2 to transparently redirect traffic to a WAE.
Table 2-1 Router Interfaces for WCCP or PBR Traffic Redirection to WAEs

Router interface   Description

Edge-Router1
A   Edge LAN interface (ingress interface) that performs redirection on the outbound traffic.
B   Tertiary interface (separate physical interface) or a subinterface off of the LAN port on Edge-Router1. Used to
    attach Edge-WAE1 to Edge-Router1 in the branch office.
C   Edge WAN interface (egress interface) on Edge-Router1 that performs redirection on the inbound traffic.

Core-Router1
D   Core LAN interface (ingress interface) that performs redirection on outbound traffic.
E   Tertiary interface or subinterface off of the LAN port on Core-Router1. Used to attach Core-WAE1 to
    Core-Router1 in the data center.
F   Core WAN interface (egress interface) on Core-Router1 that performs redirection on the inbound traffic.
This traffic redirection does not use tunneling; the full original quadruple (source IP address, source port
number, destination IP address, and destination port number) of the TCP traffic is preserved end to end.
The original payload of the TCP traffic is not preserved end to end because the primary function of
WAAS is to accelerate WAN traffic by reducing the data that is transferred across the WAN. This change
in payload can potentially impact features on the router (which is performing the WCCP or PBR
redirection) that need to see the actual payload to perform their operation (for example, NBAR). For more
information on this topic, see the “WAAS and Cisco IOS Interoperability” section on page 2-11.
Using WCCP or PBR at both ends with no tunneling requires that traffic is intercepted and redirected
not only in the near-end router but also at the far-end router, which requires four interception points as
opposed to two interception points in a tunnel-based mode.
You can enable packet redirection on either an outbound interface or inbound interface of a
WCCP-enabled router. The terms outbound and inbound are defined from the perspective of the
interface. Inbound redirection specifies that traffic should be redirected as it is being received on a given
interface. Outbound redirection specifies that traffic should be redirected as it is leaving a given
interface.
If you are deploying WAN optimization in your WAAS network, then you must configure the router and
WAE for WCCP Version 2 and the TCP promiscuous mode service (WCCP Version 2 services 61 and
62 by default).
Note
Services 61 and 62 are always enabled together when configuring TCP promiscuous on the WAE.
Services 61 and 62 must be defined and configured separately when configuring TCP promiscuous on
the network device (router, switch, or other). Service 61 distributes traffic by source IP address, and
service 62 distributes traffic by destination IP address. The service IDs are configurable; 61 and 62 are
the defaults.
The TCP promiscuous mode service intercepts all TCP traffic that is destined for any TCP port and
transparently redirects it to the WAE. The WCCP-enabled router uses service IDs 61 and 62 to access
this service. The service IDs used on the router must match those on the WAE if different service IDs
than the defaults are configured.
By default, the IP Protocol 6 is specified for the TCP promiscuous mode service. Consequently, the
routers that have been configured to the TCP promiscuous mode service will intercept and redirect all
TCP traffic destined for any TCP port to the local WAE. Because the TCP promiscuous mode service is
configured on the WAE, the WAE will accept all of the TCP traffic that is transparently redirected to it
by specified WCCP routers (for example, Edge-WAE1 will accept all TCP traffic that Edge-Router1
redirects to it). In the branch office, you can intercept packets at the edge LAN and WAN interfaces on
the edge routers and redirect the TCP traffic to the local WAE (the branch WAE). In the data center, you
can intercept packets at the core LAN and WAN interfaces on the core routers and redirect the TCP
traffic to the local WAE (the data center WAE). For more information, see the “Configuring WAEs as
Promiscuous TCP Devices in a WAAS Network” section on page 2-24.
Configure packet redirection on inbound interfaces of branch software routers whenever possible.
Inbound traffic can be configured to use Cisco Express Forwarding (CEF), distributed Cisco Express
Forwarding (dCEF), fast forwarding, or process forwarding.
Note
CEF is required for WCCP and must be enabled on the router.
To enable packet redirection on a router’s outbound or inbound interface using WCCP, use the ip wccp
redirect interface configuration command.
Caution
The ip wccp redirect interface command has the potential to affect the ip wccp redirect exclude in
command. If you have ip wccp redirect exclude in set on an interface and you subsequently configure
the ip wccp redirect in command, the exclude in command is overridden. If you configure the exclude
in command, the redirect in command is overridden.
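As an added example (not from the Cisco guide), the WCCP configuration of Edge-Router1 from Table 2-1: the TCP promiscuous service pair with inbound redirection on the LAN and WAN interfaces, and the tertiary interface to Edge-WAE1 excluded from interception. Interface names, the WAN address 192.0.2.1 and the service-group password are assumed; the subnets and the Edge-WAE1 address 1.1.1.100 come from Figure 2-1, and the password is an IOS option this chapter does not cover.

```cisco
! Added example, not from the Cisco guide. Edge-Router1, branch office of Figure 2-1.
! Assumed: interface names GigabitEthernet0/0 (A, LAN), GigabitEthernet0/1 (C, WAN),
! GigabitEthernet0/2 (B, tertiary interface to Edge-WAE1); WAN address 192.0.2.1 and the
! password are placeholders.
!
! CEF is required for WCCP (see the Note above).
ip cef
!
! The redirect list limits redirection to TCP traffic between the branch clients and the data
! center. Traffic that does not match is routed normally and never reaches the WAE.
ip access-list extended WAAS-WCCP-REDIRECT
 permit tcp 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
 permit tcp 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Services 61 and 62 are defined separately on the router (the WAE enables them together).
! 61 distributes by source IP address, 62 by destination IP address, so both directions of a
! connection are assigned to the same WAE when several WAEs share the service group.
! The password (an IOS option not covered in this chapter) makes the router accept only WAEs
! that present the same password when they join the service group; set the same value on the WAE.
ip wccp 61 redirect-list WAAS-WCCP-REDIRECT password WCCP-SECRET-PLACEHOLDER
ip wccp 62 redirect-list WAAS-WCCP-REDIRECT password WCCP-SECRET-PLACEHOLDER
!
! A: edge LAN interface. Inbound redirection (the preferred form for branch routers) catches
! client-to-server traffic as it enters from the LAN; service 61 hashes on the client address.
interface GigabitEthernet0/0
 description A - edge LAN interface, branch clients 10.10.10.0/24
 ip address 10.10.10.1 255.255.255.0
 ip wccp 61 redirect in
!
! C: edge WAN interface. Inbound redirection catches server-to-client traffic returning from
! the data center; service 62 hashes on the destination, which is again the client address.
interface GigabitEthernet0/1
 description C - edge WAN interface toward Core-Router1
 ip address 192.0.2.1 255.255.255.252
 ip wccp 62 redirect in
!
! B: tertiary interface to Edge-WAE1. No redirect is configured here, and exclude in makes
! sure traffic returning from the WAE is never intercepted again, which would be the infinite
! routing loop described in this chapter. Per the Caution above, do not also enter ip wccp
! redirect in on this interface, because the command entered last overrides the other.
interface GigabitEthernet0/2
 description B - tertiary interface to Edge-WAE1 (1.1.1.100)
 ip address 1.1.1.1 255.255.255.0
 ip wccp redirect exclude in
```

After Edge-WAE1 is configured for the same service IDs and password and points its router list at 1.1.1.1, show ip wccp 61 detail on the router lists the WAE as a member of the service group; an empty member list means the WAE never joined and no traffic is being redirected.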
This section contains the following topics:
• Configuring WAEs as Promiscuous TCP Devices in a WAAS Network, page 2-24
• Using Tertiary Interfaces or Subinterfaces to Connect WAEs to Routers, page 2-24
Configuring WAEs as Promiscuous TCP Devices in a WAAS Network
In order for the WAE to function as a promiscuous TCP device for the TCP traffic that is transparently
redirected to it by the specified WCCP Version 2 routers, the WAE uses WCCP Version 2 services 61
and 62 by default, though the service IDs are configurable. The WCCP services are represented by the
canonical name tcp-promiscuous on the WAE CLI and TCP Promiscuous in the WAAS Central Manager
GUI. (See Figure 5-3.)
For instructions on how to perform a basic WCCP configuration for a WAAS network, see the Cisco
Wide Area Application Services Quick Configuration Guide. For instructions about how to use the
WAAS Central Manager GUI to modify the basic WCCP configuration for a WAE, see the “Configuring
WCCP on WAEs” section on page 5-11.
Using Tertiary Interfaces or Subinterfaces to Connect WAEs to Routers
If you plan to use WCCP Version 2 or PBR to transparently redirect TCP traffic to a WAE, make sure
that the WAE is not attached to the same segment as the router interface on which the traffic redirection
is to occur. Otherwise, an infinite routing loop between the router and the WAE will occur. These infinite
routing loops occur because there is no way to notify the router to bypass the interception and redirection
after it has redirected the traffic to the WAE the first time; the router will continuously redirect the same
intercepted traffic to the local WAE, creating the infinite routing loop.
Cisco Wide Area Application Services Configuration Guide
2-24
OL-26579-01
Chapter 2
Planning Your WAAS Network
Access Lists on Routers and WAEs
Note: The WCCP GRE return and generic GRE egress methods allow you to place WAEs on the same VLAN
or subnet as clients and servers. For information on configuring these egress methods, see the
“Configuring Egress Methods for WCCP Intercepted Connections” section on page 5-29.
For example, if you attach Edge-WAE 1 to the same segment (subnet) as the LAN router interface on
which the PBR or WCCP traffic redirection occurs in the branch office, there will be an infinite routing
loop between Edge-Router1 and Edge-WAE1. If you attach Core-WAE1 to the same segment (subnet)
as the LAN router interface on which the PBR or WCCP traffic redirection occurs in the data center,
there will be an infinite routing loop between Core-Router1 and Core-WAE1.
To avoid an infinite routing loop between the router and its local WAE, connect the WAE to the router
through a tertiary interface (a separate physical interface) or a subinterface (a different virtual
subinterface) from the router’s LAN port. By using a tertiary interface or a subinterface to connect a
WAE to the router that is performing the PBR or WCCP redirection, the WAE has its own separate
processing path that has no Cisco IOS features enabled on it. In addition, this approach simplifies the
process of integrating WAEs into an existing network. Because the WAEs are being connected to the
routers through a tertiary interface or subinterface that has no Cisco IOS features enabled on it, the
Cisco IOS features that are already enabled on your existing Cisco-enabled network elements (for
example, Edge-Router1 or Core-Router1) will generally not be affected when you connect WAEs to
these routers. For more information about WAAS and Cisco IOS interoperability, see the “WAAS and
Cisco IOS Interoperability” section on page 2-11.
See the Cisco Wide Area Application Services Quick Configuration Guide for an example of how to use
a subinterface to properly attach a local WAE to the router that is redirecting TCP traffic to it.
Access Lists on Routers and WAEs
You can optionally configure the router to redirect traffic from your WAE based on access lists that you
define on the router. These access lists are also referred to as redirect lists. For information about how
to configure access lists on routers that will be configured to transparently redirect traffic to a WAE, see
the “Configuring IP Access Lists on a Router” section on page 5-9.
Note: IP access lists on routers have the highest priority, followed by IP ACLs that are defined on the WAEs,
and then interception ACLs that are defined on the WAEs.
This section contains the following topics:
• IP ACLs on WAEs, page 2-25
• Interception ACLs on WAEs, page 2-26
IP ACLs on WAEs
In a centrally managed WAAS network environment, administrators need to be able to prevent
unauthorized access to various devices and services. The WAAS software supports standard and
extended IP access control lists (ACLs) that allow you to restrict access to or through particular
interfaces on a WAAS device. For more information, see Chapter 9, “Creating and Managing IP Access
Control Lists for WAAS Devices.”
Note: IP ACLs that are applied on interfaces, and WCCP ACLs, always take precedence over any interception
ACLs and WAAS application definitions that have been defined on the WAE.
Interception ACLs on WAEs
You can configure an interception ACL to control what incoming traffic across all interfaces is to be
intercepted by a WAE device. Packets that are permitted by the ACL are intercepted by the WAE and
packets that are denied by the ACL are passed through the WAE without processing. By configuring
interception ACLs on the WAE, you can control traffic interception without modifying the router
configuration.
An interception ACL can be used both with WCCP and inline interception.
Interception ACLs that are defined on a WAE always take precedence over any WAAS application
definitions that have been defined on the WAE, but they are applied after interface ACLs and WCCP
ACLs.
For information about how to configure an interception ACL for a WAE, see the “Configuring
Interception Access Control Lists” section on page 5-28.
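The following Python model is an added illustration, not code from the Cisco guide or the WAAS software. It walks a packet through the four layers in the precedence order stated above (interface IP ACLs, then WCCP ACLs, then the interception ACL, then application definitions) using a simplified ACL syntax in place of the WAAS CLI, and shows two points worth checking in a real deployment: a packet denied by an earlier layer never reaches the interception ACL, and a configured ACL that matches nothing ends in an implicit deny, so an interception ACL without a final permit entry sends every connection through the WAE unoptimized. The addresses, ports and class names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not Cisco's code): a toy model of the ACL evaluation order
# described in the text. The ACL syntax is a simplified stand-in for the CLI.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access control entry. A standard ACL sets only src; an extended ACL
    may also set dst, proto and dport. Unset fields match anything."""
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: list[Ace], p: Packet) -> str:
    """First-match evaluation; an ACL that matches nothing ends in an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def dispose(p: Packet,
            interface_acl: Optional[list[Ace]],
            wccp_acl: Optional[list[Ace]],
            interception_acl: Optional[list[Ace]],
            app_policies: list[tuple[str, list[Ace]]]) -> str:
    """Walk the layers in the precedence order the guide states. A layer set to
    None is 'not configured' and lets everything through; a configured layer
    that matches nothing denies (implicit deny)."""
    if interface_acl is not None and evaluate(interface_acl, p) == "deny":
        return "dropped-by-interface-acl"        # never reaches interception
    if wccp_acl is not None and evaluate(wccp_acl, p) == "deny":
        return "not-redirected-by-wccp-acl"
    if interception_acl is not None and evaluate(interception_acl, p) == "deny":
        return "pass-through"                    # forwarded, but not optimized
    for name, classifier in app_policies:        # application definitions, first match
        if evaluate(classifier, p) == "permit":
            return f"optimized:{name}"
    return "optimized:other"                     # catch-all class for unmatched traffic


def demo() -> dict[str, str]:
    """Constructed sample policy and packets; returns packet label -> disposition."""
    interface_acl = [Ace("deny", src="10.99.0.0/16"), Ace("permit")]        # quarantined subnet
    wccp_acl = [Ace("permit", src="10.0.0.0/8")]                           # internal sources only
    interception_acl = [Ace("deny", proto="tcp", dport=22), Ace("permit")]  # leave SSH alone
    app_policies = [
        ("HTTP", [Ace("permit", proto="tcp", dport=80), Ace("permit", proto="tcp", dport=8080)]),
        ("CIFS", [Ace("permit", proto="tcp", dport=445)]),
    ]
    server = "192.168.10.20"
    packets = {
        "quarantined-http": Packet("10.99.1.5", server, "tcp", 80),
        "external-http":    Packet("172.16.4.9", server, "tcp", 80),
        "internal-ssh":     Packet("10.1.1.10", server, "tcp", 22),
        "internal-cifs":    Packet("10.1.1.10", server, "tcp", 445),
        "internal-http":    Packet("10.1.1.10", server, "tcp", 80),
        "internal-rdp":     Packet("10.1.1.10", server, "tcp", 3389),
    }
    return {label: dispose(p, interface_acl, wccp_acl, interception_acl, app_policies)
            for label, p in packets.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} -> {result}")
```

Running the script prints the disposition of each sample packet; demo() returns the same mapping so the result can be checked programmatically. The interception ACL in the sample ends with a permit entry on purpose; remove it and every packet falls into pass-through, which is the implicit-deny pitfall the model is meant to make visible.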
WAAS Login Authentication and Authorization
In the WAAS network, administrative login authentication and authorization are used to control login
requests from administrators who want to access a WAAS device for configuring, monitoring, or
troubleshooting purposes.
Login authentication is the process by which WAAS devices verify whether the administrator who is
attempting to log in to the device has a valid username and password. The administrator who is logging
in must have a user account registered with the device. User account information serves to authorize the
user for administrative login and configuration privileges. The user account information is stored in an
AAA database, and the WAAS devices must be configured to access the particular authentication server
(or servers) where the AAA database is located. When the user attempts to log in to a device, the device
compares the person’s username, password, and privilege level to the user account information that is
stored in the database.
The WAAS software provides the following authentication, authorization, and accounting (AAA)
support for users who have external access servers (for example, RADIUS, TACACS+, or Windows
domain servers), and for users who need a local access database with AAA features:
• Authentication (or login authentication) is the action of determining who the user is. It checks the
username and password.
• Authorization (or configuration) is the action of determining what a user is allowed to do. It permits
or denies privileges for authenticated users in the network. Generally, authentication precedes
authorization. Both authentication and authorization are required for a user to log in.
• Accounting is the action of keeping track of administrative user activities for system accounting
purposes. In the WAAS software, AAA accounting through TACACS+ is supported.
For more information, see the “Configuring AAA Accounting for WAAS Devices” section on page 7-31.
WAAS Administrator Accounts
In a centrally managed WAAS network, administrator accounts can be created for access to the WAAS
Central Manager and, independently, for access to the WAEs that are registered with the WAAS
Central Manager. There are two distinct types of accounts for WAAS administrators:
• Role-based accounts—Allow users to access the WAAS Central Manager GUI, the WAAS Central
Manager CLI, and the WAE Device Manager GUI. The WAAS software has a default WAAS system
user account (username is admin and password is default) that is assigned the role of administrator.
• Device-based CLI accounts—Allow users to access the WAAS CLI on a WAAS device. These
accounts are also referred to as local user accounts.
Note: An administrator can log in to the WAAS Central Manager device through the console port or the WAAS
Central Manager GUI. An administrator can log in to a WAAS device that is functioning as a data center
or branch WAE through the console port or the WAE Device Manager GUI.
A WAAS device that is running WAAS software comes with a predefined superuser account that can be
used initially to access the device. When the system administrator logs in to a WAAS device before
authentication and authorization have been configured, the administrator can access the WAAS device
by using the predefined superuser account (the predefined username is admin and the predefined
password is default). When you log in to a WAAS device using this predefined superuser account, you
are granted access to all the WAAS services and entities in the WAAS system.
After you have initially configured your WAAS devices, we strongly recommend that you immediately
change the password for the predefined superuser account (the predefined username is admin, the
password is default, and the privilege level is superuser, privilege level 15) on each WAAS device. For
instructions on how to use the WAAS Central Manager GUI to change the password, see the “Changing
the Password for Your Own Account” section on page 8-6.
Logically Grouping Your WAEs
To streamline the configuration and maintenance of WAEs that are registered with a WAAS
Central Manager, you can create a logical group and then assign one or more of your WAEs to the group.
Groups not only save you time when configuring multiple WAEs, but they also ensure that configuration
settings are applied consistently across your WAAS network. For example, you can set up a WinAuth
group that defines the standard Windows authentication configuration that is wanted for all of the WAEs
in that group. After you define the WinAuth settings once, you can centrally apply those values to all of
the WAEs in the WinAuth group instead of defining these same settings individually on each WAE.
With the WAAS Central Manager GUI, you can easily organize your branch and data center WAEs into
device groups, which are a collection of WAEs that share common qualities and capabilities. Setting up
groups based on their authentication settings is an example of a device group.
When you create a device group, you need to identify the unique characteristics that distinguish that
group of WAEs from others in your network. For example, in larger WAAS deployments one set of
WAEs may need to be configured with authentication settings that are different from another set of
WAEs in your WAAS network. In this case, you would create two device groups that each contain
different authentication settings, and then assign your WAEs to the most appropriate group.
If you have WAEs that reside in different time zones, you can also create device groups based on
geographic regions so that the WAEs in one group can have a different time zone setting from the WAEs
in another group.
In smaller WAAS deployments where all WAEs can be configured with the same settings, you may only
need to create one general device group. This practice allows you to configure settings for the group,
then apply those settings consistently across all your WAEs.
Note: The AllWAASGroup and AllWAASExpressGroup are default device groups that automatically contain
all WAAS and WAAS Express devices. In these or any other device groups, you should configure only
the settings that you want to be consistent across all the devices in the group. Settings that apply to a
single device should be configured on that device only and not on the device group.
By default, WAAS Central Manager allows you to assign a device to multiple device groups. Before you
create a device group, make sure you understand the unique properties that you want the group to
contain.
WAAS Central Manager allows you to create locations that you can associate with a WAAS device. You
assign a device to a location when you first activate the device. The main purpose of assigning a WAAS
device to a location is to help you identify a WAAS device by the physical region in which it resides.
Locations are different from device groups because devices do not inherit settings from locations.
You assign a device to a location when you activate the device as described in the Cisco Wide Area
Application Services Quick Configuration Guide. For more information about logically grouping your
WAEs, see Chapter 3, “Using Device Groups and Device Locations.”
Data Migration Process
If you have an existing network, there are some steps to take before setting up your WAAS network. The
first step in the data migration process is to back up the data at the branch offices and restore it to the
data center.
After you back up data to the data center, you preload the cache (called preposition) with the files for
which you want to provide the fastest access. Preposition the files from your branch office file server
onto the WAEs that are located in that same branch office. You can then remove the file servers from the
branch offices and point to the data center file server.
The final step in the data migration process is to set the CIFS policies.
When doing the data migration process, note the following restrictions:
• Prepositioning only works in a CIFS environment with the CIFS accelerator (it is not supported by
the SMB accelerator).
• The topology for the file server at the data center must be identical to the topology that existed on
the branch file server.
• Resource credentials (such as ACLs) are not automatically migrated. Two options are available:
  – You can use backup or restore software to restore an initial backup of the tree to the target server.
  This practice allows both the creation of ACLs as well as the creation of the initial file set that
  Rsync can take as an input for diff calculations. The replication inherits existing ACLs in that
  tree.
  – The other option is to perform a first run of Robocopy (including data and permissions), and
  then continue with sync iterations using Rsync.
  After replicating, use one of Microsoft’s tools for copying only ACLs (no data) onto the replicated
  tree. You can use Robocopy.exe for copying directory tree or file ACLs and Permcopy.exe to copy
  share permissions.
• The migration size must be less than the cache size of the branch WAE.
Chapter 3
Using Device Groups and Device Locations
This chapter describes the types of device groups supported by the WAAS software and how to create
groups that make it easier to manage and configure multiple devices at the same time. This chapter also
discusses how to use device locations.
Note: Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, WAE
Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• About Device Groups, page 3-1
• Working with Device Groups, page 3-2
• Working with Device Locations, page 3-9
About Device Groups
When you create a device group, you need to identify the unique characteristics that distinguish that
group of devices from others in your network. For example, in larger WAAS deployments, one set of
devices may need to be configured with authentication settings that are different from another set of
devices in your WAAS network. In this situation, you would create two device groups that each contain
different authentication settings, and then assign your devices to the most appropriate group.
If you have devices that reside in different time zones, you can also create device groups based on
geographic regions so that the devices in one group can have a different time zone setting from the
devices in another group.
In smaller WAAS deployments where all devices can be configured with the same settings, you may only
need to create one general device group. This setup allows you to configure settings for the group, and
then apply those settings consistently across all your WAAS devices.
Groups not only save you time when configuring multiple devices, but they also ensure that
configuration settings are applied consistently across your WAAS network.
There are two types of device groups: WAAS Device Groups and WAAS Express Device Groups. These
groups are explained in more detail in the “Creating a New Device Group” section on page 3-3.
When you register a WAAS device with the WAAS Central Manager, that device automatically joins the
AllWAASGroup, which is the default device group on the system for WAAS devices. If you create
additional device groups, you need to decide if you want your devices to belong to more than one group
(the default AllWAASGroup and the new device group you create). If you only want a device to belong
to a device group that you create, make sure that you remove the device from the default
AllWAASGroup. WAAS Express devices automatically join the default AllWAASExpressGroup device
group when they are registered with the Central Manager.
WAAS devices and WAAS Express devices cannot be mixed in the same device group. You choose the
device group type when you create the group and it cannot be changed. When you create a WAAS
Express type of device group, you can copy policies from an existing WAAS or WAAS Express group,
but policies cannot be copied after creation.
Working with Device Groups
This section contains the following topics:
• Creating a Device Group, page 3-2
• Deleting a Device Group, page 3-6
• Viewing Device Group Assignments, page 3-6
• Viewing the Device Groups List, page 3-6
• Enabling or Disabling Device Group Overlap, page 3-7
• Overriding Group Configuration Settings, page 3-7
• Understanding the Impact of Assigning a Device to Multiple Device Groups, page 3-9
Creating a Device Group
This section contains the following topics:
• Creating a New Device Group, page 3-3
• Configuring the Settings for a Device Group, page 3-4
• Assigning Devices to a Configuration Device Group, page 3-5
Table 3-1 describes the process for creating a new device group.

Table 3-1  Checklist for Creating a Device Group

Task                                                  Additional Information and Instructions
1. Create a new device group.                         Defines general information about the new group, such as the group name, group type, and whether all newly activated devices are assigned to this group. For more information, see the “Creating a New Device Group” section on page 3-3.
2. Configure the settings of the new device group.    Specifies the settings that are unique to this device group. All devices that are a member of this group will automatically inherit these settings. For more information, see the “Configuring the Settings for a Device Group” section on page 3-4.
3. Assign devices to the device group.                Assigns devices to the group so they can inherit the group settings. For more information, see the “Assigning Devices to a Configuration Device Group” section on page 3-5.
Creating a New Device Group
Before you create a device group, make sure you understand the unique properties that you want the
group to contain. For example, you may want to set up two device groups that have different
authentication settings or different time zone settings.
To create a device group, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Device Groups > All Device Groups. The Device
Groups window appears.
From this window you can perform the following tasks:
• Click the Edit icon next to the device group that you want to modify.
• Create a new device group as described in the steps that follow.
Step 2  Click the Create New Device Group icon in the taskbar. The Creating New Device Group window
appears.
Step 3  In the Name field, enter the name of the device group.
The name must be unique and should be a name that is useful in distinguishing the device group from
others on your system. The name cannot contain characters other than letters, numbers, period, hyphen,
underscore, and space.
Step 4  Choose either WAAS or WAAS Express for the Configuration Group Type. This sets the type of devices
that the group can contain. A WAAS Express group can contain only WAAS Express devices. A WAAS
group can contain all types of devices except for WAAS Express devices.
Step 5  Check the Automatically assign all newly activated devices to this group check box to set this device
group as the default device group for all newly activated devices.
Step 6  If you chose the WAAS Express group type, you can copy policies from another existing group by
choosing the group in the Copy Policies from the device group drop-down list (only shown when creating
a WAAS Express group). If you copy policies from a WAAS group, only basic optimization policies are
copied, not application acceleration policies.
Step 7  (Optional) Enter comments about the group in the Comments field. The comments that you enter will
appear in the Device Group window.
Step 8  Click Submit.
The page refreshes with additional options.
Note: The Pages configured for this device group arrow lists the configuration windows in the WAAS
Central Manager GUI that have been configured for this device group. Because this is a new
device group, no pages will appear in this list.
Step 9  (Optional) Customize the menu options for this device group by completing the following steps. Use this
feature to remove from view any configuration windows that you do not need for that particular device
group:
a. Click the Select pages to hide from table of contents for this device group arrow.
A list of windows in the WAAS Central Manager GUI appears.
b. Check the windows that you want to hide for this device group. You can click the folder icon next
to a window to display its child windows.
c. Click Submit.
Step 10  Configure the settings for this device group as described in the “Configuring the Settings for a Device
Group” section.
Configuring the Settings for a Device Group
After creating a device group, you need to configure the settings that you want to be unique to this group.
If you have a general device group that contains all your WAAS devices of a specific type, configure
only the settings that you want to be consistent across all the devices of that type. Settings that apply to
a single device should be configured on that device only and not on the device group.
To configure settings for a device group, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Device Groups > device-group-name.
The Modifying Device Group window appears.
Step 2  Click the Pages configured for this device group arrow button to view which configuration windows
have already been configured for the group.
A list of pages that are configured for that device group appears. If this is a new device group or if there
are no pages configured for this device group, the list displays Null.
Step 3  Customize the menu options for this device group by completing the following steps:
a. Click the Select pages to hide from table of contents of this device group arrow.
A list of windows in the WAAS Central Manager GUI appears.
b. Place a check next to the windows that you want to hide for this device group. Use this feature to
remove from view any configuration windows that you do not need for this particular device group.
Step 4  Use the menu bar to choose each configuration option that you want to modify for this device group.
If the configuration option has not been configured for this device group, the message “There are
currently no settings for this group” appears at the top of the window.
Step 5  Make the necessary changes on the configuration option window, and click Submit when finished.
After a particular setting is configured, the configuration window is listed under Pages configured for
this device group in the Modifying Device Group window.
Step 6  Assign devices to this new group as described in the “Assigning Devices to a Configuration Device
Group” section on page 3-5.
Assigning Devices to a Configuration Device Group
After you create a configuration device group, you need to assign devices to the group. The WAAS
Central Manager GUI provides two methods to assign devices to a configuration group. You can either
select the device first, then assign a group to the device, or you can select the device group first, then
assign devices to the group.
The procedures in this section describe how to assign devices to a group. To assign a group to a device,
choose Devices > device-name and choose Assign Device Groups from the device-name menu. You can
then assign a group to the device using the same method described in steps 4 and 5 below.
You cannot assign the WAAS Central Manager to a device group. You must configure the WAAS Central
Manager separately from other devices.
You cannot assign WAAS Express devices to a WAAS group and you cannot assign WAAS devices to a
WAAS Express group. Invalid devices are not shown in the device list when assigning devices to groups.
Note: By default, all devices automatically join either the AllWAASGroup or AllWAASExpressGroup when
they are activated. If you do not want a device to belong to two different device groups, you should
unassign the device from the All...Group before you assign the device to a custom device group.
Use care when you are assigning devices that have different WAAS software versions to a device group.
Some features configured for a device group may not be supported by all devices in the group or, in some
cases, devices may be prevented from joining the group if the group is configured with policies that they
cannot support. In such cases, we recommend that you upgrade all devices to the same software version
or create different device groups for devices with incompatible versions.
To assign a device to a device group, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Device Groups > device-group-name.
The Modifying Device Group window appears.
Step 2  Choose device-group-name > Assign Devices.
The WAE/WAAS Express Assignments window appears, displaying the devices assigned to various
locations. If you are editing a WAAS group, only WAAS devices are shown. If you are editing a WAAS
Express group, only WAAS Express devices are shown.
The assignments window lets you filter your view of the items in the list. Filtering allows you to find
items in the list that match the criteria that you set.
Step 3  Assign a device to the device group by doing either of the following:
• Click the icon in the taskbar that assigns all available devices to the group.
• Click the icon next to each device that you want to assign to the group. The icon changes when the
device is selected.
Step 4  Click Submit.
A green check mark appears next to the assigned devices.
Step 5  Click the Unassign icon (green check mark) next to the name of the device that you want to remove from
the device group. Alternatively, you can click the Remove all icon in the taskbar to remove all devices
from the selected device group. Click Submit.
Deleting a Device Group
To delete a device group, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Device Groups > device-group-name. The Modifying
Device Group window appears.
Step 2  In the taskbar, click the Delete Device Group icon. You are prompted to confirm your decision to delete
the device group.
Step 3  To confirm your decision, click OK.
Viewing Device Group Assignments
The WAAS Central Manager GUI allows you to view the groups that a device belongs to, as well as the
devices that belong to a specific group. This section describes both of these procedures.
To view the groups that a device belongs to, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Devices > device-name.
The Device Dashboard window appears.
Step 2  In the Assignments field on the Device Dashboard window, click the link that displays the groups to
which the device is assigned.
The Device Group Assignments page appears, which shows all the device groups in your WAAS network
that match the device type (WAAS or WAAS Express). The device is assigned to the device groups with
a green check mark next to them.
You can also go to the Device Group Assignments window by choosing the Assign Device Groups option
in the menu bar.
To view the devices that are assigned to a specific group, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Device Groups > device-group-name.
The Modifying Device Group window appears.
Step 2  Choose device-group-name > Assign Devices.
The WAE/WAAS Express Assignments window appears, which shows all the WAAS or WAAS Express
devices on your WAAS network. The devices with a green check mark next to them are assigned to this
group.
Viewing the Device Groups List
The Device Groups window lists all the device groups that have been created in your WAAS network.
To view this list, choose Device Groups > All Device Groups in the WAAS Central Manager menu bar.
This window displays the following information about each device group:
• Type of device group (WAAS Configuration Group or WAAS Express Configuration Group).
• Any comments that were entered when the device group was created.
From this window, you can perform the following tasks:
• Create a new device group. For more information, see the “Creating a New Device Group” section
on page 3-3.
• Modify the settings of a device group by clicking the Edit icon next to the group that you want to
edit.
Enabling or Disabling Device Group Overlap
By default, you can assign a device to multiple device groups. You can disable this functionality so a
device can only belong to one device group, which eliminates the possibility of a device inheriting
settings from more than one group.
To enable or disable device group overlap, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Configure > Global > System Properties.
The Config Properties window appears.
Step 2  Click the Edit icon next to the property name DeviceGroup.overlap.
The Modifying Config Property, DeviceGroup.overlap window appears.
Step 3  From the Value drop-down list, choose either true or false. (The default is true.)
When you disable device group overlap (set to false), existing overlapping device groups are retained
and continue to be handled as though overlap were enabled; however, any newly added groups do not
allow overlapping, and new devices cannot be added to the existing overlapping groups.
Step 4  Click Submit.
Overriding Group Configuration Settings
The WAAS Central Manager GUI provides the following methods to override the current group
configuration on a device:
• Forcing Device Group Settings on All Devices in the Group, page 3-7
• Selecting Device Group Precedence, page 3-8
• Overriding the Device Group Settings on a Device, page 3-8
Forcing Device Group Settings on All Devices in the Group
To force a device group configuration across all devices in the group, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Device Groups > device-group-name.
The Modifying Device Group window appears.
Step 2  Click the Force Group Settings icon in the taskbar.
The WAAS Central Manager GUI displays the following message:
The action will apply all settings configured for this device group to all the WAEs/WAAS Express assigned to it. Do you wish to continue?
Step 3  To force group settings across all devices in the device group, click OK.
Step 4  Click Submit.
Selecting Device Group Precedence
When a device belongs to multiple device groups that have conflicting settings, the device automatically
inherits the settings from the device group that was most recently changed. For a more detailed
description of how a device inherits settings when it belongs to multiple device groups, see the
“Understanding the Impact of Assigning a Device to Multiple Device Groups” section on page 3-9.
When a configuration conflict occurs, you can edit a device’s configuration on a page-by-page basis and
select which device group’s settings should take precedence.
To select the device group precedence, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Devices > device-name.
The Device Dashboard window appears.
Step 2  From the menu bar, choose the configuration option that contains the conflicting settings.
A drop-down list appears in the taskbar at the top of the window. This drop-down list allows you to select the device group that you want this configuration window to inherit settings from. The device group that is currently selected is the device group that has precedence.
Step 3  From the drop-down list, choose the device group that you want this configuration page to inherit settings from, and click Submit.
The configuration window changes to reflect the settings associated with the selected device group.
Overriding the Device Group Settings on a Device
The WAAS Central Manager GUI allows you to override the device group settings and specify new
settings that are unique to that device.
To override the device group settings on a device, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Devices > device-name.
The Device Dashboard window appears.
Step 2  From the menu bar, choose the configuration option that contains the device group settings you want to override.
Step 3  Click the Override Group Settings icon in the taskbar.
The settings in the configuration window are enabled.
Note
The Override Group Settings icon only appears on configuration windows that have been modified on the associated device group.
Step 4  Make the necessary changes to the configuration window, and click Submit.
The device is now configured with settings that are different from the device group it belongs to.
Note
The Force Settings on all Devices in Group icon appears in the device group view of an overridden configuration window. You can click this icon to reapply the device group settings to all devices in the device group.
Step 5  To reapply the device group settings to this configuration window, choose the device group from the drop-down list in the taskbar, and click Submit.
Understanding the Impact of Assigning a Device to Multiple Device Groups
If a device belongs to multiple device groups, a configuration conflict might occur if the groups are not
configured exactly the same. In this case, the device will inherit the settings from the device group that
was most recently changed. In some cases, however, a device can retain settings from more than one
device group depending on how the changes were implemented.
The following scenario describes how a device can retain settings from multiple device groups:
Action 1: Device A is assigned to Device Group 1 (DG1).
Result: Device A automatically inherits all the configuration settings of DG1.
Action 2: Device A is assigned to Device Group 2 (DG2) so it now belongs to two device groups (DG1
and DG2).
Result: Device A inherits all the settings from DG2, but it remains a member of DG1.
Action 3: The standard time zone setting on DG1 is changed to America New York.
Result: The time zone of Device A changes to America New York, but the device maintains all its other
configuration settings from DG2.
In this scenario, Device A’s configuration is a hybrid of DG1 and DG2. If you want to specify which
device group settings a device should inherit, you can use the override features described in the
“Overriding Group Configuration Settings” section on page 3-7.
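The following added model (not Cisco's implementation) shows how the hybrid configuration in the scenario above arises: a device copies a group's settings when it is assigned to the group, a later change on any group it belongs to overwrites just that setting, and a device-level override pins a setting until group settings are forced back. The setting names and values other than the time zone are constructed for illustration.

```python
# Added model (not Cisco's implementation) of device-group inheritance: assignment
# copies all group settings, a later change on any member group overwrites just that
# setting, and Override Group Settings pins a setting until the group forces it back.
# Setting names and values other than the time zone are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

OVERRIDE = "device override"  # origin marker for settings changed with Override Group Settings


@dataclass
class Device:
    name: str
    effective: Dict[str, str] = field(default_factory=dict)  # what the device actually runs
    source: Dict[str, str] = field(default_factory=dict)     # group (or OVERRIDE) that last set each key
    overridden: Set[str] = field(default_factory=set)        # keys pinned at device level

    def apply(self, origin: str, values: Dict[str, str]) -> None:
        for key, value in values.items():
            if key in self.overridden and origin != OVERRIDE:
                continue  # an overridden setting ignores ordinary pushes from its groups
            self.effective[key] = value
            self.source[key] = origin

    def override(self, key: str, value: str) -> None:
        """Override Group Settings: the device-specific value wins from now on."""
        self.overridden.add(key)
        self.apply(OVERRIDE, {key: value})


@dataclass
class DeviceGroup:
    name: str
    settings: Dict[str, str]
    members: List[Device] = field(default_factory=list)

    def add_device(self, device: Device) -> None:
        """Assignment pushes every setting of this group to the device (Actions 1 and 2)."""
        self.members.append(device)
        device.apply(self.name, dict(self.settings))

    def change_setting(self, key: str, value: str) -> None:
        """A change on the group reaches all members, so the most recently changed group wins (Action 3)."""
        self.settings[key] = value
        for device in self.members:
            device.apply(self.name, {key: value})

    def force_group_settings(self) -> None:
        """Force Group Settings: drop overrides of this group's settings and reapply them to all members."""
        for device in self.members:
            device.overridden.difference_update(self.settings)
            device.apply(self.name, dict(self.settings))


def run_scenario() -> Tuple[Device, DeviceGroup, DeviceGroup]:
    """Actions 1 to 3 from the scenario above; ntp_server and syslog_host are constructed settings."""
    dg1 = DeviceGroup("DG1", {"timezone": "UTC", "ntp_server": "10.0.0.1", "syslog_host": "10.0.0.50"})
    dg2 = DeviceGroup("DG2", {"timezone": "Europe London", "ntp_server": "10.0.0.2", "syslog_host": "10.0.0.60"})
    device_a = Device("Device A")
    dg1.add_device(device_a)                             # Action 1: Device A inherits all of DG1
    dg2.add_device(device_a)                             # Action 2: DG2 overwrites, DG1 membership is kept
    dg1.change_setting("timezone", "America New York")   # Action 3: only the time zone now follows DG1
    return device_a, dg1, dg2
```

Inspecting `source` after `run_scenario()` shows which group each effective setting came from, which is the information the Central Manager page-by-page precedence drop-down lets you choose.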
Working with Device Locations
The WAAS Central Manager GUI allows you to create locations that you can associate with a WAAS
device. You assign a device to a location when you first activate the device. The main purpose of
assigning a device to a location is to help you identify a WAAS device by the physical region in which
it resides. Locations are different from device groups because devices do not inherit settings from the
location to which they belong.
You can view reports that aggregate data from all the devices in a particular location. For more
information, see the “Location Level Reports” section on page 17-36.
You assign a device to a location when you activate the device as described in the “Modifying Device
Properties” section on page 10-1.
You can work with locations by performing these tasks:
• Creating Locations, page 3-10
• Deleting Locations, page 3-10
• Viewing the Location Tree, page 3-11
Creating Locations
To create a new location or modify an existing one, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Locations > All Locations. The Locations window appears.
Step 2  In the taskbar, click the Create New Location icon.
The Creating New Location window appears.
Step 3  In the Name field, enter a location name.
The name can contain letters, numbers, period, hyphen, underscore, and space.
Step 4  From the Parent Location drop-down list, choose a parent location (or choose None).
A location with no parent is a level 1 location. A location with a level 1 parent becomes a level 2 location, and so forth. The location level is displayed after you choose a parent location (or choose None) and click Submit to save the configuration.
Step 5  (Optional) In the Comments field, enter comments about the location.
Step 6  Click Submit.
Step 7  Modify a location by going to the Locations window and clicking the Edit icon next to the name of the location that you want to modify.
Step 8  Assign a device to this location. For more information, see the “Modifying Device Properties” section on page 10-1.
Deleting Locations
You can delete locations as needed, as long as they are not the root locations of activated WAAS devices.
Note
If a location has a device assigned to it, you can first assign the device to another location and then delete
the original location.
To delete a location, follow these steps:
Step 1  From the WAAS Central Manager menu, choose Locations > location-name.
The Modifying Location window appears.
Step 2  In the taskbar, click the Delete Location icon. You are asked to confirm your decision to delete the location.
Step 3  To confirm the action, click OK. The location is deleted.
Viewing the Location Tree
The location tree represents the network topology you configured when you assigned a parent to each
location. The WAAS Central Manager GUI graphically displays the relationships between the locations
configured in your WAAS network.
To view the location tree, choose Locations > All Locations. In the taskbar, click the Location Trees
button.
Chapter 4
Configuring AppNav
This chapter describes how to configure Cisco WAAS AppNav, which is a hardware and software
solution that simplifies network integration of WAN optimization and overcomes challenges with
provisioning, visibility, scalability, asymmetry, and high availability.
This chapter includes the following topics:
• Information About AppNav, page 4-1
• Prerequisites for AppNav Deployment, page 4-9
• Guidelines and Limitations, page 4-9
• Configuring an AppNav Cluster, page 4-10
• Monitoring an AppNav Cluster, page 4-34
Information About AppNav
AppNav greatly reduces dependency on the intercepting switch or router by distributing traffic among
WAAS devices for optimization using a powerful class and policy mechanism. You can use WAAS nodes
(WNs) to optimize traffic based on sites and/or applications.
The AppNav solution can scale up to the available capacity by taking WAAS device utilization into account as it distributes traffic among nodes. The solution also provides high availability of optimization capacity by monitoring node overload and liveness and by providing configurable failure and overload policies.
This section includes the following sections:
• System Components, page 4-1
• AppNav Controller Deployment Models, page 4-2
• AppNav Controller Interface Modules, page 4-3
• AppNav Policy, page 4-4
System Components
The AppNav solution consists of the following components (see Figure 4-1):
• AppNav Controller (ANC)—A WAAS appliance with a Cisco AppNav Controller Interface Module that intercepts network traffic and, based on an AppNav policy, distributes that traffic to one or more WAAS nodes (WNs) for optimization.
• AppNav Controller Group (ANCG)—A group of AppNav Controllers within one service context that together provide the necessary intelligence for handling asymmetric flows and providing high availability. The ANCG is configured on the ANC. An ANCG can have up to eight ANCs.
• WAAS Node (WN)—A WAAS optimization engine (WAE or WAVE appliance, NME-WAE or SM-SRE network module, or vWAAS instance, but not a WAAS Express device) that optimizes and accelerates traffic according to the optimization policies configured on the device. You can have up to 32 WNs in the service context. (In the CLI, a WAAS node is also known as a service node.)
• WAAS Node Group (WNG)—A group of WAAS nodes within a service context that services a particular set of traffic flows identified by AppNav policies. The WNG is configured on the ANC. You can have up to 32 WNGs in the service context. (In the CLI, a WAAS node group is also known as a service node group.)
• AppNav Cluster—The group of all ANC and WN devices within a service context.
• Service Context—The topmost entity that groups together one AppNav Controller Group (ANCG), one or more WAAS node groups (WNGs), and an associated AppNav policy. The service context is configured on the ANC.
Figure 4-1 AppNav Solution Components
(Figure: a Service Context containing an AppNav Cluster; the AppNav Controller Group holds ANC1 and ANC2, which apply the AppNav distribution policy to WAAS Node Group 1 and WAAS Node Group 2, containing WN1 through WN4.)
Within a service context, WAAS devices can operate in one of two modes:
• Application accelerator—The device serves only as a WN within the service context. It receives traffic from the ANC, optimizes the traffic, and returns the traffic to the ANC to be delivered to its destination. The WN can be any kind of WAAS device or vWAAS instance.
• AppNav Controller—The device operates as an ANC that intercepts network traffic and, based on a flow policy, distributes that traffic to one or more WNs for optimization. Only a WAVE appliance that contains a Cisco AppNav Controller Interface Module can operate as an ANC. An ANC can also operate as a WN and optimize traffic as part of a WNG.
AppNav Controller Deployment Models
You can deploy AppNav Controllers in your network in two ways (see Figure 4-2):
• In-path—The ANC is physically placed between one or more network elements, enabling traffic to traverse a bridge group configured on the device in inline mode.
• Off-path—The ANC works with the network infrastructure to intercept traffic through the Web Cache Communication Protocol (WCCP).
The ANC provides the same features in both in-path and off-path deployments. In either case, only
ANCs participate in interception from the switch or router. The ANCs then distribute flows to WNs using
a consistent and predictable algorithm that considers configured policies and WN utilization.
In Figure 4-2, WAAS Nodes could be attached to either or both switches in the diagrams.
Figure 4-2 Deployment Models
AppNav Controller Interface Modules
A WAAS appliance operating as an ANC requires a Cisco AppNav Controller Interface Module, which
is similar to a standard WAVE appliance interface module but contains additional hardware, including a
network processor and high speed ternary content addressable memory (TCAM), to provide intelligent
and accelerated flow handling. The following AppNav Controller Interface Modules are supported:
• 1-GB copper 12-port AppNav Controller Interface Module
• 1-GB SFP 12-port AppNav Controller Interface Module
• 10-GB SFP+ 4-port AppNav Controller Interface Module
AppNav Controller Interface Module interfaces are configured differently to support either in-path or
off-path models of deployment:
• In-path—The ANC operates in inline interception mode with at least one inline bridge group configured on the AppNav Controller Interface Module. A bridge group consists of two or more physical or logical (port channel) interfaces.
• Off-path—The ANC operates in WCCP interception mode with one physical or logical (standby or port channel) interface configured with an IP address.
Interfaces on the AppNav Controller Interface Module can have three functions:
• Interception—Used to receive traffic intercepted from the network and egress traffic to the network. The interception interface is implied based on the AppNav Controller placement and does not require explicit configuration for this function.
• Distribution—Used to distribute traffic to the WNs and receive egressed traffic from the WNs. The distribution interface is explicitly configured as the cluster interface for intra-cluster traffic and must be assigned an IP address.
• Management—A management interface can be optionally and exclusively designated for management traffic and isolated from the normal data path. We recommend that you use one of the appliance’s built-in interfaces for management traffic and reserve the high performance interfaces on the AppNav Controller Interface Module for interception and distribution.
You should use separate interfaces for interception and distribution for best performance, but you can
use the same interface for both functions.
AppNav Controller Interface Modules support port channel and standby logical interfaces. A port
channel allows you to increase the bandwidth of a link by combining multiple physical interfaces into a
single logical interface. A standby interface allows you to designate a backup interface in case of a
failure.
Interfaces on the AppNav Controller Interface Module support the following:
• A maximum of seven port channels with up to eight physical interfaces combined into a single port channel group.
• A maximum of five bridge groups configured over the physical or logical interfaces.
Interfaces on the AppNav Controller Interface Module do not support the following:
• Fail-to-wire capability
• Bridge virtual interfaces (BVIs)
AppNav Policy
The AppNav policy is a flow distribution policy that allows you to control how ANCs distribute traffic
to the available WNs.
The AppNav policy consists of class maps that classify traffic according to one or more match conditions
and a policy that contains rules that specify distribution actions to WNGs for each of the classes.
This section includes the following topics:
• Class Maps, page 4-4
• Policies, page 4-5
• Nested Policies, page 4-6
• Site and Application Affinity, page 4-6
• Default Policy Behavior, page 4-8
Class Maps
AppNav class maps classify traffic according to one or more of the following match conditions:
• Peer device ID—Matches traffic from one peer WAAS device, which could be handling traffic from a single site or a group of sites.
For example, you can use this kind of matching to classify all traffic from a peer device that serves one branch office.
• 3-tuple of source IP, and/or destination IP, and/or destination port (matches traffic from a specific application).
For example, you can use this kind of matching to classify all HTTP traffic that uses port 80.
• A mix of one peer device ID and the source IP, and/or destination IP, and/or destination port (matches application-specific traffic from one site).
For example, you can use this kind of matching to classify all HTTP traffic that is from a peer device that serves the one branch office.
The class-default class map is a system-defined default class map that is defined to match any traffic. By
default, it is placed in the last rule in each policy to handle any traffic that is not matched by other classes.
Policies
An AppNav Controller matches incoming flows to class maps; the rules in a policy associate class maps with actions, such as distributing a flow to a particular WNG for optimization. The order in which rules are listed in the policy is important. Starting at the top of the policy, the first rule that matches a flow determines to which WNG it is distributed.
A policy rule can specify four kinds of actions to take on a flow:
• Specify the primary WNG to which to distribute the flow (required).
• Specify a backup WNG for distribution if the primary WNG is unavailable or overloaded (optional).
The primary WNG receives all traffic until all WNs within the group become overloaded (reach 95 percent of the maximum number of transport flow optimization [TFO] connections) or are otherwise unavailable, and then traffic is distributed to the backup WNG. If a WN in the first WNG becomes available, traffic is again distributed there. If all WNs in both WNGs become overloaded, traffic is passed through unoptimized.
• Monitor the load on the application accelerator that corresponds to the application traffic matched by the class (optional).
If the monitored application accelerator on one WN in a WNG becomes overloaded (reaches 95 percent of its maximum number of connections), the WN is considered overloaded and traffic is directed to another WN in the group. If all WNs become overloaded, traffic is distributed to the backup WNG. This application accelerator monitoring feature is useful for ensuring optimization for critical applications and is recommended for the MAPI and SMB accelerators.
• Specify a nested policy to apply to the flow (optional).
For more information, see the “Nested Policies” section on page 4-6.
Within a WNG, flows are distributed evenly among WNs. If a WN reaches its maximum capacity or
becomes unavailable, it is not sent new flows. New flows are sent to other available WNs in the WNG
so that they can be optimized successfully.
Note
If a WN that is doing MAPI or ICA application acceleration becomes overloaded, flows associated with
existing MAPI and ICA sessions continue to be sent to the same WN due to the requirement that the
same WN handle these types of flows. New MAPI and ICA flows, however, are distributed to other WNs.
The AppNav policy is specific to each ANC, though typically all ANCs in a cluster have the same policy.
Each ANC consults its AppNav policy to determine which WNG to use for a given flow. Different ANCs
in a cluster can have different AppNav policies, which allows you to customize distribution in certain
cases. For example, when a cluster contains ANCs and WNs that are in different locations, it may be
more desirable for an ANC to distribute traffic to WNs that are closer to it.
Nested Policies
A policy rule can specify one nested policy, which allows traffic identified in a class to be subdivided
and handled differently. Nested policies provide two advantages:
• It allows another policy to be used as a common subclassification tool.
For example, you can define a policy that contains monitoring actions and apply it as a subpolicy to multiple classes in the primary policy.
• It provides a method of including class maps with both match-any and match-all characteristics into a single subclass.
The nested policy feature is designed for use with site-based classes (matched by peer ID) at the first
level and application-based subclasses (matched by IP address/port) at the second level. Only the first
level policy can contain classes that use match peer conditions.
Site and Application Affinity
You can provision a WNG for serving specific peer locations (site affinity) or applications (application
affinity) or a combination of the two. Using a WNG for site or application affinity provides the following
advantages:
• Provisioning—Localize a class of traffic to achieve control over provisioning and performance monitoring. For example, a business-critical application like SharePoint or a business-critical site can be given assured capacity and monitored closely for performance.
• Enhanced application performance—Better compression performance is achieved by limiting data that belongs to a site to one or a few WNs, which results in better utilization of the Data Redundancy Elimination (DRE) cache.
Figure 4-3 depicts how sites and applications can be associated with node groups. The following WNGs
are defined:
• WNG-1—Consists of two WNs that process flows coming only from sites A and B.
• WNG-2—Consists of two WNs that process HTTP and SSL flows from any site. Whether HTTP and SSL flows from Site A and Site B should be processed by WNG-2 or WNG-1 is determined by the order of rules in the policy.
• WNG-3—Consists of two WNs that process MAPI flows coming from any site. Whether MAPI flows from Site A and Site B should be processed by WNG-3 or WNG-1 is determined by the order of rules in the policy.
• WNG-4—Consists of three WNs. The class-default class is applied to this WNG so that it is sent all flows that do not match any other class map.
Figure 4-3 Flow Distribution Using Site and Application Affinity
(Figure: Sites A through F connect across the WAN to an AppNav Cluster with ANC-1 and ANC-2; WNG-1 (WN-1, WN-2) receives Site A and Site B flows, WNG-2 (WN-3, WN-4) receives HTTP and SSL flows, WNG-3 (WN-5, WN-6) receives MAPI flows, and WNG-4 (WN-7, WN-8, WN-9) receives all other applications from sites C, D, E, F.)
The following sections provide more details about these topics:
• Site Affinity, page 4-7
• Application Affinity, page 4-8
Site Affinity
Site affinity gives you the ability to always send all traffic from one site to a specific WNG, which allows
you to reserve optimization capacity for critical sites and to improve compression performance through
better utilization of the DRE cache.
Traffic from any location, not just a single site, can be matched in a class map and associated with a
WNG.
You can implement site affinity by configuring a class map that matches the device ID of the WAE in the
site. If a site has more than one WAE in a WCCP farm or a serial inline cluster, specify multiple device
IDs in the class map. Next, associate the class map with a distribution action to a WNG in a policy rule.
You can also identify sites using source IP addresses or subnets in the class map, if you know what IP
addresses are used in the site and keep the policy configuration consistent with site IP addresses.
However, we recommend that you use peer device IDs in configuring site affinity.
Note
A peer ID-based class map works only for matching flows that carry the WAAS auto discovery TCP
options. If you configure a class to match a site peer ID at the data center, the same class does not match
flows that originate in the other direction, such as those flows that originate from the data center and go
back to the same site. Such flows are usually small in number compared to the site to data center flows.
If you want flows in both directions to go to the same WNG, you must configure two class maps: one to
match in the site to data center direction, typically using the site device ID; and another to match the data
center to site direction, using destination IP subnets belonging to the site. Both class maps can be
configured to distribute traffic to the same WNG. A mesh network is a specific use case where flows can
originate in either direction.
If the site WAE is in overload or does not mark the SYN packet with auto discovery options for any other
reason, the ANC cannot match it to the peer match class map.
Application Affinity
Application affinity gives you the ability to always send certain application traffic to a specific WNG,
which allows you to reserve optimization capacity for different applications depending on business
priorities.
In the context of AppNav flow distribution, an application is defined using a three-tuple of the source IP,
destination IP, and destination TCP port. The actual type of traffic does not matter for flow distribution.
For example, you can use separate WNGs for HTTP traffic that is addressed to different destination ports
or different server IP addresses. Destination IP and ports are most useful in using application affinity,
but having the source IP also helps you to define the traffic of interest.
A small number of protocols, such as FTP, use dynamic destination ports. An FTP server in active mode
originates a data connection back to the FTP client using a dynamic destination port. This port is
exchanged over the control channel from client to server using the well-defined destination port 21.
Consider trying to define a class map for FTP. Because the destination port is not known in advance, you
cannot map both control and data connections to the same class. In this case, we recommend that you
use the client IP addresses or subnets to match against destination IP addresses for the data connections.
You must configure two class maps: one for the control channel, using destination port 21, and another
for the data channel, using destination IP addresses. You can configure policy rules so that both class
maps distribute traffic to the same WNG.
You can further classify traffic from a site into applications by combining the peer matches with
three-tuple matches in a match-all class map, called a Custom class map type in the Central Manager.
You can define separate WNGs, for example, for HTTP traffic from a particular site and CIFS traffic
from the same site.
Default Policy Behavior
The following default class maps are provided:
• CIFS—Matches traffic for destination ports 139 and 445
• Citrix-ICA—Matches traffic for destination port 1494
• Citrix-CGP—Matches traffic for destination port 2598
• epmap—Matches traffic for destination port 135
• HTTP—Matches traffic for destination ports 80, 3128, 8000, 8080, and 8088
• HTTPS—Matches traffic for destination port 443
• MAPI—Matches traffic for the MS RPC MAPI application (dynamic port assignment)
• NFS—Matches traffic for destination port 2049
• RTSP—Matches traffic for destination ports 554 and 8554
• class-default—Matches any TCP traffic (this class map cannot be edited or deleted)
If you use the Central Manager AppNav Cluster Wizard to create an AppNav Cluster, the wizard creates
a default policy named appnav_default. This policy is assigned by default to all ANCs in a cluster and
contains only the class-default policy rule that has the following characteristics:
• Matches class-default (any TCP) traffic.
• Distributes class-default traffic to the default WNG, which includes all WNs created by the wizard, with no backup WNG specified.
• Contains the waas_app_default nested policy, which provides application monitoring for each of the default class maps, except video (RTSP).
When you use the Central Manager to define a policy rule for any class that uses peer matching or
source or destination IP address matching (but not port matching), it automatically adds the
waas_app_default policy as a nested policy. The waas_app_default policy is created by the system
and monitors all application accelerators (except video), so you do not need to manually add
application accelerator monitoring to your policy rules, unless it is for the video accelerator.
If you do not use the Central Manager AppNav Cluster Wizard to create a cluster, there is no default flow
distribution, so if an incoming flow does not match any class in the AppNav policy, it is not distributed
to any WNG; instead, it is passed through.
If a WNG is defined but is not used in any policy rule, it does not receive any flows. If a policy is defined
but not applied to an ANC, it does not take effect.
The default action for a policy rule is none, whose meaning depends on context: in a top-level policy it means pass through; in a nested policy it means inherit the action of the parent policy rule.
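The following added model (not Cisco's implementation) ties together the Policies and Default Policy Behavior sections above: class maps with match conditions, first-match rule evaluation, even distribution within a WNG, fallback to the backup WNG once every WN in the primary is at the 95 percent TFO overload threshold or down, and pass-through when no rule matches or both WNGs are exhausted. Node names, capacities, peer IDs and addresses are constructed; accelerator monitoring and nested policies are not modelled.

```python
# Added model (not Cisco's implementation) of AppNav flow distribution: first-match
# policy rules, even distribution inside a WNG, fallback to the backup WNG when every
# WN in the primary is overloaded or down, and pass-through when nothing can take the
# flow. Node names, capacities, peer IDs and addresses are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional

OVERLOAD_PERCENT = 95  # a WN counts as overloaded at 95 percent of its maximum TFO connections

@dataclass
class WaasNode:
    name: str
    max_tfo: int            # maximum number of TFO connections this WN can hold
    tfo_in_use: int = 0
    alive: bool = True      # liveness as seen by the ANC

    def overloaded(self) -> bool:
        return self.tfo_in_use * 100 >= self.max_tfo * OVERLOAD_PERCENT

    def accepts_new_flows(self) -> bool:
        return self.alive and not self.overloaded()

@dataclass
class WaasNodeGroup:
    name: str
    nodes: List[WaasNode]

    def pick_node(self) -> Optional[WaasNode]:
        """Even distribution: the eligible WN with the fewest flows, or None if all are overloaded or down."""
        eligible = [n for n in self.nodes if n.accepts_new_flows()]
        return min(eligible, key=lambda n: n.tfo_in_use) if eligible else None

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    peer_id: Optional[str] = None  # peer device ID from the WAAS auto discovery TCP options, if present

@dataclass
class ClassMap:
    """Match-all over the conditions that are set; class-default sets none and so matches any flow."""
    name: str
    peer_ids: frozenset = frozenset()    # any of these peer device IDs (site affinity)
    src_prefix: Optional[str] = None     # constructed shorthand for a source subnet, e.g. "10.1."
    dst_prefix: Optional[str] = None     # same shorthand for the destination subnet
    dst_ports: frozenset = frozenset()   # any of these destination ports (application affinity)

    def matches(self, flow: Flow) -> bool:
        if self.peer_ids and flow.peer_id not in self.peer_ids:
            return False  # also covers flows that carry no auto discovery options at all
        if self.src_prefix and not flow.src_ip.startswith(self.src_prefix):
            return False
        if self.dst_prefix and not flow.dst_ip.startswith(self.dst_prefix):
            return False
        return not self.dst_ports or flow.dst_port in self.dst_ports

@dataclass
class PolicyRule:
    class_map: ClassMap
    primary: WaasNodeGroup
    backup: Optional[WaasNodeGroup] = None

@dataclass
class AppNavPolicy:
    rules: List[PolicyRule] = field(default_factory=list)

    def distribute(self, flow: Flow) -> str:
        """Return the name of the WN that receives the flow, or 'pass-through'."""
        for rule in self.rules:                 # rule order matters: the first match decides
            if not rule.class_map.matches(flow):
                continue
            node = rule.primary.pick_node()
            if node is None and rule.backup is not None:
                node = rule.backup.pick_node()  # primary WNG exhausted, try the backup
            if node is None:
                return "pass-through"           # both WNGs exhausted: flow goes through unoptimized
            node.tfo_in_use += 1
            return node.name
        return "pass-through"                   # no class matched and there is no default distribution

def build_example_policy():
    """Constructed cluster in the spirit of Figure 4-3: WNG-1 for site A, WNG-2 for HTTP, WNG-4 for the rest."""
    wng1 = WaasNodeGroup("WNG-1", [WaasNode("WN-1", 100), WaasNode("WN-2", 100)])
    wng2 = WaasNodeGroup("WNG-2", [WaasNode("WN-3", 100), WaasNode("WN-4", 100)])
    wng4 = WaasNodeGroup("WNG-4", [WaasNode("WN-7", 100)])
    site_a = ClassMap("Site-A", peer_ids=frozenset({"waas-branch-a"}))
    http = ClassMap("HTTP", dst_ports=frozenset({80, 3128, 8000, 8080, 8088}))
    rules = [PolicyRule(site_a, wng1, backup=wng4),  # listed first, so site A HTTP stays in WNG-1
             PolicyRule(http, wng2),
             PolicyRule(ClassMap("class-default"), wng4)]
    return AppNavPolicy(rules), {"WNG-1": wng1, "WNG-2": wng2, "WNG-4": wng4}
```

Dropping the class-default rule from `build_example_policy` reproduces the behaviour of a cluster created without the wizard: unmatched flows pass through unoptimized.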
Prerequisites for AppNav Deployment
AppNav has the following prerequisites:
• Each WAAS appliance to be used as an AppNav Controller must contain a Cisco AppNav Controller Interface Module.
• Each AppNav Controller must be configured in appnav-controller device mode.
Guidelines and Limitations
AppNav has the following configuration guidelines and limitations:
• An AppNav Cluster can contain a maximum of the following:
– 8 ANCs
– 32 WNs
– 32 WNGs
• All ANCs in an ANCG must have the same set of ANCs and WNGs in their configuration.
• All WNs in one WNG must have identical optimization policies configured on them.
• AppNav class maps and policies can be configured only at the cluster level, not at the device level, from the Central Manager. At the device level, class maps and policies may only be viewed.
• You can define the following maximum policy entities within a service context:
– 1024 match conditions
– 512 AppNav class maps
– 64 rules per AppNav policy
– 64 AppNav policies, though only one policy is actively bound to the service context and used for flow distribution on a given ANC
• There is no fail-to-wire capability on AppNav Controller Interface Module interfaces configured in bridge groups for inline mode, which would allow traffic to bypass the interface if the device fails or loses power. Therefore, if you are using inline mode, we recommend that you deploy two or more AppNav Controller appliances to provide high availability.
• Virtual blades are not supported on WAAS appliances that are operating as AppNav Controllers.
Configuring an AppNav Cluster
This section contains the following topics:
• Task Flow for Configuring an AppNav Cluster, page 4-10
• Configuring WAAS Device Interfaces, page 4-11
• Creating a New AppNav Cluster with the Wizard, page 4-14
• Configuring AppNav Policies, page 4-19
• Configuring AppNav Controller ACLs, page 4-26
• Configuring AppNav Cluster Settings, page 4-26
• Configuring AppNav Controller Settings, page 4-28
• Configuring WAAS Node Settings, page 4-29
• Configuring WAAS Node Group Settings, page 4-30
• Adding and Removing Devices from the AppNav Cluster, page 4-30
Task Flow for Configuring an AppNav Cluster
You must complete the following steps to configure an AppNav Cluster:
1.
Install and configure the individual ANC and WN devices with basic network settings. See the
“Configuring WAAS Device Interfaces” section on page 4-11.
2.
Use the Central Manager AppNav Cluster Wizard to create a cluster and configure the interception
mode, configure cluster settings, choose cluster devices, configure traffic interfaces, and configure
WCCP settings if you are using WCCP. See the “Creating a New AppNav Cluster with the Wizard”
section on page 4-14.
3.
(Optional) Configure AppNav class maps. This step is necessary only if you want to customize the
default class map configuration. The system adds several default class maps that match traffic
corresponding to most of the application accelerators and a class-default class map that matches all
traffic. See the “Configuring AppNav Class Maps” section on page 4-19.
4.
(Optional) Configure an AppNav policy. This step is necessary only if you want to customize the
default policy. The system adds a default policy that distributes all traffic to the WNG-Default
WNG, which is the node group into which all WNs are grouped by default. See the “Configuring
Rules Within an AppNav Policy” section on page 4-22.
5.
(Optional) Configure WAAS node optimization class maps and policy rules. This step is necessary
only if you want to customize the default optimization policy that is listed in Appendix A,
“Predefined Optimization Policy.”
6.
(Optional) Configure an interception ACL on the ANCs. See the “Configuring AppNav Controller
ACLs” section on page 4-26.
Configuring WAAS Device Interfaces
Before you can use the AppNav Cluster wizard to create an AppNav Cluster, you must connect the
WAAS device interfaces and configure the management interfaces. Configuration differs depending on
whether management traffic uses a separate interface or shares the traffic handling interface.
This section contains the following topics:
• Interface Configuration with a Separate Management Interface, page 4-11
• Interface Configuration with a Shared Management Interface, page 4-12
• Interface Configuration Considerations, page 4-13
For more information about device interface configuration, see Chapter 6, “Configuring Network
Settings.” For more information about configuring a bridge group for inline interception mode, see the
“Configuring Inline Operation on ANCs” section on page 5-49.
Interface Configuration with a Separate Management Interface
If you want management traffic to use a dedicated interface, separate from the traffic data path, connect
and configure the devices as described in this section.
AppNav Controller
Step 1
Connect the last AppNav Controller Interface Module port to the switch/router port for the cluster traffic.
For example, this port is GigabitEthernet 1/11 on a 12-port module or TenGigabitEthernet 1/3 on a 4-port
module.
Step 2
Connect a built-in Ethernet port to the switch/router port for the management interface.
Step 3
For an in-path (inline) deployment, connect the first pair of ports on the AppNav Controller Interface
Module (for example, GigabitEthernet 1/0 [LAN] and GigabitEthernet 1/1 [WAN] for bridge 1) to
corresponding switch/router ports.
If the ANC is connected to a second router for a dual inline deployment, connect the second pair of ports
on the AppNav Controller Interface Module (for example, GigabitEthernet 1/2 [LAN] and
GigabitEthernet 1/3 [WAN] for bridge 2) to corresponding switch/router ports.
Step 4
Use the device setup command to configure the following settings:
– Configure the device mode as AppNav Controller.
– Configure the IP address and netmask of the built-in management port.
– Configure the built-in management port as the primary interface.
– Configure the other network and basic settings (default gateway, DNS, NTP server, and so
forth).
– Register the device with the Central Manager by entering the Central Manager IP address.
Step 5
Configure the IP address and netmask of the last AppNav Controller Interface Module port. You can also
configure these settings through the AppNav Cluster wizard, if desired.
WAAS Node
Step 1
Connect a built-in Ethernet port to the switch/router port for the management interface.
Step 2
Use the device setup command to configure the following settings:
– Configure the device mode as Application Accelerator.
– Configure the IP address and netmask of the built-in management port.
– Configure the built-in management port as the primary interface.
– Configure the other network and basic settings (default gateway, DNS, NTP server, and so
forth).
– Register the device with the Central Manager by entering the Central Manager IP address.
Interface Configuration with a Shared Management Interface
If you want management traffic to use an interface shared by the traffic data path, connect and configure
the devices as described in this section.
AppNav Controller
Step 1
Connect the last AppNav Controller Interface Module port to the switch/router port for the cluster traffic.
For example, this port is GigabitEthernet 1/11 on a 12-port module or TenGigabitEthernet 1/3 on a 4-port
module.
Step 2
For an in-path (inline) deployment, connect the first pair of ports on the AppNav Controller Interface
Module (for example, GigabitEthernet 1/0 [LAN] and GigabitEthernet 1/1 [WAN] for bridge 1) to
corresponding switch/router ports.
If the ANC is connected to a second router for a dual inline deployment, connect the second pair of ports
on the AppNav Controller Interface Module (for example, GigabitEthernet 1/2 [LAN] and
GigabitEthernet 1/3 [WAN] for bridge 2) to corresponding switch/router ports.
Step 3
Use the device setup command to configure the following settings:
– Configure the device mode as AppNav Controller.
– Configure the IP address and netmask of the last AppNav Controller Interface Module port.
– Configure the last AppNav Controller Interface Module port as the primary interface.
– Configure the other network and basic settings (default gateway, DNS, NTP server, and so
forth).
– Register the device with the Central Manager by entering the Central Manager IP address.
WAAS Node
Step 1
Connect a built-in Ethernet port to the switch/router port for the management interface.
Step 2
Use the device setup command to configure the following settings:
– Configure the device mode as Application Accelerator.
– Configure the IP address and netmask of the built-in management port.
– Configure the built-in management port as the primary interface.
– Configure the other network and basic settings (default gateway, DNS, NTP server, and so
forth).
– Register the device with the Central Manager by entering the Central Manager IP address.
Interface Configuration Considerations
The following guidelines concern WAAS device interface configuration:
• On an ANC, the intercepted traffic must go through an interface on the AppNav Controller Interface Module.
• On an ANC that also serves as a WN, the cluster interface is the same as the interception interface.
• On a WN, cluster traffic can be handled on any interface, either built-in or on an interface module.
• To simplify AppNav deployment, the AppNav Cluster Wizard uses the following conventions for configuring the AppNav Controller Interface Module ports on an ANC:
– The default port for cluster traffic is the last port on the module (for example, GigabitEthernet 1/11 on a 12-port module or TenGigabitEthernet 1/3 on a 4-port module).
– For an in-path (inline) deployment, the default interception bridge is the first pair of ports on the module (for example, GigabitEthernet 1/0 [LAN] and GigabitEthernet 1/1 [WAN] for bridge 1). If the ANC is connected to a second router for a dual inline deployment, the default second interception bridge is the second pair of ports on the module (for example, GigabitEthernet 1/2 [LAN] and GigabitEthernet 1/3 [WAN] for bridge 2).
The AppNav Cluster Wizard uses four predefined deployment models to help simplify configuration.
Each deployment model expects interfaces to be connected and configured in a particular way, except
for the Custom option, which allows you to configure interfaces in any way. Before you run the wizard
with one of the four predefined models, the needed interfaces must be in either of these states:
• Not configured with an IP address and netmask and not used as part of another logical interface. (However, the last port on the AppNav Controller Interface Module can be configured with an IP address because it is the default port for cluster traffic.) The wizard configures all needed traffic interface settings.
• Configured as expected by the wizard according to the following deployment model expectations.
The following sections describe the interface configurations used by each of the four predefined
deployment models.
Single AppNav Controller WCCP Interception
With a 12-port AppNav Controller Interface Module:
• Port channel 1—Contains ports GigabitEthernet 1/10 and 1/11
• Cluster interface—Port channel 1
With a 4-port AppNav Controller Interface Module:
• Cluster interface—GigabitEthernet 1/3
Dual AppNav Controllers WCCP Interception
With a 12-port AppNav Controller Interface Module:
• Port channel 1—Contains ports GigabitEthernet 1/10 and 1/11
• Port channel 2—Contains ports GigabitEthernet 1/8 and 1/9
• Standby group 1—Contains interfaces Port channel 1 (primary) and Port channel 2
• Cluster interface—Standby Group 1
With a 4-port AppNav Controller Interface Module:
• Standby group 1—Contains ports GigabitEthernet 1/2 and 1/3 (primary)
• Cluster interface—Standby Group 1
Single AppNav Controller Inline Interception
• Interception bridge 1—Contains ports GigabitEthernet 1/0 (LAN) and 1/1 (WAN)
• Cluster interface—GigabitEthernet 1/11
Dual AppNav Controllers Inline Interception
• Interception bridge 1—Contains ports GigabitEthernet 1/0 (LAN) and 1/1 (WAN)
• Interception bridge 2—Contains ports GigabitEthernet 1/2 (LAN) and 1/3 (WAN)
• Standby group 1—Contains ports GigabitEthernet 1/10 and 1/11 (primary)
• Cluster interface—Standby Group 1
Creating a New AppNav Cluster with the Wizard
Prerequisites
• Set up the individual ANC and WN devices as described in the “Configuring WAAS Device Interfaces” section on page 4-11.
• Ensure that all ANCs are configured for AppNav Controller device mode. If you need to change the device mode, see the “Changing Device Mode” section on page 2-16.
• Use the Central Manager to configure basic settings for all devices such as NTP server, AAA, logging, and so on.
Detailed Steps
To create a new AppNav Cluster by using the wizard, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > All AppNav Clusters.
The Manage AppNav Clusters window appears.
Step 2
Click the AppNav Cluster Wizard icon in the taskbar of the Manage AppNav Clusters area. The Cluster
Wizard window appears.
Step 3
In the Deployment model drop-down list, choose one of the following deployment models that matches
your deployment:
• Single AppNav Controller WCCP interception
• Dual AppNav Controllers WCCP interception
• Single AppNav Controller Inline interception
• Dual AppNav Controllers Inline interception
• Custom—For a deployment that does not match one of the choices above
Click Next.
Step 4
(Optional) If you chose the Custom deployment model, from the Interception method drop-down list,
choose the WCCP or Inline interception method and click Next.
Step 5
Define the cluster settings by entering the following information:
• In the Name field, enter a name for the cluster. Use only letters, numbers, hyphen, and underscore, up to a maximum of 32 characters and beginning with a letter.
• (Optional) In the Description field, enter a description of the cluster. Use only letters and numbers, up to a maximum of 200 characters.
• Check the Disable Distribution check box if you want to make the cluster operate in monitoring mode; otherwise, the cluster is activated when the wizard finishes. In monitoring mode, all traffic is passed through instead of being distributed to WNs.
Click Next.
Step 6
Choose the ANC and WN devices that you want to be part of the cluster:
a.
Choose up to eight ANCs in the AppNav Controller device list by clicking the check box next to the
device names. You can use the filter settings in the taskbar to filter the device list.
b.
(Optional) If you want to enable optimization on the ANC devices, check the Enable WAN
optimization on selected AppNav Controller(s) check box (it may be enabled or disabled by
default, depending on the deployment model you chose).
c.
Choose up to 32 WNs in the WAAS Nodes device list by clicking the check box next to the device
names. You can use the filter settings in the taskbar to filter the device list.
If there are devices that are ineligible to join the cluster, click Show Ineligible Devices to see them
and the reasons why they are ineligible. You can use the filter settings to filter the list.
d.
Click Next.
Step 7
Verify the cluster interface, IP address, and netmask for each device in the cluster. The wizard
automatically selects recommended cluster interfaces that should be configured. To edit the IP address
and netmask settings for a device, choose the device and click the Edit taskbar icon. This screen does
not appear if you are configuring a custom cluster.
Click Finish if you are using inline interception (and you are done) or click Next if you are using WCCP
interception (and continue with the following steps for WCCP).
Step 8
(Optional) Configure the WCCP settings for the ANC. This screen does not appear if you are configuring
an inline cluster.
For details about configuring WCCP, see the “Configuring WCCP on WAEs” section on page 5-11.
a.
Ensure the Enable WCCP Service check box is checked if you want to enable WCCP. This item
appears only if you are defining a custom cluster.
b.
Verify the single WCCP service ID of 61 (default) or change it if desired.
You need to configure only this single WCCP service on both the ingress and egress ports of the
router doing WCCP redirection to this ANC.
c.
(Optional) If you want to enable two WCCP services, uncheck the Enable Single Service Mode
check box (it is checked by default because two WCCP services are not needed). The automatically
assigned second service ID number is shown in the Service ID2 field.
d.
From the Redirect Method drop-down list, choose the WCCP L2 or WCCP GRE redirect method.
For details on the redirect method, see the “Configuring or Viewing the WCCP Settings on ANCs”
section on page 5-22. This item appears only if you are defining a custom cluster.
e.
(Optional) If you do not want to use the default gateway defined on the device, uncheck the Use
Default Gateway as WCCP Router check box. Enter the address of one or more WCCP routers,
separated by commas, in the WCCP Routers field.
f.
Click Advanced WCCP Settings to configure additional settings as needed. For more information
on these fields, see the “Configuring or Viewing the WCCP Settings on ANCs” section on
page 5-22. This item appears only if you are defining a custom cluster.
g.
Click Next. If you are configuring multiple ANCs, a similar screen is shown for each ANC.
Step 9
Configure the interception and cluster interface settings for each device. The Cluster Interface Wizard
appears only if you are defining a custom cluster, with one screen for each device in the cluster:
a.
Configure individual interfaces, port channels, standby interfaces, and bridge interfaces (for inline
only) as needed on the device by using the graphical interface wizard. If you are configuring an
inline ANC, you must define a bridge interface with two physical or port-channel interfaces (or one
of each). For details on how to use the wizard, see the “Configuring Interfaces with the Graphical
Interface Wizard” section on page 4-17.
b.
From the Cluster Interface drop-down list, choose the interface to be used for intra-cluster traffic.
c.
Click Next. If you are configuring multiple devices, a similar screen is shown for each device.
Step 10
Click Finish to save the cluster configuration.
By default, the wizard assigns all WNs to a default WNG named WNG-Default. You can create
additional WNGs as described in the “Adding a New WAAS Node to the Cluster” section on page 4-32.
You can reassign WNs to different WNGs as described in the “Configuring WAAS Node Settings”
section on page 4-29.
After you create an AppNav Cluster, it is shown in the Manage AppNav Clusters list. For details on
monitoring the cluster, see the “Monitoring an AppNav Cluster” section on page 4-34.
Configuring Interfaces with the Graphical Interface Wizard
You can easily configure interfaces on AppNav Controller Interface Modules that are installed in devices
that are part of an AppNav Cluster by using the graphical interface wizard (see Figure 4-4).
Figure 4-4
Graphical Interface Wizard
The graphical interface wizard appears when you are editing the settings for a WN or ANC in the
AppNav Cluster context. The top two fields, WAAS Node and WAAS Node Group, do not appear when
configuring ANC interfaces.
In the graphical interface view, hover over a physical or logical interface to see its identifier (for
example, GigabitEthernet 1/0). Port channels, bridge groups, and standby groups are indicated by
colored blocks or dotted outlines. The IP address of each configured physical or logical interface is
shown in a small blue highlight. The legend below the table indicates port channel, bridge group, and
standby interfaces.
Right-click on an interface to choose from the following actions:
• Edit—To display a pane where you can edit the interface description, IP address, netmask, and shutdown status.
• Create PortChannel—To create a new port channel with this interface. This choice displays a pane where you can configure the port channel number, description, IP address, netmask, and shutdown status.
• Create Bridge—To create a new bridge group with this interface. This choice displays a pane where you can configure the bridge group number and description and enable link state propagation. This choice appears only when configuring a device for inline interception. A bridge interface consists of two physical or port-channel interfaces (or one of each).
• Create Standby—To create a new standby group with this interface. This choice displays a pane where you can configure the standby group number, description, IP address, netmask, and shutdown status.
• To PortChannel n—To add this interface to an existing port channel, where n is the port channel number.
• To Standby n—To add this interface to an existing standby group, where n is the standby group number.
• To Bridge n—To add this interface to an existing bridge group, where n is the bridge group number.
• For standby interfaces (right-click within the standby interface group indicator):
– Edit—To edit the standby group settings such as the description, IP address, netmask, primary interface, and shutdown status.
– Delete Standby n—To delete the standby group.
• For port channel interfaces (right-click within the port channel indicator):
– Edit—To edit the port channel settings such as the port channel number, description, IP address, netmask, and shutdown status.
– Remove from Standby n—To remove the port channel from standby group n.
– Delete PortChannel n—To delete the port channel.
• For bridge group interfaces (right-click within the bridge group indicator):
– Edit—To edit the bridge group settings such as the bridge group number, description, and link state propagation status.
– Delete Bridge n—To delete the bridge group.
To select an interface:
• Individual interface—Click it; selection is indicated by a blue color.
• Standby group—Click the colored or dotted line indicator; selection is indicated by a thick dotted blue outline around all interfaces in the standby group.
• Port channel or bridge group—Click the colored indicator; selection is indicated by a thick dotted blue outline around all interfaces in the port channel or bridge group.
You can also perform actions by selecting an interface and clicking the following taskbar icons:
• Add (choices differ depending on the selected entity):
– Create PortChannel—To create a new port channel with this interface.
– Create Bridge—To create a new bridge group with this interface.
– Create Standby—To create a new standby group with this interface.
– To PortChannel n—To add this interface to an existing port channel, where n is the port channel number.
– To Standby n—To add this interface to an existing standby group, where n is the standby group number.
• Edit—To edit the selected interface.
• Delete (choices differ depending on the selected entity):
– Remove from Standby n—To remove the port channel from standby group n.
– Delete PortChannel n—To delete the port channel.
– Delete Standby n—To delete the standby group.
– Delete Bridge n—To delete the bridge group.
Use the Cluster Interface drop-down list to select the interface to be used for intra-cluster traffic
(between the ANCs and WNs).
To enable swapping of client and WAAS device source IP address fields in intra-cluster traffic, check the
Enable swapping of source IP address in intra-cluster traffic check box. You may want to enable this
option if you are using a port channel for the cluster interface or there is a load balancing device between
the ANC and WN. This option may improve the load balancing of traffic that the ANC distributes to
WNs for optimization because it load balances based on the client IP address rather than the ANC IP
address. (For traffic from the server to the client, it swaps the server IP address with the ANC IP address.)
Note
If you are using WCCP, the WCCP control messages must pass through the ANC interface that receives
intercepted traffic from the routers. If WCCP control messages are routed to the ANC management
interface, the cluster does not operate.
Configuring AppNav Policies
This section contains the following topics:
• Configuring AppNav Class Maps, page 4-19
• Configuring Rules Within an AppNav Policy, page 4-22
• Managing AppNav Policies, page 4-24
• Configuring WAAS Node Optimization Policy, page 4-26
Configuring AppNav Class Maps
To configure AppNav class maps, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Choose Configure > AppNav Cluster > AppNav Class-Map.
The AppNav Class-Maps window appears, listing the existing class maps.
From this window, you can perform the following tasks:
• Use the filter settings in the Show drop-down list to filter the class map list as needed. You can use a quick filter or show all class maps.
• Edit a class map by selecting it and clicking the Edit taskbar icon.
• Delete one or more class maps by selecting them and clicking the Delete taskbar icon.
• Add a new class map as described in the steps that follow.
Step 3
Click the Add Class-Map taskbar icon.
Step 4
In the Name field enter a name for the class map.
Step 5
(Optional) In the Description field enter a description for the class map.
Step 6
From the Type drop-down list, choose the class map type:
• Application—Matches traffic for a particular application based on source and/or destination IP addresses and/or ports, or the Microsoft RPC application identifier (for applications that use dynamic port allocation). Continue with Step 7.
• Site—Matches traffic from particular WAAS peer devices, for site affinity. Continue with Step 8.
• Custom—Mixes application and site affinity. Matches traffic for a particular application from one specific peer WAAS device. Continue with Step 9.
• Any TCP—Matches any TCP traffic as a catch-all classifier. If you choose this type, there are no other fields to set. Click OK to finish and return to the class maps list.
The match conditions shown in the lower part of the pane change depending on the class map type.
Step 7
(Optional) For an Application class map type, enter one or more match conditions. You can perform the
following tasks in this pane:
• Edit a match condition by selecting it and clicking the Edit taskbar icon.
• Delete one or more match conditions by selecting them and clicking the Delete taskbar icon.
• Add a new match condition as described in the steps that follow.
a.
Click the Add Match Condition taskbar icon.
b.
Enter values in one or more fields to create a condition for a specific type of traffic. For example, to
match all traffic going to ports 5405–5407, enter 5405 in the Destination Port Start field and 5407
in the Destination Port End field. You can use the IP address wildcard fields to specify a range of IP
addresses using a wildcard subnet mask in dotted decimal notation (such as 0.0.0.255 for /24).
c.
If you want to match Microsoft RPC traffic that uses dynamic port allocation, choose the RPC
application identifier from the Protocol drop-down list. For example, to match Microsoft Exchange
Server traffic that uses the MAPI protocol, choose mapi.
d.
Click Save to save the match condition.
e.
Add additional match conditions as needed and click OK to save the class map and return to the
class maps list. If any one of the conditions is matched, the class is considered matched.
Step 8
(Optional) For a Site class map type, select one or more peer devices. Follow these steps to create the
class map:
a.
Use the filter settings in the Show drop-down list to filter the device list as needed. You can use a
quick filter, show all devices, or show all assigned devices.
b.
Check the box next to each device that you want to match traffic from. You can check the box next
to the column titles to select all devices and uncheck it to deselect all devices. If any one of the
selected devices is matched, the class is considered matched.
c.
Click OK to save the class map and return to the class maps list.
Step 9
(Optional) For a Custom class map type, you must enter one match condition based on IP address/port
or Microsoft RPC application ID and you must choose one WAAS peer device. All specified matching
criteria must be satisfied for the class to be considered matched. Follow these steps to create the class
map:
a.
Enter values in one or more IP address and/or port fields to create a condition for a specific type of
traffic. For example, to match all traffic going to ports 5405–5407, enter 5405 in the Destination Port
Start field and 5407 in the Destination Port End field. You can use the IP address wildcard fields to
specify a range of IP addresses using a wildcard subnet mask in dotted decimal notation (such as
0.0.0.255 for /24).
b.
(Optional) If you want to match Microsoft RPC traffic that uses dynamic port allocation, choose the
RPC application identifier from the Protocol drop-down list. For example, to match Microsoft
Exchange Server traffic that uses the MAPI protocol, choose mapi.
c.
You must choose one WAAS peer device from the Remote Device drop-down list.
d.
Click OK to save the class map and return to the class maps configuration window.
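The class-map match semantics described in this section (any one condition matches an Application class map, any one selected peer device matches a Site class map, all criteria must match a Custom class map, and a wildcard mask such as 0.0.0.255 covers a /24) and the flow-distribution rules stated at the start of this chapter (a flow that matches no class is passed through, a rule action of (None) means pass through in a top-level policy and inherit in a nested one, and a backup WNG is used when the primary WNG is unavailable) are modelled in the following Python example. It is added here for illustration; it is not WAAS code or the Central Manager's implementation, and the class map, WNG and peer device names are constructed. Two behaviours the guide does not specify (a flow that matches no rule of a nested policy falls back to the parent rule's action, and a rule whose primary and backup WNGs are both unavailable passes the flow through) are assumptions marked in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of AppNav classification and flow distribution; not WAAS code.
NONE = "(None)"                 # Distribute To choices as shown in the Central Manager
PASSTHROUGH = "(Passthrough)"

@dataclass
class Flow:
    dst_ip: str                         # a TCP flow as seen by an ANC
    dst_port: int
    protocol: Optional[str] = None      # Microsoft RPC application identifier, e.g. "mapi"
    peer: Optional[str] = None          # WAAS peer device the flow came from, if any

@dataclass
class MatchCondition:
    """One Application/Custom match condition (destination fields only); unset fields match anything."""
    dst_ip: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"       # Cisco wildcard mask: 1 bits are "don't care"
    dst_port_start: Optional[int] = None
    dst_port_end: Optional[int] = None
    protocol: Optional[str] = None

def wildcard_match(addr, base, wildcard):
    """True if addr agrees with base on every bit the wildcard sets to 0 (0.0.0.255 == /24)."""
    if base is None:
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def condition_matches(cond, flow):
    if not wildcard_match(flow.dst_ip, cond.dst_ip, cond.dst_wildcard):
        return False
    if cond.dst_port_start is not None:
        end = cond.dst_port_end if cond.dst_port_end is not None else cond.dst_port_start
        if not cond.dst_port_start <= flow.dst_port <= end:
            return False
    return cond.protocol is None or flow.protocol == cond.protocol

@dataclass
class ClassMap:
    name: str
    kind: str                                   # "application", "site", "custom" or "any-tcp"
    conditions: list = field(default_factory=list)
    peers: set = field(default_factory=set)

    def matches(self, flow):
        if self.kind == "any-tcp":
            return True
        if self.kind == "application":          # any one condition is enough
            return any(condition_matches(c, flow) for c in self.conditions)
        if self.kind == "site":                 # any one selected peer device is enough
            return flow.peer in self.peers
        # custom: the condition and the peer device must both match
        return flow.peer in self.peers and all(condition_matches(c, flow) for c in self.conditions)

@dataclass
class Rule:
    class_map: ClassMap
    distribute_to: str                          # a WNG name, NONE or PASSTHROUGH
    backup: Optional[str] = None                # backup WNG if the primary is unavailable
    nested: Optional[list] = None               # nested policy (list of Rule); one level only

def _action(rule, parent_action, available):
    action = rule.distribute_to
    if action == NONE:  # (None): pass through at the top level, inherit in a nested policy
        action = PASSTHROUGH if parent_action in (None, NONE) else parent_action
    if action == PASSTHROUGH or action in available:
        return action
    return rule.backup if rule.backup in available else PASSTHROUGH  # assumption on double failure

def evaluate(rules, flow, available, parent_action=None):
    """Return the WNG the flow is distributed to, or PASSTHROUGH (None only for a nested miss)."""
    for rule in rules:
        if not rule.class_map.matches(flow):
            continue
        if rule.nested is not None and parent_action is None:   # only one level of nesting
            result = evaluate(rule.nested, flow, available, parent_action=rule.distribute_to)
            if result is not None:   # assumption: a nested miss falls back to this rule's action
                return result
        return _action(rule, parent_action, available)
    # No matching class (including an empty policy): the flow is not distributed to any WNG.
    return None if parent_action is not None else PASSTHROUGH

# Constructed sample configuration with hypothetical class map, WNG and peer names.
CM_PORTS = ClassMap("Ports-5405-5407", "application", [MatchCondition(dst_port_start=5405, dst_port_end=5407)])
CM_BRANCH = ClassMap("Branch-Subnet", "application", [MatchCondition(dst_ip="10.1.1.0", dst_wildcard="0.0.0.255")])
CM_MAPI = ClassMap("MAPI", "application", [MatchCondition(protocol="mapi")])
CM_SITE_A = ClassMap("Site-A", "site", peers={"branch-wae-1"})
CM_DEFAULT = ClassMap("class-default", "any-tcp")
NESTED = [Rule(CM_MAPI, "WNG-Exchange"), Rule(CM_DEFAULT, NONE)]   # (None) here inherits the parent action
TOP_POLICY = [
    Rule(CM_SITE_A, "WNG-Site-A", nested=NESTED),
    Rule(CM_PORTS, PASSTHROUGH),
    Rule(CM_BRANCH, "WNG-Branch", backup="WNG-Default"),
    Rule(CM_DEFAULT, NONE),                     # (None) at the top level means pass through
]
AVAILABLE_WNGS = {"WNG-Default", "WNG-Exchange", "WNG-Site-A"}   # WNG-Branch is down in this sample
```

With this sample, a flow to destination port 5406 is passed through by the explicit (Passthrough) rule, a flow to 10.1.1.77 lands on WNG-Default because its primary WNG-Branch is unavailable, MAPI traffic from peer branch-wae-1 goes to WNG-Exchange through the nested policy, other traffic from that peer inherits WNG-Site-A from the parent rule, and everything else falls to the top-level class-default rule whose (None) action is pass-through. An empty rule list, the situation for a cluster created without the wizard, passes every flow through.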
Configuring Rules Within an AppNav Policy
To configure rules in an AppNav policy, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Choose Configure > AppNav Cluster > AppNav Policies.
The AppNav Policy window appears.
Step 3
Choose the policy to configure from the AppNav Policy drop-down list at the top.
You can click Manage to create or delete a policy or configure the ANCs to which a policy is applied.
For details see the “Managing AppNav Policies” section on page 4-24.
From the AppNav Policy Rules area, you can perform the following tasks:
• Use the filter settings in the Show drop-down list to filter the rule list as needed. You can use a quick filter or show all rules.
• Edit a rule by selecting it and clicking the Edit taskbar icon.
• Delete one or more rules by selecting them and clicking the Delete taskbar icon.
• Move one or more selected rules to a new position by clicking the Move To taskbar icon. After moving the rows, click Save Moved Rows to save the change.
• Move one or more selected rules up or down one position by clicking the Up or Down Arrow taskbar icons, then click Save Moved Rows to save the change.
• Save rows that you have moved with the Move To or Up and Down Arrow functions by clicking the Save Moved Rows taskbar icon.
• Insert a new rule before the selected row by clicking the Insert taskbar icon. The workflow for inserting is the same as for adding (described in the following steps).
• Add a new rule at the end of the list as described in the steps that follow. (The class-default rule is always pushed to the last position.)
Step 4
Click the Add Policy Rule taskbar icon.
Step 5
From the AppNav Class-Map drop-down list, choose the class map to which this policy rule applies.
If you want to edit the class map, click Edit, or if you want to create a new class map, click Create New.
The workflow is the same as described in the “Configuring AppNav Class Maps” section on page 4-19.
Step 6
From the Distribute To drop-down list, choose the distribution action to apply to the class map. The list
includes all defined WNGs and the choices (None), for no action, and (Passthrough), to pass through this
type of traffic. The meaning of (None) is context dependent: in a top-level policy it means pass through,
and if this policy is nested, it means inherit the parent policy rule action.
When you choose a WNG, other settings appear. If you want to create a new WNG, click Create New. The
workflow is the same as described in the “Adding a New WAAS Node Group to the Cluster” section on
page 4-34. The newly created WNG appears in both the Distribute To and Backup drop-down lists.
Step 7
(Optional) From the Backup drop-down list, choose the backup WNG to use for distribution if the
primary WNG is unavailable.
Step 8
(Optional) From the Monitor drop-down list, choose the application accelerator to monitor. When you
monitor an application accelerator, the ANC checks for overload on that application accelerator and does
not send new flows to a WN that is overloaded. If you choose None, no specific application accelerator
is monitored; only the maximum connection limit of the device is monitored.
Step 9
(Optional) If you want to apply a nested policy within this rule, click Nested Actions (Advanced) to
expand this area.
Step 10
(Optional) From the Nested Policy drop-down list, choose the policy to nest, or choose None to select
no policy. When you choose a policy, the policy rules are displayed in a table.
If there are policies that are ineligible to be specified as a nested policy, click Show Ineligible Policies
to display them and the reasons they are ineligible. A policy is ineligible if it already has a nested policy,
because only one level of nesting is allowed.
To edit the chosen policy, click Edit, or to create a new policy for nesting, click Create New. The
workflow for both editing and creating is the same.
a. In the Name field enter the policy name. This field is not editable for the waas_app_default policy.
b. Click the Add Policy Rule taskbar icon.
A new row is added, showing fields for configuring the rule.
c. From the Class-Map drop-down list, choose the class map to which this rule applies.
d. From the Distribute To drop-down list, choose the distribution action to apply to the class map. The
list includes all defined WNGs and the choices (Inherit), to inherit this action from the parent policy,
and (Passthrough), to pass through this type of traffic.
e. (Optional) From the Backup drop-down list, choose the backup WNG to use for distribution if the
primary WNG is unavailable.
f. (Optional) From the Monitor drop-down list, choose the application accelerator to monitor.
g. Click OK to save the policy rule and return to the AppNav Policy Rule pane for the primary policy
rule you are creating.
Step 11
Click OK to create the policy rule and return to the policy configuration window.
Note
If all AppNav policies have been deleted and you add a new policy rule, the policy rule is added to a new
appnav_default policy, which is created automatically.
Managing AppNav Policies
To create or delete AppNav policies or configure the ANCs to which policies apply, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Choose Configure > AppNav Cluster > AppNav Policies.
The AppNav Policy window appears.
Step 3
Choose the policy to view from the AppNav Policy drop-down list at the top.
For details on using the AppNav Policy Rules area see the “Configuring Rules Within an AppNav
Policy” section on page 4-22.
Step 4
Click Manage.
From the Manage AppNav Policies pane, you can perform the following tasks:
• Use the filter settings in the Show drop-down list to filter the policy list as needed. You can use a
quick filter or show all policies.
• Edit a policy and configure the ANCs to which it applies by selecting it and clicking the Edit taskbar
icon.
• Delete a policy by selecting it and clicking the Delete taskbar icon.
• Add a new policy as described in the steps that follow.
Step 5
Click the Add Policy taskbar icon.
Step 6
In the Name field enter a name for the policy.
Step 7
(Optional) In the Description field enter a description for the policy.
Step 8
(Optional) Check the box next to each ANC that you want to assign to this policy. To unassign any
assigned devices, uncheck the box.
Assigning the policy to an ANC makes the policy active on that ANC (only one policy can be active on
an ANC) and removes the association of any previously active policy on that ANC. It is not necessary
to assign the policy to an ANC if you want to create the policy as an alternate. You can assign it to ANCs
later as needed.
Step 9
Click OK to save the policy and return to the Manage AppNav Policies pane.
Step 10
Click Close to return to the policy configuration window.
Step 11
Add policy rules to the new policy as described in the “Configuring Rules Within an AppNav Policy”
section on page 4-22.
Configuring WAAS Node Optimization Policy
The WAAS node optimization policy controls how traffic that is distributed to the WAAS nodes is
optimized. The optimization policy is configured on the WNs and any ANCs that are also acting as
optimizing nodes.
All WNs in one WNG must have an identical optimization policy configured on them. Otherwise,
optimization of flows is not predictable. The optimization policy can be different for different WNGs.
For information on how to configure the optimization policy, see Chapter 13, “Configuring Application
Acceleration.”
The default optimization policy is listed in Appendix A, “Predefined Optimization Policy.”
Configuring AppNav Controller ACLs
An AppNav Controller ACL controls what traffic is intercepted by an ANC. You may want to configure
an ANC interception ACL for each ANC in an AppNav Cluster.
For information on how to configure an ANC interception ACL, see the “Configuring Interception
Access Control Lists” section on page 5-28.
Configuring AppNav Cluster Settings
To configure AppNav Cluster settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > All AppNav Clusters.
The Manage AppNav Clusters window appears, which shows the status of each cluster.
From this window, you can perform the following tasks:
• View an AppNav Cluster topology and edit its settings by clicking on a cluster name.
• Delete an AppNav Cluster by selecting an AppNav Cluster and clicking the Delete icon in the
taskbar of the Manage AppNav Clusters area.
• Create a new AppNav Cluster as described in the steps that follow.
Step 2
Click the name of the cluster whose settings you want to edit.
The cluster topology diagram appears.
Step 3
Choose Configure > AppNav Cluster > AppNav Cluster.
The Cluster Configuration window appears.
Step 4
In the Name field, enter a new name for the cluster if you want to rename it.
Step 5
(Optional) In the Description field, enter the cluster description. Use only letters and numbers, up to a
maximum of 200 characters.
Step 6
(Optional) In the Authentication Key and Confirm Authentication Key fields, enter an authentication key
that is used to authenticate communications between the WAAS devices in the cluster. Use only letters
and numbers, up to a maximum of 64 characters.
Step 7
(Optional) In the Shutdown Wait Time field, enter the number of seconds that WNs in the cluster should
wait for all connections to terminate before shutting down. The default is 120 seconds.
Step 8
(Optional) To configure cluster distribution and off-loading of pass-through connections, expand the
Advanced Settings section by clicking it.
Step 9
(Optional) To enable distribution of traffic from the ANCs in the cluster to WNs, ensure that the Enable
distribution of traffic on AppNav Controllers check box is checked. To disable distribution of traffic,
uncheck this box. When distribution is disabled, the cluster operates in monitoring mode where it
continues to intercept traffic and, instead of distributing it to WNs, passes it through. This mode can be
useful for monitoring traffic statistics without optimizing the traffic.
Step 10
(Optional) To configure offloading of pass-through connections from WNs to ANCs, check the check
boxes in the Enable offload of pass-through connections from WAAS nodes to AppNav Controllers
for following reasons section. This feature allows pass-through connections to be passed through at the
ANC instead of being distributed to the WN and then passed through. Configure pass-through offload
as follows:
a. To offload all pass-through connections, which includes connections passed through due to error
conditions, check the All pass-through connections check box. Check this box only if you do not
need application visibility on the WNs into pass-through traffic due to error conditions. The default
is unchecked.
b. To offload connections passed through due to missing policy configuration, check the Due to
missing policy configuration check box. The default is checked.
c. To offload connections passed through due to no peer WN, check the Due to no peer WAAS node
check box. The default is checked.
d. To offload connections passed through due to an intermediate WN, check the Due to intermediate
WAAS node check box. The default is checked.
e. If some of the WNs use different pass-through offload settings, you can synchronize the settings on
all WNs to match the configuration shown here by checking the Synchronize settings on all devices
check box. This check box is shown only if the settings on some WNs are different. The default is
unchecked.
Step 11
Click Submit.
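As an added example (not Cisco code and not the ANC's actual implementation), the following Python model ties together the policy rule fields from the “Configuring Rules Within an AppNav Policy” section (class-map order with class-default evaluated last, the (None), (Inherit) and (Passthrough) choices, one level of nesting, the backup WNG, and the monitored accelerator's overload state) with the pass-through offload settings of Step 10 above. The flow attributes, class-map predicates, WNG membership, node load, least-connections node choice and reason strings are constructed assumptions.

```python
"""Model of AppNav policy-rule resolution and pass-through offload (added example, not Cisco code).
Class maps are predicates over a flow dict; WNG membership, node load, the least-connections node
choice within a WNG and the reason strings are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PASSTHROUGH, NONE, INHERIT, CLASS_DEFAULT = "(Passthrough)", "(None)", "(Inherit)", "class-default"

@dataclass
class WaasNode:
    name: str
    enabled: bool = True
    connections: int = 0
    max_connections: int = 1000
    overloaded: set = field(default_factory=set)   # accelerators currently reporting overload

    def can_accept(self, monitor: Optional[str]) -> bool:
        # The device connection limit always applies; an accelerator is checked only if monitored (Step 8).
        return (self.enabled and self.connections < self.max_connections
                and (monitor is None or monitor not in self.overloaded))

@dataclass
class PolicyRule:
    class_map: str
    match: Callable[[dict], bool]
    distribute_to: str                     # WNG name, PASSTHROUGH, NONE or INHERIT
    backup: Optional[str] = None
    monitor: Optional[str] = None
    nested: Optional["Policy"] = None      # Nested Actions (Advanced)

@dataclass
class Policy:
    name: str
    rules: List[PolicyRule]

@dataclass
class Decision:
    action: str                            # "distribute" or "passthrough"
    wng: Optional[str] = None
    node: Optional[str] = None
    reason: Optional[str] = None
    where: Optional[str] = None            # pass-through performed at the "ANC" or at a "WN"

def validate(policy: Policy) -> None:
    """Only one level of nesting is allowed; a policy that already nests is ineligible."""
    for rule in policy.rules:
        if rule.nested and any(r.nested for r in rule.nested.rules):
            raise ValueError(f"{rule.nested.name} already has a nested policy")

def first_match(policy: Policy, flow: dict) -> Optional[PolicyRule]:
    # class-default is always pushed to the last position, whatever row it occupies.
    rules = sorted(policy.rules, key=lambda r: r.class_map == CLASS_DEFAULT)
    return next((r for r in rules if r.match(flow)), None)

def select(policy, flow, parent=None):
    """Return (target, backup, monitor) for the flow, or None if no rule matches."""
    rule = first_match(policy, flow)
    if rule is None:
        return parent        # assumption: no nested match keeps the parent rule's action
    if rule.distribute_to in (NONE, INHERIT):
        # (None) is context dependent: pass through at top level, inherit when nested.
        target, backup, monitor = parent or (PASSTHROUGH, None, None)
        sel = (target, rule.backup or backup, rule.monitor or monitor)
    else:
        sel = (rule.distribute_to, rule.backup, rule.monitor)
    return select(rule.nested, flow, sel) if rule.nested else sel

def resolve(policy: Policy, flow: dict, wngs: Dict[str, List[WaasNode]],
            offload: Dict[str, bool]) -> Decision:
    sel = select(policy, flow)
    if sel is None:
        # An offloaded reason is passed through at the ANC; otherwise the flow still goes to a WN,
        # which passes it through itself (cluster settings Step 10).
        reason = "missing policy configuration"
        where = "ANC" if offload.get("all") or offload.get(reason) else "WN"
        return Decision("passthrough", reason=reason, where=where)
    target, backup, monitor = sel
    if target == PASSTHROUGH:
        return Decision("passthrough", reason="policy action", where="ANC")
    for wng in (target, backup):           # the backup WNG is used only if the primary is unavailable
        ready = [n for n in wngs.get(wng or "", []) if n.can_accept(monitor)]
        if ready:
            node = min(ready, key=lambda n: n.connections)
            return Decision("distribute", wng=wng, node=node.name)
    return Decision("passthrough", reason="no available WN in primary or backup WNG", where="ANC")

HTTP_EXCEPTIONS = Policy("http-exceptions", [   # constructed nested policy
    PolicyRule("proxy-bypass", lambda f: f.get("dst_ip") == "192.0.2.10", PASSTHROUGH),
    PolicyRule(CLASS_DEFAULT, lambda f: True, INHERIT)])
BRANCH_POLICY = Policy("branch-policy", [       # row 1 is class-default, yet HTTP and CIFS match first
    PolicyRule(CLASS_DEFAULT, lambda f: True, NONE),
    PolicyRule("HTTP", lambda f: f.get("dst_port") == 80, "branch-wng", monitor="http", nested=HTTP_EXCEPTIONS),
    PolicyRule("CIFS", lambda f: f.get("dst_port") == 445, "branch-wng", backup="dc-wng", monitor="cifs")])
WNGS = {"branch-wng": [WaasNode("wn1", connections=40, overloaded={"cifs"}), WaasNode("wn2", enabled=False)],
        "dc-wng": [WaasNode("wn3", connections=5)]}
OFFLOAD = {"all": False, "missing policy configuration": True,       # page defaults for Step 10 a-d
           "no peer WAAS node": True, "intermediate WAAS node": True}

if __name__ == "__main__":   # constructed flows: plain HTTP, HTTP to the bypassed host, CIFS, SSH
    for f in ({"dst_ip": "198.51.100.7", "dst_port": 80}, {"dst_ip": "192.0.2.10", "dst_port": 80},
              {"dst_ip": "198.51.100.7", "dst_port": 445}, {"dst_ip": "198.51.100.7", "dst_port": 22}):
        print(f, resolve(BRANCH_POLICY, f, WNGS, OFFLOAD))
```

Running the block shows the CIFS flow skipping wn1 while its CIFS accelerator reports overload and landing in the backup WNG, while the HTTP flow to the bypassed host is passed through at the ANC by the nested rule.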
The lower part of this window shows lists of the ANCs, WNs, and WNGs that are part of the cluster. The
controls in these parts of this window work as described in the following sections:
• AppNav Controllers—Configuring AppNav Controller Settings, page 4-28
• WAAS Nodes—Configuring WAAS Node Settings, page 4-29
• WAAS Node Groups—Configuring WAAS Node Group Settings, page 4-30
Configuring AppNav Controller Settings
To configure ANC settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the AppNav Controllers tab below the topology diagram.
All ANCs in the cluster are listed, showing the name, location, IP address, interface used for intra-cluster
traffic, and enabled status.
From this list, you can perform the following tasks:
• Edit the interface settings for an ANC by choosing the ANC and clicking the Edit taskbar icon.
• Delete an ANC by choosing the ANC and clicking the Delete taskbar icon.
• Add a new ANC to the cluster by clicking the Add AppNav Controller taskbar icon. See the
“Adding an ANC to a Cluster” section on page 4-31.
• Enable a disabled ANC by choosing the cluster and clicking the Enable taskbar icon.
• Disable an ANC by choosing the ANC and clicking the Disable taskbar icon.
Step 3
Click the radio button next to the ANC that you want to edit and click the Edit taskbar icon.
The Edit AppNav Controller pane appears.
Step 4
If you want to enable optimization on the ANC, check the Enable WAN optimization (Internal WAAS
Node) check box.
Step 5
If you enabled WAN optimization, from the WAAS Node Group drop-down list, choose the WNG to
which the internal WN should belong.
Step 6
Click Next.
Step 7
(Optional) Configure the WCCP settings for the ANC. This screen does not appear if the ANC is
configured for inline interception. For more information on the WCCP fields, see the “Configuring or
Viewing the WCCP Settings on ANCs” section on page 5-22.
When finished with the WCCP settings, click Next. The graphical interface wizard appears.
Step 8
In the graphical interface view, configure interfaces on the AppNav Controller Interface Module as
needed. For details on how to use the wizard, see the “Configuring Interfaces with the Graphical
Interface Wizard” section on page 4-17.
Step 9
From the Cluster Interface drop-down list, select the interface to be used for intra-cluster traffic.
Step 10
(Optional) To enable swapping of client and WAAS device source IP address fields in intra-cluster
traffic, check the Enable swapping of source IP address in intra-cluster traffic check box.
You may want to enable this option if you are using a port channel for the cluster interface or there is a
load balancing device between the ANC and WN. This option may improve the load balancing of traffic
that the ANC distributes to WNs for optimization because it load balances based on the client IP address
rather than the ANC IP address. (For traffic from the server to the client, it swaps the server IP address
with the ANC IP address.) The Central Manager enables this feature automatically if any existing ANCs
have port channel cluster interfaces.
Step 11
Click Finish.
Configuring WAAS Node Settings
All WNs in the cluster must be configured with application-accelerator device mode and
appnav-controller interception mode. If you created the cluster with the Central Manager AppNav
Wizard, both of these settings are already done. (The wizard sets the interception mode and the device
mode would have been set before running the wizard.)
From within the AppNav Cluster context, you can configure the following settings for a WN:
• WNG to which the WN belongs
• AppNav Controller Interface Module interface settings (including configuring port channel,
standby, and bridge group interfaces)
• Cluster interface used for intra-cluster traffic
To configure WN settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the WAAS Nodes tab below the topology diagram.
All WNs in the cluster are listed, showing the name, location, IP address, interface in use, WNG to which
the node belongs, and enabled status.
From this list, you can perform the following tasks:
• Edit the settings for a WN by choosing the WN and clicking the Edit taskbar icon.
• Delete a WN by choosing the WN and clicking the Delete taskbar icon.
• Add a new WN to the cluster by clicking the Add WAAS Node taskbar icon. See the “Adding a New
WAAS Node to the Cluster” section on page 4-32.
• Enable a disabled WN by choosing the node and clicking the Enable taskbar icon.
• Disable a WN by choosing the node and clicking the Disable taskbar icon.
Step 3
Click the radio button next to the WN that you want to edit and click the Edit taskbar icon.
The WAAS Node pane appears.
Step 4
From the WAAS Node Group drop-down list, choose the WNG to which you want to assign the node.
Step 5
In the graphical interface view, configure interfaces on the AppNav Controller Interface Module as
needed. For details on how to use the wizard, see the “Configuring Interfaces with the Graphical
Interface Wizard” section on page 4-17.
Step 6
From the Cluster Interface drop-down list, select the interface to be used for intra-cluster traffic.
Step 7
(Optional) To enable swapping of client and WAAS device source IP address fields in intra-cluster
traffic, check the Enable swapping of source IP address in intra-cluster traffic check box.
You may want to enable this option if you are using a port channel for the cluster interface or there is a
load balancing device between the ANC and WN. This option may improve the load balancing of traffic
that the ANC distributes to WNs for optimization because it load balances based on the client IP address
rather than the ANC IP address. (For traffic from the server to the client, it swaps the server IP address
with the ANC IP address.) The Central Manager enables this feature automatically if any existing ANCs
have port channel cluster interfaces.
Step 8
Click OK to save the settings.
Configuring WAAS Node Group Settings
To configure WNG settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the WAAS Node Groups tab below the topology diagram.
All WNGs in the cluster are listed, showing the name, description, and the WNs contained in the group.
From this list, you can perform the following tasks:
• Edit the settings for a WNG by choosing the WNG and clicking the Edit taskbar icon.
• Delete a WNG by choosing the WNG and clicking the Delete taskbar icon.
• Add a new WNG to the cluster by clicking the Add WAAS Node Group taskbar icon. See the
“Adding a New WAAS Node Group to the Cluster” section on page 4-34.
Step 3
Click the radio button next to the WNG that you want to edit and click the Edit taskbar icon.
Step 4
(Optional) In the Description field, enter a description of the WNG.
Step 5
Click Save to save the settings.
Adding and Removing Devices from the AppNav Cluster
This section includes these topics:
• Adding an ANC to a Cluster, page 4-31
• Removing an ANC from a Cluster, page 4-32
• Adding a New WAAS Node to the Cluster, page 4-32
• Removing a WAAS Node from a Cluster, page 4-33
• Adding a New WAAS Node Group to the Cluster, page 4-34
• Removing a WAAS Node Group from a Cluster, page 4-34
Adding an ANC to a Cluster
To add a new ANC to an AppNav Cluster, follow these steps:
Step 1
Configure basic device and network settings on the new ANC, and ensure that the device mode is set to
appnav-controller.
Step 2
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 3
Click the AppNav Controllers tab below the topology diagram.
Step 4
Click the Add AppNav Controller taskbar icon.
The Add AppNav Controllers pane appears.
Step 5
Select one or more ANCs in the AppNav Controller device list by checking the check boxes next to the
device names. You can use the filter settings in the taskbar to filter the device list.
If there are devices that are ineligible to join the cluster, you can click Show Ineligible Devices to see
them and the reasons why they are ineligible. You can use the filter settings to filter the list.
Step 6
Click Next.
Step 7
Configure the interception method, policy, WCCP settings (if using WCCP interception), and interfaces
for each ANC device you are adding:
a. From the Interception Method drop-down list, choose WCCP or Inline.
b. From the AppNav Policy-Map drop-down list, choose the AppNav policy to apply to the ANC.
c. (Optional) If you want to enable optimization on the ANC devices, check the Enable WAN
optimization (Internal WAAS Node) check box.
d. (Optional) If you enabled WAN optimization, from the WAAS Node Group drop-down list, choose
the WNG to which the internal WN should belong.
e. Click Next.
f. (Optional) If you chose WCCP interception, configure the WCCP settings on the WCCP settings
pane that appears. For details on WCCP settings, see the “Configuring or Viewing the WCCP
Settings on ANCs” section on page 5-22. Remember to check the Enable WCCP Service check box
to enable WCCP.
g. If you configured WCCP settings, click Next.
h. Use the Cluster Interface Wizard graphical interface to configure the ANC interfaces. If you chose
inline interception, you must configure a bridge group interface. For details on using this wizard,
see the “Configuring Interfaces with the Graphical Interface Wizard” section on page 4-17.
i. From the Cluster Interface drop-down list, select the interface to be used for intra-cluster traffic.
j. (Optional) To enable swapping of client and WAAS device source IP address fields in intra-cluster
traffic, check the Enable swapping of source IP address in intra-cluster traffic check box.
You may want to enable this option if you are using a port channel for the cluster interface or there
is a load balancing device between the ANC and WN. This option may improve the load balancing
of traffic that the ANC distributes to WNs for optimization because it load balances based on the
client IP address rather than the ANC IP address. (For traffic from the server to the client, it swaps
the server IP address with the ANC IP address.) The Central Manager enables this feature
automatically if any existing ANCs have port channel cluster interfaces.
k. Click Next to save the settings and continue with the next ANC you are adding. If this is the last
ANC being added, click Finish.
After a convergence waiting period of up to two minutes, the new ANCs are available in the cluster for
traffic interception and distribution. Traffic interception on the new ANCs is prevented until the devices
have fully joined the cluster. You can monitor the ANC status as described in the “Monitoring an
AppNav Cluster” section on page 4-34.
Removing an ANC from a Cluster
To gracefully remove an ANC from an AppNav Cluster, follow these steps:
Step 1
Disable the traffic interception path on the ANC. For an inline ANC, shut down the in-path interfaces,
and for an ANC using WCCP, disable WCCP.
Traffic previously routed to this ANC is rerouted to other ANCs in the cluster.
Step 2
Disable the ANC:
a. From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
b. Click the AppNav Controllers tab below the topology diagram.
c. Click the radio button next to the ANC that you want to disable and then click the Disable taskbar
icon.
The ANC is disabled and the service unreachable alarm is raised on the other ANCs in the cluster.
Step 3
(Optional) To permanently remove the ANC, click the radio button next to the ANC that you want to
remove and then click the Delete taskbar icon.
This action removes the ANC from the ANCG on all other ANCs and clears the service unreachable
alarm on the other ANCs. If the ANC is configured for WCCP interception, all WCCP settings on the
device are removed. If the ANC is also configured as a WN, the WN is removed from the cluster.
Step 4
(Optional) Power down the ANC.
Adding a New WAAS Node to the Cluster
To add a new WAAS node (WN) to a cluster, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the WAAS Nodes tab below the topology diagram.
Step 3
Click the Add WAAS Node taskbar icon.
The Add WAAS Nodes pane appears.
Step 4
Select one or more WNs in the WAAS Nodes device list by checking the check boxes next to the device
names. You can use the filter settings in the taskbar to filter the device list.
If there are devices that are ineligible to join the cluster, click Show Ineligible Devices to see them and
the reasons why they are ineligible. You can use the filter settings to filter the list.
Step 5
Click Next.
Step 6
Configure the WNG and interfaces for each WN device you are adding.
a. From the WAAS Node Group drop-down list, choose the WNG to which you want to add the new
WNs. The list shows defined WNGs.
b. Click Next.
c. Use the Cluster Interface Wizard graphical interface to configure the WN interfaces. For details on
using this wizard, see the “Configuring Interfaces with the Graphical Interface Wizard” section on
page 4-17.
d. From the Cluster Interface drop-down list, select the interface to be used for intra-cluster traffic.
e. (Optional) To enable swapping of client and WAAS device source IP address fields in intra-cluster
traffic, check the Enable swapping of source IP address in intra-cluster traffic check box.
You may want to enable this option if you are using a port channel for the cluster interface or there
is a load balancing device between the ANC and WN. This option may improve the load balancing
of traffic that the ANC distributes to WNs for optimization because it load balances based on the
client IP address rather than the ANC IP address. (For traffic from the server to the client, it swaps
the server IP address with the ANC IP address.) The Central Manager enables this feature
automatically if any existing ANCs have port channel cluster interfaces.
f. Click Next to save the settings and continue with the next WN you are adding. If this is the last WN
being added, click Finish.
Step 7
Configure and enable optimization on the WNs. For details on configuring optimization, see Chapter 13,
“Configuring Application Acceleration.”
After a convergence waiting period of up to two minutes, the new WNs are available on all the ANCs
for optimization.
Removing a WAAS Node from a Cluster
To remove a WAAS node (WN) from a cluster, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the WAAS Nodes tab below the topology diagram.
Step 3
Choose the node and click the Disable taskbar icon.
This causes a graceful exit of the WN from the cluster, where the ANCs stop sending new flows to the
WN but continue to distribute existing flows to it until the connection count reaches zero or the
maximum shutdown wait time expires.
Note
The default shutdown wait time is 120 seconds. You can configure it from the Shutdown Wait
Time field in the AppNav Cluster tab.
Step 4
(Optional) When the graceful exit process on the WN is complete (all existing connections have
terminated), remove the WN from the WNG on the ANCs by choosing the node and clicking the Delete
taskbar icon.
You can monitor the node status in the topology diagram in the upper part of the window. The colored
status light indicator on the device turns gray when the node is no longer processing connections.
Step 5
(Optional) Power down the WN.
Adding a New WAAS Node Group to the Cluster
To add a new WNG to a cluster, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the WAAS Node Groups tab below the topology diagram.
Step 3
Click the Add WAAS Node Group taskbar icon.
The Add WAAS Node Group pane appears.
Step 4
In the Name field, enter the name of the WNG.
Step 5
(Optional) In the Description field, enter a description of the WNG.
Step 6
Click OK to save the settings.
Step 7
Add one or more WNs to the new WNG. To add a new WN, see the “Adding a New WAAS Node to the
Cluster” section on page 4-32, or to reassign an existing WN to the new WNG, see the “Configuring
WAAS Node Settings” section on page 4-29.
After a convergence waiting period of up to two minutes, the new WNG is available on all the ANCs for
optimization.
Removing a WAAS Node Group from a Cluster
To remove a WAAS node group (WNG) from a cluster, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2
Click the WAAS Nodes tab below the topology diagram.
Step 3
For each WN in the WNG, click the radio button next to the node name and click the Disable taskbar
icon. This causes a graceful exit of each WN from the cluster.
Step 4
After all WNs have completed a graceful exit from the cluster, click the WAAS Node Groups tab.
You can monitor the node status in the topology diagram in the upper part of the window. The colored
status light indicator on a device turns gray when the node is no longer processing connections.
Step 5
(Optional) Choose the WNG you want to remove and click the Delete taskbar icon.
Monitoring an AppNav Cluster
To monitor an AppNav Cluster, follow these steps:
Step 1
From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
The cluster home window displays the cluster topology and device status (see Figure 4-5).
Figure 4-5 AppNav Cluster Topology and Status
To zoom in or out on the topology diagram, click the + or – magnifying glass icons in the taskbar. You
can also click on the diagram and drag it within the window to reposition it.
To change the cluster settings, edit any of the fields below the topology diagram and click Submit.
To see all ANCs, click the AppNav Controllers tab below the diagram. From this tab, you can edit,
delete, add, enable, or disable an ANC in the cluster.
To see all WNs, click the WAAS Nodes tab below the diagram. From this tab, you can edit, delete, add,
enable, or disable a WN in the cluster.
To see all WNGs, click the WAAS Node Groups tab below the diagram. From this tab, you can edit,
delete, or add a WNG in the cluster.
The overall cluster status is shown in the top left corner of the diagram, as follows:
• Green—All ANCs are operational with no error conditions.
• Yellow—Degraded because one or more ANCs have operational issues. This is also the initial state
before all nodes have sent status updates.
• Red—Cluster is down because all ANCs are down or indicates a split cluster where there is no
connectivity between one or more ANCs.
The overall cluster status does not include administratively disabled ANCs.
The colored status light indicators on each device and dotted lines around each WNG show the status of
the device or group:
• Green—Operational with no error conditions
• Yellow—Degraded (overloaded, joining cluster, or has other noncritical operational issues)
• Red—Critical (one or more processes is in a critical state)
• Gray—Disabled
• Black—Unknown status
The colored lines between each device show the status of the link between devices:
• Green—Operational with no error conditions
• Red—Link is down
• Black—Unknown status
An orange triangle warning indicator is shown on any device for which the Central Manager may
not have current information because the device has not responded within the last 30 seconds (the device
could be offline or unreachable).
Note
A recently removed device still appears in the topology diagram for a few minutes until all devices agree
on the new cluster topology.
To view a more comprehensive device status display, hover your cursor over a device icon to see the
360-degree Network Device View popup window (Figure 4-6). The popup window for a WN device is
similar.
Figure 4-6 ANC 360-Degree Network Device View
The 360-degree Network Device View shows the following status information:
• Device name and IP address
• Device type and software version
• (ANC only) Interception tab that displays the interception method: Inline or WCCP. For inline, this
tab shows the bridge groups defined for interception, their member interfaces, and their status. For
WCCP, this tab lists the defined WCCP service IDs, their associated client IP addresses, router IP
address, and notes about problems.
• (ANC only) Overloaded Policies tab that lists any monitored AppNav policies that are overloaded.
• (ANC only) Cluster Control tab that lists all devices in the cluster, with device name, IP address,
service type, liveliness state, and reason for any error condition
• (WN only) Optimization tab that lists the application accelerators and their status
• Alarms tab that lists pending alarms on the device
• Interfaces tab that lists the device interfaces and status. You can filter the list by choosing a filter
type from the drop-down list above the interface list, entering filter criteria, and clicking the filter
icon.
You can pin the status popup window so it stays open by clicking the pin icon in the upper right corner.
You can also drag the popup to any location within your browser window.
For additional cluster status, you can view the Monitor > AppNav > AppNav Report as described in the
“AppNav Report” section on page 17-43.
If you have multiple AppNav Clusters, you can see brief status for all at once by choosing AppNav
Clusters > All AppNav Clusters from the menu.
To trace connections, see the “AppNav Connection Tracing” section on page 4-37.
Note
You may see a taskbar icon named Force Settings on all Devices in a Group if the configuration across
all ANCs in the cluster becomes unsynchronized. If you see the icon, the cluster settings, ANC
configuration, WN configuration, and WNG configuration do not match on all ANCs in the cluster. This
problem can occur if you configure a device outside the Central Manager by using the CLI. Click this
taskbar icon to update all devices with the configuration that is currently shown in the Central Manager
for the cluster.
AppNav Connection Tracing
To assist in troubleshooting AppNav flows, you can use the Connection Trace tool in the Central
Manager. This tool shows the following information for a particular connection:
• If the connection was passed through or distributed to a WNG
• Pass-through reason, if applicable
• The WNG and WN to which the connection was distributed
• Accelerator monitored for the connection
• Class-map applied
To use the Connection Trace tool, follow these steps:
Step 1 From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2 Choose Monitor > Tools > Connection Trace.
Step 3 In the AppNav Controller drop-down list, choose the ANC that has the connection you want to trace.
Step 4 From the Site (Remote Device) drop-down list, choose the peer WAAS device at the remote site.
Step 5 In one or more of the Source IP, Source Port, Destination IP, and Destination Port fields, enter matching
criteria for one or more connections.
Step 6 Click Trace to display the connections that match the IP address and port criteria.
Connections are displayed in the Connection Tracing Results table below the fields. Use the filter
settings in the Show drop-down list to filter the connections as needed. You can use a quick filter to filter
on any value or show all connections.
You can display flow distribution information from the CLI by using the show appnav-controller
flow-distribution EXEC command.
Another troubleshooting tool that you can use to trace connections is the WAAS Tcptraceroute tool. For
details, see the “Using WAAS TCP Traceroute” section on page 17-61.
Chapter 5
Configuring Traffic Interception
This chapter describes how to configure interception of TCP traffic in an IP-based network, based on the
IP and TCP header information and how to redirect the traffic to WAAS devices. This chapter describes
the use of the Web Cache Communication Protocol (WCCP), policy-based routing (PBR), inline mode
for transparent redirection of traffic to WAEs, appnav-controller mode for use with an AppNav
Controller, and VPATH interception for redirection of VMware packets to virtual WAAS (vWAAS).
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, WAE
Network Modules (the NME-WAE family of devices), SM-SRE modules running WAAS, and vWAAS
instances.
Before you do the procedures in this chapter, you should complete a basic initial installation and
configuration of your WAAS network as described in the Cisco Wide Area Application Services Quick
Configuration Guide. For detailed command syntax information for any of the CLI commands in this
chapter, see the Cisco Wide Area Application Services Command Reference. For more information about
WCCP see the CISCO IOS documentation.
This chapter contains the following sections:
• Information About Interception Methods, page 5-1
• Information About WCCP Interception, page 5-3
• Configuring Advanced WCCP Features on Routers, page 5-6
• Configuring WCCP on WAEs, page 5-11
• Using Policy-Based Routing Interception, page 5-33
• Using Inline Mode Interception, page 5-42
• Configuring VPATH Interception on a vWAAS Device, page 5-55
• Configuring AppNav Interception, page 5-56
Information About Interception Methods
In a WAAS network, traffic between clients in the branch offices and the servers in the data center can
be redirected to WAEs for optimization, redundancy elimination, and compression. Traffic is
transparently intercepted and redirected to WAEs based on policies that have been configured on the
routers or on an AppNav Controller (ANC). The network elements that transparently redirect requests
to a local WAE can be a router using WCCP Version 2 or PBR to redirect traffic to the local WAE or a
Layer 4 to Layer 7 switch (for example, the Catalyst 6500 series Content Switching Module [CSM] or
Application Control Engine [ACE]). Alternately, you can intercept traffic directly by using the inline
mode with a WAE that has a Cisco WAE Inline Network Adapter or Interface Module. When equipped
with a Cisco AppNav Controller Interface Module, a WAVE appliance or cluster can intercept network
traffic through WCCP or inline mode and, based on flow policies, distribute that traffic to one or more
WAEs (WAAS nodes) for optimization.
Table 5-1 summarizes the transparent traffic interception methods that are supported in your WAAS
network.
Table 5-1 Supported Methods of Transparent Traffic Interception
Method: WCCP Version 2
Comment: Used for transparent interception of application traffic and Common Internet File
System (CIFS) traffic. Used in branch offices and data centers to transparently redirect
traffic to the WAAS devices. The traffic is transparently intercepted and redirected to
the local WAE or ANC by a WCCP-enabled router or a Layer 3 switch.
You must configure WCCP on the router and WAE in the branch office and the router
and WAE in the data center. For more information, see the following sections:
• Information About WCCP Interception, page 5-3
• Configuring Advanced WCCP Features on Routers, page 5-6
• Configuring WCCP on WAEs, page 5-11
Method: PBR
Comment: In branch offices, used for wide area application optimization. The branch office
router is configured to use PBR to transparently intercept and route both client and
server traffic to the WAE that resides in the same branch office.
In data centers, used for data center application optimization. The data center router
or Layer 3 switch may be configured to use PBR to transparently intercept and route
client and server traffic to WAEs within the data center. PBR, however, does not
support load balancing across multiple WAEs (such as WCCP does). Neither does it
support load balancing when you are using a hardware load balancer, such as the Cisco
CSM or ACE. See the “Using Policy-Based Routing Interception” section on
page 5-33.
Method: Inline
Comment: The WAE physically and transparently intercepts traffic between the clients and the
router. To use this mode, you must use a WAAS device with the Cisco WAE Inline
Network Adapter, Cisco Interface Module, or Cisco AppNav Controller Interface
Module installed. See the “Using Inline Mode Interception” section on page 5-42.
Method: VPATH
Comment: Used for VPATH interception on vWAAS devices. See the “Configuring VPATH
Interception on a vWAAS Device” section on page 5-55.
Method: AppNav Controller
Comment: For WAEs that are part of an AppNav deployment and are configured as WAAS nodes
in an AppNav Cluster, you must configure them to use the appnav-controller
interception method. This configuration allows WAEs to receive and optimize traffic
that is intercepted and distributed by the AppNav Controllers. See the “Configuring
AppNav Interception” section on page 5-56.
Method: ACE or CSM
Comment: Cisco Application Control Engine (ACE) or Catalyst 6500 series Content Switching
Module (CSM) installed in the data center for data center application optimization.
The ACE or CSM allows for both traffic interception and load balancing across
multiple WAEs within the data center.
If a WAE device is behind a firewall that prevents traffic optimization, you can use the directed mode of
communicating between peer WAEs over the WAN. For details, see the “Configuring Directed Mode”
section on page 6-27.
Information About WCCP Interception
The WAAS software uses the WCCP standard, Version 2 for redirection. The main features of
WCCP Version 2 include support for the following:
• Up to 32 WAEs per WCCP service
• Up to 32 routers per WCCP service
• Authentication of protocol packets
• Redirection of non-HTTP traffic
• Packet return (including generic routing encapsulation [GRE], allowing a WAE to reject a redirected
packet and to return it to the router to be forwarded)
• Masking for improved load balancing
• Multiple forwarding methods
• Packet distribution method negotiation within a service group
• Command and status interaction between the WAE and a service group
Note
WCCP works only with IPv4 networks.
WAAS software supports the WCCP TCP promiscuous mode service (services 61 and 62 by default,
though these service IDs are configurable). This WCCP service requires that WCCP Version 2 is running
on the router and the WAE.
The TCP promiscuous mode service is a WCCP service that intercepts all TCP traffic and redirects it to
the local WAE.
The WAAS software also supports service passwords, WAE failover, flow protection, and interception
ACLs.
Many Cisco routers and switches can be configured and enabled with WCCP Version 2 support for use
with WAAS devices.
Note
Many legacy Cisco routers, including the 2500, 2600, and 3600 routers, have far less processing power
and memory than newer routing platforms such as the Integrated Services Router (ISR) models 2800 and
3800. As such, the use of WCCPv2 or PBR may cause a high level of CPU utilization on the router and
cause erratic behavior. WAAS can be configured to work with these routers, but not to the same levels
of performance or scalability as can be found with newer routing platforms. The Cisco ISR is the routing
platform of choice for the branch office.
If you are experiencing erratic behavior, such as the WAE being ejected from the service group, enable
fair-queuing, weighted fair-queuing, or rate-limiting on all physical interfaces on the router that connect
to users, servers, WAEs, and the WAN. Fair-queuing cannot be configured on subinterfaces, and should
be configured on both ingress and egress physical interfaces. If another form of queuing is already
configured on the LAN or WAN interfaces other than fair-queuing that provides similar fairness, it
should be sufficient.
Additionally, limit the amount of bandwidth that can be received on the LAN-side interface of the router,
to help the router keep its interface queues less congested and provide better performance and lower CPU
utilization. Set the maximum interface bandwidth on the router to no more than 10 times the WAN
bandwidth capacity. For instance, if the WAN link is a T1, the LAN interface and WAE LAN interface
bandwidth should be throttled to 10 * T1 = 10 * 1.544 Mbps, or approximately 15 Mbps. See the
Cisco IOS documentation for more information.
This section contains the following topics:
• Guidelines for Configuring WCCP, page 5-4
• Guidelines for File Server Access Methods, page 5-6
Guidelines for Configuring WCCP
When you configure transparent redirection on a WAE using WCCP Version 2, follow these guidelines:
• Intercept and redirect packets on the inbound interface whenever possible.
• Use WCCP GRE or generic GRE as the egress method if you want to place WAEs on the same
VLAN or subnet as clients and servers. This topology is not allowed when using the IP forwarding
egress method.
• Branch WAEs must not have their packets encrypted or compressed and should be part of the
“inside” Network Address Translation (NAT) firewall if one is present.
• Use Layer 2 redirection as the packet forwarding method if you are using Catalyst 6500 series
switches or Cisco 7600 series routers. Use Layer 3 GRE packet redirection if you are using any other
Cisco series router.
• When you configure WCCP for use with the Hot Standby Router Protocol (HSRP), you must
configure the WAE with the HSRP or the Virtual Router Redundancy Protocol (VRRP) virtual router
address as its default gateway, and the WAE WCCP router-list with the primary address of the
routers in the HSRP group.
• CEF is required for WCCP and must be enabled on the router.
• Place branch WAEs on the client side of the network to minimize client-side packets through the
router.
• Use WCCP passwords to avoid denial-of-service attacks. For more information, see the “Setting a
Service Group Password on a Router” section on page 5-10.
• Use WCCP redirect lists for new implementations to limit client or server populations. For more
information, see the “Configuring IP Access Lists on a Router” section on page 5-9.
• You must configure the WAE to accept redirected packets from one or more WCCP-enabled routers.
• To configure basic WCCP, you must enable the WCCP service on at least one router in your network
and on the WAE or ANC that you want the traffic redirected to. It is not necessary to configure all
of the available WCCP features or services to get your WAE up and running. For an example of how
to complete a basic WCCP configuration on routers and WAEs in a branch office and data center,
see the Cisco Wide Area Application Services Quick Configuration Guide.
• You must configure the routers and WAEs to use WCCP Version 2 instead of WCCP Version 1
because WCCP Version 1 only supports web traffic (port 80).
• After enabling WCCP on the router, you must configure the TCP promiscuous mode service on the
router and the WAE, as described in the Cisco Wide Area Application Services Quick Configuration
Guide. The service IDs are configurable on the WAE and you can choose a pair of numbers different
from the default of 61 and 62 to allow the router to support multiple WCCP farms because the WAEs
in different farms can use different service IDs. The router configuration must use WCCP service
IDs that match those configured on the WAEs in each farm that it is supporting.
• In order for the WAE to function in TCP promiscuous mode, the WAE uses WCCP Version 2
services 61 and 62 (the service IDs are configurable). These two WCCP services are represented by
the canonical name tcp-promiscuous on the WAE.
• You can use CLI commands to configure basic WCCP on both the routers and the WAEs or ANCs,
or you can use CLI commands to configure the router for WCCP and use the WAAS Central
Manager to configure basic WCCP on the WAEs or ANCs. In the configuration example provided
in the Cisco Wide Area Application Services Quick Configuration Guide, the wccp global
configuration command is used to configure basic WCCP on the WAEs or ANCs.
We recommend that you use the WAAS CLI to complete the initial basic configuration of WCCP on
your first branch WAE and data center WAE, as described in the Cisco Wide Area Application
Services Quick Configuration Guide. After you have verified that WCCP transparent redirection is
working properly, you can use the WAAS Central Manager to modify this basic WCCP
configuration or configure additional WCCP settings (for example, load balancing) for a WAE. For
more information, see the “Configuring WCCP on WAEs” section on page 5-11. After you have
configured basic WCCP on the router, you can configure advanced WCCP features on the router, as
described in the “Configuring Advanced WCCP Features on Routers” section on page 5-6.
• To ensure consistency among WAEs, we recommend that you configure WCCP settings on one
device and then use the Copy Settings taskbar icon from within the WCCP configuration window
to copy the settings to other devices in your network. You should copy the settings only to WAEs in
the same WCCP service farm, AppNav Controller group (ANCG), or WAAS node group (WNG),
since WCCP settings may need to be different in different farms or service groups.
• When you add a new router to an existing WCCP router farm or WCCP service group, the new router
will reset existing connections. Until WCCP reestablishes path redirections and assignments,
packets are sent directly to the client (as expected).
• The router must support the redirect and return methods configured on the WAE. If the router does
not support the configured methods, the WAE will not join the WCCP router farm. If you have a mix
of routers in the farm, only those routers that support the configured methods will join the farm.
• The WAE only joins the WCCP farm if the assignment method configured on the WAE is supported
by the router. (The strict assignment method is always enforced with version 4.4.1 and later.)
• A WAE joins a WCCP farm only if it is seen by all the configured routers in the farm. If there is a
link failure with any one of the routers, the farm reconfigures and the WAE is removed from the
farm.
• All WAEs in a WCCP farm must use the same pair of WCCP service IDs (the default is 61 and 62),
and these IDs must match all routers that are supporting the farm. A WAE with different WCCP
service IDs is not allowed to join the farm and an alarm is raised. Likewise, all WAEs in a farm must
use the same value for the failure detection timeout. A WAE raises an alarm if you configure it with
a mismatching value.
• VPN routing and forwarding (VRF)-aware WCCP scalability is as follows:
– The maximum number of WAEs supported by a single VRF instance is 32.
– The maximum number of VRF instances supported by the router is router dependent.
– VRF-aware WCCP is supported only on specific releases of Cisco IOS software. Ensure that the
router is running a release of Cisco IOS software that supports VRF-aware WCCP.
– Each VRF instance has independent assignment, redirection, and return methods.
• In a WAAS AppNav deployment, enable WCCP only on the ANC devices that are intercepting
traffic and distributing it to the optimizing WAAS nodes (WNs). Configure WNs that are part of the
AppNav Cluster with the appnav-controller interception method.
Guidelines for File Server Access Methods
Some file servers have several network interfaces and can be reached through multiple IP addresses. For
these server types, you must add all the available IP addresses to the branch WAE’s WCCP accept list.
This situation prevents a client from bypassing the branch WAE by using an unregistered IP address. The
WAE Device Manager GUI displays all the IP addresses in the GUI.
Some file servers have several NetBIOS names and only one IP address. For these servers, if the client
connects using the IP address in the UNC path (that is, \\IP_address\share instead of \\server\share),
WAAS selects the first NetBIOS name from the server list in the WAE Device Manager GUI that matches
this IP address. WAAS uses that name to perform NetBIOS negotiations between the data center WAE
and the file server, and to create resources in the cache. If a file server uses multiple NetBIOS names to
represent virtual servers (possibly with different configurations) and has one NetBIOS name that is
identified as the primary server name, put that name in the server list before the other names.
Configuring Advanced WCCP Features on Routers
This section describes how to configure the advanced WCCP Version 2 features on a WCCP-enabled
router that is transparently redirecting requests to WAEs in your WAAS network and contains the
following topics:
• Information About Configuring a Router to Support WCCP Service Groups, page 5-6
• Configuring IP Access Lists on a Router, page 5-9
• Setting a Service Group Password on a Router, page 5-10
• Configuring a Loopback Interface on the Router, page 5-10
• Configuring Router QoS for WCCP Control Packets, page 5-11
Note
Before you do the procedures in this section, you should have already configured your router for basic
WCCP as described in the Cisco Wide Area Application Services Quick Configuration Guide.
Information About Configuring a Router to Support WCCP Service Groups
WCCP Version 2 enables a set of branch WAEs in a WAE or ANC group to connect to multiple routers.
The WAEs in a group and the WCCP Version 2-enabled routers connected to the WAE group that are
running the same WCCP service are known as a service group.
Through communication with the branch WAEs, the WCCP Version 2-enabled routers are aware of the
available branch WAEs. Routers and branch WAEs become aware of one another and form a service
group using WCCP Version 2. See Figure 5-1.
In a WAAS AppNav deployment, only the ANCs are included in the service group. The routers do not
send traffic directly to the optimizing WAEs (WNs); instead, ANCs distribute traffic within the WAAS
network to the optimizing WNs.
Figure 5-1 Service Groups with WCCP Version 2
[Figure 5-1 legend: 1 Clients requesting file services; 2 Cisco routers; 3 Branch WAEs; 4 WAE service group]
If you have a group of branch WAEs, the WAE that is seen by all the WCCP Version 2-enabled routers
and that has the lowest IP address becomes the lead branch WAE.
The following procedure describes how a branch WAE in a service group is designated as the lead:
1. Each branch WAE is configured with a list of WCCP-enabled routers.
Multiple WCCP-enabled routers can service a group (up to 32 routers can be specified). Any of the
available routers in a service group can redirect packets to each of the branch WAEs in the group.
2. Each branch WAE announces its presence to each router on the router list. The routers reply with
their view of branch WAEs in the service group.
3. After the view is consistent across all of the branch WAEs in the group, one branch WAE is
designated as the lead branch WAE and sets the policy that the WCCP-enabled routers need to
deploy in redirecting packets.
The lead branch WAE determines how traffic should be allocated across the branch WAEs in the group.
The assignment information is passed to the entire service group from the designated lead branch WAE
so that the WCCP-enabled routers of the group can redirect the packets and the branch WAEs in the
group can better manage their load.
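The farm membership guidelines earlier in this chapter (matching service IDs, routers that support the WAE's configured methods, the WAE being seen by every router in the farm) and the lowest-IP lead election described here, as an added Python model. This is a constructed example, not WAAS or Cisco IOS code; the router addresses follow the wccp router-list example in this chapter, the WAE addresses and method names are hypothetical, and real WCCP negotiation carries more state than this.

```python
"""Simplified model of WCCP service-group membership and lead branch WAE election.

Added, constructed example; not WAAS or Cisco IOS code. It applies the rules stated
in this chapter: a WAE whose service-ID pair differs from the farm raises an alarm
and stays out; only routers that support the WAE's configured redirect/return
methods join; the WAE joins only if every joining router sees it; and the member
with the lowest IP address becomes the lead. Real WCCP negotiation is richer.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Router:
    ip: str
    visible_waes: frozenset       # the router's current view of the service group
    supported_methods: frozenset  # redirect/return methods this router can do


@dataclass(frozen=True)
class WAE:
    ip: str
    router_list: tuple            # addresses configured with "wccp router-list"
    service_ids: tuple = (61, 62)
    methods: frozenset = frozenset({"gre"})


def farm_membership(waes, routers, farm_service_ids=(61, 62)):
    """Return (members, alarms): member WAE addresses, and why each other WAE stays out."""
    by_ip = {r.ip: r for r in routers}
    members, alarms = [], {}
    for wae in waes:
        if wae.service_ids != farm_service_ids:
            alarms[wae.ip] = "service ID mismatch; alarm raised"
            continue
        # Only routers that support the WAE's configured methods take part in the farm.
        farm_routers = [by_ip[a] for a in wae.router_list
                        if a in by_ip and wae.methods <= by_ip[a].supported_methods]
        if not farm_routers:
            alarms[wae.ip] = "no router supports the configured methods"
            continue
        # A link failure to any farm router means the WAE is not seen and is dropped.
        if any(wae.ip not in r.visible_waes for r in farm_routers):
            alarms[wae.ip] = "not seen by every router in the farm"
            continue
        members.append(wae.ip)
    return members, alarms


def elect_lead(members):
    """Lowest IP address wins; compare numerically, not as strings."""
    return min(members, key=IPv4Address) if members else None


def demo():
    routers = ("10.10.10.20", "10.10.10.21")
    # Hypothetical views: r1 has lost its link to .12; r2 does not support Layer 2 redirection.
    r1 = Router(routers[0], frozenset({"10.10.10.9", "10.10.10.5", "10.10.10.100", "10.10.10.7"}),
                frozenset({"gre", "l2"}))
    r2 = Router(routers[1], frozenset({"10.10.10.9", "10.10.10.5", "10.10.10.100", "10.10.10.12"}),
                frozenset({"gre"}))
    waes = [
        WAE("10.10.10.9", routers),
        WAE("10.10.10.100", routers),
        WAE("10.10.10.5", routers),
        WAE("10.10.10.12", routers),                              # link to r1 is down
        WAE("10.10.10.3", routers, service_ids=(71, 72)),         # wrong service IDs for this farm
        WAE("10.10.10.7", routers, methods=frozenset({"l2"})),    # only r1 joins for this WAE
    ]
    members, alarms = farm_membership(waes, [r1, r2])
    return members, alarms, elect_lead(members)


if __name__ == "__main__":
    print(demo())
```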
WCCP uses service groups to define WAAS services for a WCCP Version 2-enabled router and
branch WAEs in a group. WCCP also redirects client requests to these groups in real time.
All ports receiving redirected traffic that are configured as members of the same WCCP service group
share the following characteristics:
• They have the same hash or mask parameters, as configured with the WAAS Central Manager (the
“Configuring or Viewing the WCCP Settings on WAEs” section on page 5-17) or the WAAS CLI
(the wccp service-number mask global configuration command).
• The WCCP Version 2 service on individual ports cannot be stopped or started individually (a WCCP
Version 2 restriction).
Configuring a Router to Support WCCP Service Groups
To direct a WCCP Version 2-enabled router to enable or disable support for a WCCP service group, use
the ip wccp global configuration command. To remove the ability of a router to control support for a
WCCP service group, use the no form of this command.
The following example shows how to enable the TCP promiscuous mode service (WCCP Version 2
services 61 and 62) on a router:
Router(config)# ip wccp 61
Router(config)# ip wccp 62
On each WAE, configure multiple router addresses in the WCCP router list, one for each router in the
service group.
WAE(config)# wccp router-list 1 10.10.10.20 10.10.10.21
Finally, you need to configure each router for WCCP interception on the inbound direction of the
appropriate interfaces, using commands similar to the following:
Router(config)# interface fa1/0.40
Router(config-subif)# ip wccp 61 redirect in
Router(config-subif)# exit
Router(config)# interface serial0
Router(config-if)# ip wccp 62 redirect in
Router(config-if)# exit
When a new WAE is brought online, it joins the WCCP service group. With a new WAE in the service
group, the hash tables responsible for distributing the load are changed, and traffic that previously went
to WAE1 may now go to WAE2. Flow protection must be enabled in order for WAE2 to forward packets
of already connected clients to WAE1. The end result is that all requests that belong to a single session
are processed by the same WAE. Without flow protection enabled, adding a WAE to the service group
might disconnect some of the existing clients.
When a WAE is removed from the service group, its clients are disconnected (if they reconnect, they
will reach another WAE, if one is available, or the origin file server).
WAAS supports WAE failover by reconnecting clients with other branch WAEs if a branch WAE
crashes. In the event of a crash, the branch WAE stops issuing WCCP keepalives (constant high CPU
load may also result in loss of keepalives and can also be considered a failover case). The router detects
the lack of keepalives and removes the branch WAE from the service group. The designated branch WAE
updates the WCCP configuration hash table to reflect the loss of the branch WAE and divides its buckets
among the remaining branch WAEs. A new designated lead branch WAE is elected if the crashed one
was the lead branch WAE. The client is disconnected, but subsequent connections are processed by
another branch WAE.
Once a TCP flow has been intercepted and received by a branch WAE, the failure behavior is identical
to that exhibited during nontransparent mode. For example, data center WAE and file server failure
scenarios are not handled any differently as a result of using WCCP interception.
Note
When you add a new router to an existing WCCP router farm or WCCP service group, the new router
will reset existing connections. Until WCCP reestablishes path redirections and assignments, packets are
sent directly to the client (as expected).
Configuring IP Access Lists on a Router
You can optionally configure the router to redirect traffic from your WAE based on access control lists
(ACLs) that you define on the router. These access lists are also referred to as redirect lists.
Note
We recommend that you use redirect lists on the WCCP-enabled router where possible, because that is
the most efficient method to control traffic interception. However, you can also configure static bypass
lists or interception ACLs on the WAEs, and of these two, we recommend using interception ACLs
because they are more flexible and give better statistics about passed-through connections. For
information about how to configure an interception ACL for a WAE, see the “Configuring Interception
Access Control Lists” section on page 5-28. For information about how to configure a static bypass list,
see the “Configuring Static Bypass Lists for WAEs” section on page 5-27. You can also configure
interface ACLs on WAEs to control management access to the WAE, as described in Chapter 9,
“Creating and Managing IP Access Control Lists for WAAS Devices.”
Redirect lists that are configured on the routers have the highest priority, followed by static bypass lists
or interception ACLs on WAEs. Interception ACLs that are configured on WAEs take precedence over
any application definition policies that have been defined on the WAE.
A WCCP Version 2-enabled router can be configured with access lists to permit or deny redirection of
TCP traffic to a WAE. The following example shows that traffic conforming to the following criteria are
not redirected by the router to the WAE:
• Originating from the host 10.1.1.1 destined for any other host
• Originating from any host destined for the host 10.255.1.1
Router(config)# ip wccp 61 redirect-list 120
Router(config)# ip wccp 62 redirect-list 120
Router(config)# access-list 120 deny ip host 10.1.1.1 any
Router(config)# access-list 120 deny ip any host 10.1.1.1
Router(config)# access-list 120 deny ip any host 10.255.1.1
Router(config)# access-list 120 deny ip host 10.255.1.1 any
Router(config)# access-list 120 permit ip any any
Traffic not explicitly permitted is implicitly denied redirection. The access-list 120 permit ip any any
command explicitly permits all traffic (from any source on the way to any destination) to be redirected
to the WAE. Because criteria matching occurs in the order in which the commands are entered, the global
permit command is the last command entered.
To limit the redirection of packets to those packets matching an access list, use the ip wccp redirect-list
global configuration command. Use this command to specify which packets should be redirected to the
WAE.
When WCCP is enabled but the ip wccp redirect-list command is not used, all packets matching the
criteria of a WCCP service are redirected to the WAE. When you specify the ip wccp redirect-list
command, only packets that match the access list are redirected.
The ip wccp global configuration command and the ip wccp redirect interface configuration command
are the only commands required to start redirecting requests to the WAE using WCCP. To instruct an
interface on the WCCP-enabled router to check for appropriate outgoing packets and redirect them to a
WAE, use the ip wccp redirect interface configuration command. If the ip wccp command is enabled
but the ip wccp redirect command is disabled, the WCCP-enabled router is aware of the WAE but does
not use it.
To specify the access list by name or number, use the ip wccp group-list global configuration command,
which defines criteria for group membership. In the following example, the access-list 1 permit
10.10.10.1 command is used to define the IP address of the WAE that is allowed to join the WCCP
service group:
Router(config)# ip wccp 61 group-list 1
Router(config)# ip wccp 62 group-list 1
Router(config)# access-list 1 permit 10.10.10.1
Tip
If you have a WCCP service farm with multiple WAEs, the load balancing assignment may cause packets
that are sent to the WAE devices themselves (such as management traffic) to be redirected to a different
WAE in the farm, negatively impacting performance. To avoid this situation, we recommend that you
configure a WCCP redirect list that excludes traffic that is sent to the WAE IP addresses from being
redirected.
For more information on access lists, see the Cisco IOS IP addressing and services documentation.
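The first-match and implicit-deny behaviour of redirect list 120 and group list 1 above, plus the Tip's advice to keep traffic addressed to the WAE itself out of redirection, worked through in an added Python model. This is a constructed example, not Cisco IOS or WAAS code; the 10.1.1.1, 10.255.1.1 and 10.10.10.1 addresses are the ones from this section, the client and server addresses 10.2.2.2 and 10.3.3.3 are hypothetical.

```python
"""First-match evaluation of WCCP redirect lists and group lists.

Added, constructed example; not Cisco IOS or WAAS code. It models two IOS access-list
rules this section depends on: entries are tested in the order they were entered, and
traffic that no entry permits is implicitly denied. Covers 'any', 'host A.B.C.D' and
'A.B.C.D wildcard' address forms in both standard and extended ('ip') access lists.
"""
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one address spec from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is an inverted netmask; convert explicitly so that 0.0.0.0
    # means a single host and 255.255.255.255 means everything.
    netmask = IPv4Address(~int(IPv4Address(wildcard)) & 0xFFFFFFFF)
    return IPv4Network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} [ip] SRC [DST]' lines into (action, src, dst, text)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported access-list line: {line!r}")
        rest = tok[3:]
        if rest[0] == "ip":                       # extended: protocol, source, destination
            src, rest = _parse_addr(rest[1:])
            dst, rest = _parse_addr(rest)
        else:                                     # standard: source only
            if len(rest) == 1 and rest[0] != "any":
                rest = ["host", rest[0]]          # a bare address means a single host
            src, rest = _parse_addr(rest)
            dst = ANY
        if rest:
            raise ValueError(f"trailing tokens in {line!r}: {rest}")
        entries.append((tok[2], src, dst, line))
    return entries


def evaluate(entries, src, dst="0.0.0.0"):
    """Return (permitted, matching entry text). First match wins; no match is an implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, src_net, dst_net, text in entries:
        if s in src_net and d in dst_net:
            return action == "permit", text
    return False, "implicit deny"


# Redirect list 120 and group list 1 as configured on the router in this section.
REDIRECT_LIST_120 = [
    "access-list 120 deny ip host 10.1.1.1 any",
    "access-list 120 deny ip any host 10.1.1.1",
    "access-list 120 deny ip any host 10.255.1.1",
    "access-list 120 deny ip host 10.255.1.1 any",
    "access-list 120 permit ip any any",
]
GROUP_LIST_1 = ["access-list 1 permit 10.10.10.1"]
# Per the Tip: also keep traffic addressed to the WAE itself (10.10.10.1) out of redirection.
HARDENED_121 = [
    "access-list 121 deny ip any host 10.10.10.1",
    "access-list 121 deny ip host 10.10.10.1 any",
] + [line.replace("access-list 120", "access-list 121") for line in REDIRECT_LIST_120]


def demo():
    """Which flows get redirected (hypothetical client 10.2.2.2 and server 10.3.3.3)."""
    rl, gl, hard = parse_acl(REDIRECT_LIST_120), parse_acl(GROUP_LIST_1), parse_acl(HARDENED_121)
    return {
        "client to server": evaluate(rl, "10.2.2.2", "10.3.3.3")[0],
        "from 10.1.1.1": evaluate(rl, "10.1.1.1", "10.3.3.3")[0],
        "to 10.255.1.1": evaluate(rl, "10.2.2.2", "10.255.1.1")[0],
        # Without the final permit, nothing is redirected at all.
        "denies only, no permit": evaluate(parse_acl(REDIRECT_LIST_120[:4]), "10.2.2.2", "10.3.3.3")[0],
        # Entering the global permit first shadows every deny line after it.
        "permit entered first": evaluate(parse_acl(REDIRECT_LIST_120[::-1]), "10.1.1.1", "10.3.3.3")[0],
        "mgmt session to WAE": evaluate(rl, "10.2.2.2", "10.10.10.1")[0],
        "mgmt session to WAE (hardened)": evaluate(hard, "10.2.2.2", "10.10.10.1")[0],
        "WAE 10.10.10.1 joins group": evaluate(gl, "10.10.10.1")[0],
        "other device joins group": evaluate(gl, "10.10.10.99")[0],
    }


if __name__ == "__main__":
    for case, redirected in demo().items():
        print(f"{case:32} -> {'permit' if redirected else 'deny'}")
```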
Setting a Service Group Password on a Router
For security purposes, you can set a service password for your WCCP Version 2-enabled router and the
WAEs that access it. Only devices configured with the correct password are allowed to participate in the
WCCP service group.
From the global configuration mode of your WCCP-enabled router, enter the following commands to
specify the service group password for the TCP promiscuous mode service on the router (the service IDs
must match the service IDs configured on the WAE):
Router(config)# ip wccp 61 password [0-7] password
Router(config)# ip wccp 62 password [0-7] password
The required password argument is the string that directs the WCCP Version 2-enabled router to apply
MD5 authentication to messages received from the specified service group. Messages that are not
accepted by the authentication are discarded. 0-7 is the optional value that indicates the HMAC MD5
algorithm used to encrypt the password. This value is generated when an encrypted password is created
for the WAE. 7 is the recommended value. The optional password argument is the optional password
name that is combined with the HMAC MD5 value to create security for the connection between the
router and the WAE.
For information about how to use the WAAS Central Manager to specify the service group password on
a WAE, see the “Configuring or Viewing the WCCP Settings on WAEs” section on page 5-17.
Configuring a Loopback Interface on the Router
The highest IP address among the router’s loopback interfaces is used to identify the router to the WAEs.
The following example configures the loopback interface, exits configuration mode, and saves the
running configuration to the startup configuration:
Router(config)# interface Loopback0
Router(config-if)# ip address 111.111.111.111 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
Router# copy running-config startup-config
Configuring Router QoS for WCCP Control Packets
WAAS sends WCCP control packets marked with a differentiated services code point (DSCP) value of
192. (In WAAS versions earlier than 4.2, packets were unmarked.) For a router to honor this priority
value, you must configure the router’s multilayer switching (MLS) quality of service (QoS) port trust
state and classify traffic by examining the DSCP value. To configure the router appropriately, use the
mls qos trust dscp command in interface configuration mode on the interface connected to the WAE.
Configuring WCCP on WAEs
This section contains the following topics:
• Information About Load Balancing and WAEs, page 5-11
• Information About Packet-Forwarding Methods, page 5-14
• Information About WCCP Flow Redirection on WAEs, page 5-16
• Configuring or Viewing the WCCP Settings on WAEs, page 5-17
• Configuring or Viewing the WCCP Settings on ANCs, page 5-22
• Configuring and Viewing WCCP Router Lists for WAEs, page 5-26
• Configuring WAEs for a Graceful Shutdown of WCCP, page 5-26
• Configuring Static Bypass Lists for WAEs, page 5-27
• Configuring Interception Access Control Lists, page 5-28
• Configuring Egress Methods for WCCP Intercepted Connections, page 5-29
Note
Before you do the procedures in this section, you should have completed an initial configuration of your
WAAS network, which includes the basic configuration of WCCP Version 2 and the TCP promiscuous
mode service on your routers and WAEs, as described in the Cisco Wide Area Application Services Quick
Configuration Guide.
Information About Load Balancing and WAEs
Multiple WAEs with WCCP support can be deployed for dynamic load balancing to enable adjustments
to the loads being forwarded to the individual WAEs in a service group. IP packets received by a
WCCP-enabled router are examined to determine whether each one is a request that should be directed to
a WAE. Packet examination involves matching the request against the defined service criteria. Matching
packets are passed to the processing routine on the router, which determines which WAE, if any, should
receive the redirected packets.
Note
In a WAAS AppNav deployment, only the ANCs are included in the service group and are load balanced
by the routers. The routers do not send traffic to the optimizing WAEs (WNGs); instead, ANCs distribute
traffic to the optimizing WNGs.
You can use load balancing to balance the traffic load across multiple WAEs. Load balancing allows the
set of hash address buckets assigned to a WAE to be adjusted, shifting the load from an overwhelmed
WAE to other WAEs that have available capacity. Two assignment methods are used by this technique:
hashing and masking.
Assignment method denotes the method used by WCCP to perform load distribution across WAEs. The
two possible load-balancing assignment methods are hashing and masking. If the mask load-balancing
method is not specified, then the hash load-balancing method, which is the default method, is used.
Note
In a WAAS AppNav deployment, only the mask assignment method is supported and is the default.
WCCP supports redirection based on a hash function. The hash key may be based on the source or
destination IP address of the packet. For WAAS, load-balancing hashing is based on a source IP address
(default), a destination IP address, or both.
The hash function uses the source IP address to obtain an address bucket to which the packet is assigned.
These source address buckets are then mapped to a particular WAE depending on how many WAEs are
present and how busy they are. (See Figure 5-2.)
Figure 5-2 Load Balancing Through Hashing of IP Addresses
[Figure: the 32-bit IP address space (4 billion addresses) is hashed by the WCCP Version 2-enabled router
into address buckets 0 to 255; address buckets 1-85 are assigned to WAE1, buckets 86-170 to WAE2, and
buckets 171-255 to WAE3.]
Packets that the WAEs do not service are tunneled back to the same router from which they were
received. When a router receives a formerly redirected packet, it knows not to redirect it again.
Destination IP address hashing guarantees that a single WAE caches a given file server. This method,
which allows a local coherency directive to be safely applied to the file server content (provided that no
other collaboration on the content occurs), improves performance and WAN link and disk utilization.
This method may distribute the load unevenly because of uneven activity on a file server.
Source IP address hashing has better potential for session distribution between the caches on
branch WAEs. This method may impact performance and WAN link and disk utilization (see the
previous description of factors to be aware of when load balancing is applied). Also, any change in the
IP address of a client (which can happen when working in DHCP environments) may cause the client to
switch to another branch WAE, which can cause the client to experience reduced performance until the
client’s working set is retrieved into the new cache.
Hashing that is based on a client IP address does not guarantee any locality of the hash key. For example,
clients from the same subnet (which are likely to share and collaborate on the same content) may be
assigned two different hash numbers and may be redirected to different branch WAEs, while clients from
different subnets may be assigned the same hash number and may be redirected to the same branch WAE.
Hashing that is based on a client IP address does guarantee consistency. For example, a client using the
same IP address is redirected to the same branch WAE.
In the service farm, a lead WAE is chosen to build the hash table that distributes the load between the
available WAEs. The lead WAE distributes the buckets evenly. The source IP address is hashed and the
resulting bucket determines the WAE that will handle the packet.
WCCP supports redirection by mask value assignments. This method relies on masking to make
redirection decisions. The decisions are made using special hardware support in the WCCP-enabled
router. This method can be very efficient because packets are switched by the hardware.
Note
The masking method can only be used for load balancing with the Catalyst 3750, Catalyst 4500, and
Catalyst 6500 series switches, Cisco 7600 series routers, and Cisco ASR 1000 series routers. And, the
masking method can be used with the Cisco 2800, 3800, and 7200 series routers when they are running
Cisco IOS release 12.4(20)T or later releases.
You must explicitly specify masking. You can specify two mask values based on the source or destination
IP address of the packet. For WAAS, the default mask value is based on the source IP address. You can
enable masks by using the default values or specifying a particular mask. The default mask values,
specified in hexadecimal notation, are as follows:
• dst-ip-mask= 0x0
• src-ip-mask= 0xF00
You may specify the mask value with a maximum of seven bits. The WAE creates a table of the 2^7 (or
128) combinations, assigns the WAE IP addresses to them, and sends this table to the WCCP-enabled
routers. The router uses this table to distribute the traffic among all the WAEs that are in the service
group. Each packet that matches the WCCP service parameters is compared to this table and the packets
are sent to the matching WAE.
In a service farm where the WAEs have different masks, the first WAE to establish two-way
communication with the routers determines the farm’s mask. All other WAEs cannot join the farm unless
they are configured with the same mask.
Masking is typically used at the data center, where you can take advantage of the hardware accelerated
WCCP redirection capabilities of switches such as the Catalyst 6500 series switches. At the data center,
the load balancing goal should be to have all connections originating from a given client subnet
(typically equivalent to a branch) go to one data center WAE, to improve data redundancy elimination
(DRE) compression performance. Also, mask assignment on the Catalyst 6500 series switches uses the
ACL TCAM. When combined with WCCP redirect lists, mask assignment can use a large portion of the
TCAM. To minimize TCAM usage, use a mask with fewer care bits.
Given these considerations, beginning with WAAS version 4.2.1, the default mask has been changed
from src-ip-mask 0x1741 and dst-ip-mask 0x0 (in 4.1.x versions) to src-ip-mask 0xF00 and
dst-ip-mask 0x0 (in 4.2.1 and later versions). The current source IP mask uses only 4 care bits rather than
the 6 care bits used by the old mask.
With a typical data center WCCP interception configuration (ingress interception with service 61 on the
WAN, ingress interception with service 62 on the LAN), this mask load balances /24 branch subnets (it
extracts the last 4 bits of /24 subnets). Connections from one branch subnet will be pinned to one data
center WAE. If your network has a different distribution of IP addresses (for example, /16 subnets), you
should configure a mask that extracts bits from the /16 network part of the address, for example,
src-ip-mask 0xF0000. Similarly, if some branches generate more traffic than others, you may want to
create a mask that also extracts bits from the host part of the address, for example, 0xF03.
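The mask assignment described above, as an added example that is not code from the Cisco guide or from WAAS: it counts the care bits of the 0x1741, 0xF00, 0xF0000 and 0xF03 masks, builds the 2^care-bits table a WAE would hand to the routers, and checks which source addresses are pinned to one data center WAE. The WAE names and subnets are constructed, and the even round-robin spread of table entries and the bit-packing order of the index are modelling assumptions.

```python
import ipaddress
from typing import Dict, List

# Added example, not code from the Cisco guide: a model of WCCP mask
# assignment as the page describes it (a mask with up to seven care bits,
# a table of 2**care_bits entries advertised to the routers, one WAE per entry).

MAX_CARE_BITS = 7  # the guide states a mask may use at most seven bits

# Constructed sample farm; the names are placeholders, not real devices.
WAES = ["dc-wae-1", "dc-wae-2", "dc-wae-3"]


def care_bits(mask: int) -> int:
    """Count the care bits (set bits) of a mask: 0xF00 -> 4, 0x1741 -> 6."""
    return bin(mask).count("1")


def mask_index(ip: str, mask: int) -> int:
    """Pack the bits of `ip` selected by `mask` into a dense table index.

    Bits are packed from the lowest care bit upward (a parallel bit
    extract). The packing order is a modelling assumption; it changes the
    index numbers but not which addresses share an index.
    """
    value = int(ipaddress.IPv4Address(ip))
    index = 0
    out_bit = 0
    for bit in range(32):
        if (mask >> bit) & 1:
            index |= ((value >> bit) & 1) << out_bit
            out_bit += 1
    return index


def build_assignment_table(mask: int, waes: List[str]) -> Dict[int, str]:
    """Build the 2**care_bits entry table a WAE would advertise to routers.

    Entries are spread round-robin across the WAEs. An even spread is an
    assumption of this model; the lead WAE may weight entries differently.
    """
    n = care_bits(mask)
    if not 1 <= n <= MAX_CARE_BITS:
        raise ValueError(f"mask {mask:#x} has {n} care bits, expected 1..{MAX_CARE_BITS}")
    return {entry: waes[entry % len(waes)] for entry in range(2 ** n)}


def wae_for(ip: str, mask: int, table: Dict[int, str]) -> str:
    """WAE that receives packets from source `ip` under this mask table."""
    return table[mask_index(ip, mask)]


def pinned_to_one_wae(network: str, mask: int, waes: List[str]) -> bool:
    """True if every host of `network` lands on the same WAE.

    Checks every host address, so use it on /16 or smaller networks.
    """
    table = build_assignment_table(mask, waes)
    targets = set()
    for host in ipaddress.IPv4Network(network).hosts():
        targets.add(wae_for(str(host), mask, table))
        if len(targets) > 1:
            return False
    return True


if __name__ == "__main__":
    # The 4.2.1 default (0xF00) uses 4 care bits versus 6 for the old 0x1741.
    for m in (0x1741, 0xF00, 0xF0000, 0xF03):
        print(f"mask {m:#x}: {care_bits(m)} care bits, {2 ** care_bits(m)} table entries")

    table = build_assignment_table(0xF00, WAES)
    # 0xF00 reads the low nibble of the third octet, so a whole /24 branch
    # subnet is pinned to one data center WAE ...
    print("10.1.5.0/24 pinned under 0xF00:", pinned_to_one_wae("10.1.5.0/24", 0xF00, WAES))
    # ... and subnets whose third octets differ by a multiple of 16 share a WAE.
    print("10.1.5.7  ->", wae_for("10.1.5.7", 0xF00, table))
    print("10.1.21.9 ->", wae_for("10.1.21.9", 0xF00, table))
    # 0xF03 adds two host bits, so hosts of one branch spread across WAEs.
    print("10.1.5.0/24 pinned under 0xF03:", pinned_to_one_wae("10.1.5.0/24", 0xF03, WAES))
    # 0xF0000 extracts bits from the /16 network part and pins /16 networks instead.
    print("10.1.0.0/16 pinned under 0xF0000:", pinned_to_one_wae("10.1.0.0/16", 0xF0000, WAES))
```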
Information About Packet-Forwarding Methods
A WCCP-enabled router redirects intercepted TCP segments to a WAE using one of the following two
packet-forwarding methods:
• Generic routing encapsulation (GRE)—Allows packets to reach the WAE even if there are any
number of routers in the path to the WAE.
• Layer 2 redirection—Allows packets to be switched at Layer 2 (MAC layer) and reach the WAE.
Table 5-2 describes the packet-forwarding methods.
Table 5-2 Packet-Forwarding Methods

Packet-Forwarding Method: GRE (Layer 3)
  Load-Balancing Method, Hashing: Packet redirection is completely handled by the router software.
  Load-Balancing Method, Masking: Packet redirection is handled by the router software. We do not
  recommend using mask assignment when GRE is being used as the packet-forwarding method.

Packet-Forwarding Method: Layer 2 redirection
  Load-Balancing Method, Hashing: First redirected packet is handled by the router software; all
  subsequent redirected packets are handled by the router hardware.
  Load-Balancing Method, Masking: All packets are handled by the router hardware (currently supported
  only on the Catalyst 6500 series switches or Cisco 7600 series routers because special hardware is
  required).
The redirection mode is controlled by the branch WAE. The first branch WAE that joins the WCCP
service group decides the forwarding method (GRE or Layer 2 redirection) and the assignment method
(hashing or masking). The term mask assignment refers to WCCP Layer 2 Policy Feature Card 2 (PFC2)
input redirection.
If masking is selected with WCCP output redirection, then the branch WAE falls back to the original
hardware acceleration that is used with the Multilayer Switch Feature Card (MSFC) and the Policy
Feature Card (PFC).
For example, WCCP filters the packets to determine which redirected packets have been returned from
the branch WAE and which ones have not. WCCP does not redirect the ones that have been returned
because the branch WAE has determined that the packets should not be processed. WCCP Version 2
returns packets that the branch WAE does not service to the same router from which they were
transmitted.
This section contains the following topics:
• Reasons for Packet Rejection and Return, page 5-15
• Layer 3 GRE as a Packet-Forwarding Method, page 5-15
• Layer 2 Redirection as a Packet-Forwarding Method, page 5-16
Reasons for Packet Rejection and Return
A branch WAE rejects packets and initiates packet return for the following reasons:
• The WAE is filtering out certain conditions that make processing packets unproductive, for example,
when IP authentication has been turned on.
• You have configured a static bypass list or interception ACL on the branch WAE.
The packets are redirected to the source of the connection between the WCCP-enabled router and the
branch WAE. Depending on the Cisco IOS software version used, this source could be either the address
of the outgoing interface or the router IP address. In the latter case, it is important that the branch WAE
has the IP address of the WCCP-enabled router stored in the router list. For more information on router
lists, see the “Configuring and Viewing WCCP Router Lists for WAEs” section on page 5-26.
Note
Cisco Express Forwarding (CEF) is required for WCCP and must be enabled on the router.
WCCP also allows you to configure multiple routers in a router list to support a particular WCCP service
(for example, CIFS redirection).
Layer 3 GRE as a Packet-Forwarding Method
A WCCP-enabled router redirects intercepted requests to a WAE and can encapsulate the packets using
GRE. This method for forwarding packets allows packets to reach the WAE even if there are routers in
the path to the WAE. Packet redirection is handled entirely by the router software.
GRE allows datagrams to be encapsulated into IP packets at the WCCP-enabled router and then
redirected to a WAE (the transparent proxy server). At this intermediate destination, the datagrams are
decapsulated and then handled by the WAAS software. If the request cannot be handled locally, the
origin server may be contacted by the associated WAE to complete the request. In doing so, the trip to
the origin server appears to the inner datagrams as one hop. The redirected traffic using GRE usually is
referred to as GRE tunnel traffic. With GRE, all redirection is handled by the router software.
With WCCP redirection, a Cisco router does not forward the TCP SYN packet to the destination because
the router has WCCP enabled on the destination port of the connection. Instead, the WCCP-enabled
router encapsulates the packet using GRE tunneling and sends it to the WAE that has been configured to
accept redirected packets from this WCCP-enabled router.
After receiving the redirected packet, the WAE does the following:
1. Strips the GRE layer from the packet.
2. Decides whether it should accept this redirected packet and process the request for content or deny
the redirected packet as follows:
a. If the WAE decides to accept the request, it sends a TCP SYN ACK packet to the client. In this
response packet, the WAE uses the IP address of the original destination (origin server) that was
specified as the source address so that the WAE can be invisible (transparent) to the client; it
pretends to be the destination that the TCP SYN packet from the client was trying to reach.
b. If the WAE decides not to accept the request, it reencapsulates the TCP SYN packet in GRE,
and sends it back to the WCCP-enabled router. The router understands that the WAE is not
interested in this connection and forwards the packet to its original destination (that is, the
origin server).
Layer 2 Redirection as a Packet-Forwarding Method
Layer 2 redirection is accomplished when a WCCP-enabled router or switch takes advantage of internal
switching hardware that either partially or fully implements the WCCP traffic interception and
redirection functions at Layer 2. This type of redirection is currently supported only with the
Catalyst 6500 series switches and Cisco 7200 and 7600 series routers. With Layer 2 redirection, the first
redirected traffic packet is handled by the router software. The rest of the traffic is handled by the router
hardware. The branch WAE instructs the router or switch to apply a bit mask to certain packet fields,
which in turn provides a mask result or index mapped to the branch WAE in the service group in the form
of a mask index address table. The redirection process is accelerated in the switching hardware, making
Layer 2 redirection more efficient than Layer 3 GRE.
Note
WCCP is licensed only on the WAE and not on the redirecting router. WCCP does not interfere with
normal router or switch operations.
Information About WCCP Flow Redirection on WAEs
Flow protection reduces the impact on existing client TCP connections when branch WAEs are added
and removed from a service group. By default, WCCP flow redirection is disabled on a WAE. The client
impact is reduced because of flow protection in the following situations, typical in large WCCP service
farms:
• WAAS network expansion—When branch WAEs are added to the service group, a newly started
branch WAE receives traffic that was previously processed by a different branch WAE. It forwards
the traffic to the relevant branch WAE for continued processing. New connections are processed by
the new branch WAE.
• Branch WAE replacement following a failure—When a branch WAE fails, another branch WAE may
receive traffic that was previously processed by either that branch WAE or the origin file server. The
receiving branch WAE operates according to the previous two use cases.
Without flow protection, established client connections are broken through a TCP RESET in the
situations listed earlier. Flow protection applies to all supported WCCP services and cannot be
configured on a per-service basis.
To enable flow protection for a specified time period, use the wccp flow-redirect enable timeout
seconds global configuration command. After the timeout period, flow protection ceases. If you do not
specify the timeout option, flow protection is enabled indefinitely.
Note
Network designs that require redirected frames to be returned to the originating router are not compatible
with the WCCP flow protection feature.
Configuring or Viewing the WCCP Settings on WAEs
This section describes how to configure or view WCCP settings on WAEs that are configured as
application accelerators and are not part of an AppNav Cluster (WAEs that are part of an AppNav Cluster
use only the appnav-controller interception method). If you want to configure or view the WCCP settings
on WAEs configured as AppNav Controllers, see “Configuring or Viewing the WCCP Settings on
ANCs” section on page 5-22.
Device group configuration is not possible beginning with WAAS version 5.0. However, you can use the
Copy Settings taskbar icon in the configuration window to copy the settings to other devices in your
network. To ensure consistency, we recommend that you copy the same WCCP settings to all devices in
the same WCCP service farm.
Note
Before you do the procedure in this section, you should have already completed a basic WCCP
configuration for your WAAS network that includes the configuration of the TCP promiscuous mode
service as described in the Cisco Wide Area Application Services Quick Configuration Guide.
To modify the WCCP settings for a WAE, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Interception > Interception Configuration. The Interception Configuration
window appears. (See Figure 5-3.)
Note
If you are configuring a device using a WAAS version earlier than 5.0, choose Configure >
Interception > WCCP > Settings to configure WCCP settings. The configuration window looks
different but has similar settings.
Figure 5-3 Interception Configuration Window for WAE
Step 3
Check the current settings for the chosen device:
• To keep the current settings and to close the window, click Cancel.
• To remove the current settings, click the Remove Settings taskbar icon.
• To modify the current settings, change the current setting as described in the rest of this procedure.
• To copy the settings to other WAEs in your network, click the Copy Settings taskbar icon. The Copy
Interception Settings window opens where you can select other WAEs to which the interception
settings can be copied. You can copy all settings or you can exclude the router list and enable the
WCCP service. Click OK to copy the settings to the selected WAE devices.
By default, WCCP is disabled on a WAE. However, as part of the initial configuration of WCCP in your
WAAS network, you should have enabled WCCP Version 2 on your WAEs (the branch WAE and the data
center WAE) as well as on the routers in the data center and branch office that will be transparently
redirecting requests to these WAEs. For information about how to perform a basic WCCP configuration
in your WAAS network, see the Cisco Wide Area Application Services Quick Configuration Guide.
Step 4
From the Interception Method drop-down list, choose wccp to enable the WCCP interception method.
If you change this setting from any setting other than None, you must click the Submit button to update
the window with the proper fields for configuring WCCP. (The Interception Method drop-down list is
not shown for devices using WAAS versions earlier than 5.0.)
Step 5
Check the Enable WCCP Service check box to enable WCCP Version 2 on the chosen device, or
uncheck the check box to disable WCCP on the chosen device.
Note
Ensure that the routers used in the WCCP environment are running a version of the Cisco IOS
software that also supports the WCCP Version 2.
Note
If you use the Central Manager to disable WCCP on a WAAS device, the Central Manager
immediately shuts down WCCP and closes any existing connections, ignoring the setting
configured by the wccp shutdown max-wait global configuration command. If you want to
gracefully shut down WCCP connections, use the no enable WCCP configuration command on
the WAAS device.
Step 6
In the Service ID1 field, specify the first service ID of the WCCP service pair. After you submit, the
Service ID2 field is filled in with the second service ID of the pair, which is one greater than Service
ID1. For WAEs with version 4.4.1 or later, you can change the WCCP service IDs from the default of
61/62 to a different pair of numbers, which allows a router to support multiple WCCP farms because the
WAEs in different farms can use different service IDs. (The Service ID fields are not shown for devices
using WAAS versions earlier than 4.4 and the service IDs are fixed at 61/21.)
The router service priority varies inversely with the service ID. The service priority of the default service
IDs 61/62 is 34. If you specify a lower service ID, the service priority is higher than 34; if you specify
a higher service ID, the service priority is lower than 34.
Step 7
Check the Use Default Gateway as WCCP Router check box to use the default gateway of the WAE
device as the router to associate with the WCCP TCP promiscuous mode service. Alternatively, you can
uncheck this box and specify a list of one more routers by their IP addresses, separated by spaces. The
Central Manager assigns the router list number, which is displayed next to the router list field after the
page is submitted. As part of the initial configuration of your WAAS network, you may have already
created a WCCP router list with the setup utility, as described in the Cisco Wide Area Application
Services Quick Configuration Guide. For more information about WCCP router lists, see the
“Configuring and Viewing WCCP Router Lists for WAEs” section on page 5-26.
Note
Checking or unchecking this check box, changing the router list, or submitting the WCCP page
removes any other existing router lists that are not assigned to the WCCP service, including
router lists configured by the setup utility or through the CLI.
Step 8
(Optional) To force WCCP to use the configured assignment method only, check the Only Use Selected
Assignment Method check box. You can specify only one load-balancing method (hashing or masking)
per WCCP service in a branch WAE service group. (This check box is shown only for devices using
WAAS versions earlier than 4.4.)
Note
If you check the Only Use Selected Assignment Method check box, the WAE only joins a WCCP
farm if the assignment method configured on the WAE is supported by the router. If you do not
check the Only Use Selected Assignment Method check box, the WAE uses the assignment
method that the router supports, even if the WAE is configured differently from the router.
Step 9
(Optional) From the Assignment Method drop-down list, choose the type of WAE load-balancing
assignment method to use (for more information, see the “Information About Load Balancing and
WAEs” section on page 5-11):
• Choose Hash to use the hash method (the default for devices using WAAS versions earlier than 5.0).
Follow Steps 10 and 11 to define how the hash works, and skip to Step 13 because the mask settings
are not used.
• Choose Mask to use the mask method (the default for devices using WAAS versions 5.0 or later).
Skip to Step 12 to define the service mask.
Step 10
(Optional) To define the load-balancing hash for WCCP service ID1 on the source IP address, check the
Hash on Source IP check box. This check box is shown only if the hash assignment method is used.
Step 11
(Optional) To define the load-balancing hash for WCCP service ID1 on the destination IP address, check
the Hash on Destination IP check box. This check box is shown only if the hash assignment method is
used.
Step 12
(Optional) To use a custom service mask, enter different mask values in the WCCP Assignment Settings
for Load Balancing area, overwriting the default mask settings. If you do not change these settings, the
defaults are used. Define the custom mask as follows:
• In the Source IP Mask field, specify the IP address mask defined by a hexadecimal number (for
example, FE000000) used to match the packet source IP address. The range is 00000000–FE000000.
The default is F00.
• In the Destination IP Mask field, specify the IP address mask defined by a hexadecimal number (for
example, FE000000) used to match the packet destination IP address. The range is
0000000–FE000000. The default is 0.
Note
If you apply the default mask to a WAE running version 4.1.x or earlier, the mask is different
from the default mask (0x1741) set under software version 4.1.x and earlier.
If the WAE detects that its configured mask is not the same as advertised by one or more routers in the
farm, it is not allowed to join the farm and a major alarm is raised (“Configured mask mismatch for
WCCP”). This alarm can occur when a WAE is trying to join a farm that already has other WAEs and
these other WAEs are configured with a different mask. The routers do not allow other WAEs to join the
farm unless they advertise the same mask. To correct this alarm, ensure that all WAEs in the farm are
configured with the same mask. This alarm is cleared when the WAE’s configured mask matches the
mask of all the routers in the farm.
Step 13
From the Redirect Method drop-down list, choose the type of packet redirection (forwarding) method to
use:
• WCCP GRE (the default for devices using WAAS versions earlier than 5.0) to use Layer 3 GRE
packet redirection.
• WCCP L2 (the default for devices using WAAS versions 5.0 or later) to permit the WAE to receive
transparently redirected traffic from a WCCP Version 2-enabled switch or router if the WAE has a
Layer 2 connection with the device and the device is configured for Layer 2 redirection. For more
information, see the “Information About Packet-Forwarding Methods” section on page 5-14.
Step 14
From the Return Method drop-down list, choose the type of method to use to return nonoptimized
(bypassed) packets to the router:
• WCCP GRE (the default) to use GRE packet return.
• WCCP L2 to use Layer 2 rewriting for packet return.
(The Return Method drop-down list is shown only for devices using WAAS versions earlier than 5.0. For
later WAAS versions, the return method is set the same as the redirect method.)
Step 15
(Optional) From the Egress Method drop-down list, choose the method to use to return optimized packets
to the router or switch:
• Generic GRE (available and set as the default only if Redirect Method is WCCP GRE)
• IP Forwarding
• L2 (available and set as the default only if Redirect Method is WCCP L2)
• WCCP GRE (available only if Redirect Method is WCCP GRE)
For devices using WAAS versions earlier than 5.0, the choices are as follows: IP Forwarding (the
default), WCCP Negotiated Return, or Generic GRE. For more details on choosing the egress method,
see the “Configuring Egress Methods for WCCP Intercepted Connections” section on page 5-29.
Step 16
(Optional) Modify the current advanced settings in the Advanced WCCP Settings area as follows:
a. Check the Enable Flow Protection check box to keep the TCP flow intact and to avoid
overwhelming the device when it comes up or is reassigned new traffic. For more information, see
the “Information About WCCP Flow Redirection on WAEs” section on page 5-16. Flow protection
is disabled by default.
b. In the Flow Protection Timeout field, specify the amount of time (in seconds) that flow protection
should be enabled. The default is 0, which means it stays enabled with no timeout. (The Flow
Protection Timeout field is not shown for devices using WAAS versions earlier than 5.0.)
c.
In the Shutdown Delay field, specify the maximum amount of time (in seconds) that the chosen
device waits to perform a clean shutdown of WCCP. The default is 120 seconds.
The WAE does not reboot until either all connections have been serviced or the maximum wait time
(specified through this Shutdown Delay field) has elapsed for WCCP.
d.
In the Failure Detection Timeout drop-down list, choose the failure detection timeout value (9, 15,
or 30 seconds). The default is 30 seconds and is the only value supported on WAAS versions prior
to 4.4.1. This failure detection value determines how long it takes the router to detect a WAE failure.
(The Failure Detection Timeout field is not shown for devices using WAAS versions earlier than
4.4.)
The failure detection timeout value is negotiated with the router and takes effect only if the router
also has the variable timeout capability. If the router has a fixed timeout of 30 seconds and you have
configured a failure detection value on the WAE other than the default 30 seconds, the WAE is not
able to join the farm and an alarm is raised (“Router unusable” with a reason of “Timer interval
mismatch with router”).
e.
In the Weight field, specify the weight value that is used for load balancing. The weight value ranges
from 0 to 10000. If the total of all the weight values of the WAEs in a service group is less than or
equal to 100, then the weight value represents a literal percentage of the total load redirected to the
device for load-balancing purposes. For example, a WAE with a weight of 10 receives 10 percent of
the total load in a service group where the total of all weight values is 50. If a WAE in such a service
group fails, the other WAEs still receive the same load percentages as before the failure; they will
not receive the load allocated to the failed WAE.
If the total of all the weight values of the WAEs in a service group is between 101 and 10000, then
the weight value is treated as a fraction of the total weight of all the active WAEs in the service
group. For example, a WAE with a weight of 200 receives 25 percent of the total load in a service
group where the total of all the weight values is 800. If a WAE in such a service group fails, the other
WAEs will receive the load previously allocated to the failed WAE. The failover handling is different
than if the total weights are less than or equal to 100.
By default, weights are not assigned and the traffic load is distributed evenly between the WAEs in
a service group.
f.
In the Password field, specify the password to be used for secure traffic between the WAEs within
a cluster and the router for a specified service. This password is a shared secret that authenticates
the WCCP protocol messages exchanged between the WAEs and the router; it does not encrypt the
redirected traffic itself, so it keeps unauthorized devices out of the service group rather than
protecting data in transit. Be sure to enable all other WAEs and routers within the cluster with the
same password. Passwords must not exceed eight characters in length. Do not use the following
characters: space, backwards single quote (`), double quote ("), pipe (|), or question mark (?).
Reenter the password in the Confirm Password field.
Note
For information about how to use the CLI to specify the service group password on a router,
see the “Setting a Service Group Password on a Router” section on page 5-10.
Step 17
Click Submit to save the settings.
To configure WCCP settings from the CLI, you must first set the interception method to WCCP by using
the interception-method global configuration command, and then you can use the wccp flow-redirect,
wccp router-list, wccp shutdown, and wccp tcp-promiscuous global configuration commands.
For more information about a graceful shut down of WCCP Version 2 on WAEs, see the “Configuring
WAEs for a Graceful Shutdown of WCCP” section on page 5-26.
Configuring or Viewing the WCCP Settings on ANCs
This section describes how to configure or view WCCP settings on WAAS devices configured as
AppNav Controllers (ANCs). Typically, you configure ANCs and their settings through the AppNav
Clusters window in the Central Manager, which includes WCCP settings, so you do not need to configure
the WCCP settings outside the AppNav Cluster context as described in this section.
If you want to configure or view the WCCP settings on WAEs configured as application accelerators,
see the “Configuring or Viewing the WCCP Settings on WAEs” section on page 5-17. To configure
interception settings on WAEs operating as WAAS nodes for an AppNav Controller, see the
“Configuring AppNav Interception” section on page 5-56.
Device group configuration is not possible beginning with WAAS version 5.0. However, you can use the
Copy Settings taskbar icon in the configuration window to copy the settings to other devices in your
network. To ensure consistency, we recommend that you copy the same WCCP settings to all devices in
the same WCCP service farm.
To modify the WCCP settings for an ANC, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Interception > Interception Configuration. The Interception Configuration
window appears. (See Figure 5-4.)
Figure 5-4 Interception Configuration Window for ANC
Step 3
Check the current settings for the chosen device:
•
To keep the current settings and to close the window, click Cancel.
•
To remove the current settings, click the Remove Settings taskbar icon.
•
To modify the current settings, change the current setting as described in the rest of this procedure.
•
To copy the settings to other WAEs in your network, click the Copy Settings taskbar icon. The Copy
Interception Settings window opens where you can select other WAEs to which the interception
settings can be copied. You can copy all settings or you can exclude the router list and enable the
WCCP service. Click OK to copy the settings to the selected WAE devices.
By default, WCCP is disabled on a WAE. However, as part of the initial configuration of WCCP in your
WAAS network, you should have enabled WCCP Version 2 on your WAEs (the branch WAE and the data
center WAE) as well as on the routers in the data center and branch office that will be transparently
redirecting requests to these WAEs. For information about how to perform a basic WCCP configuration
in your WAAS network, see the Cisco Wide Area Application Services Quick Configuration Guide.
Step 4
From the Interception Method drop-down list, choose wccp to enable the WCCP interception method.
If you change this setting from any setting other than None, you must click the Submit button to update
the window with the proper fields for configuring WCCP.
Step 5
Check the Enable WCCP Service check box to enable WCCP Version 2 on the chosen device, or
uncheck the check box to disable WCCP on the chosen device.
Note
Ensure that the routers used in the WCCP environment are running a version of the Cisco IOS
software that also supports WCCP Version 2.
Note
If you use the Central Manager to disable WCCP on a WAAS device, the Central Manager
immediately shuts down WCCP and closes any existing connections, ignoring the setting
configured by the wccp shutdown max-wait global configuration command. If you want to
gracefully shut down WCCP connections, use the no enable WCCP configuration command on
the WAAS device.
Step 6
(Optional) You can enable single service mode by checking the Enable Single Service Mode check box
(the default). Single service mode simplifies configuration by using the same service ID for incoming
and outgoing traffic, which is possible only with an AppNav deployment because it can handle
asymmetric traffic flows.
Step 7
In the Service ID1 field, specify the service ID of the WCCP service.
If the Enable Single Service Mode check box is unchecked, a pair of WCCP service IDs are required and
the Service ID2 field is filled in with the second service ID of the pair, which is one greater than Service
ID1. The default service IDs are 61 and 62. You can change the WCCP service IDs from the default of
61/62 to a different pair of numbers, which allows a router to support multiple WCCP farms because the
ANCs in different farms can use different service IDs.
The router service priority varies inversely with the service ID. The service priority of the default service
IDs 61/62 is 34. If you specify a lower service ID, the service priority is higher than 34; if you specify
a higher service ID, the service priority is lower than 34.
Step 8
Check the Use Default Gateway as WCCP Router check box to use the default gateway of the WAE
device as the router to associate with the WCCP TCP promiscuous mode service. Alternatively, you can
uncheck this box and specify a list of one or more routers by their IP addresses, separated by spaces. The
Central Manager assigns the router list number, which is displayed next to the router list field after the
page is submitted. As part of the initial configuration of your WAAS network, you may have already
created a WCCP router list with the setup utility, as described in the Cisco Wide Area Application
Services Quick Configuration Guide. For more information about WCCP router lists, see the
“Configuring and Viewing WCCP Router Lists for WAEs” section on page 5-26.
Note
Checking or unchecking this check box, changing the router list, or submitting the WCCP page
removes any other existing router lists that are not assigned to the WCCP service, including
router lists configured by the setup utility or through the CLI.
Step 9
(Optional) To use a custom service mask, enter different mask values in the WCCP Assignment Settings
for Load Balancing area, overwriting the default mask settings. If you do not change these settings, the
defaults are used. Define the custom mask as follows (for more information, see the “Information About
Load Balancing and WAEs” section on page 5-11):
•
In the Source IP Mask field, specify the IP address mask defined by a hexadecimal number (for
example, FE000000) used to match the packet source IP address. The range is 00000000–FE000000.
The default is F.
•
In the Destination IP Mask field, specify the IP address mask defined by a hexadecimal number (for
example, FE000000) used to match the packet destination IP address. The range is
00000000–FE000000. The default is 0.
If the WAE detects that its configured mask is not the same as advertised by one or more routers in the
farm, it is not allowed to join the farm and a major alarm is raised (“Configured mask mismatch for
WCCP”). This alarm can occur when a WAE is trying to join a farm that already has other WAEs and
these other WAEs are configured with a different mask. The routers do not allow other WAEs to join the
farm unless they advertise the same mask. To correct this alarm, ensure that all WAEs in the farm are
configured with the same mask. This alarm is cleared when the WAE’s configured mask matches the
mask of all the routers in the farm.
Step 10
(Optional) Modify the current advanced settings in the Advanced WCCP Settings area as follows:
a.
From the Redirect Method drop-down list, choose the type of packet redirection (forwarding)
method to use:
– WCCP GRE to use Layer 3 GRE packet redirection.
– WCCP L2 (the default) to permit the WAE to receive transparently redirected traffic from a
WCCP Version 2-enabled switch or router if the WAE has a Layer 2 connection with the device
and the device is configured for Layer 2 redirection. For more information, see the “Information
About Packet-Forwarding Methods” section on page 5-14.
The return method is the same as the redirect method. The egress method is generic GRE when the
WCCP GRE redirect method is chosen or WCCP L2 return when the WCCP L2 redirect method is
chosen.
b.
In the Failure Detection Timeout drop-down list, choose the failure detection timeout value (3, 6, 9,
15, or 30 seconds). The default is 30 seconds and is the only value supported on WAAS versions
prior to 4.4.1. This failure detection value determines how long it takes the router to detect a WAE
failure.
The failure detection timeout value is negotiated with the router and takes effect only if the router
also has the variable timeout capability. If the router has a fixed timeout of 30 seconds and you have
configured a failure detection value on the WAE other than the default 30 seconds, the WAE is not
able to join the farm and an alarm is raised (“Router unusable” with a reason of “Timer interval
mismatch with router”).
c.
In the Weight field, specify the weight value that is used for load balancing. The weight value ranges
from 0 to 10000. If the total of all the weight values of the WAEs in a service group is less than or
equal to 100, then the weight value represents a literal percentage of the total load redirected to the
device for load-balancing purposes. For example, a WAE with a weight of 10 receives 10 percent of
the total load in a service group where the total of all weight values is 50. If a WAE in such a service
group fails, the other WAEs still receive the same load percentages as before the failure; they will
not receive the load allocated to the failed WAE.
If the total of all the weight values of the WAEs in a service group is between 101 and 10000, then
the weight value is treated as a fraction of the total weight of all the active WAEs in the service
group. For example, a WAE with a weight of 200 receives 25 percent of the total load in a service
group where the total of all the weight values is 800. If a WAE in such a service group fails, the other
WAEs will receive the load previously allocated to the failed WAE. The failover handling is different
than if the total weights are less than or equal to 100.
By default, weights are not assigned and the traffic load is distributed evenly between the WAEs in
a service group.
d.
In the Password field, specify the password to be used for secure traffic between the WAEs within
a cluster and the router for a specified service. Be sure to enable all other WAEs and routers within
the cluster with the same password. Passwords must not exceed eight characters in length. Do not
use the following characters: space, backwards single quote (`), double quote ("), pipe (|), or
question mark (?). Reenter the password in the Confirm Password field.
Note
For information about how to use the CLI to specify the service group password on a router,
see the “Setting a Service Group Password on a Router” section on page 5-10.
Step 11
Click Submit to save the settings.
To configure WCCP settings from the CLI, you must first set the interception method to WCCP by using
the interception-method global configuration command, and then you can use the wccp router-list and
wccp tcp-promiscuous global configuration commands.
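The join rules in the Advanced WCCP Settings of both procedures above (Step 16 for a WAE, Step 10 for an ANC) are easy to get wrong in a mixed farm, and the guide only describes the resulting alarms in prose. The following Python is an added example, not code from the WAAS guide or from the WAAS software: it checks a device's configured mask, failure detection timer and service group password against what the farm's routers advertise, reproduces the alarm texts the guide gives, and works the Weight field arithmetic for both weight regimes, including what happens to a failed WAE's share. The RouterAdvert and WaeWccpConfig types, the bucket_count formula and all addresses are constructed for illustration.

```python
"""Added example, not from the WAAS guide: pre-flight checks a WAE or ANC would
fail when joining a WCCP service group (mask mismatch, failure-detection timer
mismatch, service-group password constraints) and the weight-to-load-share
arithmetic from the Weight field description.  Data is constructed; the
RouterAdvert fields model what the guide says routers advertise."""
from dataclasses import dataclass
from typing import Dict, List, Optional

FORBIDDEN_PASSWORD_CHARS = set(" `\"|?")   # space, backquote, double quote, pipe, ?
MAX_PASSWORD_LEN = 8


def check_service_password(password: str) -> List[str]:
    """Return the guide's constraints that a service-group password violates."""
    problems = []
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"password longer than {MAX_PASSWORD_LEN} characters")
    bad = sorted({c for c in password if c in FORBIDDEN_PASSWORD_CHARS})
    if bad:
        problems.append("forbidden characters: " + ", ".join(repr(c) for c in bad))
    return problems


@dataclass
class RouterAdvert:
    """What one router in the farm advertises to a joining device (constructed)."""
    address: str
    src_mask: int             # mask assignment the router advertises
    dst_mask: int
    variable_timeout: bool    # router can negotiate the failure-detection timer
    timeout: int = 30         # fixed timer used when variable_timeout is False


@dataclass
class WaeWccpConfig:
    src_mask: int = 0xF       # guide defaults: source F, destination 0
    dst_mask: int = 0x0
    failure_detection: int = 30
    password: str = ""
    weight: Optional[int] = None


def bucket_count(src_mask: int, dst_mask: int) -> int:
    """Mask assignment indexes buckets by the set bits of both masks, so the
    default F/0 gives 2**4 = 16 buckets (bit ordering is not modelled here)."""
    return 1 << (bin(src_mask).count("1") + bin(dst_mask).count("1"))


def preflight(cfg: WaeWccpConfig, routers: List[RouterAdvert]) -> List[str]:
    """Alarms the device would raise instead of joining, worded as in the guide."""
    alarms = []
    for r in routers:
        if (cfg.src_mask, cfg.dst_mask) != (r.src_mask, r.dst_mask):
            alarms.append(f"{r.address}: Configured mask mismatch for WCCP")
        if not r.variable_timeout and cfg.failure_detection != r.timeout:
            alarms.append(f"{r.address}: Router unusable (Timer interval mismatch with router)")
    for p in check_service_password(cfg.password):
        alarms.append("service password rejected: " + p)
    return alarms


def load_shares(weights: Dict[str, Optional[int]], failed=frozenset()) -> Dict[str, float]:
    """Fraction (0..1) of redirected load each WAE receives.
    No weights assigned: even split among surviving WAEs.
    Total 0..100: each weight is a literal percentage; a failed WAE's share is
    simply not served by the others.
    Total 101..10000: each weight is a fraction of the surviving total, so the
    failed WAE's load is redistributed."""
    members = list(weights)
    alive = [m for m in members if m not in failed]
    if any(weights[m] is None for m in members):
        return {m: (1 / len(alive) if alive and m in alive else 0.0) for m in members}
    total = sum(weights.values())
    if not 0 <= total <= 10000:
        raise ValueError("total weight must be within 0..10000")
    if total <= 100:
        return {m: (weights[m] / 100 if m in alive else 0.0) for m in members}
    alive_total = sum(weights[m] for m in alive)
    return {m: (weights[m] / alive_total if m in alive and alive_total else 0.0)
            for m in members}
```

Run preflight with the farm's routers before submitting the page: a single router with a fixed 30 second timer, or one WAE already in the farm with a different mask, is enough to keep the new device out. The two load_shares branches show why the guide calls the failover handling different: with weights 10 and 40 the survivor keeps 10 percent, with weights 200 and 600 it takes everything.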
Configuring and Viewing WCCP Router Lists for WAEs
You can configure and view one router list from the Central Manager through the WCCP settings (see
the “Configuring or Viewing the WCCP Settings on WAEs” section on page 5-17). The Central Manager
supports only a single router list assigned to the WCCP service and removes any other existing router
lists that may be configured through the CLI if you use the Central Manager to configure a router list,
check or uncheck the Use Default Gateway check box in the WCCP settings page, or submit the WCCP
settings page. If you want to configure a router list through the CLI, you can use the wccp router-list
global configuration command.
Note
WCCP must be enabled before you can use the WCCP global configuration commands.
To delete a router list, use the no wccp router-list global configuration command.
To view an unassigned router list configured by the wccp router-list command, use the show
running-config wccp EXEC command.
Configuring WAEs for a Graceful Shutdown of WCCP
To prevent broken TCP connections, the WAE performs a clean shutdown of WCCP after you disable
WCCP Version 2 on a WAE or reload the WAE from the CLI. You can perform this task locally through
the CLI on a device by entering the no enable WCCP configuration command.
The WAAS Central Manager also allows you to disable WCCP Version 2 on a WAE, but this does not
perform a graceful shut down of WCCP connections. To disable WCCP immediately for a chosen device,
uncheck the Enable WCCP check box in the WAAS Central Manager Interception Configuration
window. (See Figure 5-3.)
Note
If you use the Central Manager to disable WCCP on a WAAS device, the Central Manager immediately
shuts down WCCP and closes any existing connections, ignoring the setting configured by the
wccp shutdown max-wait global configuration command. If you want to gracefully shut down WCCP
connections, use the no enable WCCP configuration command on the WAAS device.
During a graceful shut down, the WAE does not reboot until one of the following occurs:
•
All the connections have been serviced.
•
The maximum wait time (specified through the Shutdown Delay field in the WCCP Configuration
Settings window or with the wccp shutdown max-wait command [by default, 120 seconds]) has
elapsed for WCCP Version 2.
During a clean shutdown of WCCP, the WAE continues to service the flows that it is handling, but it
starts to bypass new flows. When the number of flows goes down to zero, the WAE takes itself out of the
group by having its buckets reassigned to other WAEs by the lead WAE. TCP connections can still be
broken if the WAE crashes or is rebooted without WCCP being cleanly shut down.
You cannot shut down an individual WCCP service on a particular port on a WAE; you must shut down
WCCP on the WAE. After WCCP is shut down on the WAE, the WAE preserves its WCCP configuration
settings.
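The difference between the graceful CLI shutdown and the immediate Central Manager shutdown is an operational failure mode worth seeing in numbers. The following Python is an added example, not code from the WAAS guide or the WAAS software: it models the clean shutdown described above (existing flows serviced, new flows bypassed, exit when the flow count reaches zero or the shutdown delay expires) next to the Central Manager path that closes every connection at once. The WccpShutdown class and the event timelines are constructed for illustration.

```python
"""Added example, not from the WAAS guide: a model of the clean WCCP shutdown
the guide describes.  After shutdown starts, flows already in hand keep being
serviced, new flows are bypassed, and the WAE leaves the group once no flows
remain or the shutdown delay (default 120 s) expires; the Central Manager path
closes everything at once.  Event timelines below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_SHUTDOWN_DELAY = 120   # seconds; the guide's default for wccp shutdown max-wait


@dataclass
class WccpShutdown:
    max_wait: int = DEFAULT_SHUTDOWN_DELAY
    active_flows: set = field(default_factory=set)
    bypassed: List[str] = field(default_factory=list)
    started_at: Optional[float] = None
    closed_abruptly: int = 0

    def begin(self, now: float) -> None:
        """Graceful path ('no enable' under WCCP configuration on the WAE)."""
        self.started_at = now

    def new_flow(self, flow_id: str) -> str:
        """New flows are optimized while running, bypassed once draining."""
        if self.started_at is None:
            self.active_flows.add(flow_id)
            return "optimized"
        self.bypassed.append(flow_id)
        return "bypassed"

    def flow_done(self, flow_id: str) -> None:
        self.active_flows.discard(flow_id)

    def central_manager_disable(self, now: float) -> int:
        """Unchecking Enable WCCP in the Central Manager: WCCP stops at once and
        max_wait is ignored.  Returns the number of connections closed."""
        self.closed_abruptly = len(self.active_flows)
        self.active_flows.clear()
        self.started_at = now
        return self.closed_abruptly

    def status(self, now: float) -> Tuple[str, int]:
        """State at time 'now' and the number of flows that would be broken."""
        if self.started_at is None:
            return "running", 0
        if self.closed_abruptly:
            return "left-forced", self.closed_abruptly
        if not self.active_flows:
            return "left-cleanly", 0
        if now - self.started_at >= self.max_wait:
            return "left-forced", len(self.active_flows)
        return "draining", 0


def simulate(events: List[Tuple[float, str, str]], max_wait: int = DEFAULT_SHUTDOWN_DELAY):
    """Replay (time, 'new'|'done'|'shutdown', flow) events in time order and
    return (state, decision_time, broken_flows, bypassed_flows)."""
    sd = WccpShutdown(max_wait=max_wait)
    for t, kind, flow in sorted(events):
        if kind == "shutdown":
            sd.begin(t)
        elif kind == "new":
            sd.new_flow(flow)
        elif kind == "done":
            sd.flow_done(flow)
        else:
            raise ValueError(f"unknown event {kind!r}")
        state, broken = sd.status(t)
        if state.startswith("left"):
            return state, t, broken, sd.bypassed
    if sd.started_at is None:
        return "running", None, 0, sd.bypassed
    deadline = sd.started_at + max_wait   # still draining: the timer decides
    state, broken = sd.status(deadline)
    return state, deadline, broken, sd.bypassed
```

The second timeline in the test is the case to plan for: a long-lived flow that outlives the shutdown delay is broken at the deadline exactly as it would be by the Central Manager, so raising the Shutdown Delay only helps if the remaining flows actually finish within it.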
Configuring Static Bypass Lists for WAEs
Note
Static bypass lists are supported only for devices (but not device groups) using WAAS versions earlier
than 5.0 and are deprecated for such devices. Interception ACLs are recommended instead.
Using a static bypass allows traffic flows between a configurable set of clients and servers to bypass
handling by the WAE. By configuring static bypass entries on the branch WAE, you can control traffic
interception without modifying the router configuration. IP access lists may be configured separately on
the router to bypass traffic without first redirecting it to the branch WAE. Typically, the WCCP accept
list defines the group of servers that are accelerated (and the servers that are not). Static bypass can be
used occasionally when you want to prevent WAAS from accelerating a connection from a specific client
to a specific server (or from a specific client to all servers).
Note
We recommend that you use ACLs on the WCCP-enabled router where possible, rather than using static
bypass lists or interception ACLs on the WAEs, because that is the most efficient method to control
traffic interception. If you decide to use static bypass lists or interception ACLs, we recommend using
interception ACLs because they are more flexible and give better statistics about passed-through
connections. For information about how to configure ACLs on a router, see the “Configuring IP Access
Lists on a Router” section on page 5-9. For information about how to configure an interception ACL for
a WAE, see the “Configuring Interception Access Control Lists” section on page 5-28.
To configure a static bypass list for a version 4.x WAE, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Interception > Bypass Lists.
Step 3
In the taskbar, click the Create New WCCP/Inline Bypass List icon. The Creating new WCCP/Inline
Bypass List window appears.
Step 4
In the Client Address field, enter the IP address for the client.
Step 5
In the Server Address field, enter the IP address for the server.
Step 6
Click Submit to save the settings.
To configure a static bypass list from the CLI, you can use the bypass static global configuration
command.
Configuring Interception Access Control Lists
You can configure an interception ACL to control what incoming traffic across all interfaces is to be
intercepted by an ANC or WAE device (on an ANC, the interception ACL is called an AppNav
Controller interception ACL). Packets that are permitted by the ACL are intercepted by the device, and
packets that are denied by the ACL are passed through without processing.
By configuring an interception ACL on the WAAS device, you can control traffic interception without
modifying the router configuration. IP ACLs may be configured separately on the router to bypass traffic
without first redirecting it to the WAAS device. Typically, the WCCP accept list defines the group of
servers that are accelerated (and the servers that are not). Using an interception ACL allows you to easily
bypass uninteresting traffic, for example in a pilot deployment where you do not want to modify the
router configuration. Additionally, it allows you to more easily transition from a pilot to a production
deployment by allowing and accelerating different kinds of traffic in phases.
An interception ACL can be used both with WCCP and inline interception.
When used with interface ACLs and WCCP ACLs, the interface ACL is applied first, the WCCP ACL is
applied second, and then the interception ACL is applied last. Application policies defined on the WAE
are applied after all ACLs have filtered the traffic.
An ANC that is also operating as a WAAS node can have both an AppNav Controller interception ACL
to control what is intercepted by the ANC and an interception ACL to control what is accepted by the
optimizing engine. A flow may be permitted by the AppNav Controller interception ACL and then
subsequently rejected by the WAAS node interception ACL.
Note
The interception ACL feature is mutually exclusive with static bypass lists. You cannot use both types
of lists at the same time. We recommend that you use interception ACLs instead of static bypass lists.
Static bypass lists are supported only for devices using WAAS versions earlier than 5.0.
To use an interception ACL, first define an ACL (see Chapter 9, “Creating and Managing IP Access
Control Lists for WAAS Devices”) and then apply it to a device. Interception ACLs are configured for
individual devices only and not device groups.
To configure an interception ACL for an ANC or WAE device, follow these steps:
Step 1
Follow the instructions in Chapter 9, “Creating and Managing IP Access Control Lists for WAAS
Devices” to create an ACL that you want to use for interception, but do not apply it to an interface.
Step 2
From the WAAS Central Manager menu, choose Devices > device-name.
Step 3
Choose Configure > Interception > Interception Access List.
Step 4
To configure a WAE interception ACL, click the arrow control next to the Interception Access List field
to display a drop-down list of ACLs you have defined and choose an ACL to apply to WAE interception.
Alternatively, you can enter an ACL name directly in the field and create it after you submit this page.
If you type in this field, the drop-down list of displayed ACLs is filtered to show only entries beginning
with entered text.
If you need to create or edit an ACL, click the Go to IP ACL link next to the field to take you to the IP
ACL configuration window (this is the Configure > Network > TCP/IP Settings > IP ACL page).
Step 5
To configure an ANC interception ACL, click the arrow control next to the AppNav Controller
Interception Access List field to display a drop-down list of ACLs you have defined and choose an ACL
to apply to ANC interception. Alternatively, you can enter an ACL name directly in the field and create
it after you submit this page. If you type in this field, the drop-down list of displayed ACLs is filtered to
show only entries beginning with entered text. This field is shown only on devices configured in
appnav-controller mode.
If you need to create or edit an ACL, click the Go to IP ACL link to take you to the IP ACL configuration
window (this is the Configure > Network > TCP/IP Settings > IP ACL page).
Step 6
Click Submit to save the settings.
Note
In AppNav Controller interception ACLs, the tcp ... established extended ACL condition is not
supported and is ignored if encountered.
To configure an interception ACL from the CLI, you can use the ip access-list and interception
access-list global configuration commands. To configure an AppNav Controller interception ACL, use
the interception appnav-controller access-list global configuration command.
You can determine if a connection was passed through by an interception ACL by using the show
statistics connection EXEC command. Flows passed through by an interception ACL are identified with
a connection type of “PT Interception ACL.”
Additionally, the show statistics pass-through command “Interception ACL” counter reports the
number of active and completed pass through flows due to an interception ACL.
You can use the show ip access-list command to view the individual ACL rules that are being matched.
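The ordering rule given above (interface ACL, then WCCP ACL, then interception ACL, with application policies after all of them), the "PT Interception ACL" connection type and the ignored established condition on ANCs are the points a pilot deployment trips over. The following Python is an added example, not code from the WAAS guide or the WAAS software: a small model of that filtering chain that classifies constructed packets the way show statistics connection and show statistics pass-through would report them. The Rule and Packet types are a simplified model of extended IP ACL matching, not the WAAS ACL syntax, and the pilot ACL and addresses are constructed.

```python
"""Added example, not from the WAAS guide: a model of the filtering order the
guide gives (interface ACL, then WCCP ACL, then interception ACL) and of how a
flow denied by the interception ACL is reported as "PT Interception ACL".
Rule and packet fields are a simplified model of extended IP ACL matching,
not the WAAS ACL parser; all addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any), "tcp" or "udp"
    src: str                    # CIDR or "any"
    dst: str
    dst_port: Optional[int] = None
    established: bool = False   # the "tcp ... established" condition


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    ack: bool = False           # TCP ACK set, i.e. not the opening SYN


def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def match(rule: Rule, pkt: Packet, on_anc: bool) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    # Guide: "established" is ignored in AppNav Controller interception ACLs,
    # so on an ANC the rule matches regardless of the ACK flag.
    if rule.established and not on_anc and not pkt.ack:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, on_anc: bool = False) -> str:
    """First matching rule wins; no match means the implicit deny."""
    for rule in acl:
        if match(rule, pkt, on_anc):
            return rule.action
    return "deny"


def classify(pkt: Packet, interface_acl: Optional[List[Rule]],
             wccp_acl: Optional[List[Rule]], interception_acl: Optional[List[Rule]],
             on_anc: bool = False) -> str:
    """Apply the ACLs in the guide's order; None means no ACL of that kind."""
    if interface_acl is not None and evaluate(interface_acl, pkt) == "deny":
        return "denied by interface ACL"
    if wccp_acl is not None and evaluate(wccp_acl, pkt) == "deny":
        return "denied by WCCP ACL"
    if interception_acl is not None and evaluate(interception_acl, pkt, on_anc) == "deny":
        return "PT Interception ACL"     # passed through, as show statistics connection labels it
    return "intercepted"


def passthrough_counts(packets: List[Packet], *acls, on_anc: bool = False) -> Dict[str, int]:
    """Tally outcomes the way show statistics pass-through summarises them."""
    counts: Dict[str, int] = {}
    for p in packets:
        out = classify(p, *acls, on_anc=on_anc)
        counts[out] = counts.get(out, 0) + 1
    return counts


# Constructed pilot ACL: only SMB from one branch subnet to one file server is
# intercepted; everything else is passed through without touching the router.
PILOT_INTERCEPTION_ACL = [
    Rule("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", 445),
    Rule("deny", "ip", "any", "any"),
]
```

Note the established case: the same ACL passes a SYN through on a WAE but intercepts it on an ANC, which is exactly the behaviour the note above warns about, so do not rely on established to keep an ANC from intercepting connection setups.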
Configuring Egress Methods for WCCP Intercepted Connections
This section contains the following topics:
•
Information About Egress Methods, page 5-29
•
Configuring the Egress Method, page 5-31
•
Configuring a GRE Tunnel Interface on a Router, page 5-31
Information About Egress Methods
The WAAS software supports the following egress methods for WCCP intercepted connections:
•
IP forwarding
•
WCCP GRE return (available only if the redirect method is WCCP GRE; called WCCP negotiated
return for devices earlier than version 5.0)
•
Generic GRE (available only if the redirect method is WCCP GRE)
•
Layer 2 (available only if the redirect method is WCCP L2)
Note
For ANCs the egress method is not configurable. The egress method that is used depends on the redirect
method. The ANC uses generic GRE when the WCCP GRE redirect method is chosen, or Layer 2 when
the WCCP L2 redirect method is chosen.
The default egress method is L2. This egress method sends optimized data out through a Layer 2
connection to the router. This method is available only if the redirect method is also set to WCCP L2,
and is not available on devices using WAAS versions earlier than 5.0. The router must also support Layer
2 redirect. If you configure the WCCP GRE redirect method or switch between WCCP GRE and L2, the
default egress method is set to IP Forwarding.
For devices with a WAAS version earlier than 5.0, the default egress method is IP forwarding. The IP
forwarding egress method does not allow you to place WAEs on the same VLAN or subnet as the clients
and servers, and it does not ensure that packets are returned to the intercepting router.
The WCCP GRE return and generic GRE egress methods allow you to place WAEs on the same VLAN
or subnet as clients and servers. Repeating redirection is prevented by encapsulating the outgoing frames
in the GRE frames. Cisco IOS routers handle these GRE frames as bypass frames and do not apply
WCCP redirection. With the WCCP GRE return method, WAAS uses the router ID address as the
destination for GRE frames; with the generic GRE method, WAAS uses the address of the router
configured in the WAE router list.
This technique makes it possible to support redundant routers and router load balancing; WAAS makes
a best effort to return frames back to the router from which they arrived, though this is not guaranteed.
An exception is that if flow protection is enabled, the WAE is unable to return flow-protected traffic to
the originating router because the router information is not available.
Note
Network designs that require redirected frames to be returned to the originating router are not compatible
with the WCCP flow-protection feature.
If you want to use this functionality with multiple routers connected to the WAAS network segment, you
must ensure connectivity to the router ID address, for example, by configuring static routes. The router
ID is the address of the first loopback interface or highest active physical interface. This address can be
found in the output of the show wccp routers EXEC command.
WAAS applies the following logic in its router selection for WCCP GRE and generic GRE:
•
When the WAAS software applies data redundancy elimination (DRE) and compression to a TCP
flow, the number of packets that are sent out may be fewer. A single packet that carries optimized
data may represent original data that was received in multiple packets redirected from different
routers. That optimized data-carrying packet will egress from the WAE to the router that last
redirected a packet to the WAE for that flow direction.
•
When the WAE receives optimized data, the data may arrive in multiple packets from different
routers. The WAAS software expands the optimized data back to the original data, which will be
sent out as several packets. Those original data-carrying packets will egress from the WAE to the
router that last redirected a packet to the WAE for that flow direction.
The WCCP GRE return and generic GRE egress methods are similar, but the generic GRE egress method
is designed specifically to be used in deployments where the router or switch does hardware-accelerated
processing of GRE packets, such as with the Cisco 7600 series router or the Catalyst 6500 series switch
with the Supervisor Engine 32 or 720. Additionally, the generic GRE egress method returns packets to
the intercepting router by using a GRE tunnel that you must configure on the router (the WAE end of the
tunnel is configured automatically). The generic GRE egress method is supported only when the WCCP
GRE interception method is used.
To use the generic GRE egress method, you must create an intercepting router list on the WAE (multicast
addresses are not supported) and configure a GRE tunnel interface on each router. For details on
configuring GRE tunnel interfaces on the routers, see the “Configuring a GRE Tunnel Interface on a
Router” section on page 5-31.
Note
For devices with WAAS versions earlier than 5.0, WCCP Version 2 is capable of negotiating the redirect
method and the return method for intercepted connections. The WAAS software supports WCCP GRE and
WCCP Layer 2 as WCCP-negotiated return methods. If WCCP negotiates a WCCP Layer 2 return, the
WAE defaults to using IP forwarding as the egress method. The WAE also defaults to IP forwarding if
the interception method is set to WCCP Layer 2 and you configure generic GRE as the egress method,
which are not compatible. When the WAE defaults to IP forwarding, the WAE logs a minor alarm that
is cleared when you correct the configuration so that the interception and egress methods are consistent.
The output of the show egress methods EXEC command also displays a warning if the interception and
egress methods are not consistent.
For devices with WAAS version 5.0, you must explicitly configure the egress method.
Configuring the Egress Method
To configure the egress method for WCCP-intercepted connections from the Central Manager, see the
“Configuring or Viewing the WCCP Settings on WAEs” section on page 5-17.
To configure the egress method for WCCP GRE packet return from the CLI, use the egress-method
WCCP configuration command:
WAE(config)# wccp tcp-promiscuous service-pair 61 62
WAE(config-wccp-service)# egress-method wccp-gre
To configure the egress method for L2 return from the CLI, use the egress-method WCCP configuration
command:
WAE(config)# wccp tcp-promiscuous service-pair 61 62
WAE(config-wccp-service)# egress-method L2
To configure the generic GRE egress method from the CLI, configure an intercepting router list and
configure the egress method, as follows:
WAE(config)# wccp router-list 1 192.168.68.98
WAE(config)# wccp tcp-promiscuous service-pair 61 62
WAE(config-wccp-service)# router-list-num 1
WAE(config-wccp-service)# egress-method generic-gre
The router list must contain the IP address of each intercepting router. Multicast addresses are not
supported. Additionally, you must configure a GRE tunnel interface on each router. For details on
configuring GRE tunnel interfaces on the routers, see the “Configuring a GRE Tunnel Interface on a
Router” section on page 5-31.
To view the egress method that is configured and that is being used on a particular WAE, use the
show wccp egress EXEC command. To view information about the egress method for each connection
segment, use the show statistics connection egress-methods EXEC command.
To view the generic GRE tunnel statistics for each intercepting router, use the show statistics
generic-gre EXEC command. To clear statistics information for the generic GRE egress method, use the
clear statistics generic-gre EXEC command.
Configuring a GRE Tunnel Interface on a Router
If you plan to use the generic GRE egress method on the WAE, you must configure a GRE tunnel
interface on each intercepting router. For ease of configuration, we recommend that you create a single
multipoint tunnel on the router, instead of one point-to-point tunnel per WAE in the farm.
If you have only one WAE in the farm, you can use a point-to-point tunnel; however, ensure that the
router is configured with no other tunnel that has the same tunnel source as the WAE tunnel.
Note
On the Catalyst 6500 series switch with the Supervisor Engine 32 or 720, do not configure more than
one GRE tunnel (multipoint or point-to-point) with the same tunnel source interface, otherwise, high
switch CPU load can result.
The tunnel interface must have a Layer 3 source interface to which it is attached and this source interface
must be the interface whose IP address is configured in the WAE’s intercepting router list.
The tunnel interface must be excluded from WCCP interception to avoid routing loops when outbound
interception is used. Use the ip wccp redirect exclude in command. You can always use this command
because it does not cause any impact even when it is not needed, such as for inbound interception.
This section contains the following topics:
• Multipoint Tunnel Configuration, page 5-32
• Point-To-Point Tunnel Configuration, page 5-33
Multipoint Tunnel Configuration
Consider a deployment in which there are two intercepting routers and two WAEs in the farm. Each WAE
configuration would look like the following example:
wccp router-list 1 192.168.1.1 192.168.2.1
wccp tcp-promiscuous service-pair 61 62
router-list-num 1
egress-method generic-gre
redirect-method gre
enable
Each router can configure a single multipoint GRE tunnel to the WAE farm.
The router 1 configuration would look like the following example:
interface gigabitEthernet 1/1
ip address 192.168.1.1 255.255.255.0
...
interface Tunnel1
ip address 12.12.12.1 255.255.255.0
tunnel source GigabitEthernet1/1
tunnel mode gre multipoint
ip wccp redirect exclude in
end
The router 2 configuration would look like the following:
interface Vlan815
ip address 192.168.2.1 255.255.255.0
...
interface Tunnel1
ip address 13.13.13.1 255.255.255.0
tunnel source vlan815
tunnel mode gre multipoint
ip wccp redirect exclude in
end
Note
The tunnel interface is enabled for IP by provisioning an IP address, which allows it to process and
forward transit packets. If you do not want to provision an IP address, the tunnel must be IP enabled by
making it an IP unnumbered interface. This restricts the tunnel to be a point-to-point tunnel.
Point-To-Point Tunnel Configuration
This section describes how to configure a point-to-point tunnel for a single WAE instead of a multipoint
tunnel on the router. A point-to-point tunnel is enabled for IP either by making it unnumbered or by
giving it an IP address. The unnumbered method is shown in the following example router configuration:
interface gigabitEthernet 1/1
ip address 192.168.1.1 255.255.255.0
...
! Tunnel1 is an unnumbered point-to-point tunnel towards WAE1
interface Tunnel1
ip unnumbered GigabitEthernet1/1
tunnel source GigabitEthernet1/1
! tunnel destination is the IP address of WAE1
tunnel destination 10.10.10.10
ip wccp redirect exclude in
end
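As an added example (not Cisco code and not part of this guide), the following Python script applies the consistency rules from the two preceding sections to a WAE WCCP configuration and the matching router configurations: generic GRE egress requires WCCP GRE interception, the router list must be unicast, and each listed router must have a GRE tunnel sourced from the interface that holds the listed address and excluded with ip wccp redirect exclude in. The WAE and router configurations it parses are constructed samples modelled on the multipoint example above.

```python
"""Cross-check a WAE's generic GRE egress setup against its intercepting routers.
Added example, not Cisco code. Rules from the guide: generic GRE egress needs WCCP
GRE interception (L2 falls back to IP forwarding and raises an alarm), the router
list must be unicast, and each listed router needs a GRE tunnel sourced from the
interface holding that address and excluded with 'ip wccp redirect exclude in'."""
import ipaddress
import re
# Constructed sample configs modelled on the guide's multipoint example; router2
# deliberately omits 'ip wccp redirect exclude in' on its tunnel.
WAE_CONFIG = """\
wccp router-list 1 192.168.1.1 192.168.2.1
wccp tcp-promiscuous service-pair 61 62
 router-list-num 1
 egress-method generic-gre
 redirect-method gre
 enable
"""
ROUTER_CONFIGS = {
    "router1": """\
interface GigabitEthernet1/1
 ip address 192.168.1.1 255.255.255.0
interface Tunnel1
 tunnel source GigabitEthernet1/1
 tunnel mode gre multipoint
 ip wccp redirect exclude in
""",
    "router2": """\
interface Vlan815
 ip address 192.168.2.1 255.255.255.0
interface Tunnel1
 tunnel source Vlan815
 tunnel mode gre multipoint
""",
}

def parse_wae(text):
    """Return (router_lists, service): list number -> IPs, plus service-pair settings."""
    router_lists, service = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"wccp router-list (\d+) (.+)", line)
        if m:
            router_lists[int(m.group(1))] = m.group(2).split()
            continue
        m = re.match(r"(router-list-num|egress-method|redirect-method) (\S+)", line)
        if m:
            service[m.group(1)] = m.group(2).lower()
    return router_lists, service

def parse_interfaces(text):
    """Map lower-cased interface name -> its indented config lines."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip().lower()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def router_tunnels(text):
    """Yield (tunnel_name, ip_of_tunnel_source_interface, excluded_from_wccp)."""
    ifaces = parse_interfaces(text)
    for name, lines in ifaces.items():
        if not name.startswith("tunnel"):
            continue
        src = next((l.split()[2].lower() for l in lines if l.startswith("tunnel source ")), None)
        src_ip = next((l.split()[2] for l in ifaces.get(src, []) if l.startswith("ip address ")), None)
        yield name, src_ip, "ip wccp redirect exclude in" in lines

def check_generic_gre(wae_text, routers):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    router_lists, service = parse_wae(wae_text)
    if service.get("egress-method") != "generic-gre":
        return findings  # the rules below apply only to generic GRE egress
    if service.get("redirect-method") != "gre":
        findings.append("generic-gre egress requires WCCP GRE interception; the WAE falls back to IP forwarding and raises an alarm")
    members = router_lists.get(int(service.get("router-list-num", "0")), [])
    if not members:
        findings.append("generic-gre egress needs router-list-num pointing at an existing router list")
    tunnel_sources = {}  # IP of a tunnel's source interface -> [(router, tunnel, excluded)]
    for rname, cfg in routers.items():
        for tname, src_ip, excluded in router_tunnels(cfg):
            if src_ip:
                tunnel_sources.setdefault(src_ip, []).append((rname, tname, excluded))
    for ip in members:
        if ipaddress.ip_address(ip).is_multicast:
            findings.append(f"router list contains multicast address {ip}; not supported")
            continue
        tunnels = tunnel_sources.get(ip, [])
        if not tunnels:
            findings.append(f"no router has a GRE tunnel sourced from the interface holding {ip}")
        for rname, tname, excluded in tunnels:
            if not excluded:
                findings.append(f"{rname} {tname}: missing 'ip wccp redirect exclude in'")
    return findings
```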
Using Policy-Based Routing Interception
This section contains the following topics:
• Information About Policy-Based Routing, page 5-33
• Configuring Policy-Based Routing, page 5-36
• Methods of Verifying PBR Next-Hop Availability, page 5-39
Information About Policy-Based Routing
Policy-based routing (PBR), introduced in Cisco IOS Release 11.0, allows you to implement policies
that selectively cause packets to take specific paths in the network.
PBR also provides a method to mark packets so that certain kinds of traffic receive differentiated,
preferential service when used in combination with queuing techniques enabled through the Cisco IOS
software. These queuing techniques provide an extremely powerful, simple, and flexible tool to network
managers who implement routing policies in their networks.
PBR enables the router to put packets through a route map before routing them. When configuring PBR,
you must create a route map that specifies the match criteria and the resulting action if all of the match
clauses are met. You must enable PBR for that route map on a particular interface. All packets arriving
on the specified interface matching the match clauses will be subject to PBR.
One interface can have only one route map tag; but you can have several route map entries, each with its
own sequence number. Entries are evaluated in order of their sequence numbers until the first match
occurs. If no match occurs, packets are routed as usual. The route map is applied to an interface with the
ip policy route-map command:
Router(config-if)# ip policy route-map map-tag
The route map determines which packets are routed next.
You can enable PBR to establish a route that goes through WAAS for some or all packets. WAAS proxy
applications receive PBR-redirected traffic in the same manner as WCCP redirected traffic, as follows:
1. In the branch office, define traffic of interest on the branch office router (Edge-Router1) as follows:
   a. Specify which traffic is of interest to the LAN interface (ingress interface) on Edge-Router1.
      Use extended IP access lists to define traffic of interest (traffic from all or filtered local source
      addresses to any or filtered destination address).
   b. Specify which traffic is of interest to the WAN interface (egress interface) on Edge-Router1.
      Use extended IP access lists to define traffic of interest (traffic to all or filtered local
      addresses from any or filtered remote addresses).
2. In the data center, specify which traffic is of interest to the data center router (Core-Router1) as
   follows:
   a. Specify which traffic is of interest to the LAN interface (ingress interface) on Core-Router1.
      Use extended IP access lists to define traffic of interest (traffic from all or filtered local source
      addresses to any or filtered destination address).
   b. Specify which traffic is of interest to the WAN interface (egress interface) on Core-Router1.
      Use extended IP access lists to define traffic of interest (traffic to all or filtered local
      addresses from any or filtered remote addresses).
3. In the branch office, create route maps on Edge-Router1, as follows:
   a. Create a PBR route map on the LAN interface of Edge-Router1.
   b. Create a PBR route map on the WAN interface of Edge-Router1.
4. In the data center, create route maps on Core-Router1, as follows:
   a. Create a PBR route map on the LAN interface of Core-Router1.
   b. Create a PBR route map on the WAN interface of Core-Router1.
5. In the branch office, apply the PBR route maps to Edge-Router1.
6. In the data center, apply the PBR route maps to Core-Router1.
7. Determine which PBR method to use to verify PBR next-hop availability of a WAE. For more
   information, see the “Methods of Verifying PBR Next-Hop Availability” section on page 5-39.
Note
For a description of the PBR commands that are referenced in this section, see the Cisco Quality of
Service Solutions Command Reference.
Figure 5-5 shows that the WAEs (Edge-WAE1 and Core-WAE1) must reside in an out-of-band network
that is separate from the traffic’s destination and source. For example, Edge-WAE1 is on a subnet
separate from the clients (the traffic source), and Core-WAE1 is on a subnet separate from the file servers
and application servers (the traffic destination). Additionally, the WAE may need to be connected to the
router that is redirecting traffic to it through a tertiary interface (a separate physical interface) or
subinterface to avoid a routing loop. For more information on this topic, see the “Using Tertiary
Interfaces or Subinterfaces to Connect WAEs to Routers” section on page 2-24.
Figure 5-5 Example of Using PBR or WCCP Version 2 for Transparent Redirection of All TCP Traffic to WAEs
[Figure: Branch office (10.10.10.0/24): Clients connect to Edge-Router1 (interfaces A, B, and C), with
Edge-WAE1 (1.1.1.100) attached to Edge-Router1. Edge-Router1 connects across the WAN to Core-Router1
(interfaces D, E, and F) in the data center (10.10.11.0/24), with Core-WAE1 (2.2.2.100) attached to
Core-Router1 and the file servers, application servers, and WAAS Central Manager behind it. Redirection
at each router is labelled "PBR or WCCP Version 2".]
Table 5-3 provides a summary of the router interfaces that you must configure to use PBR or WCCP
Version 2 to transparently redirect traffic to a WAE.
Table 5-3 Router Interfaces for WCCP or PBR Traffic Redirection to WAEs

Router        Interface  Comment
Edge-Router1  A          Edge LAN interface (ingress interface) that performs redirection on outbound traffic.
              B          Tertiary interface (separate physical interface) or a subinterface off of the LAN port on
                         Edge-Router1. Used to attach Edge-WAE1 to Edge-Router1 in the branch office.
              C          Edge WAN interface (egress interface) on Edge-Router1 that performs redirection on inbound traffic.
Core-Router1  D          Core LAN interface (ingress interface) that performs redirection on outbound traffic.
              E          Tertiary interface or subinterface off of the LAN port on Core-Router1. Used to attach Core-WAE1 to
                         Core-Router1 in the data center.
              F          Core WAN interface (egress interface) on Core-Router1 that performs redirection on inbound traffic.
Note
In Figure 5-5, redundancy (for example, redundant routers, switches, WAEs, and WAAS Central Managers)
is not depicted.
The example in the “Configuring Policy-Based Routing” section on page 5-36 shows how to configure
PBR as the traffic redirection method in a WAAS network that has one WAE in a branch office and one
WAE in the data center (as shown in Figure 5-5).
Note
The commands that are used to configure PBR on a router can vary based on the Cisco IOS release
installed on the router. For information about the commands that are used to configure PBR for the Cisco
IOS release that you are running on your routers, see the appropriate Cisco IOS configuration guide.
Configuring Policy-Based Routing
The example in this section shows how to configure PBR as the traffic redirection method in a WAAS
network that has one WAE in a branch office and one WAE in the data center (as shown in Figure 5-5).
To configure PBR to transparently redirect TCP traffic to WAEs, follow these steps:
Step 1 In the branch office, use extended IP access lists to specify which traffic is of interest to the LAN
interface (ingress interface A) on Edge-Router1:
a. On Edge-Router1, define an extended IP access list within the range of 100 to 199. For example,
create access list 100 on Edge-Router1:
Edge-Router1(config)# ip access-list extended 100
b. On Edge-Router1, specify which traffic is of interest to this particular interface:
• For example, mark any IP/TCP traffic from any local source addresses (traffic for any branch office
clients) on any TCP port to any destination as interesting:
Edge-Router1(config-ext-nacl)# permit tcp 10.10.10.0 0.0.0.255 any
• Alternatively, you can selectively mark interesting traffic by defining the source IP subnet,
destination IP address, and TCP port numbers. For example, mark IP/TCP traffic from any local
source address on TCP ports 135 and 80 to any destination as interesting:
Edge-Router1(config-ext-nacl)# permit tcp 10.10.10.0 0.0.0.255 any eq 135
Edge-Router1(config-ext-nacl)# permit tcp 10.10.10.0 0.0.0.255 any eq 80
Step 2 In the branch office, use extended IP access lists to specify which traffic is of interest to the WAN
interface (egress interface C) on Edge-Router1:
a. On Edge-Router1, define an extended IP access list within the range of 100 to 199. For example,
create access list 101 on Edge-Router1:
Edge-Router1(config)# ip access-list extended 101
b. On Edge-Router1, specify which traffic is of interest to its WAN interface:
• For example, mark any IP/TCP traffic to a local device as interesting:
Edge-Router1(config-ext-nacl)# permit tcp any 10.10.10.0 0.0.0.255
• Alternatively, you can selectively mark interesting traffic by defining the source IP subnet,
destination IP address, and TCP port numbers. For example, mark IP/TCP traffic from any source to
any local address on TCP ports 135 and 80 as interesting:
Edge-Router1(config-ext-nacl)# permit tcp any 10.10.10.0 0.0.0.255 eq 135
Edge-Router1(config-ext-nacl)# permit tcp any 10.10.10.0 0.0.0.255 eq 80
Step 3 In the data center, use extended IP access lists to specify which traffic is of interest to the LAN interface
(ingress interface D) on Core-Router1:
a. On Core-Router1, define an extended IP access list within the range of 100 to 199. For example,
create access list 102 on Core-Router1:
Core-Router1(config)# ip access-list extended 102
b. On Core-Router1, specify which traffic is of interest to its LAN interface:
• For example, mark any IP/TCP traffic sourced from any local device (for example, traffic sourced
from any file server or application server in the data center) on any TCP port to any destination as
interesting:
Core-Router1(config-ext-nacl)# permit tcp 10.10.11.0 0.0.0.255 any
• Alternatively, you can selectively mark traffic as interesting by defining the source IP subnet,
destination IP address, and TCP port numbers. For example, selectively mark IP/TCP traffic sourced
from any local device on TCP ports 135 and 80 to any destination as interesting:
Core-Router1(config-ext-nacl)# permit tcp 10.10.11.0 0.0.0.255 any eq 135
Core-Router1(config-ext-nacl)# permit tcp 10.10.11.0 0.0.0.255 any eq 80
Step 4 In the data center, use extended IP access lists to mark traffic of interest for the WAN interface (egress
interface F) on Core-Router1:
a. On Core-Router1, define an extended access list within the range of 100 to 199. For example, create
access list 103 on Core-Router1:
Core-Router1(config)# ip access-list extended 103
b. On Core-Router1, mark interesting traffic for the WAN interface:
• For example, mark any IP/TCP traffic destined to any local device (for example, traffic destined to
any file server or application server in the data center) as interesting:
Core-Router1(config-ext-nacl)# permit tcp any 10.10.11.0 0.0.0.255
• Alternatively, you can selectively mark traffic as interesting by defining the source IP subnet,
destination IP address, and TCP port numbers. For example, mark IP/TCP traffic on TCP ports 135 and
80 destined to any local address as interesting:
Core-Router1(config-ext-nacl)# permit tcp any 10.10.11.0 0.0.0.255 eq 135
Core-Router1(config-ext-nacl)# permit tcp any 10.10.11.0 0.0.0.255 eq 80
Step 5 In the branch office, define PBR route maps on Edge-Router1:
a. Define a route map for the LAN interface (ingress interface). In the following example, the
WAAS-EDGE-LAN route map is created:
Edge-Router1(config)# route-map WAAS-EDGE-LAN permit
b. Define a route map for the WAN interface (egress interface).
In the following example, the WAAS-EDGE-WAN route map is created:
Edge-Router1(config)# route-map WAAS-EDGE-WAN permit
c. Specify the match criteria.
Use the match command to specify the extended IP access list that Edge-Router1 should use to
determine which traffic is of interest to its WAN interface. If you do not specify a match command,
the route map applies to all packets.
In the following example, Edge-Router1 is configured to use the access list 101 as the criteria for
determining which traffic is of interest to its WAN interface:
Edge-Router1(config-route-map)# match ip address 101
Note
The ip address command option matches the source or destination IP address that is
permitted by one or more standard or extended access lists.
d. Specify how the matched traffic should be handled.
In the following example, Edge-Router1 is configured to send the packets that match the specified
criteria to the next hop, which is Edge-WAE1 that has an IP address of 1.1.1.100:
Edge-Router1(config-route-map)# set ip next-hop 1.1.1.100
Note
If you have more than one branch WAE, you can specify the IP address of a second branch
WAE for failover purposes (for example, enter the set ip next-hop 1.1.1.101 command on
Edge-Router1 to specify 1.1.1.101, the IP address of Edge-WAE2, as a second next-hop
address). The next-hop command is used for failover purposes and not for
load-balancing purposes.
Step 6 In the data center, create route maps on Core-Router1:
a. Define a route map on the LAN interface (ingress interface).
In the following example, the WAAS-CORE-LAN route map is created:
Core-Router1(config)# route-map WAAS-CORE-LAN permit
b. Define a route map on the WAN interface (egress interface).
In the following example, the WAAS-CORE-WAN route map is created:
Core-Router1(config)# route-map WAAS-CORE-WAN permit
c. Specify the match criteria.
Use the match command to specify the extended IP access list that Core-Router1 should use to
determine which traffic is of interest to its WAN interface. If you do not enter a match command,
the route map applies to all packets. In the following example, Core-Router1 is configured to use
the access list 103 as the criteria for determining which traffic is of interest to its WAN interface:
Core-Router1(config-route-map)# match ip address 103
d. Specify how the matched traffic is to be handled.
In the following example, Core-Router1 is configured to send packets that match the specified
criteria to the next hop, which is Core-WAE1 that has an IP address of 2.2.2.100:
Core-Router1(config-route-map)# set ip next-hop 2.2.2.100
Note
If you have more than one data center WAE, you can specify the IP address of a second data
center WAE for failover purposes (for example, enter the set ip next-hop 2.2.2.101
command on Core-Router1 to specify 2.2.2.101, the IP address of Core-WAE2, as a second
next-hop address). The next-hop command is used for failover purposes
and not for load-balancing purposes.
Step 7 In the branch office, apply the route maps to the LAN interface (ingress interface) and the WAN interface
(egress interface) on Edge-Router1:
a. On Edge-Router1, enter interface configuration mode:
Edge-Router1(config)# interface FastEthernet0/0.10
b. Specify that the LAN router interface should use the WAAS-EDGE-LAN route map for PBR:
Edge-Router1(config-if)# ip policy route-map WAAS-EDGE-LAN
c. Enter interface configuration mode:
Edge-Router1(config-if)# interface Serial0
d. Specify that the WAN router interface should use the WAAS-EDGE-WAN route map for PBR:
Edge-Router1(config-if)# ip policy route-map WAAS-EDGE-WAN
Step 8 In the data center, apply the route maps to the LAN interface (ingress interface) and the WAN interface
(egress interface) on Core-Router1:
a. On Core-Router1, enter interface configuration mode:
Core-Router1(config)# interface FastEthernet0/0.10
b. Specify that for PBR, the LAN router interface should use the WAAS-CORE-LAN route map:
Core-Router1(config-if)# ip policy route-map WAAS-CORE-LAN
c. Enter interface configuration mode:
Core-Router1(config-if)# interface Serial0
d. Specify that for PBR, the WAN router interface should use the WAAS-CORE-WAN route map:
Core-Router1(config-if)# ip policy route-map WAAS-CORE-WAN
Methods of Verifying PBR Next-Hop Availability
When using PBR to transparently redirect traffic to WAEs, we recommend that you use one of the
following methods to verify the PBR next-hop availability of a WAE. The method that you choose is
based on the version of the Cisco IOS software that is running on the routers and the placement of your
WAEs. However, method 2 is the preferred method whenever possible:
• Method 1—If the device sees the WAEs as a CDP neighbor (directly connected), it can use CDP and
ICMP to verify that the WAE is operational. For more information, see the “Method 1: Using CDP
to Verify Operability of WAEs” section on page 5-40.
• Method 2 (Recommended method)—If the device is running the Cisco IOS software Release 12.4
or later and the device does not see the WAE as a CDP neighbor, IP service level agreements (SLAs)
can be used to verify that the WAE is operational using ICMP echoes. For more information, see the
“Method 2: Using IP SLAs to Verify WAE Operability Using ICMP Echo Verification
(Recommended Method)” section on page 5-40.
• Method 3—If the device is running the Cisco IOS software Release 12.4 or later and does not see
the WAE as a CDP neighbor, IP SLAs can be used to verify that the WAE is operational using TCP
connection attempts. For more information, see the “Method 3: Using IP SLAs to Verify WAE
Operability Using TCP Connection Attempts” section on page 5-41.
Note
In this section, device is used to refer to the router or switch that has been configured to use PBR to
transparently redirect traffic to a WAE.
To verify whether the WAE is CDP visible to a device that has been configured to use PBR, enter the
show cdp neighbors command on the device. If the WAE is CDP visible to the device, the WAE will be
listed in the output of the show cdp neighbors command.
Method 1: Using CDP to Verify Operability of WAEs
If the device that is configured to use PBR views the WAEs as a CDP neighbor (the WAE is directly
connected to the device), you can configure CDP and ICMP to verify the availability of a WAE as a PBR
next hop.
The following example shows how to use this method to verify PBR next-hop availability of a WAE. You
must complete the following configuration process for each of the LAN and WAN route maps that are
configured when CDP should be used.
To use CDP to verify operability of WAEs, follow these steps:
Step 1
On the router where PBR is configured (for example, on the branch office router named Edge-Router1),
enter configuration mode and enable CDP on the router:
Edge-Router1(config)# cdp run
Step 2
Enable route-map configuration mode for the route map, WAAS-EDGE-LAN, which has already been
created on the router:
Edge-Router1(config)# route-map WAAS-EDGE-LAN permit
Step 3
Configure the router to use CDP to verify the availability of the configured next-hop addresses:
Edge-Router1(config-route-map)# set ip next-hop verify-availability
Step 4
Enable CDP on the WAE (for example, on the branch office WAE named Edge-WAE1) that you want the
router to redirect traffic to using PBR:
Edge-WAE1(config)# cdp enable
If you are configuring PBR and have multiple WAEs and are using Method 1 to verify the PBR next-hop
availability of a WAE, no additional configuration is necessary after you have completed the preceding
process.
Method 2: Using IP SLAs to Verify WAE Operability Using ICMP Echo Verification (Recommended
Method)
To use IP SLAs and ICMP (the recommended method) to verify PBR next-hop availability of a WAE,
follow these steps:
Step 1
On the branch office router named Edge-Router1, enter the route-map configuration mode for the route
map named WAAS-EDGE-LAN, which has been previously configured on this router:
Edge-Router1(config)# route-map WAAS-EDGE-LAN permit
Step 2
Specify a match condition for the traffic. In the following example, the match condition specifies access
list number 105:
Edge-Router1(config-route-map)# match ip address 105
Step 3
Configure the route map to use IP SLA tracking instance number 1 to verify the availability of the
next-hop WAE (for example, the branch WAE named Edge-WAE1 that has an IP address of 1.1.1.100):
Edge-Router1(config-route-map)# set ip next-hop verify-availability 1.1.1.100 track 1
Note
Enter the set ip next-hop verify-availability command for each route-map that has been
configured on this branch office edge router and on the data center’s core router that has also
been configured to use PBR to redirect traffic to WAEs.
Step 4
Configure the IP SLA tracking instance 1:
Edge-Router1(config-route-map)# exit
Edge-Router1(config)# ip sla 1
Edge-Router1(config-ip-sla)#
Step 5
Configure the router to echo Edge-WAE1 using the specified source interface:
Edge-Router1(config-ip-sla)# icmp-echo 1.1.1.100 source-interface FastEthernet 0/0.20
Step 6
Configure the router to perform the echo every 20 seconds:
Edge-Router1(config-ip-sla)# frequency 20
Edge-Router1(config-ip-sla)# exit
Step 7
Schedule the IP SLA tracking instance 1 to start immediately and to run continuously:
Edge-Router1(config)# ip sla schedule 1 life forever start-time now
Step 8
Configure the IP SLA tracking instance 1 to track the device, which is defined in the IP SLA tracking
instance 1:
Edge-Router1(config)# track 1 rtr 1
If you are configuring PBR and have multiple WAEs, and you are using Method 2 to verify PBR next-hop
availability of a WAE, you must configure a separate IP SLA per WAE and then run the track command
per IP SLA.
Method 3: Using IP SLAs to Verify WAE Operability Using TCP Connection Attempts
If the device that is configured for PBR is running the Cisco IOS software Release 12.4 or later and does
not see the WAE as a CDP neighbor, IP SLAs can be used to verify that the WAE is alive using TCP
connection attempts. IP SLAs can be used to monitor a WAE’s availability as the PBR next hop using
TCP connection attempts at a fixed interval of 60 seconds.
To verify PBR next-hop availability of a WAE, follow these steps:
Step 1
On the branch office router named Edge-Router1, enter route-map configuration mode for the route map
named WAAS-EDGE-LAN, which has been previously configured on this router:
Edge-Router1(config)# route-map WAAS-EDGE-LAN permit
Step 2
Configure the route map to use IP SLA tracking instance number 1 to verify the availability of the
next-hop WAE (the Edge WAE that has an IP address of 1.1.1.100):
Edge-Router1(config-route-map)# set ip next-hop verify-availability 1.1.1.100 track 1
Note
Enter the set ip next-hop verify-availability command for each route map that is configured on
this branch office edge router and on the data center’s core router that has also been configured
to use PBR to transparently redirect traffic to WAEs.
Step 3
Configure the IP SLA tracking instance 1:
Edge-Router1(config-route-map)# exit
Edge-Router1(config)# ip sla 1
Step 4
Configure the router to use the specified source and destination ports to use TCP connection attempts at
a fixed interval of 60 seconds to monitor the WAE availability:
Edge-Router1(config-ip-sla)# tcp-connect 1.1.1.100 80 source-port 51883 control disable
Edge-Router1(config-ip-sla)# exit
Step 5
Schedule the IP SLA tracking instance 1 to start immediately and to run forever:
Edge-Router1(config)# ip sla schedule 1 life forever start-time now
Step 6
Configure the IP SLA tracking instance 1 to track the device, which is defined in the IP SLA tracking
instance 1:
Edge-Router1(config)# track 1 rtr 1
If you are configuring PBR and have multiple WAEs, and you are using Method 3 to verify PBR next-hop
availability of a WAE, you must configure a separate IP SLA per WAE and then run the track command
per IP SLA.
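All three methods exist to stop a failed WAE from black-holing the traffic that PBR redirects to it. The following Python script, added here and not part of the guide, audits an IOS-style configuration for that condition: it confirms that each route map applied with ip policy route-map is defined, and that every set ip next-hop is verified either by CDP (a bare set ip next-hop verify-availability, Method 1) or by an IP SLA track (Methods 2 and 3) whose ip sla entry exists, is scheduled, and is bound with track N rtr N. The router configuration it parses is a constructed sample modelled on the Edge-Router1 steps above.

```python
"""Audit PBR next-hop verification in an IOS-style router config.
Added example, not Cisco code. Checks that each 'ip policy route-map' names a
defined route map and that every 'set ip next-hop' toward a WAE is verified by
CDP (bare 'set ip next-hop verify-availability', Method 1) or by an IP SLA track
('set ip next-hop verify-availability <ip> track N', Methods 2 and 3) whose
'ip sla N' exists, is scheduled, and is tied to the track with 'track N rtr N'.
"""
import re

# Constructed sample modelled on the Edge-Router1 steps in the guide. The WAN
# route map deliberately sets an unverified next hop.
ROUTER_CONFIG = """\
interface FastEthernet0/0.10
 ip policy route-map WAAS-EDGE-LAN
interface Serial0
 ip policy route-map WAAS-EDGE-WAN
route-map WAAS-EDGE-LAN permit 10
 match ip address 100
 set ip next-hop verify-availability 1.1.1.100 track 1
route-map WAAS-EDGE-WAN permit 10
 match ip address 101
 set ip next-hop 1.1.1.100
ip sla 1
 icmp-echo 1.1.1.100 source-interface FastEthernet0/0.20
 frequency 20
ip sla schedule 1 life forever start-time now
track 1 rtr 1
"""


def parse_blocks(text):
    """Split the config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_pbr(text):
    """Return findings for unverified or dangling PBR next hops; empty means clean."""
    route_maps, applied, slas, scheduled, tracks = {}, [], set(), set(), {}
    for head, body in parse_blocks(text):
        if head.startswith("route-map "):
            route_maps.setdefault(head.split()[1], []).extend(body)
        elif head.startswith("interface "):
            for line in body:
                m = re.match(r"ip policy route-map (\S+)", line)
                if m:
                    applied.append((head.split(None, 1)[1], m.group(1)))
        elif re.fullmatch(r"ip sla (\d+)", head):
            slas.add(int(head.split()[2]))
        elif head.startswith("ip sla schedule "):
            scheduled.add(int(head.split()[3]))
        else:
            m = re.fullmatch(r"track (\d+) rtr (\d+)", head)
            if m:
                tracks[int(m.group(1))] = int(m.group(2))

    findings = []
    for iface, name in applied:
        if name not in route_maps:
            findings.append(f"{iface}: route-map {name} is applied but not defined")
    for name, lines in route_maps.items():
        # Method 1: a bare verify-availability makes the router check next hops via CDP.
        has_cdp = "set ip next-hop verify-availability" in lines
        for line in lines:
            m = re.fullmatch(r"set ip next-hop verify-availability (\S+) track (\d+)", line)
            if m:
                ip, tr = m.group(1), int(m.group(2))
                if tr not in tracks:
                    findings.append(f"route-map {name}: track {tr} for next hop {ip} is not defined")
                elif tracks[tr] not in slas:
                    findings.append(f"route-map {name}: ip sla {tracks[tr]} for next hop {ip} is not defined")
                elif tracks[tr] not in scheduled:
                    findings.append(f"route-map {name}: ip sla {tracks[tr]} for next hop {ip} is not scheduled")
                continue
            m = re.fullmatch(r"set ip next-hop (\d+\.\d+\.\d+\.\d+)", line)
            if m and not has_cdp:
                findings.append(f"route-map {name}: next hop {m.group(1)} has no verify-availability; "
                                "a failed WAE would black-hole the matched traffic")
    return findings
```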
Using Inline Mode Interception
This section contains the following topics:
• Information About Inline Interception, page 5-42
• Enabling Inline Operation on WAEs, page 5-44
• Configuring Inline Interface Settings on WAEs, page 5-46
• Configuring Inline Operation on ANCs, page 5-49
• Configuring an IP Address on an Inline Interface, page 5-51
• Configuring VLANs for Inline Support, page 5-52
• Information About Clustering Inline WAEs, page 5-53
• Disabling Peer Optimization Between Serial Inline WAEs, page 5-54
Information About Inline Interception
The WAE can physically and transparently intercept traffic between the clients and the router by using
inline mode. To use inline mode, you must use a WAE with the Cisco WAE Inline Network Adapter or
Interface Module installed. In this mode, you physically position the WAE device in the path of the
traffic that you want to optimize, typically between a switch and a router, as shown in Figure 5-6.
Redirection of traffic is not necessary.
Note
When you install any inline WAE device, you must follow the cabling requirements described in the
“Cabling” section of Installing the Cisco WAE Inline Network Adapter or the appropriate platform
hardware guide.
Any combination of traffic interception mechanisms on peer WAEs is supported. For example, you can
use inline interception on the branch WAE and WCCP on the data center WAE. For complex data center
deployments, we recommend that you use hardware-accelerated WCCP interception with the WAAS
AppNav solution (see Chapter 4, “Configuring AppNav”) or load balancing with the Cisco Application
Control Engine (ACE).
Figure 5-6
Inline Interception
[Diagram: Clients, Switch, Edge WAE, Router, WAN, Router, Core WAE, Switch, and File and application servers, connected in that order]
Note
Inline mode and WCCP redirection are exclusive. You cannot configure inline mode if the WAE is
configured for WCCP operation. Inline mode is the default mode when a Cisco WAE Inline Network
Adapter is installed in a WAE device, but you must configure inline mode explicitly on a device with a
Cisco Interface Module.
Note
An inline WAE can be configured as a Central Manager, but the inline interception functionality is not
available.
The Cisco WAE Inline Network Adapter contains two or four Ethernet ports, the Cisco Interface Module
contains two to eight Ethernet ports, and the Cisco AppNav Controller Interface Module contains four
to 12 Ethernet ports. Ports on the Cisco WAE Inline Network Adapter are always configured as inline
ports, while ports on the Interface Modules are configured as normal standalone ports by default, and
you must explicitly configure these ports as inline ports. Each pair of inline ports is grouped into a
logical inline group.
Each inline group has one LAN-facing port and one WAN-facing port. Typically, you use just one inline
group, and connect the LAN-facing port to a switch and the WAN-facing port to a router. On adapters or
interface modules with additional ports, the additional groups of interfaces are provided if you are using
a network topology where you need to connect the WAE to multiple routers. Traffic that enters on one
interface in a group exits the device on another interface in the same group.
Hardware platform support for inline ports is as follows:
• WAVE-274/474—Support one installed two-port Cisco WAE Inline Network Adapter.
• WAVE-574—Supports one installed two-port or four-port Cisco WAE Inline Network Adapter.
• WAE-674/7341/7371—Support up to two installed four-port Cisco WAE Inline Network Adapters,
providing a total of eight inline ports.
• WAVE-294—Supports one installed Cisco Interface Module with 2, 4, or 8 ports.
• WAVE-594/694/7541/7571/8541—Support one installed Cisco Interface Module with 2, 4, or 8
ports or a Cisco AppNav Controller Interface Module with 4 or 12 ports.
Note
The two-port 10-Gigabit Cisco Interface Module cannot be used in inline mode. The four-port
10-Gigabit Cisco AppNav Controller Interface Module is supported only on the WAVE-594.
You have the option of assigning an IP address to an inline interface, but it is not required. For more
information, see the “Configuring an IP Address on an Inline Interface” section on page 5-51.
Traffic that flows through an inline group is transparently intercepted for optimization. Traffic that does
not need to be optimized is bridged across the LAN/WAN interfaces. If a power, hardware, or
unrecoverable software failure occurs, the network adapter automatically begins operating in bypass
mode (fail-close), where all traffic is mechanically bridged between the LAN and WAN interfaces in
each group. The Cisco WAE Inline Network Adapter and Cisco Interface Module also operate in bypass
mode when the WAE is powered off or starting up. Additionally, you can manually put an inline group
into bypass mode.
Note
AppNav Controller Interface Modules do not support automatic bypass mode to continue traffic flow in
the event of a failure. For high availability, two or more AppNav Controller Interface Modules should
be deployed in an AppNav cluster. For more information on using inline mode with the AppNav solution,
see Chapter 4, “Configuring AppNav.”
Inline mode is configured by default to accept all TCP traffic. If the network segment in which the WAE
is inserted is carrying 802.1Q tagged (VLAN) traffic, initially traffic on all VLANs is accepted. Inline
interception can be enabled or disabled for each VLAN. However, optimization policies cannot be
customized based on the VLAN.
You can serially cluster WAE devices operating in inline mode to provide higher availability if a device
fails. For details, see the “Information About Clustering Inline WAEs” section on page 5-53.
Note
When a WAE inline group enters bypass mode, the switch and router ports to which it is connected may have
to reinitialize, which may cause an interruption of several seconds in the traffic flow through the WAE.
If the WAE is deployed in a configuration where the creation of a loop is not possible (that is, if it is
deployed in a standard fashion between a switch and a router), configure PortFast on the switch port to
which the WAE is connected. PortFast allows the port to skip the first few stages of the Spanning Tree
Algorithm (STA) and move more quickly into a packet forwarding mode.
Enabling Inline Operation on WAEs
This section describes how to enable and configure inline settings on WAEs configured as application
accelerators and that are not part of an AppNav Cluster (WAEs that are part of an AppNav Cluster use
only the appnav-controller interception method). If you want to configure the inline settings on WAEs
configured as AppNav Controllers, see the “Configuring Inline Operation on ANCs” section on
page 5-49.
On WAVE-294/594/694/7541/7571/8541 devices that use Cisco Interface Modules, the Interface Module
ports are configured by default for normal standalone operation. If you want to use the device in inline
mode, you must configure the ports for inline operation. Enabling inline mode configures all ports for
inline operation and converts each pair of ports to an inline group.
On other WAE devices that use the Cisco WAE Inline Network Adapter, the ports on the adapter always
operate in inline mode. You can use this configuration window to enable or disable VLAN ID connection
checking, which is the only setting that appears for such WAE devices.
To enable inline operation and configure general settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name. (You cannot enable inline
operation from device groups.)
Step 2
Choose Configure > Interception > Interception Configuration.
Note
If you are configuring a device using a WAAS version earlier than 5.0, choose Configure >
Interception > Inline > General Settings to configure inline general settings. The
configuration window looks different but has similar settings.
The Interception Configuration window appears.
Step 3
From the Interception Method drop-down list, choose Inline to enable inline mode. The Interception
Method drop-down list is not shown for devices using WAAS versions earlier than 5.0.
The screen refreshes with the inline settings. (See Figure 5-7.)
Figure 5-7
Inline Interception Settings Window
Step 4
Check the Inline Enable check box to enable inline operation.
The Inline Enable check box is shown only for WAVE devices using WAAS versions earlier than 5.0 and
that have a Cisco Interface Module installed.
Step 5
Check the Vlan ID Connection Check check box to enable VLAN ID connection checking. Uncheck
the check box to disable it. The default setting is enabled.
WAAS uses the VLAN ID to intercept or bridge VLAN traffic on the inline interface for a TCP flow.
The VLAN ID of all packets sent in a particular TCP connection must match; any packets with a different
VLAN ID will be bridged and not optimized. If your system has an asymmetric routing topology, in
which the traffic flow in one direction uses a different VLAN ID than the traffic flow from the other
direction, you may need to disable VLAN ID checking to ensure that the traffic is optimized.
Step 6
From the Failover Timeout drop-down list, choose the failover timeout (1, 5 or 25 seconds), which is the
number of seconds that the interface should wait before going into bypass mode, after a device or power
failure. The default is 1 second.
This item appears only for WAVE devices that use Cisco Interface Modules but not for AppNav
Controller Interface Modules. For devices that use Cisco WAE Inline Network Adapters, the failover
timeout is configured in the Inline Interface Settings window (see Figure 5-8 on page 5-47). This item
is named Time Out for WAAS versions earlier than 5.0 and appears before the VLAN ID Connection
Check item.
Step 7
Click Submit. A message appears for you to confirm that all Interface Module interfaces are to be
converted to inline group interfaces and existing Interface Module interface configurations are to be
removed.
Step 8
Click OK to confirm.
The inline groups are configured with basic default settings. To configure inline group settings, see the
“Configuring Inline Interface Settings on WAEs” section on page 5-46.
For devices running WAAS versions earlier than 5.0, after enabling inline mode, it takes about two data
feed poll cycles (about 10 minutes by default) for the inline groups to appear in the Inline Interfaces list
in the lower part of the window.
Note
Inline mode cannot be enabled if any of the Interface Module ports are configured as the primary
interface. You must change the primary interface and return to this window to enable inline
mode.
For devices running WAAS versions earlier than 5.0, if you configure any of the interfaces on an
Interface Module with nondefault settings (standby group, port channel, BVI, speed, duplex, IP
address, ACLs, and so on), inline mode cannot be enabled and a warning message appears that
tells you to check all interfaces for any configuration settings. You must remove all configuration
settings from all interface module interfaces (slot 1) and then return to this window to enable
inline mode.
To enable inline operation from the CLI, use the interception-method inline global configuration
command.
To configure VLAN ID checking from the CLI, use the inline vlan-id-connection-check global
configuration command after inline operation is enabled.
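The VLAN ID connection check described in Step 5 above, modelled as an added example (this is not code from the Cisco guide). Each TCP connection is keyed by its 4-tuple, the VLAN ID of its first packet is remembered, and with the check enabled any later packet of that connection carrying a different VLAN ID is bridged rather than optimized; packets on excluded VLANs are bridged regardless. The packet records, the `InlineGroup` class and the function names are this example's own constructions.

```python
"""Model of the inline VLAN ID connection check (added example, not from
the Cisco WAAS guide). Class and function names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# (ip_a, port_a, ip_b, port_b), ordered so both directions share one key
Conn = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    vlan: Optional[int]  # None models untagged (native VLAN) traffic


def conn_key(p: Packet) -> Conn:
    """Both directions of a TCP connection map to the same key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = sorted([a, b])
    return (lo[0], lo[1], hi[0], hi[1])


class InlineGroup:
    """One inline group's per-packet intercept-or-bridge decision."""

    def __init__(self, vlan_check: bool = True,
                 excluded: Iterable[Optional[int]] = ()) -> None:
        self.vlan_check = vlan_check        # enabled by default, as in the guide
        self.excluded = set(excluded)       # VLANs bridged without processing
        self._conn_vlan: Dict[Conn, Optional[int]] = {}

    def handle(self, p: Packet) -> str:
        """Return 'bridged' or 'optimized' for one packet."""
        if p.vlan in self.excluded:
            return "bridged"
        # Remember the VLAN ID seen on the connection's first packet.
        first_vlan = self._conn_vlan.setdefault(conn_key(p), p.vlan)
        if self.vlan_check and p.vlan != first_vlan:
            # Mismatching VLAN ID within one connection: bridged, not optimized.
            return "bridged"
        return "optimized"


def classify(group: InlineGroup, packets: List[Packet]) -> List[str]:
    """Run a packet sequence through one inline group, in order."""
    return [group.handle(p) for p in packets]


# Constructed asymmetric flow: client->server on VLAN 10, the return
# direction on VLAN 20 (the topology the guide says may need the check off).
ASYMMETRIC_FLOW = [
    Packet("10.1.1.10", 40000, "10.2.2.20", 445, 10),
    Packet("10.2.2.20", 445, "10.1.1.10", 40000, 20),
    Packet("10.1.1.10", 40000, "10.2.2.20", 445, 10),
]

if __name__ == "__main__":
    print(classify(InlineGroup(vlan_check=True), ASYMMETRIC_FLOW))
    # ['optimized', 'bridged', 'optimized']
    print(classify(InlineGroup(vlan_check=False), ASYMMETRIC_FLOW))
    # ['optimized', 'optimized', 'optimized']
```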
Configuring Inline Interface Settings on WAEs
This section describes how to configure inline settings on WAEs configured as application accelerators
and that are not part of an AppNav Cluster (WAEs that are part of an AppNav Cluster use only the
appnav-controller interception method). If you want to configure the inline settings on WAEs configured
as AppNav Controllers, see the “Configuring Inline Operation on ANCs” section on page 5-49.
To configure inline interface settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name. (You cannot configure inline
interface settings from device groups.)
Step 2
Choose Configure > Interception > Interception Configuration.
Note
If you are configuring a device using a WAAS version earlier than 5.0, choose Configure >
Interception > Inline > Inline Interfaces to configure inline interface settings. The
configuration window looks different but has similar settings.
The Inline Interfaces window appears, listing the inline interface groups available on the device.
Step 3
Choose an inline group to configure and click the Edit taskbar icon. (For devices using WAAS versions
earlier than 5.0, click the Edit icon next to the interface.)
The Edit Inline Settings window appears, displaying the inline interface configurations for a particular
slot and port group. (See Figure 5-8.)
Figure 5-8
Edit Inline Settings Window
Step 4
Check the Use CDP check box to enable Cisco Discovery Protocol (CDP) on the inline group interfaces.
The Use CDP check box is not shown for devices using WAAS versions earlier than 5.0.
When enabled, CDP obtains protocol addresses of neighboring devices and discovers the platform of
those devices. It also shows information about the interfaces used by your router.
Configuring CDP from the CDP Settings window enables CDP globally on all the interfaces. For
information on configuring CDP settings, see the “Configuring CDP Settings” section on page 6-25.
Step 5
Check the Shutdown check box to shut down the inline group. This setting bridges traffic across the
LAN/WAN interfaces without any processing.
Step 6
In the Encapsulation field, enter the VLAN ID that is to be assigned to traffic that leaves the WAE. The
VLAN ID should be set to match the VLAN ID expected by the router.
For more information about the VLAN ID, see the “Configuring an IP Address on an Inline Interface”
section on page 5-51.
Step 7
From the Load Interval drop-down list, choose the interval in seconds at which to poll the interface for
statistics and calculate throughput. The default is 30 seconds. (The Load Interval item is not shown for
devices using WAAS versions earlier than 5.0.)
Step 8
Check the Intercept all VLANs check box to enable inline interception on the interface group. Inline
interception is enabled by default when the WAE contains a Cisco WAE Inline Network Adapter but
must be explicitly enabled on devices with a Cisco Interface Module (see the “Enabling Inline Operation
on WAEs” section on page 5-44).
Step 9
In the Exclude VLAN field, enter a list of one or more VLAN ranges to exclude from optimization. You
can enter the word “native” to exclude the native VLAN. Separate each VLAN range from the next with
a comma. Alternatively, you can select VLAN ranges from a list by following these steps:
a. Click the Configure Include VLANs button when you know the list of VLANs that you want to
include in inline interception. This button runs a script that prompts you for a comma-separated list
of VLANs that you want to include. The script generates an inverse list of all VLANs that should be
excluded and then updates the window and puts the list into the Exclude VLAN field.
b. Click the Choose VLANs from the list button to choose VLAN ranges. The VLAN Range
Assignments window appears, displaying the VLAN ranges that are defined. Defining VLAN ranges
is described in the “Configuring VLANs for Inline Support” section on page 5-52.
c. Choose the VLAN ranges to include or exclude by doing the following:
– Check the check box next to each VLAN range that you want to include for optimization and
click the Include Vlan taskbar icon. All VLANs that are not included for optimization are
excluded. For devices using WAAS versions earlier than 5.0, click the icon next to each VLAN
range that you want to include; the icon changes to show the new state.
– Check the check box next to each VLAN range that you want to exclude from optimization and
click the Exclude Vlan taskbar icon. For devices using WAAS versions earlier than 5.0, click the
icon next to each VLAN range that you want to exclude from optimization; the icon changes to
show the new state.
– Click the Clear Selection taskbar icon to clear all selections. For devices using WAAS versions
earlier than 5.0, click the taskbar icon that selects all available VLAN ranges for optimization,
or the taskbar icon that excludes all VLAN ranges from optimization.
d. Click OK. For devices using WAAS versions earlier than 5.0, click Submit.
Step 10
From the Failover Timeout drop-down list, choose 1, 3, 5, or 10 seconds. The default is 1 second. This
value sets the number of seconds after a failure event that the WAE waits before beginning to operate in
bypass mode. In bypass mode, all traffic received on either port of the interface group is forwarded out
the other port in the group.
This setting applies only to devices that use Cisco WAE Inline Network Adapters. For devices that
use Cisco Interface Modules, the failover timeout is configured in the Inline Interception Settings
window (see Figure 5-7 on page 5-45) and does not appear in this window.
Step 11
Configure the Speed and Mode port settings as follows (these settings are not used for interfaces on the
Cisco Interface Module on a device using WAAS version 5.0 or later, which uses auto sensing):
a. Uncheck the AutoSense check box, which is enabled by default.
b. From the Speed drop-down list, choose a transmission speed (10, 100, 1000, or 10000 Mbps). You
must choose 1000 Mbps for fiber Gigabit Ethernet interfaces on a Cisco Interface Module for
devices using WAAS versions earlier than 5.0.
c. From the Mode drop-down list, choose a transmission mode (full-duplex or half-duplex). You must
choose full-duplex for fiber Gigabit Ethernet interfaces on a Cisco Interface Module for devices
using WAAS versions earlier than 5.0.
Note
We strongly recommend that you do not use half-duplex connections on the WAE or on
routers, switches, or other devices. Half duplex impedes performance and should not be
used. Check each Cisco WAE interface and the port configuration on the adjacent device
(router, switch, firewall, and WAE) to verify that full duplex is configured.
Step 12
In the Address field, enter an IP address for the inline interface, if you want to assign an IP address.
Step 13
In the Netmask field, enter a subnet mask for the inline interface.
Step 14
Enter up to four secondary IP addresses and corresponding subnet masks in the Secondary Address and
Secondary Netmask fields.
Configuring multiple IP addresses allows the device to be present in more than one subnet and can be
used to optimize response time because it allows the data to go directly from the WAAS device to the
client that is requesting the information without being redirected through a router. The WAAS device
becomes visible to the client because both are configured on the same subnet.
Step 15
In the Default Gateway field, enter the default gateway IP address. The Default Gateway field is not
shown for devices using WAAS versions 5.0 or later.
Step 16
(Optional) From the Inbound ACL drop-down list, choose an IP ACL to apply to inbound packets.
The drop-down list contains all the IP ACLs that you configured in the system.
Step 17
(Optional) From the Outbound ACL drop-down list, choose an IP ACL to apply to outbound packets.
Step 18
Click OK. For devices using WAAS versions earlier than 5.0, click Submit.
Step 19
For WAAS version 5.0 and later, choose Configure > Network > Default Gateway to configure the
default gateway for an inline interface.
a. In the Default Gateway field, enter the default gateway IP address.
b. Click Submit.
To configure inline interception from the CLI, use the interface InlineGroup global configuration
command.
Configuring Inline Operation on ANCs
This section describes how to enable and configure inline settings on WAAS devices configured as
AppNav Controllers (ANCs). You can also use the AppNav Cluster wizard to configure an inline ANC
and create an inline bridge interface, as described in the “Creating a New AppNav Cluster with the
Wizard” section on page 4-14.
If you want to configure the inline settings on WAEs configured as application accelerators, see the
“Enabling Inline Operation on WAEs” section on page 5-44.
On WAVE-594/694/7541/7571/8541 devices that use Cisco AppNav Controller Interface Modules, the
AppNav Controller Interface Module ports are configured by default for normal standalone operation. If
you want to use the device in inline mode, you must configure the ports for inline operation and create
an inline bridge group. Enabling inline mode configures all ports for inline operation.
To enable inline operation and configure an inline bridge group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name. (You cannot enable inline
operation from device groups.)
Step 2
Choose Configure > Interception > Interception Configuration.
The Interception Configuration window appears.
Step 3
From the Interception Method drop-down list, choose Inline to enable inline mode.
Step 4
Click Submit to enable inline mode and refresh the window with additional settings.
All existing bridge groups are listed, showing the bridge group number, protocol, link state propagation
setting, VLAN ranges, and included interfaces.
From this list, you can perform the following tasks:
• Edit the settings for a bridge group by choosing it and clicking the Edit taskbar icon.
• Delete a bridge group by choosing it and clicking the Delete taskbar icon.
• Create a new bridge group as described in the following steps.
Step 5
Click the Create Bridge taskbar icon.
Step 6
From the Bridge Index drop-down list, choose the bridge group number.
Step 7
(Optional) In the Description field, enter a bridge group description.
Step 8
(Optional) Check the Link State Propagation check box to enable link state propagation. It is enabled
by default.
Link state propagation means that if one interface in the inline bridge group is down, the system
automatically shuts down the other interface to ensure that any network failover scheme is triggered.
Step 9
(Optional) Configure VLANs to include in interception. Initially all VLANs are included. If you want
to include or exclude specific VLAN ranges, follow these steps:
a. Click the Vlan Calculator button.
b. For each VLAN range that you want to include in interception, set the Select Operation Type
drop-down list to Add/Include. In the Vlan Range field, enter a comma-separated list of one or more
VLAN ranges to include. You can enter the word “native” to include the native VLAN.
c. For each VLAN range that you want to exclude from interception, set the Select Operation Type
drop-down list to Except/Exclude. In the Vlan Range field, enter a comma-separated list of one or
more VLAN ranges to exclude. You can enter the word “native” to exclude the native VLAN.
d. Click OK to save your settings.
Step 10
In the Assign Interfaces area check the box next to two interfaces that you want to assign to this bridge
group, then click the Assign taskbar icon. To unassign any assigned interfaces, check each interface that
you want to unassign and click the Unassign taskbar icon. The bridge group can contain two physical or
two port-channel interfaces, or a combination.
Step 11
Click OK to create the bridge group.
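VLAN range list handling for the Exclude VLAN field (Step 9 of “Configuring Inline Interface Settings on WAEs”) and for the ANC Vlan Calculator (Step 9 above), as an added example that is not code from the Cisco guide. The range syntax (“10-20,30,native”, comma-separated, no spaces), the 1 to 4094 VLAN ID bounds, and the fact that the Configure Include VLANs script writes the inverse list into the Exclude VLAN field come from the guide; the function names, the ordered application of Add/Include and Except/Exclude operations, and the handling of “native” in the inverse list are this example's assumptions.

```python
"""VLAN range parsing, inversion and calculator model (added example, not
from the Cisco WAAS guide). Function names are this example's own.
"""
from typing import Iterable, List, Set, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094      # VLAN ID bounds stated in the guide
NATIVE = "native"


def parse_vlan_ranges(text: str, allow_native: bool = True) -> Tuple[Set[int], bool]:
    """Parse "10-20,30,native" into (set of VLAN IDs, native flag).

    allow_native=False mirrors the global VLAN list window, where the
    word "native" is not accepted. Malformed or out-of-range input raises
    ValueError rather than yielding a partial list.
    """
    ids: Set[int] = set()
    native = False
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower() == NATIVE:
            if not allow_native:
                raise ValueError("'native' is not permitted in this field")
            native = True
            continue
        lo, sep, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not (VLAN_MIN <= start <= end <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        ids.update(range(start, end + 1))
    return ids, native


def format_vlan_ranges(ids: Iterable[int], native: bool = False) -> str:
    """Collapse a set of VLAN IDs back into the compact "a-b,c" form."""
    out: List[str] = []
    ordered = sorted(set(ids))
    i = 0
    while i < len(ordered):
        start = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == ordered[i] + 1:
            i += 1
        end = ordered[i]
        out.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    if native:
        out.append(NATIVE)
    return ",".join(out)


def include_to_exclude(include_text: str) -> str:
    """Inverse list as the Configure Include VLANs script produces it:
    every VLAN ID not named in include_text goes into the Exclude VLAN
    field. Assumption: the native VLAN is excluded unless it was included.
    """
    included, native_included = parse_vlan_ranges(include_text)
    excluded = set(range(VLAN_MIN, VLAN_MAX + 1)) - included
    return format_vlan_ranges(excluded, native=not native_included)


def apply_calculator(operations: List[Tuple[str, str]]) -> Tuple[Set[int], bool]:
    """ANC Vlan Calculator model: start with all VLANs intercepted, then
    apply ("include", ranges) / ("exclude", ranges) operations in order
    (ordered application is this example's assumption).
    """
    current = set(range(VLAN_MIN, VLAN_MAX + 1))
    native = True
    for op, text in operations:
        ids, nat = parse_vlan_ranges(text)
        if op == "include":
            current |= ids
            native = native or nat
        elif op == "exclude":
            current -= ids
            native = native and not nat
        else:
            raise ValueError(f"unknown operation {op!r}")
    return current, native


if __name__ == "__main__":
    # Constructed input: intercept only VLANs 10-20 and 30 on an inline group.
    print(include_to_exclude("10-20,30"))   # 1-9,21-29,31-4094,native
    vlans, nat = apply_calculator([("exclude", "100-200"), ("include", "150")])
    print(len(vlans), nat)                   # 3994 True
```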
Configuring an IP Address on an Inline Interface
You can assign IP addresses to the inline group interfaces but it is not required. You can assign a primary
IP address and up to four secondary IP addresses, using the procedure discussed in the “Configuring
Inline Interface Settings on WAEs” section on page 5-46.
You can set an inline group interface as the primary interface on the WAE by using the Configure >
Network > Network Interfaces window, in the Primary Interface drop-down list.
In scenarios where the primary interface for a WAE is set to an inline group interface and management
traffic is configured on a separate IP address (either on a secondary IP address on the same inline group
interface or on a built-in interface), you must configure the WAAS Central Manager to communicate
with the WAE on the IP address designated for management traffic. Configure the WAE management
interface settings with the Configure > Network > Management Interface Settings menu item. For WAAS
versions earlier than 5.0, configure the WAE management traffic IP address in the device-name >
Activation window, in the Management IP field.
If a WAE operating in inline mode is present in an 802.1Q VLAN trunk line between a switch and a
router, and you are configuring the inline interface with an IP address, you must set the VLAN ID that
is to be assigned to traffic that leaves the WAE. The VLAN ID should be set to match the VLAN ID
expected by the router.
Use the encapsulation dot1Q interface command to assign a VLAN ID, as follows:
(config)# interface inlineGroup 1/0
(config-if)# encapsulation dot1Q 100
This example shows how to assign VLAN ID 100 to the traffic leaving the WAE. The VLAN ID can
range from 1 through 4094.
Note
You can set the VLAN ID of the inline traffic by using the encapsulation dot1Q interface command or
by using the Central Manager menu item Configure > Interception > Interception Configuration (see
the “Configuring Inline Interface Settings on WAEs” section on page 5-46).
If the VLAN ID that you set does not match the VLAN ID expected by the router subinterface, you may
not be able to connect to the inline interface IP address.
The inline adapter supports only a single VLAN ID for each inline group interface. If you have
configured a secondary address from a different subnet on an inline interface, you must have the same
secondary address assigned on the router subinterface for the VLAN.
Using IEEE 802.1Q tunneling increases the frame size by 4 bytes when the tag is added. Therefore, you
must configure all switches through which the tunneled packet traverses to be able to process larger
frames by increasing the device MTU to at least 1504 bytes.
The following operating considerations apply to configuring IP addresses on the inline interfaces:
• This feature provides basic routable interface support and does not support the following additional
features associated with the built-in interfaces: standby and port channel.
• If you have configured a WAE to use the inline interfaces for all traffic, inline interception must be
enabled or the WAE will not receive any traffic.
• If you have configured a WAE to use the inline interfaces for all traffic and it goes into mechanical
bypass mode, the WAE becomes inaccessible through the inline interface IP address. Console access
is required for device management when an inline interface is in bypass mode.
• If you have configured a WAE with an IP address on an inline interface, the interface can accept only
traffic addressed to it and ARP broadcasts, and the interface cannot accept multicast traffic.
• In a deployment using the Hot Standby Router Protocol (HSRP) where two routers that participate
in an HSRP group are directly connected through two inline groups, HSRP works for all clients if
the active router fails. However, this redundancy does not apply to the IP address of the WAE itself
for management traffic, if management traffic is also configured to use the inline interface. If the
active router fails, you will not be able to connect to the WAE inline IP address because the inline
interface is physically connected to the failed router interface. You will be able to connect to the
WAE through the second inline group interface that is connected to the standby router. If redundancy
is needed for the IP address of the WAE itself for management traffic, we recommend that you use
the IP addresses of the built-in interfaces rather than the inline interfaces.
Configuring VLANs for Inline Support
Initially, the WAE accepts traffic from all VLANs. You can configure the WAE to include or exclude
traffic from certain VLANs; for excluded VLANs, traffic is bridged across the LAN/WAN interfaces in
a group and is not processed.
To configure a VLAN for inline support, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Platform > Vlans.
The Vlans window appears, which lists the VLANs that are defined. You can click the Edit Vlan icon
next to an existing VLAN that you want to modify.
Step 2
In the taskbar, click the Create New Vlan icon. The Creating VLAN window appears.
Step 3
In the VLAN Name field, enter a name for the VLAN list.
Step 4
In the VLAN Ranges field, enter a list of one or more VLAN ranges. Separate each VLAN range from
the next with a comma (but no space). This list of VLAN ranges can be included or excluded from
optimization when you configure the inline interface group, as described in the “Configuring Inline
Interface Settings on WAEs” section on page 5-46. You cannot specify the term “native” in this field.
Step 5
Click Submit.
This facility for creating VLAN lists is provided so that you can configure VLAN lists globally. You do
not need to use this facility to configure VLANs for an inline interface. You can configure VLANs
directly in the inline interface settings window, as described in the “Configuring Inline Interface Settings
on WAEs” section on page 5-46.
Information About Clustering Inline WAEs
You can serially cluster two WAE devices that are operating in inline mode to provide higher availability
in the data center if a device fails. If the current optimizing device fails, the inline group shuts down, or
the device becomes overloaded, the second WAE device in the cluster provides the optimization services.
Deploying WAE devices in a serial inline cluster for scaling or load balancing is not supported.
Note
Overload failover occurs on TFO overload, not overload of individual application accelerators, and it is
intended for temporary overload protection. We do not recommend that you continually run a WAE in
an overloaded state, frequently triggering overload failover.
A serial cluster consists of two WAE devices connected together sequentially in the traffic path. The
WAN port of one device is connected to the LAN port of the next device, as shown in Figure 5-9.
Figure 5-9
Inline Cluster
[Diagram: Switch, WAE-1, WAE-2, Router, WAN, and File and application servers, connected in that order.
Legend: 1 = Inline LAN port on WAE-1, 2 = Inline WAN port on WAE-1, 3 = Inline LAN port on WAE-2,
4 = Inline WAN port on WAE-2]
In a serial cluster, all traffic between the switch and router passes through all inline WAEs. In Figure 5-9,
TCP connections are optimized by WAE-1. If WAE-1 fails, it bypasses the traffic and connections are
then optimized by WAE-2.
The policy configuration of serially clustered WAEs should be the same. Additionally, we recommend
that you use the same device for both WAEs in the cluster.
When serially clustering inline WAEs, on each WAE you must configure the address of the other WAE
in the cluster as a non-optimizing peer. This disables optimization between the two peer WAEs in the
serial cluster, since you want optimization only between the WAE peers on each side of the WAN link.
For information on how to disable optimization between peers, see the “Disabling Peer Optimization
Between Serial Inline WAEs” section on page 5-54.
Disabling Peer Optimization Between Serial Inline WAEs
To disable peer optimization between WAEs in a serial cluster, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name. (You cannot configure peer
settings from device groups.)
Step 2
Choose Configure > Peers > Peer Settings.
The Peer Settings window appears. (See Figure 5-10.)
Figure 5-10
Peer Settings Window
Step 3
Click the Select Peer triangle control to display in the lower part of the window other WAEs that are
registered with this Central Manager (see the Select Peer area).
Step 4
In the Select Peer area, click the radio button next to the serial peer of the current device. The peer device
name appears in the Disable Optimization With Peer field.
If you need to filter the device list, enter a string in the Filter field. As you enter characters, the device
list is dynamically filtered to include only devices that have the filter string in their name or hardware
device ID.
Step 5
Check the Automatically Configure Peer check box to allow the Central Manager to configure the other
peer with a similar setting to disable optimization with the current device.
If you do not check this box, you must manually configure the other peer to disable optimization with
the current device. After you submit your changes, you can click the Switch to Peer button to go to this
same configuration page for the peer device.
Step 6
In the Description field, enter a description for the peer. The default description is the device name of
the peer.
Step 7
Click Submit.
To disable serial peer optimization from the CLI, use the no peer device-id global configuration
command. To reenable serial peer optimization, use the peer device-id global configuration command.
To view the status of all serial cluster pairs registered with the Central Manager, from the WAAS Central
Manager menu, choose Configure > Global > Peer Settings. The Peer Settings status window appears,
as shown in Figure 5-11.
Figure 5-11
Peer Settings For All Devices Window
The window lists each WAE for which you have configured peer optimization settings. Verify that there
are two entries for each serial cluster pair, both with a check mark in the Mutual Pair column. There
should be an entry for each WAE in the pair (for example, the first and last entries in the figure).
If you see an entry without a check mark in the Mutual Pair column (like the third one in the figure), it
indicates a WAE on which a serial peer is configured, but the peer is not similarly configured with the
first device as its serial peer.
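The same mutual-pair check can be run against the devices' running configurations instead of the Peer Settings window. The following Python script is an added example, not Cisco software: it assumes that each WAE's show running-config contains a `peer device-id <id>` line for its non-optimizing peer (the guide names the peer device-id command; the MAC-style device ID values, the device-name-to-ID table and the configuration excerpts are constructed here). It reports the pairs that are mutual and the entries whose counterpart is missing, that is, the rows that would appear without a check mark in the Mutual Pair column.

```python
import re
from typing import Dict, List, Set, Tuple

# A non-optimizing peer shows up in the running configuration as a
# "peer device-id <id>" line (command named in the guide; the MAC-style
# value format is an assumption made for this example).
PEER_RE = re.compile(r"^\s*peer device-id\s+(\S+)", re.MULTILINE)

# Constructed device-name -> device-id table (what the Central Manager lists).
DEVICE_IDS: Dict[str, str] = {
    "WAE-1": "00:11:22:33:44:01",
    "WAE-2": "00:11:22:33:44:02",
    "WAE-3": "00:11:22:33:44:03",
    "WAE-4": "00:11:22:33:44:04",
}

# Constructed running-config excerpts. WAE-1/WAE-2 are a correct serial pair;
# WAE-3 points at WAE-1 without WAE-1 pointing back; WAE-4 points at a
# device ID that is not registered at all.
CONFIGS: Dict[str, str] = {
    "WAE-1": "hostname WAE-1\npeer device-id 00:11:22:33:44:02\n",
    "WAE-2": "hostname WAE-2\npeer device-id 00:11:22:33:44:01\n",
    "WAE-3": "hostname WAE-3\npeer device-id 00:11:22:33:44:01\n",
    "WAE-4": "hostname WAE-4\npeer device-id 00:11:22:33:44:99\n",
}


def parse_peers(running_config: str) -> Set[str]:
    """Device IDs this WAE is configured not to optimize with."""
    return set(PEER_RE.findall(running_config))


def check_mutual_pairs(
    configs: Dict[str, str], device_ids: Dict[str, str]
) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (mutual_pairs, one_sided).

    mutual_pairs: name pairs where each device lists the other (the rows
    that would carry a Mutual Pair check mark).
    one_sided: (device, peer) entries whose peer does not list the device
    back, or whose peer ID is not registered; the peer is given by name
    when known, otherwise by the raw device ID.
    """
    id_to_name = {dev_id: name for name, dev_id in device_ids.items()}
    peers = {name: parse_peers(cfg) for name, cfg in configs.items()}
    mutual: Set[Tuple[str, str]] = set()
    one_sided: List[Tuple[str, str]] = []
    for name, ids in peers.items():
        for dev_id in ids:
            peer_name = id_to_name.get(dev_id)
            # Mutual only if the peer is known and lists this device's own ID.
            if peer_name is None or device_ids.get(name) not in peers.get(peer_name, set()):
                one_sided.append((name, peer_name or dev_id))
            else:
                mutual.add(tuple(sorted((name, peer_name))))
    return sorted(mutual), sorted(one_sided)


if __name__ == "__main__":
    mutual_pairs, missing = check_mutual_pairs(CONFIGS, DEVICE_IDS)
    for a, b in mutual_pairs:
        print(f"mutual pair: {a} <-> {b}")
    for dev, peer in missing:
        print(f"NOT mutual: {dev} lists {peer}, but {peer} does not list {dev}")
```

Run it with the output of show running-config collected from every WAE in the serial clusters; any entry in the one-sided list is a device whose partner still needs the no-optimization peer setting, exactly the situation the Automatically Configure Peer check box is meant to prevent.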
Configuring VPATH Interception on a vWAAS Device
VPATH intercepts traffic from the VM server, redirects it to a vWAAS device for WAN optimization,
and then returns the response back to the Virtual Ethernet Module (VEM). The vWAAS egress traffic
received by the VEM is forwarded without further VPATH interception.
Interception is configured on the server VM port profile in both directions.
To configure VPATH interception on a vWAAS device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name. (You cannot configure vWAAS
interface settings from device groups.)
Step 2
Choose Configure > Interception > Interception Configuration. The VPATH settings window
appears.
Note
If you are configuring a device using a WAAS version earlier than 5.0, choose Configure >
Interception > VPATH to configure VPATH settings.
Step 3
From the Interception Method drop-down list, choose vn-service (VPATH on devices using WAAS
versions earlier than 5.0) to enable VPATH interception on the vWAAS device.
Step 4
On devices using WAAS versions earlier than 5.0, check the Enable VPATH check box to enable
VPATH interception on the vWAAS device. This check box is not editable on devices using WAAS
versions 5.0 or later.
Note
Only one type of interception can be enabled at a time.
Step 5
Click Submit.
To enable VPATH from the CLI, use the interception-method vn-service vpath global configuration
command. The default is disabled. For monitoring and troubleshooting, use the show statistics
vn-service vpath and clear statistics vn-service vpath EXEC commands.
For more information on virtual WAAS configuration, see the Cisco Wide Area Application Services
vWAAS Installation and Configuration Guide.
Configuring AppNav Interception
For WAEs that are part of an AppNav deployment and are configured as WAAS nodes (WNs) in an
AppNav Cluster, you must configure them to use the appnav-controller interception method. These WNs
receive traffic only from the ANCs, not directly from routers. It is on the ANC devices that you configure
an interception method such as WCCP, PBR, or inline to intercept network traffic. For more information
about an AppNav deployment, see Chapter 4, “Configuring AppNav.”
If you create an AppNav Cluster by using the Central Manager wizard, or you add WNs to a cluster
through the AppNav Clusters window, the Central Manager automatically configures WNs with the
appnav-controller interception method. Once the WN is added to a cluster, its interception method
cannot be changed.
To manually configure appnav-controller interception on a WN device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Interception > Interception Configuration. The Interception Configuration
window appears.
Step 3
From the Interception Method drop-down list, choose appnav-controller to enable the
appnav-controller interception method.
Step 4
Click Submit.
Chapter 6
Configuring Network Settings
This chapter describes how to configure basic network settings such as configuring additional network
interfaces to support network traffic, creating port channel and standby interfaces, creating bridge
interfaces for virtual blades, configuring optimization on WAAS Express interfaces, specifying a default
gateway and DNS servers, enabling the Cisco Discovery Protocol (CDP), and configuring the directed
mode of operation where peer WAEs exchange traffic using UDP encapsulation to avoid firewall
traversal issues.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• Configuring Network Interfaces, page 6-1
• Configuring TCP Settings, page 6-21
• Configuring Static IP Routes, page 6-25
• Configuring CDP Settings, page 6-25
• Configuring the DNS Server, page 6-26
• Configuring Windows Name Services, page 6-27
• Configuring Directed Mode, page 6-27
For information on configuring a bridge group for inline interfaces on an AppNav Controller Interface
Module, see the “Configuring Inline Operation on ANCs” section on page 5-49 or use the AppNav
Cluster wizard as described in the “Creating a New AppNav Cluster with the Wizard” section on
page 4-14.
Configuring Network Interfaces
During initial setup, you chose an initial interface and either configured it for DHCP or gave it a static
IP address, as described in the Cisco Wide Area Application Services Quick Configuration Guide. This
section describes how to configure additional interfaces using options for redundancy, load balancing,
and performance optimization.
This section contains the following topics:
• Configuring a Standby Interface, page 6-3
• Configuring Multiple IP Addresses on a Single Interface, page 6-6
• Modifying Ethernet Interface Settings, page 6-7
• Configuring the Default Gateway, page 6-9
• Configuring Port-Channel Settings, page 6-9
• Configuring Interfaces for DHCP, page 6-13
• Modifying Virtual Interface Settings for a vWAAS Device, page 6-14
• Configuring Optimization on WAAS Express Interfaces, page 6-15
• Bridging to a Virtual Blade Interface, page 6-17
• Configuring Management Interface Settings, page 6-20
• Configuring a Jumbo MTU, page 6-21
We recommend that you use the WAAS Central Manager instead of the WAAS CLI to configure network
settings, but if you want to use the CLI, see the following commands in the Cisco Wide Area Application
Services Command Reference: interface, ip address, port-channel, and primary-interface.
Note
Network interfaces are named as follows on WAAS devices:
• WAVE-274/474—Have one built-in Ethernet interface named GigabitEthernet 1/0.
• WAE-512/612/7326/674/7341/7371 and WAVE-574—Have two built-in Ethernet interfaces named
GigabitEthernet 1/0 and GigabitEthernet 2/0.
• WAVE-294/594/694/7541/7571/8541—Have two built-in Ethernet interfaces named
GigabitEthernet 0/0 and GigabitEthernet 0/1. Additional interfaces on the Cisco Interface Module
and AppNav Controller Interface Module are named GigabitEthernet 1/0 to 1/11 or
TenGigabitEthernet 1/0 to 1/3, depending on the number and type of ports.
• NME-WAE devices—Have an internal interface to the router that is designated 1/0 and an external
interface that is designated 2/0.
• SM-SRE devices—Have an internal interface to the router that is designated 1/0 and an external
interface that is designated 2/0.
We strongly recommend that you do not use half-duplex connections on the WAE or on routers, switches,
or other devices. Half duplex impedes performance and should not be used. Check each Cisco WAE
interface and the port configuration on the adjacent device (router, switch, firewall, and WAE) to verify
that full duplex is configured.
When connecting an AppNav Controller to a Cisco Nexus 7000 Series switch, the interfaces on both
devices must be set to the same auto-negotiate setting: either both on or both off. If they are set
differently, switch link flapping can occur.
Note
Layer 3 interfaces may drop bridge protocol data unit (BPDU) packets. This does not affect data traffic.
Configuring a Standby Interface
In this procedure, you configure a logical interface called a standby interface. After you configure this
standby interface, you must associate physical or port-channel interfaces with the standby interface to
create the standby group. In the WAAS Central Manager, you create the standby group by assigning two
interfaces to the standby group and assigning one as primary.
Standby interfaces remain unused unless a member interface that is in use fails. When an in-use network
interface fails (because of cable trouble, Layer 2 switch failure, or other failure), the other member
interface of the standby group changes its state to in use and starts to carry traffic and take the load off
the failed interface. With the standby interface configuration, only one interface is in use at a given time.
To configure standby interfaces, you must assign two physical or two port-channel interface members to
a standby group. The following operating considerations apply to standby groups:
• A standby group consists of two physical or two port-channel interfaces. (If you are configuring a
WAAS device running a version earlier than 5.0, both interfaces must be physical interfaces.)
• The maximum number of standby groups on a WAAS device is two. When using a Cisco AppNav
Controller Interface Module, you can have up to three standby groups.
• A standby group is assigned a unique standby IP address, shared by all members of the group.
• Configuring the duplex and speed settings of the standby group member interfaces provides better
reliability.
• IP ACLs can be configured on physical interfaces that are members of a standby group.
• One interface in a standby group is designated as the primary standby interface. Only the primary
interface uses the group IP address.
• If the in-use interface fails, another interface in its standby group takes over and carries the traffic.
• If all the members of a standby group fail and then one recovers, the WAAS software brings up the
standby group on the operational interface.
• The primary interface in a standby group can be changed at runtime. (The default action is to
preempt the currently in-use interface if a different interface is made primary.)
• If a physical interface is a member of a standby group, it cannot also be a member of a port channel.
• If a device has only two interfaces, you cannot assign an IP address to both a standby group and a
port channel. On such a device, only one logical interface can be configured with an IP address.
• The member interfaces of a standby group can be connected to different switches if you use a VLAN
tagging protocol and assign the same VLAN tag to each interface.
• You cannot include a built-in Ethernet port and a port on a Cisco Interface Module in the same
standby group.
Configuring a standby interface differs, depending on the version of the WAAS device that you are
configuring. See one of the following topics:
• Configuring a Standby Interface on a Device with Version 5.0 or Later, page 6-4
• Configuring a Standby Interface on a Device Earlier than Version 5.0, page 6-5
Configuring a Standby Interface on a Device with Version 5.0 or Later
To configure a standby interface for devices with WAAS version 5.0 or later, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device
appears. (See Figure 6-1.)
Figure 6-1
Network Interfaces for Device Window
Step 3
In the taskbar of the lower area, click the Create Logical Interface icon. The Create Logical Interface
window appears.
Step 4
From the Logical Interface Type drop-down list, choose Standby and click OK. The window refreshes
with fields for configuring the standby group settings.
Step 5
From the Standby Group Number drop-down list, choose a group number for the interface.
Step 6
(Optional) From the Bridge Group Number drop-down list, choose a bridge virtual interface (BVI) group
number with which to associate this standby interface, or None. For more information on BVI, see the
“Bridging to a Virtual Blade Interface” section on page 6-17. This configuration item is not supported
on AppNav Controller Interface Module ports.
Step 7
(Optional) In the Description field, enter a description for the standby group.
Step 8
(Optional) Check the Shutdown check box to shut down the hardware interface. By default, this option
is disabled.
Step 9
(Optional) From the Load Interval drop-down list, choose the interval in seconds at which to poll the
interface for statistics and calculate throughput. The default is 30 seconds.
Step 10
In the Address field, specify the IP address of the standby group.
Step 11
In the Netmask field, specify the netmask of the standby group.
Step 12
In the Assign Interfaces area, check the boxes next to the two interfaces that you want to assign to this
standby group and click the Assign taskbar icon. To unassign any assigned interfaces, check each
interface that you want to unassign and click the Unassign taskbar icon.
If you want to have two port-channel interfaces as members of the standby group, do not assign any
interfaces here. When you create the port-channel interfaces, you assign the standby group number in
that window.
Step 13
To assign one physical interface as the primary (active) interface in the standby group, ensure that it is
the only interface checked and then click the Enable Primary taskbar icon.
Step 14
Click OK.
Configuring a Standby Interface on a Device Earlier than Version 5.0
To configure a standby interface for devices with WAAS versions earlier than 5.0, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device
appears.
Step 3
In the taskbar, click the Create New Interface icon. The Creating New Network Interface window
appears.
Step 4
From the Port Type drop-down list, choose Standby. The window refreshes with fields for configuring
the standby group settings.
Step 5
From the Standby Group Number drop-down list, choose a group number for the interface.
Step 6
(Optional) In the Description field, enter a description for the standby group.
Step 7
In the Address field, specify the IP address of the standby group.
Step 8
In the Netmask field, specify the netmask of the standby group.
Step 9
(Optional) Check the Shutdown check box to shut down the hardware interface. By default, this option
is disabled.
Step 10
In the Default Gateway field, enter the default gateway IP address. If an interface is configured for
DHCP, then this field is read only.
Step 11
(Optional) From the Bridge Group Number drop-down list, choose a bridge virtual interface (BVI) group
number with which to associate this standby interface, or choose None. For more information on BVI,
see the “Bridging to a Virtual Blade Interface” section on page 6-17.
Step 12
Click Submit.
Step 13
Configure the physical interface members as described in the “Assigning Physical Interfaces to the
Standby Group” section on page 6-5.
After you create the standby interface, you need to assign two physical interfaces to the standby group.
Assigning Physical Interfaces to the Standby Group
After you have configured a logical standby interface for a device with a WAAS version earlier than 5.0,
you configure the standby group by assigning physical interfaces to the standby group and setting one
physical interface as the primary standby interface. The primary interface in the standby group uses the
standby group IP address. You must have a standby interface configured before you can set it as primary.
(See the “Configuring a Standby Interface” section on page 6-3.)
You can assign an interface to a standby group only if the interface does not have an IP address assigned.
The interface uses the IP address of the standby group.
Note
Removing a physical interface from standby group 2 on all WAAS device models can cause network
disruption for up to 30 seconds. Additionally, removing a physical interface from standby group 1 on
device models WAE-612/674/7341/7371 and WAVE-574 can cause network disruption for up to 30
seconds. The best practice is to make such changes when traffic interception is disabled or at an off-peak
time when traffic disruption is acceptable.
To associate an interface with a standby group and set it as the primary standby interface, follow these
steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device
appears.
Step 3
Click the Edit icon next to the physical interface that you want to assign to a standby group. The
Interface Settings window appears.
Choose a physical interface, not a logical interface (standby, port channel, or BVI), in this step.
Step 4
Complete the following steps to assign the interface to a standby group and specify it as the primary
standby interface:
a. In the Port Type To Assign drop-down list, choose Standby.
b. Check either the Join Standby Group 1 or Join Standby Group 2 check box. (Only one check box
is shown if only one standby interface has been defined.)
c. (Optional) Check the Standby Primary check box if you want this physical interface to be the
primary (active) interface in the standby group.
Step 5
Click Submit.
Configuring Multiple IP Addresses on a Single Interface
You can configure up to four secondary IP addresses on a single interface. This configuration allows the
device to be present in more than one subnet and can be used to optimize the response time because it
allows the data to go directly from the WAAS device to the client that is requesting the information
without being redirected through a router. The WAAS device becomes visible to the client because both
are configured on the same subnet.
Configuring multiple IP addresses is not supported on AppNav Controller Interface Module ports.
To configure multiple IP addresses on a single interface, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Network Interfaces. The Network Interfaces listing window appears.
Step 3
Choose the physical interface that you want to modify and click the Edit taskbar icon. (For devices using
WAAS versions earlier than 5.0, click the Edit icon next to the interface.)
The Interface Settings window appears.
Note
Do not choose a standby or port-channel interface in this step. You cannot configure multiple IP
addresses on these types of interfaces.
Step 4
In the Secondary Address and Secondary Netmask fields 1 through 4, enter up to four different IP
addresses and secondary netmasks for the interface.
Step 5
Click Submit.
Modifying Ethernet Interface Settings
To modify the settings of a physical Ethernet interface, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Network Interfaces.
The Network Interfaces window appears, listing the configured network interfaces.
Note
On NME-WAE and SM-SRE devices, the internal interface to the router is designated slot 1, port
0 and the external interface is designated slot 2, port 0. For NME-WAE configuration details, see
the document Configuring Cisco WAAS Network Modules for Cisco Access Routers. For
SM-SRE configuration details, see the document Cisco SRE Service Module Configuration and
Installation Guide.
Step 3
Choose the physical interface that you want to modify and click the Edit taskbar icon. (For devices using
WAAS versions earlier than 5.0, click the Edit icon next to the interface.)
The Interface Settings window appears, displaying the interface configurations on a particular slot and
port. The interface type, slot, and port are determined by the hardware.
Note
When configuring the internal interface (GigabitEthernet 1/0) on an NME-WAE or SM-SRE
device, you cannot change the following fields or check boxes: Port Channel Number,
AutoSense, Speed, Mode, Address, Netmask, Use DHCP, and Standby Group. If you attempt to
change these values, the Central Manager displays an error when you click Submit. These
settings for the internal interface can be configured only through the host router CLI. For
NME-WAE details, see the document Configuring Cisco WAAS Network Modules for Cisco
Access Routers. For SM-SRE details, see the document Cisco SRE Service Module
Configuration and Installation Guide.
Step 4
(Optional) In the Description field, enter a description for the interface.
Step 5
(Optional) Check the Use CDP check box to enable the Cisco Discovery Protocol (CDP) on an interface.
When enabled, CDP obtains protocol addresses of neighboring devices and discovers the platform of
those devices. It also shows information about the interfaces used by your router.
Configuring CDP from the CDP Settings window enables CDP globally on all the interfaces. For
information on configuring CDP settings, see the “Configuring CDP Settings” section on page 6-25.
Step 6
(Optional) Check the Shutdown check box to shut down the hardware interface.
Step 7
(Optional) From the Load Interval drop-down list, choose the interval in seconds at which to poll the
interface for statistics and calculate throughput. The default is 30 seconds. (The Load Interval item is
not shown for devices using WAAS versions earlier than 5.0.)
Step 8
(Optional) Check the AutoSense check box to set the interface to autonegotiate the speed and mode.
(This setting is not available on interfaces on some Cisco Interface Modules.)
Checking this check box disables the manual Speed and Mode drop-down list settings.
Note
When autosense is on, manual configurations are overridden. You must reboot the WAAS device
to start autosensing.
Step 9
(Optional) Manually configure the interface transmission speed and mode settings as follows (these
settings are not available on interfaces on some Cisco Interface Modules):
a.
Uncheck the AutoSense check box.
b.
From the Speed drop-down list, choose a transmission speed (10, 100, 1000, or 10000 Mbps). You
must choose 1000 Mbps for fiber Gigabit Ethernet interfaces on a Cisco Interface Module.
c.
From the Mode drop-down list, choose a transmission mode (full-duplex or half-duplex). You must
choose full-duplex for fiber Gigabit Ethernet interfaces on a Cisco Interface Module. This
configuration item is not supported on AppNav Controller Interface Module ports.
Full-duplex transmission allows data to travel in both directions at the same time through an
interface or a cable. A half-duplex setting ensures that data only travels in one direction at any given
time. Although full duplex is faster, the interfaces sometimes cannot operate effectively in this
mode. If you encounter excessive collisions or network errors, you may configure the interface for
half-duplex rather than full duplex.
Note
We strongly recommend that you do not use half-duplex connections on the WAE or on
routers, switches, or other devices. Half duplex impedes performance and should not be
used. Check each Cisco WAE interface and the port configuration on the adjacent device
(router, switch, firewall, and WAE) to verify that full duplex is configured.
Step 10
Specify a value (in bytes) in the MTU field to set the interface Maximum Transmission Unit (MTU) size.
The range is 576–1500 bytes. The MTU is the largest size of IP datagram that can be transferred using
a specific data link connection.
Note
The MTU field is not editable if the interface is assigned to a standby or port-channel group, or
if a system jumbo MTU is configured.
Step 11
(Optional) Check the Use DHCP check box to obtain an interface IP address through DHCP. Checking
this box hides the IP address and Netmask fields. (For devices with WAAS versions earlier than 5.0,
these fields are not hidden but become grayed out.) This configuration item is not supported on AppNav
Controller Interface Module ports.
Optionally supply a hostname in the Hostname field and a client ID in the Client Id field.
Step 12
In the Address field, enter a new IP address to change the interface IP address.
Step 13
In the Netmask field, enter a new netmask to change the interface netmask.
Step 14
(Optional) Enter up to four secondary IP addresses and corresponding subnet masks in the Secondary
Address and Secondary Netmask fields. These fields are not supported on AppNav Controller Interface
Module ports.
Configuring multiple IP addresses allows the device to be present in more than one subnet and can be
used to optimize the response time because it allows the data to go directly from the WAAS device to
the client that is requesting the information without being redirected through a router. The WAAS device
becomes visible to the client because both are configured on the same subnet.
Step 15
In the Default Gateway field, enter the default gateway IP address. If an interface is configured for
DHCP, then this field is read only. (The Default Gateway field is not shown for devices using WAAS
versions 5.0 or later; instead configure it as described in the “Configuring the Default Gateway” section
on page 6-9.)
Step 16
(Optional) From the Inbound ACL drop-down list, choose an IP ACL to apply to inbound packets.
The drop-down list contains all the IP ACLs that you configured in the system.
Step 17
(Optional) From the Outbound ACL drop-down list, choose an IP ACL to apply to outbound packets.
Step 18
Click OK. (For devices using WAAS versions earlier than 5.0, click Submit.)
Note
Changing the interface transmission speed, duplex mode, or MTU can cause network disruption for up
to 30 seconds. The best practice is to make such changes when traffic interception is disabled or at an
off-peak time when traffic disruption is acceptable.
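The duplex, autosense and MTU rules in this procedure, together with the earlier warning that an AppNav Controller and its Cisco Nexus 7000 neighbor must agree on auto-negotiation, can be audited from the running configuration before a change window. The following Python script is an added example, not part of the guide or of WAAS: it parses interface stanzas from a WAE running configuration and compares them with a table describing the adjacent switch ports, flagging half duplex on either side, an MTU outside the 576–1500 range, an autonegotiate setting that differs between the two ends (checked here for any neighbor, not only Nexus 7000), and fixed speed/duplex values that do not match. The stanza syntax assumed (autosense, bandwidth, full-duplex/half-duplex and mtu lines under interface), the sample configuration and the switch-port table are constructed for the example; check the syntax against your own show running-config output.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt. The stanza syntax (interface, autosense,
# bandwidth, full-duplex/half-duplex, mtu) is an assumption for this example.
WAE_CONFIG = """\
interface GigabitEthernet 0/0
 ip address 10.10.10.5 255.255.255.0
 exit
interface GigabitEthernet 0/1
 no autosense
 bandwidth 1000
 full-duplex
 mtu 9000
 exit
interface GigabitEthernet 1/0
 no autosense
 bandwidth 100
 half-duplex
 exit
"""

# Constructed view of the adjacent switch ports (taken from the switch's own
# interface configuration), keyed by the WAE interface each one connects to.
SWITCH_PORTS: Dict[str, dict] = {
    "GigabitEthernet 0/0": {"autoneg": False, "speed": 1000, "duplex": "full"},
    "GigabitEthernet 0/1": {"autoneg": False, "speed": 1000, "duplex": "full"},
    "GigabitEthernet 1/0": {"autoneg": False, "speed": 100, "duplex": "half"},
}

MTU_MIN, MTU_MAX = 576, 1500   # per-interface range given by the guide


def parse_wae_interfaces(running_config: str) -> Dict[str, dict]:
    """Split the config into per-interface settings.

    Defaults (assumed) are autosense on, full duplex, MTU 1500, no fixed speed;
    a stanza ends at 'exit' or at the next unindented line.
    """
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+ \S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"autosense": True, "duplex": "full", "speed": None, "mtu": 1500}
            continue
        if current is None:
            continue
        if line == "exit" or not raw.startswith(" "):
            current = None
            continue
        cfg = interfaces[current]
        if line == "no autosense":
            cfg["autosense"] = False
        elif line == "autosense":
            cfg["autosense"] = True
        elif line in ("full-duplex", "half-duplex"):
            cfg["duplex"] = line.split("-")[0]
        elif line.startswith("bandwidth "):
            cfg["speed"] = int(line.split()[1])
        elif line.startswith("mtu "):
            cfg["mtu"] = int(line.split()[1])
    return interfaces


def audit_interfaces(wae_config: str, switch_ports: Dict[str, dict]) -> List[str]:
    """Return one finding per rule violated, in interface order."""
    findings: List[str] = []
    for name, cfg in parse_wae_interfaces(wae_config).items():
        if cfg["duplex"] == "half":
            findings.append(f"{name}: WAE configured half-duplex; use full duplex")
        if not MTU_MIN <= cfg["mtu"] <= MTU_MAX:
            findings.append(f"{name}: MTU {cfg['mtu']} is outside {MTU_MIN}-{MTU_MAX}")
        port = switch_ports.get(name)
        if port is None:
            findings.append(f"{name}: no adjacent port record; duplex not verified")
            continue
        if port["duplex"] == "half":
            findings.append(f"{name}: adjacent port is half-duplex; use full duplex")
        if port["autoneg"] != cfg["autosense"]:
            wae = "on" if cfg["autosense"] else "off"
            adj = "on" if port["autoneg"] else "off"
            findings.append(f"{name}: autonegotiate mismatch (WAE {wae}, adjacent {adj}); link may flap")
        elif not cfg["autosense"] and (port["speed"], port["duplex"]) != (cfg["speed"], cfg["duplex"]):
            findings.append(f"{name}: fixed settings differ (WAE {cfg['speed']}/{cfg['duplex']}, "
                            f"adjacent {port['speed']}/{port['duplex']})")
    return findings


if __name__ == "__main__":
    for finding in audit_interfaces(WAE_CONFIG, SWITCH_PORTS):
        print(finding)
```

On the constructed input the audit reports an autonegotiate mismatch on GigabitEthernet 0/0, an out-of-range MTU on GigabitEthernet 0/1, and half duplex on both ends of GigabitEthernet 1/0; each of those is a change the guide warns can disrupt traffic for up to 30 seconds, so the findings are best cleared with interception disabled or at an off-peak time.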
Configuring the Default Gateway
On WAAS devices with version 5.0 or later, configure the default gateway as follows:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Default Gateway.
The Default Gateway window appears.
Step 3
In the Default Gateway field, enter the default gateway IP address.
Step 4
Click Submit.
To configure a default gateway from the CLI, you can use the ip default-gateway global configuration
command.
On WAAS devices with versions earlier than 5.0, the default gateway is configured within the interface
settings for each interface.
Configuring Port-Channel Settings
The WAAS software supports the grouping of up to four (eight on AppNav Controller Interface
Modules) physical network interfaces into one logical interface called a port channel. After you
configure this port-channel interface, you must associate physical interfaces with the port channel.
You can configure up to four port-channel interfaces (seven on AppNav Controller Interface Modules).
This capability also provides interoperability with Cisco routers, switches, and other networking devices
or hosts supporting EtherChannel, load balancing, and automatic failure detection and recovery based
on each interface’s current link status. EtherChannel is also referred to as a port channel.
You can use a port channel as a member of a standby group, as a bridge virtual interface (BVI) for a virtual blade, or
as a member of an inline bridge group on an AppNav Controller Interface Module. For more information
on configuring a BVI, see the “Bridging to a Virtual Blade Interface” section on page 6-17. For more
information on configuring a bridge group on an AppNav Controller Interface Module, see the
“Configuring Inline Operation on ANCs” section on page 5-49 or use the AppNav Cluster wizard as
described in the “Creating a New AppNav Cluster with the Wizard” section on page 4-14.
The following operating considerations apply to a port-channel virtual interface:
• A physical interface can be a member of a port channel or a standby group, but not both.
• You cannot assign an IP address to both a port channel and a standby group. Only one logical
interface can be configured with an IP address.
• All port-channel member interfaces must have the same port bandwidth.
• Port-channel settings are not applicable to vWAAS devices.
• You cannot include a built-in Ethernet port and a port on a Cisco Interface Module in the same
port-channel interface.
Note
You must disable autoregistration if the device has only two interfaces and both device interfaces are
configured as port-channel interfaces.
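The standby-group considerations in "Configuring a Standby Interface" and the port-channel considerations above are rules that can be checked before a change is submitted. The following Python validator is an added example, not Cisco code: it models a device's logical interfaces as plain data (the Device and LogicalIf classes, the sample devices and the interface names are constructed for the example) and reports violations of the limits and membership rules the guide states: standby member count and type, the per-platform maximums for standby groups, port channels and port-channel members, a physical interface shared between a standby group and a port channel, a group that mixes built-in and interface-module ports, unequal port-channel member bandwidth, a port channel that joins a standby group but keeps its own IP address, and two IP-bearing logical interfaces on a device with only two interfaces.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LogicalIf:
    members: List[str]                      # physical interface names
    ip: Optional[str] = None
    standby_group: Optional[int] = None     # port channels only: standby group joined


@dataclass
class Device:
    name: str
    major_version: int                      # 4 = earlier than 5.0, 5 = 5.0 or later
    builtin: Set[str]                       # built-in Ethernet ports
    module_ports: Set[str] = field(default_factory=set)   # Cisco Interface Module / ANC module ports
    speed_mbps: Dict[str, int] = field(default_factory=dict)
    standby: Dict[int, LogicalIf] = field(default_factory=dict)
    port_channels: Dict[int, LogicalIf] = field(default_factory=dict)
    anc_module: bool = False                # AppNav Controller Interface Module present


def _mixed(dev: Device, phys: List[str]) -> bool:
    """True if the member list mixes built-in ports with interface-module ports."""
    return bool(set(phys) & dev.builtin) and bool(set(phys) & dev.module_ports)


def validate(dev: Device) -> List[str]:
    """Return one message per rule violated; an empty list means the layout is allowed."""
    errs: List[str] = []
    max_standby, max_pc, max_pc_members = (3, 7, 8) if dev.anc_module else (2, 4, 4)
    if len(dev.standby) > max_standby:
        errs.append(f"{len(dev.standby)} standby groups; limit is {max_standby}")
    if len(dev.port_channels) > max_pc:
        errs.append(f"{len(dev.port_channels)} port channels; limit is {max_pc}")

    standby_phys: Dict[str, int] = {}       # physical member -> standby group
    for num, grp in dev.standby.items():
        # Port channels join a standby group from their own settings window.
        pcs = [f"PortChannel {n}" for n, pc in dev.port_channels.items() if pc.standby_group == num]
        members = list(grp.members) + pcs
        if len(members) != 2:
            errs.append(f"Standby {num}: needs exactly two members, has {len(members)}")
        if grp.members and pcs:
            errs.append(f"Standby {num}: mixes physical and port-channel members")
        if pcs and dev.major_version < 5:
            errs.append(f"Standby {num}: port-channel members need WAAS 5.0 or later")
        if _mixed(dev, grp.members):
            errs.append(f"Standby {num}: mixes built-in and interface-module ports")
        for m in grp.members:
            standby_phys[m] = num

    pc_phys: Dict[str, int] = {}            # physical member -> port channel
    for num, pc in dev.port_channels.items():
        if len(pc.members) > max_pc_members:
            errs.append(f"PortChannel {num}: {len(pc.members)} members; limit is {max_pc_members}")
        if len({dev.speed_mbps.get(m) for m in pc.members}) > 1:
            errs.append(f"PortChannel {num}: members must have the same port bandwidth")
        if pc.standby_group is not None and pc.ip:
            errs.append(f"PortChannel {num}: joins Standby {pc.standby_group}, so it must not carry its own IP address")
        if _mixed(dev, pc.members):
            errs.append(f"PortChannel {num}: mixes built-in and interface-module ports")
        for m in pc.members:
            pc_phys[m] = num

    for m in sorted(set(standby_phys) & set(pc_phys)):
        errs.append(f"{m}: member of both Standby {standby_phys[m]} and PortChannel {pc_phys[m]}")

    if len(dev.builtin | dev.module_ports) == 2:
        with_ip = [f"Standby {n}" for n, g in dev.standby.items() if g.ip] + \
                  [f"PortChannel {n}" for n, p in dev.port_channels.items() if p.ip]
        if len(with_ip) > 1:
            errs.append("two-interface device: only one logical interface may have an IP address, found "
                        + ", ".join(with_ip))
    return errs


# Constructed sample devices (names and addresses invented for the example).
GOOD = Device(
    name="wave-594-good", major_version=5,
    builtin={"GigabitEthernet 0/0", "GigabitEthernet 0/1"},
    module_ports={"GigabitEthernet 1/0", "GigabitEthernet 1/1"},
    speed_mbps={"GigabitEthernet 1/0": 1000, "GigabitEthernet 1/1": 1000},
    standby={1: LogicalIf(["GigabitEthernet 0/0", "GigabitEthernet 0/1"], ip="10.0.0.5")},
    port_channels={1: LogicalIf(["GigabitEthernet 1/0", "GigabitEthernet 1/1"], ip="10.0.1.5")},
)
BAD = Device(
    name="wae-674-bad", major_version=4,
    builtin={"GigabitEthernet 1/0", "GigabitEthernet 2/0"},
    standby={1: LogicalIf(["GigabitEthernet 1/0"], ip="10.0.0.5")},
    port_channels={1: LogicalIf(["GigabitEthernet 1/0", "GigabitEthernet 2/0"], ip="10.0.0.6")},
)

if __name__ == "__main__":
    for dev in (GOOD, BAD):
        print(dev.name, validate(dev) or ["ok"])
```

The BAD device shows the three mistakes that are easiest to make on a two-port appliance: a standby group with a single member, one port claimed by both the standby group and the port channel, and an IP address on both logical interfaces. The validator only knows the rules quoted from the guide; it does not replace the Central Manager's own checks at submit time.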
Configuring a port-channel interface differs, depending on the version of the WAAS device that you are
configuring. See one of the following topics:
• Configuring a Port-Channel Interface on a Device with Version 5.0 or Later, page 6-10
• Configuring a Port-Channel Interface on a Device Earlier than Version 5.0, page 6-11
Configuring a Port-Channel Interface on a Device with Version 5.0 or Later
To configure a port-channel interface for devices with WAAS version 5.0 or later, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device appears.
Step 3 In the taskbar of the lower area, click the Create Logical Interface icon. The Create Logical Interface window appears.
Step 4 From the Logical Interface Type drop-down list, choose PortChannel and click OK. The window refreshes with fields for configuring the port-channel interface settings.
Step 5 From the Port Channel Number drop-down list, choose a number for the interface.
Step 6 (Optional) From the Bridge Group Number drop-down list, choose a bridge group number with which to associate this interface, or choose None. The bridge group number can be associated with a BVI or an inline bridge group defined on an AppNav Controller.
Step 7 (Optional) From the Standby Group Number drop-down list, choose a standby group number with which to associate this interface, or choose None.
You must create the standby group with no assigned interfaces before it appears as a choice in this list.
Step 8 (Optional) In the Description field, enter a description for the interface.
Step 9 (Optional) Check the Shutdown check box to shut down the hardware interface. By default, this option is disabled.
If you plan to assign this port-channel interface to a standby interface, check this box.
Step 10 (Optional) From the Load Interval drop-down list, choose the interval in seconds at which to poll the interface for statistics and calculate throughput. The default is 30 seconds.
Step 11 In the Address field, specify the IP address of the interface.
If you are assigning this port-channel interface to a standby group, do not configure an IP address or netmask. The standby group supplies the IP address and netmask.
Step 12 In the Netmask field, specify the netmask of the interface.
Step 13 (Optional) From the Inbound ACL drop-down list, choose an IP ACL to apply to inbound packets. The drop-down list contains all the IP ACLs that you configured in the system.
Step 14 (Optional) From the Outbound ACL drop-down list, choose an IP ACL to apply to outbound packets.
Step 15 In the Assign Interfaces area, click the check box next to the interfaces that you want to assign to this port channel and click the Assign taskbar icon. To unassign any assigned interfaces, check each interface that you want to unassign and click the Unassign taskbar icon.
If you plan to assign this port-channel interface to a standby interface, do not assign interfaces until after the port channel is assigned to the standby interface.
Step 16 Click OK.
Configuring a Port-Channel Interface on a Device Earlier than Version 5.0
To configure a port-channel interface for devices with WAAS versions earlier than 5.0, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window appears, listing all the interfaces for the chosen device.
Step 3 In the taskbar, click the Create New Interface icon. The Creating New Network Interface window appears.
Step 4 From the Port Type drop-down list, choose PortChannel. The window refreshes and provides fields for configuring the network interface settings.
Step 5 In the Port Channel Number drop-down list, choose the number of the port-channel interface. Up to four port channels are supported, depending on the WAAS device model and installed interface module.
Step 6 (Optional) In the Bridge Group Number drop-down list, choose the number of the bridge group to which you want to assign this port-channel interface, if you want to bridge to a virtual blade.
Step 7 (Optional) In the Description field, enter a description for the port channel.
Step 8 (Optional) Check the Shutdown check box to shut down this interface. By default, this option is disabled.
Step 9 In the Default Gateway field, enter the default gateway IP address.
Step 10 In the Address field, specify the IP address of the interface.
Step 11 In the Netmask field, specify the netmask of the interface.
Step 12 (Optional) From the Inbound ACL drop-down list, choose an IP ACL to apply to inbound packets. The drop-down list contains all the IP ACLs that you configured in the system.
Step 13 (Optional) From the Outbound ACL drop-down list, choose an IP ACL to apply to outbound packets.
Step 14 Click Submit.
Step 15 Configure the physical interface members as described in the “Assigning Physical Interfaces to a Port Channel” section on page 6-12.
After you create the port-channel interface, you need to assign physical interfaces to the port channel.
Assigning Physical Interfaces to a Port Channel
After you have configured a logical port-channel interface, you must assign multiple physical interfaces to the port channel. You can assign up to four physical interfaces to one port-channel interface, depending on the WAAS device.
You can assign an interface to a port channel only if the interface does not have an IP address assigned. The interface uses the IP address of the port channel.
You cannot combine built-in Ethernet ports with ports on a Cisco Interface Module into the same port-channel interface.
Note
Removing a physical interface from a port channel on device models WAE-612/674/7341/7371 and WAVE-574 can cause network disruption for up to 30 seconds. The best practice is to make such changes when traffic interception is disabled or at an off-peak time when traffic disruption is acceptable.
To add an interface to a port channel, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device appears.
Step 3 Click the Edit icon next to the physical interface that you want to assign to a port channel. The Modifying Network Interface window appears.
Choose a physical interface, not a logical interface (standby, port channel, or BVI), in this step.
Step 4 Complete the following steps to assign the interface to a port channel:
a. In the Port Type To Assign drop-down list, choose PortChannel.
b. In the Port Channel Number drop-down list, choose the number of the port channel to which you want to add the physical interface.
Step 5 Click Submit.
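The port-channel membership rules from the operating considerations and from this assignment section, written out as a consistency checker. This is an added example and not part of the Cisco WAAS guide; the Interface, LogicalInterface and Device classes and the two sample inventories are constructed for illustration and nothing here reads a real WAAS configuration.

```python
"""Checker for the port-channel membership rules stated in this section.

Added example, not from the Cisco WAAS guide: the Interface, LogicalInterface
and Device classes and the two inventories below are constructed to mirror the
rules in the text; nothing here reads a real WAAS configuration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    """A physical port on the device."""
    name: str
    kind: str                            # "builtin" or "module" (Cisco Interface Module port)
    bandwidth_mbps: int
    ip_address: Optional[str] = None
    port_channel: Optional[int] = None   # port-channel number it is assigned to, if any
    standby_group: Optional[int] = None  # standby group it is assigned to, if any


@dataclass
class LogicalInterface:
    """A port channel or standby group, the only kinds that may carry the shared IP."""
    kind: str                            # "port-channel" or "standby"
    number: int
    ip_address: Optional[str] = None


@dataclass
class Device:
    is_vwaas: bool
    autoregistration: bool
    physical: List[Interface] = field(default_factory=list)
    logical: List[LogicalInterface] = field(default_factory=list)


def check_port_channels(dev: Device) -> List[str]:
    """Return every rule violation found; an empty list means the layout is consistent."""
    problems: List[str] = []
    port_channels = [l for l in dev.logical if l.kind == "port-channel"]

    if dev.is_vwaas and port_channels:
        problems.append("port-channel settings are not applicable to vWAAS devices")

    for itf in dev.physical:
        # A physical interface may join a port channel or a standby group, not both.
        if itf.port_channel is not None and itf.standby_group is not None:
            problems.append(f"{itf.name}: member of both a port channel and a standby group")
        # A member must not have its own address; it uses the port channel's address.
        if itf.port_channel is not None and itf.ip_address:
            problems.append(f"{itf.name}: has an IP address but is assigned to a port channel")

    # Only one logical interface may be configured with an IP address.
    if sum(1 for l in dev.logical if l.ip_address) > 1:
        problems.append("IP address configured on more than one logical interface")

    for pc in port_channels:
        members = [i for i in dev.physical if i.port_channel == pc.number]
        # Four is the upper bound the text gives; the real limit depends on the model.
        if len(members) > 4:
            problems.append(f"port channel {pc.number}: more than four member interfaces")
        if len({m.bandwidth_mbps for m in members}) > 1:
            problems.append(f"port channel {pc.number}: members differ in port bandwidth")
        if len({m.kind for m in members}) > 1:
            problems.append(f"port channel {pc.number}: mixes built-in and interface module ports")

    # Two-interface device with both ports in port channels: autoregistration must be off.
    if (dev.autoregistration and len(dev.physical) == 2
            and all(i.port_channel is not None for i in dev.physical)):
        problems.append("autoregistration is enabled but both interfaces are port-channel members")
    return problems


# Constructed sample inventories (names and addresses are illustrative only).
GOOD_DEVICE = Device(
    is_vwaas=False, autoregistration=False,
    physical=[Interface("GigabitEthernet 1/0", "builtin", 1000, port_channel=1),
              Interface("GigabitEthernet 2/0", "builtin", 1000, port_channel=1)],
    logical=[LogicalInterface("port-channel", 1, ip_address="192.0.2.10")],
)
BAD_DEVICE = Device(
    is_vwaas=False, autoregistration=True,
    physical=[Interface("GigabitEthernet 1/0", "builtin", 1000, ip_address="192.0.2.5",
                        port_channel=1, standby_group=1),
              Interface("TenGigabitEthernet 1/0", "module", 10000, port_channel=1)],
    logical=[LogicalInterface("port-channel", 1, ip_address="192.0.2.10"),
             LogicalInterface("standby", 1, ip_address="192.0.2.11")],
)

if __name__ == "__main__":
    for label, dev in (("good", GOOD_DEVICE), ("bad", BAD_DEVICE)):
        print(label, check_port_channels(dev) or ["no problems"])
```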
Configuring a Load-Balancing Method for Port-Channel Interfaces
Before you configure load balancing, ensure that you have configured the port-channel settings described in the “Configuring Port-Channel Settings” section on page 6-9.
To configure load balancing, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Network > Port Channel.
Step 3 From the Load Balancing Method drop-down list, choose a load-balancing method:
• src-dst-ip-port—The distribution function is based on a combination of source and destination IP addresses and ports. This load-balancing method is available only on devices running version 4.4.1 and later.
• src-dst-ip—The distribution function is based on a combination of source and destination IP addresses. This load-balancing method is available only on devices running version 5.0.1 and later.
• round-robin—Round robin allows traffic to be distributed evenly among all interfaces in the channel group. This load-balancing method is available only on devices running versions earlier than 4.4.1.
Step 4 Click Submit.
To configure a load-balancing method from the CLI, you can use the port-channel global configuration command.
Note
A device group may be configured with a load-balancing method supported only by previous WAAS software versions to configure devices running previous versions. When viewing the Port Channel Settings page for a version 4.4.1 or later device that gets its settings from such a device group, you may see an unsupported load-balancing method listed. However, a version 4.4.1 or later device supports only the load-balancing methods as described above, regardless of what the device group or device configuration window shows for the setting.
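The three load-balancing methods and their version gating, plus the device-group mismatch the Note describes, as an added example that is not Cisco code. The version thresholds follow the text above; the hash used to pick a member link is a constructed stand-in, since the guide does not state the algorithm WAAS uses.

```python
"""Port-channel load-balancing methods and their version gating (added example).

The version table follows the text: src-dst-ip-port from 4.4.1, src-dst-ip from
5.0.1, round-robin only before 4.4.1. The member-link hash is a constructed
stand-in, not the WAAS implementation.
"""
from itertools import count
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]   # (src_ip, dst_ip, src_port, dst_port)


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def supported_methods(version: str) -> List[str]:
    """Methods a device running the given WAAS version accepts, per the text above."""
    ver = parse_version(version)
    methods: List[str] = []
    if ver >= (4, 4, 1):
        methods.append("src-dst-ip-port")
    if ver >= (5, 0, 1):
        methods.append("src-dst-ip")
    if ver < (4, 4, 1):
        methods.append("round-robin")
    return methods


def check_group_setting(device_version: str, group_method: str) -> str:
    """Flag the case in the Note: a device group carrying a method the device cannot use."""
    if group_method in supported_methods(device_version):
        return "ok"
    return (f"device group method {group_method!r} is not supported on version "
            f"{device_version}; supported: {supported_methods(device_version)}")


class MemberSelector:
    """Maps flows to member-link indexes for each load-balancing method."""

    def __init__(self, method: str, members: int):
        if members < 1:
            raise ValueError("a port channel needs at least one member")
        self.method = method
        self.members = members
        self._rr = count()          # round-robin position

    @staticmethod
    def _hash(*fields) -> int:
        # Constructed, deterministic hash over the chosen header fields
        # (not the WAAS hardware/software hash).
        h = 0
        for f in fields:
            for ch in str(f):
                h = (h * 31 + ord(ch)) & 0xFFFFFFFF
        return h

    def pick(self, flow: Flow) -> int:
        src, dst, sport, dport = flow
        if self.method == "src-dst-ip-port":
            return self._hash(src, dst, sport, dport) % self.members
        if self.method == "src-dst-ip":
            # Every flow between one host pair lands on the same member link.
            return self._hash(src, dst) % self.members
        if self.method == "round-robin":
            return next(self._rr) % self.members
        raise ValueError(f"unknown load-balancing method {self.method!r}")


def distribution(method: str, members: int, flows: List[Flow]) -> Dict[int, int]:
    """Count how many of the given flows each member link would carry."""
    selector = MemberSelector(method, members)
    counts: Dict[int, int] = {i: 0 for i in range(members)}
    for flow in flows:
        counts[selector.pick(flow)] += 1
    return counts


# Constructed sample: ten flows between the same two hosts on different source ports.
SAME_PAIR_FLOWS: List[Flow] = [("10.1.1.10", "10.2.2.20", 40000 + i, 445) for i in range(10)]

if __name__ == "__main__":
    print(check_group_setting("5.0.1", "round-robin"))
    for method in supported_methods("5.0.1") + ["round-robin"]:
        print(method, distribution(method, 2, SAME_PAIR_FLOWS))
```

With two member links, src-dst-ip sends all ten same-pair flows down one link while src-dst-ip-port can spread them, which is the practical difference between the two hashed methods.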
Configuring Interfaces for DHCP
Note
You must disable autoregistration before you can manually configure an interface for DHCP.
A WAAS device sends its configured client identifier and hostname to the DHCP server when requesting
network information. You can configure DHCP servers to identify the client identifier information and
the hostname information that the WAAS device is sending and then to send back the specific network
settings that are assigned to the WAAS device.
To enable an interface for DHCP, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces listing window appears.
Step 3 Choose the physical interface that you want to modify and click the Edit taskbar icon. (For devices using WAAS versions earlier than 5.0, click the Edit icon next to the interface.) The Interface Settings window appears.
Note
Do not choose a logical interface (standby, port channel, or BVI) in this step, because you cannot configure DHCP on a logical interface. In addition, do not choose the internal interface (GigabitEthernet 1/0) on an NME-WAE or SM-SRE module, because this interface can be configured only through the host router CLI. For NME-WAE details, see the document Configuring Cisco WAAS Network Modules for Cisco Access Routers. For SM-SRE details, see the document Cisco SRE Service Module Configuration and Installation Guide.
Step 4 Check the Use DHCP check box. When this check box is checked, the IP address and netmask fields are disabled.
Step 5 In the Hostname field, specify the hostname for the WAAS device or other device.
Step 6 In the Client Id field, specify the configured client identifier for the device. The DHCP server uses this identifier when the WAAS device requests the network information for the device.
Step 7 Click Submit.
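A round trip of the identification mechanism described above (the device sends a hostname and client identifier, the DHCP server matches them to fixed settings), added here as an example and not taken from the guide. The option codes are the standard DHCP ones (12 Host Name and 61 Client-identifier, RFC 2132); the reservation tables and the request are constructed, and only the options area of a DHCP message is handled, not the full header.

```python
"""DHCP hostname / client-identifier matching (added example, not from the guide).

Option codes are the standard ones from RFC 2132; the reservation tables are
constructed. Only the options area of a DHCP message is built and parsed here.
"""
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options area
OPT_HOST_NAME = 12                   # RFC 2132 Host Name
OPT_CLIENT_ID = 61                   # RFC 2132 Client-identifier
OPT_END = 255


def build_options(hostname: str, client_id: bytes) -> bytes:
    """Encode what the client sends: hostname and client identifier as TLVs."""
    host = hostname.encode("ascii")
    if not 1 <= len(host) <= 255 or not 1 <= len(client_id) <= 255:
        raise ValueError("DHCP option payloads are limited to 1..255 bytes")
    return (MAGIC_COOKIE
            + bytes([OPT_HOST_NAME, len(host)]) + host
            + bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
            + bytes([OPT_END]))


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Decode TLV options; rejects a missing cookie or a length that runs off the end."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad octet, no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} exceeds message")
        opts[code] = value
        i += 2 + length
    return opts


Reservation = Tuple[str, str, str]    # (ip_address, netmask, gateway)


def lookup_reservation(opts: Dict[int, bytes],
                       by_client_id: Dict[bytes, Reservation],
                       by_hostname: Dict[str, Reservation]) -> Optional[Reservation]:
    """Server side: match on the client identifier first, then fall back to the hostname.

    Both values are chosen by the client and are not authenticated, so a reservation
    selects settings for a device but does not prove which device sent the request.
    """
    cid = opts.get(OPT_CLIENT_ID)
    if cid is not None and cid in by_client_id:
        return by_client_id[cid]
    host = opts.get(OPT_HOST_NAME)
    if host is not None:
        return by_hostname.get(host.decode("ascii", errors="replace"))
    return None


# Constructed reservation tables (addresses are documentation-range placeholders).
BY_CLIENT_ID: Dict[bytes, Reservation] = {
    b"wae-branch-01": ("192.0.2.10", "255.255.255.0", "192.0.2.1"),
}
BY_HOSTNAME: Dict[str, Reservation] = {
    "wae-branch-02": ("192.0.2.11", "255.255.255.0", "192.0.2.1"),
}


def settings_for(hostname: str, client_id: bytes) -> Optional[Reservation]:
    """Encode the client's request, parse it as the server would, and look it up."""
    opts = parse_options(build_options(hostname, client_id))
    return lookup_reservation(opts, BY_CLIENT_ID, BY_HOSTNAME)


if __name__ == "__main__":
    print(settings_for("wae-branch-01", b"wae-branch-01"))
    print(settings_for("wae-branch-02", b"not-registered"))
    print(settings_for("unknown-host", b"not-registered"))
```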
Modifying Virtual Interface Settings for a vWAAS Device
To modify the settings of an existing vWAAS interface, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window appears, listing the network interfaces configured.
Note
Certain values (including autosense) are not applicable to a vWAAS interface.
Step 3 Choose the interface that you want to modify and click the Edit taskbar icon. (For devices using WAAS versions earlier than 5.0, click the Edit icon next to the interface.) The Interface Settings window appears, displaying the interface configurations on a particular slot and port.
Note
Interface configurations for slot, port, and port type are set for virtual interfaces during initial startup or by using the WAAS CLI. Some of the fields in the window (port-channel number, autosense, speed, mode, and standby-related fields) are not available because they are not applicable.
Step 4 (Optional) In the Description field, enter a description for the interface.
Step 5 (Optional) Check the Use CDP check box to enable the Cisco Discovery Protocol (CDP) on an interface.
When enabled, CDP obtains protocol addresses of neighboring devices and discovers the platform of
those devices. It also shows information about the interfaces used by your router.
Configuring CDP from the CDP Settings window enables CDP globally on all the interfaces. For
information on configuring CDP settings, see the “Configuring CDP Settings” section on page 6-25.
Step 6 (Optional) Check the Shutdown check box to shut down the virtual interface.
Step 7 (Optional) From the Load Interval drop-down list, choose the interval in seconds at which to poll the interface for statistics and calculate throughput. The default is 30 seconds. (The Load Interval item is not shown for devices using WAAS versions earlier than 5.0.)
Step 8 Specify a value (in bytes) in the MTU field to set the interface Maximum Transmission Unit (MTU) size. The range is 576–1500 bytes. The MTU is the largest size of IP datagram that can be transferred using a specific data link connection.
Note
The MTU field is not editable if a system jumbo MTU is configured.
Step 9 Check the Use DHCP check box to obtain an interface IP address through DHCP. Checking this box hides the IP address and Netmask fields. (For devices with WAAS versions earlier than 5.0, these fields are not hidden but become grayed out.)
a. (Optional) In the Hostname field, specify the hostname for the WAAS device or other device.
b. (Optional) In the Client Id field, specify the configured client identifier for the device. The DHCP server uses this identifier when the WAAS device requests the network information for the device.
Step 10 In the Address field, enter a new IP address to change the interface IP address.
Step 11 In the Netmask field, enter a new netmask to change the interface netmask.
Step 12 In the Default Gateway field, enter the default gateway IP address. The gateway interface IP address should be in the same network as one of the device’s network interfaces. If an interface is configured for DHCP, then this field is read only. (The Default Gateway field is not shown for devices using WAAS versions 5.0 or later; instead, configure it as described in the “Configuring the Default Gateway” section on page 6-9.)
Step 13 (Optional) From the Inbound ACL drop-down list, choose an IP ACL to apply to inbound packets. The drop-down list contains all the IP ACLs that you configured in the system.
Step 14 (Optional) From the Outbound ACL drop-down list, choose an IP ACL to apply to outbound packets.
Step 15 Click OK. (For devices using WAAS versions earlier than 5.0, click Submit.)
Configuring Optimization on WAAS Express Interfaces
WAAS Express device interfaces are configured by using the router CLI, not through the WAAS Central
Manager. However, you can enable or disable WAAS optimization on the available interfaces on the
router.
To enable or disable WAAS optimization on WAAS Express device interfaces, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > WAAS-Express-device-name (or Device Groups > WAAS-Express-device-group-name).
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window appears and lists the available interfaces. (See Figure 6-2.)
Note
Loopback interfaces are not included because they are not valid interfaces for optimization. Null, Virtual-Access, NVI, and Embedded-Service interfaces are also not supported.
Figure 6-2 WAAS Express Network Interfaces Device Window
For a device group, the Network Interfaces window appears differently and displays an interface name, the number of devices that contain that interface, and the Optimization check box, which is checked if any devices in the group have optimization enabled on the interface. A message describes how many devices have optimization enabled on the interface. (See Figure 6-3.)
Figure 6-3 WAAS Express Network Interfaces Device Group Interfaces Window
Step 3 Check the Optimization check box for each interface on which you want to enable WAAS optimization. Remove check marks from interfaces on which you want to disable WAAS optimization. You can click Enable All to select all interfaces or click Disable All to deselect all interfaces.
Enable WAAS optimization only on WAN interfaces, not LAN interfaces.
For a device group, checking the optimization check box for an interface enables optimization on that interface for all devices in the group that have the interface. You can click the number of devices to display a list of devices on which an interface is available and individually configure optimization on those devices. (See Figure 6-4.)
Figure 6-4 WAAS Express Network Interfaces Device Group Devices Window
Step 4 Click Submit.
Bridging to a Virtual Blade Interface
To provide network connectivity to a virtual blade, you use a bridge group and bridge virtual interface
(BVI) to associate a physical interface with a virtual interface on the virtual blade.
BVIs are supported only on WAAS devices that support virtual blades. BVIs are not supported on
AppNav Controller Interface Modules or on WAAS devices operating as AppNav Controllers.
You can create up to five bridge interfaces on a device, depending on the device model.
Configuring a BVI differs, depending on the version of the WAAS device that you are configuring. See one of the following topics:
• Configuring a Bridge Virtual Interface on a Device with Version 5.0 or Later, page 6-17
• Configuring a Bridge Virtual Interface on a Device Earlier than Version 5.0, page 6-18
Configuring a Bridge Virtual Interface on a Device with Version 5.0 or Later
To configure a BVI for devices with WAAS version 5.0 or later, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device appears.
Step 3 In the lower part of the window, click the Bridge tab.
Step 4 In the taskbar of the lower area, click the Create Bridge icon. The Create Bridge window appears.
Step 5 From the Bridge Index drop-down list, choose a bridge group number for the interface.
Step 6 From the Protocol drop-down list, choose the ieee protocol type to support a BVI.
Step 7 (Optional) In the Description field, enter a description for the interface.
Step 8 (Optional) From the Load Interval drop-down list, choose the interval in seconds at which to poll the interface for statistics and calculate throughput. The default is 30 seconds.
Step 9 (Optional) Check the Use DHCP check box to obtain an interface IP address through DHCP. Checking this box hides the Address and Netmask fields. Optionally supply a hostname in the Hostname field and a client ID in the Client Id field.
Step 10 In the Address field, specify the IP address of the interface.
Step 11 In the Netmask field, specify the netmask of the interface.
Step 12 (Optional) In the Secondary Address and Secondary Netmask fields, enter up to four secondary IP addresses and corresponding subnet masks.
Step 13 In the Assign Interfaces area, check the box next to the interface that you want to assign to this bridge group and click the Assign taskbar icon. To unassign an assigned interface, check the interface that you want to unassign and click the Unassign taskbar icon. Only one interface can be assigned to the bridge group and it can be a physical, port-channel, or standby interface.
Step 14 Click OK.
Configuring a Bridge Virtual Interface on a Device Earlier than Version 5.0
To configure a BVI for devices with WAAS versions earlier than 5.0, follow these steps:
1. Create a bridge group.
2. Create a bridge virtual interface in the bridge group.
3. Assign one physical, port-channel, or standby interface to the bridge group.
4. Assign the virtual blade interface to the bridge group.
These steps are described in more detail in this section.
To create a bridge group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Bridge. The Bridge Settings window appears, listing the bridge interfaces configured.
From the Bridge Settings window, you can perform the following tasks:
• Delete an existing bridge interface by clicking the Edit icon next to the interface number. You can then delete the bridge interface by clicking the Delete taskbar icon.
• Add a new bridge interface, as described in the following steps.
Step 3 Click the Create Bridge Interface taskbar icon to create a bridge interface. The Creating new Bridge window appears.
Step 4 From the Bridge Index drop-down list, choose the number of the bridge interface (1–4).
Step 5 From the Protocol drop-down list, choose the ieee protocol type to support a BVI.
Step 6 Click Submit.
To create a bridge group from the CLI, you can use the bridge global configuration command.
After you create the bridge group, you must create a bridge virtual interface associated with the bridge group.
To create the bridge virtual interface, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window appears, listing all the interfaces for the chosen device.
Step 3 In the taskbar, click the Create New Interface icon. The Creating New Network Interface window appears.
Step 4 From the Port Type drop-down list, choose BVI. The window refreshes and provides fields for configuring the network interface settings.
Step 5 In the Bridge Group Number drop-down list, choose the number of the bridge group for this interface. Up to five bridge groups are supported, depending on the WAAS device model.
Step 6 (Optional) In the Description field, enter a description for the bridge virtual interface.
Step 7 Check the Use DHCP check box to obtain an interface IP address through DHCP. Checking this box grays out the IP address and Netmask fields.
a. (Optional) In the Hostname field, specify the hostname for the WAAS device or other device.
b. (Optional) In the Client Id field, specify the configured client identifier for the device. The DHCP server uses this identifier when the WAAS device requests the network information for the device.
Step 8 In the Default Gateway field, enter the default gateway IP address. If an interface is configured for DHCP, then this field is read only.
Step 9 In the Address field, specify the IP address of the interface.
Step 10 In the Netmask field, specify the netmask of the interface.
Step 11 In the Secondary Address and Secondary Netmask fields 1 through 4, enter up to four different IP addresses and secondary netmasks for the interface.
Step 12 Click Submit.
To create a bridge virtual interface from the CLI, you can use the interface bvi global configuration command.
After you create the bridge virtual interface, you must assign a physical, port-channel, or standby interface to the bridge group.
To assign an interface to the bridge group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window appears, listing all the interfaces for the chosen device.
Step 3 Click the Edit icon next to the physical, port-channel, or standby interface that you want to assign to the bridge group. Do not choose a primary interface because a primary interface cannot be assigned to a bridge group.
Step 4 In the Description field, optionally enter a description for the interface.
Step 5 Leave the Address and Netmask fields empty.
Step 6 If the interface is a physical interface, in the Port Type To Assign drop-down list, choose Bridge Group.
Step 7 In the Bridge Group Number drop-down list, choose the bridge group to which to assign the interface.
Step 8 Click Submit.
To assign a physical, port-channel, or standby interface to the bridge group from the CLI, you can use
the interface GigabitEthernet, interface TenGigabitEthernet, interface portchannel, or interface
standby global configuration commands, with the bridge-group keyword.
After you assign a physical or port-channel interface to the bridge group, you must assign a virtual blade
interface to the bridge group. For details, see the “Configuring Virtual Blades” section on page 14-4.
Configuring Management Interface Settings
On WAAS devices with version 5.0 or later, you can designate a specific interface to be used as the
management interface for communicating with the Central Manager, Telnet, SSH, and so on. This
configuration separates management traffic from data traffic. If you designate a management interface,
you must have another active interface to handle data traffic.
To configure the management interface settings, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Management Interface Settings. The Management Interface Settings window appears.
Step 3 From the Management Interface drop-down list, choose the interface that you want to use as the management interface.
Step 4 In the Management Default Gateway field, enter the default gateway IP address for management traffic.
Step 5 Check the Use Management Interface for FTP Traffic check box if you want to use the designated management interface for FTP traffic.
Step 6 Check the Use Management Interface for TFTP Traffic check box if you want to use the designated management interface for TFTP traffic.
Step 7 Click Submit. A confirmation message appears.
Step 8 Click OK.
To configure a different default gateway for management traffic from the CLI, you can use the ip default-gateway management global configuration command.
When you have designated a management interface, you can create static IP routes for management traffic, so that any IP packet that is designated for the specified destination uses the configured route.
To configure a static route for management traffic, follow these steps:
Step 1 In the Management Interface Settings window, in the Management IP Routes area, click the Create Management IP Route taskbar button. The Management IP Routes window appears.
Step 2 In the Destination Network Address field, enter the destination network IP address.
Step 3 In the Netmask field, enter the destination host netmask.
Step 4 In the Gateway’s IP Address field, enter the IP address of the gateway interface. The gateway interface IP address should be in the same network as the device’s management interface.
Step 5 Click Submit.
To configure a static route for management traffic from the CLI, you can use the ip route management
global configuration command.
Configuring a Jumbo MTU
A jumbo MTU can be configured on the following devices: WAE-674/7341/7371,
WAVE-294/594/694/7541/7571/8541, and vWAAS.
If configured, a jumbo MTU applies to all the device interfaces, including logical interfaces with at least
one member physical interface. The MTU for individual interfaces cannot be changed while the jumbo
MTU is configured. If the jumbo MTU is disabled, all interfaces are configured with a MTU of 1500.
To configure a jumbo MTU, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Jumbo MTU. The Jumbo MTU Settings window appears.
Step 3 In the System Jumbo MTU field, enter the jumbo MTU size in bytes (maximum size varies by platform).
Step 4 Click Submit.
Note
If the original and optimized maximum segment sizes are set to their default values and you configure a
jumbo MTU setting, the segment sizes are changed to the jumbo MTU setting minus 68 bytes. If you
have configured custom maximum segment sizes, their values are not changed if you configure a jumbo
MTU. For more information on configuring maximum segment sizes, see the “Modifying the
Acceleration TCP Settings” section on page 13-61.
To configure a jumbo MTU from the CLI, you can use the system jumbomtu global configuration
command.
Configuring TCP Settings
For data transactions and queries between client and servers, the size of windows and buffers is
important, so fine-tuning the TCP stack parameters becomes the key to maximizing cache performance.
Because of the complexities involved in TCP parameters, be careful when tuning these parameters. In
nearly all environments, the default TCP settings are adequate. Fine-tuning TCP settings is for network
administrators with adequate experience and full understanding of TCP operation details.
To configure TCP and IP settings, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Network > TCP/IP Settings > TCP/IP. The TCP/IP Settings window appears.
Step 3 Make the necessary changes to the TCP settings. See Table 6-1 for a description of each TCP field in this window.
Step 4 Click Submit.
A “Click Submit to Save” message appears in red next to the Current Settings line when there are pending changes to be saved after you have applied default or device group settings. You can also revert to the previously configured settings by clicking Reset. The Reset button is visible only when you have applied default or group settings to change the current device settings but have not yet submitted the changes.
Table 6-1 TCP Settings (TCP Setting: Description)
TCP General Settings
Enable Explicit Congestion Notification: Enables reduction of delay and packet loss in data transmissions. It provides TCP support for RFC 2581. By default, this option is enabled. For more information, see the “Explicit Congestion Notification” section on page 6-23.
Initial Send Congestion Window Size: Initial congestion window size value in segments. The range is 0 to 10 segments. The default is 0 segments. For more information, see the “Congestion Windows” section on page 6-23.
ReTransmit Time Multiplier: Factor used to modify the length of the retransmit timer by 1 to 3 times the base value determined by the TCP algorithm. The default is 1, which leaves the times unchanged. The range is 1 to 3. For more information, see the “Retransmit Time Multiplier” section on page 6-23.
Note
Modify this factor with caution. It can improve throughput when TCP is used over slow reliable connections but should never be changed in an unreliable packet delivery environment.
Keepalive Probe Count: Number of times that the WAAS device can retry a connection before the connection is considered unsuccessful. The range is 1 to 120 attempts. The default is 4 attempts.
Keepalive Probe Interval: Length of time that the WAAS device keeps an idle connection open. The default is 75 seconds.
Keepalive Timeout: Length of time that the WAAS device keeps a connection open before disconnecting. The range is 1 to 120 seconds. The default is 90 seconds.
Enable Path MTU Discovery: Enables discovery of the largest IP packet size allowable between the various links along the forwarding path and automatically sets the correct value for the packet size. By default, this option is disabled. For more information, see the “Path MTU Discovery” section on page 6-24.
To configure TCP settings from the CLI, you can use the tcp global configuration command.
To enable the MTU discovery utility from the CLI, you can use the ip path-mtu-discovery enable global
configuration command.
This section contains the following topics:
• Explicit Congestion Notification, page 6-23
• Congestion Windows, page 6-23
• Retransmit Time Multiplier, page 6-23
• TCP Slow Start, page 6-24
• Path MTU Discovery, page 6-24
Explicit Congestion Notification
The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to notify the end
hosts of impending network congestion. It also provides enhanced support for TCP sessions associated
with applications that are sensitive to delay or packet loss. The major issue with ECN is that the
operation of both the routers and the TCP software stacks needs to be changed to accommodate the
operation of ECN.
Congestion Windows
The congestion window (cwnd) is a TCP state variable that limits the amount of data that a TCP sender
can transmit onto the network before receiving an acknowledgment (ACK) from the receiving side of the
TCP transmission. The TCP cwnd variable is implemented by the TCP congestion avoidance algorithm.
The goal of the congestion avoidance algorithm is to continually modify the sending rate so that the
sender automatically senses any increase or decrease in available network capacity during the entire data
flow. When congestion occurs (manifested as packet loss), the sending rate is first lowered then
gradually increased as the sender continues to probe the network for additional capacity.
Retransmit Time Multiplier
The TCP sender uses a timer to measure the time that has elapsed between sending a data segment and
receiving the corresponding ACK from the receiving side of the TCP transmission. When this retransmit
timer expires, the sender (according to the RFC standards for TCP congestion control) must reduce its
sending rate. However, because the sender is not reducing its sending rate in response to network
congestion, the sender is not able to make any valid assumptions about the current state of the network.
Therefore, in order to avoid congesting the network with an inappropriately large burst of data, the
sender implements the slow start algorithm, which reduces the sending rate to one segment per
transmission. (See the “TCP Slow Start” section on page 6-24.)
You can modify the sender’s retransmit timer by using the Retransmit Time Multiplier field in the WAAS
Central Manager. The retransmit time multiplier modifies the length of the retransmit timer by one to
three times the base value, as determined by the TCP algorithm that is being used for congestion control.
When making adjustments to the retransmit timer, be aware that they affect performance and efficiency.
If the retransmit timer is triggered too early, the sender pushes duplicate data onto the network
unnecessarily; if the timer is triggered too slowly, the sender remains idle for too long, unnecessarily
slowing data flow.
TCP Slow Start
Slow start is one of four congestion control algorithms used by TCP. The slow start algorithm controls
the amount of data being inserted into the network at the beginning of a TCP session when the capacity
of the network is not known.
For example, if a TCP session began by inserting a large amount of data into the network, much of the
initial burst of data would likely be lost. Instead, TCP initially transmits a modest amount of data that
has a high probability of successful transmission. Next, TCP probes the network by sending increasing
amounts of data as long as the network does not show signs of congestion.
The slow start algorithm begins by sending packets at a rate that is determined by the congestion window,
or cwnd variable. (See the “Congestion Windows” section on page 6-23.) The algorithm continues to
increase the sending rate until it reaches the limit set by the slow start threshold (ssthresh) variable.
Initially, the value of the ssthresh variable is adjusted to the receiver’s maximum segment size (RMSS).
However, when congestion occurs, the ssthresh variable is set to half the current value of the cwnd
variable, marking the point of the onset of network congestion for future reference.
The starting value of the cwnd variable is set to that of the sender maximum segment size (SMSS), which
is the size of the largest segment that the sender can transmit. The sender sends a single data segment,
and because the congestion window is equal to the size of one segment, the congestion window is now
full. The sender then waits for the corresponding ACK from the receiving side of the transmission. When
the ACK is received, the sender increases its congestion window size by increasing the value of the cwnd
variable by the value of one SMSS. Now the sender can transmit two segments before the congestion
window is again full and the sender is once more required to wait for the corresponding ACKs for these
segments. The slow start algorithm continues to increase the value of the cwnd variable and therefore
increase the size of the congestion window by one SMSS for every ACK received. If the value of the
cwnd variable increases beyond the value of the ssthresh variable, then the TCP flow control algorithm
changes from the slow start algorithm to the congestion avoidance algorithm.
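The cwnd and ssthresh behaviour described in this section, as an added example that is not WAAS code: a small Python model of slow start and congestion avoidance that also honours the Initial Send Congestion Window Size setting (0 to 10 segments) from the table above. The starting ssthresh value, the one-ACK-per-segment model and the retransmit-timeout handling are assumptions, labelled in the comments.

```python
"""Round-by-round model of TCP slow start and congestion avoidance.

Added example; didactic, not WAAS code. Assumptions: one ACK per delivered
segment, cwnd counted in segments of one SMSS, and a loss modelled as a
retransmit timeout that restarts slow start at one segment. The starting
ssthresh is a parameter because the text gives no usable initial value."""


class SlowStartSim:
    def __init__(self, initial_cwnd_segments=0, initial_ssthresh=16):
        # WAAS "Initial Send Congestion Window Size": 0 to 10 segments, default 0.
        # Assumption: 0 means "not overridden", i.e. one SMSS as described above.
        if not 0 <= initial_cwnd_segments <= 10:
            raise ValueError("initial congestion window must be 0 to 10 segments")
        self.cwnd = initial_cwnd_segments or 1
        self.ssthresh = initial_ssthresh
        self._ca_acks = 0  # ACKs counted towards the next +1 in congestion avoidance

    def on_ack(self):
        """Grow cwnd for one received ACK."""
        if self.cwnd < self.ssthresh:
            # Slow start: one more segment per ACK, so cwnd doubles each round trip.
            self.cwnd += 1
        else:
            # Congestion avoidance: about one more segment per round trip,
            # implemented here as +1 once a full window of ACKs has arrived.
            self._ca_acks += 1
            if self._ca_acks >= self.cwnd:
                self.cwnd += 1
                self._ca_acks = 0

    def on_timeout(self):
        """Retransmit timer expired: remember half of cwnd, restart slow start."""
        # Half the current cwnd as described above, floored at 2 segments (RFC 2581).
        self.ssthresh = max(self.cwnd // 2, 2)
        self.cwnd = 1
        self._ca_acks = 0

    def run(self, rounds, loss_rounds=()):
        """Return cwnd (in segments) at the end of each round trip.

        A round sends a full window; every segment is ACKed unless the round is
        listed in loss_rounds, in which case the retransmit timer fires instead."""
        trace = []
        for rnd in range(1, rounds + 1):
            if rnd in loss_rounds:
                self.on_timeout()
            else:
                for _ in range(self.cwnd):  # window size fixed at start of round
                    self.on_ack()
            trace.append(self.cwnd)
        return trace


if __name__ == "__main__":
    sim = SlowStartSim(initial_ssthresh=16)
    print("cwnd per round:", sim.run(8, loss_rounds={6}))
```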
Path MTU Discovery
The WAAS software supports the IP Path Maximum Transmission Unit (MTU) Discovery method, as
defined in RFC 1191. When enabled, the Path MTU Discovery feature discovers the largest IP packet
size allowable between the various links along the forwarding path and automatically sets the correct
value for the packet size. By using the largest MTU that the links can handle, the sending device can
minimize the number of packets it must send.
IP Path MTU Discovery is useful when a link in a network goes down, which forces the use of another,
different MTU-sized link. IP Path MTU Discovery is also useful when a connection is first being
established, and the sender has no information about the intervening links.
Note
IP Path MTU Discovery is a process initiated by the sending device. If a server does not support IP Path
MTU Discovery, the receiving device will have no available means to avoid fragmenting datagrams
generated by the server.
By default, this feature is disabled. With the feature disabled, the sending device uses a packet size that
is the lesser of 576 bytes and the next hop MTU. Existing connections are not affected when this feature
is turned on or off.
Configuring Static IP Routes
The WAAS software allows you to configure a static route for a network or host. Any IP packet
designated for the specified destination uses the configured route.
To configure a static IP route, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > TCP/IP Settings > Static Routes. The IP Route Entries window
appears.
Step 3
In the taskbar, click the Create New IP Route Entry icon. The Creating New IP Route window appears.
Step 4
In the Destination Network Address field, enter the destination network IP address.
Step 5
In the Netmask field, enter the destination host netmask.
Step 6
In the Gateway’s IP Address field, enter the IP address of the gateway interface.
The gateway interface IP address should be in the same network as that of one of the device’s network
interfaces.
Step 7
Click Submit.
To configure a static route from the CLI, you can use the ip route global configuration command.
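The on-link requirement stated under Step 6, as an added example that is not WAAS code: validating a route entry (destination, netmask, gateway) with Python's ipaddress module before it is submitted. The function name and the list of interface addresses are assumptions.

```python
"""Validate a static IP route entry as entered in the Creating New IP Route
window. Added example, not WAAS code. It encodes the check stated above: the
gateway must lie in the same network as one of the device's own interfaces."""

import ipaddress


def validate_static_route(destination, netmask, gateway, interface_addresses):
    """Return (network, gateway) as normalized strings, or raise ValueError.

    interface_addresses: iterable of 'address/prefix' strings for the device's
    interfaces (hypothetical input; the test uses constructed values)."""
    try:
        # Dotted netmask notation is accepted directly by ip_network.
        network = ipaddress.ip_network(f"{destination}/{netmask}", strict=False)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        raise ValueError(f"invalid route entry: {exc}") from exc
    # strict=False masked the destination; reject entries with host bits set,
    # since the field asks for a network address (a /32 host route still passes).
    if network.network_address != ipaddress.ip_address(destination):
        raise ValueError("destination has host bits set for the given netmask")
    for iface in interface_addresses:
        if gw in ipaddress.ip_interface(iface).network:
            return str(network), str(gw)
    raise ValueError("gateway is not on the same network as any device interface")
```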
Aggregating IP Routes
An individual WAE device can have IP routes defined and can belong to device groups that have other
IP routes defined.
In the IP Route Entries window, the Aggregate Settings radio button controls how IP routes are
aggregated for an individual device, as follows:
• Choose Yes if you want to configure the device with all IP routes that are defined for itself and for
device groups to which it belongs.
• Choose No if you want to limit the device to just the IP routes that are defined for itself.
When you change the setting, you get the following confirmation message: “This option will take effect
immediately and will affect the device configuration. Do you wish to continue?” Click OK to continue.
Configuring CDP Settings
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco-manufactured
devices. With CDP, each device in a network sends periodic messages to all other devices in the network.
All devices listen to periodic messages that are sent by others to learn about neighboring devices and
determine the status of their interfaces.
With CDP, network management applications can learn the device type and the Simple Network
Management Protocol (SNMP) agent address of neighboring devices. Applications are able to send
SNMP queries within the network. CiscoWorks2000 also discovers the WAAS devices by using the CDP
packets that are sent by the WAAS device after booting.
To perform device-related tasks, the WAAS device platform must support CDP to be able to notify the
system manager of the existence, type, and version of the WAAS device platform.
To configure CDP settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > CDP. The CDP Settings window appears.
Step 3
Check the Enable check box to enable CDP support. By default, this option is enabled.
Step 4
In the Hold Time field, enter the time (in seconds) to specify the length of time that a receiver is to keep
the CDP packets.
The range is 10 to 255 seconds. The default is 180 seconds.
Step 5
In the Packet Send Rate field, enter a value (in seconds) for the interval between CDP advertisements.
The range is 5 to 254 seconds. The default is 60 seconds.
Step 6
Click Submit.
To configure CDP settings from the CLI, you can use the cdp global configuration command.
Configuring the DNS Server
DNS allows the network to translate domain names entered in requests into their associated IP addresses.
To configure DNS on a WAAS device, you must complete the following tasks:
• Specify the list of DNS servers, which are used by the network to translate requested domain names
into IP addresses that the WAAS device should use for domain name resolution.
• Enable DNS on the WAAS device.
To configure DNS server settings for a WAAS device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > DNS. The DNS Settings window appears.
Step 3
In the Local Domain Name field, enter the name of the local domain. You can configure up to three local
domain names. Separate items in the list with a space.
Step 4
In the List of DNS Servers field, enter a list of DNS servers used by the network to resolve hostnames
to IP addresses.
You can configure up to three DNS servers. Separate items in the list with a space.
Step 5
Click Submit.
A “Click Submit to Save” message appears in red next to the Current Settings line when there are
pending changes to be saved after you have applied default and device group settings. To revert to the
previously configured window settings, click Reset. The Reset button appears only when you have
applied default or group settings to change the current device settings but the settings have not yet been
submitted.
To configure DNS name servers from the CLI, you can use the ip name-server global configuration
command.
Configuring Windows Name Services
To configure Windows name services for a device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > WINS. The Windows Name Services Settings window appears.
Step 3
In the Workgroup or Domain Name field, enter the name of the workgroup (or domain) in which the
chosen device or device group resides.
This name must be entered in shortname format and cannot exceed 127 characters. Valid characters
include alphanumeric characters, a forward slash (\), an underscore (_), and a dash (-).
For example, if your domain name is cisco.com, the short name format is cisco.
Step 4
Check the NT check box if the workgroup or domain is a Windows NT 4 domain. If your workgroup or
domain is a Windows 2000 or Windows 2003 domain, do not check the NT check box. By default, this
option is disabled.
Step 5
In the WINS server field, enter the hostname or IP address of the Windows Internet Naming Service
(WINS) server.
Step 6
Click Submit.
To configure Windows name services from the CLI, you can use the windows-domain global
configuration command.
Configuring Directed Mode
By default, WAAS transparently sets up new TCP connections to peer WAEs, which can cause firewall
traversal issues when a WAAS device tries to optimize the traffic. If a WAE device is behind a firewall
that prevents traffic optimization, you can use the directed mode of communicating to a peer WAE. In
directed mode, all TCP traffic that is sent to a peer WAE is encapsulated in UDP, which allows a firewall
to either bypass the traffic or inspect the traffic (by adding a UDP inspection rule).
Any firewall between two WAE peers must be configured to pass UDP traffic on port 4050, or whatever
custom port is configured for directed mode if a port other than the default is used. Additionally, because
the WAAS automatic discovery process uses TCP options before directed mode begins sending UDP
traffic, the firewall must be configured to pass the TCP options. Cisco firewalls can be configured to
allow TCP options by using the ip inspect waas command (for Cisco IOS Release 12.4(11)T2 and later
releases) or the inspect waas command (for FWSM 3.2(1) and later releases and PIX 7.2(3) and later
releases).
After directed mode is activated, the WAE transparently intercepts only packets coming from the LAN,
while WAN packets are directly routed between the WAEs using UDP.
Directed mode operates with all configurable methods of traffic interception. Directed mode requires
that you configure the WAAS devices (or inline interfaces) with routable, non-NATed IP addresses.
When using directed mode with inline mode, you must configure the inline group with routable IP
addresses on its interfaces or traffic is black holed.
If a WAE at either end of a peer WAE connection specifies directed mode, and both WAEs support
directed mode, then both WAEs use directed mode, even if one is not explicitly configured for directed
mode. If a peer WAE does not support directed mode, then the peers pass through traffic unoptimized
and each WAE creates a transaction log entry that notes the failed directed mode attempt.
You can invoke directed mode operation in the following ways:
• Directed mode can be explicitly activated in the WAAS Central Manager or by CLI.
• Directed mode can be automatically invoked when a peer WAE requests that directed mode be used.
To activate directed mode, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > Directed Mode. The Directed Mode Settings window appears.
Step 3
Check the Enable directed mode check box to activate directed mode.
Step 4
In the UDP Port field, enter a port number to configure a custom UDP port for directed mode. The default
is port 4050.
Step 5
Click Submit to save the settings.
To configure directed mode from the CLI, use the directed-mode global configuration command.
Chapter 7
Configuring Administrative Login Authentication, Authorization, and Accounting
This chapter describes how to configure administrative login authentication, authorization, and
accounting for Wide Area Application Services (WAAS) devices.
This chapter contains the following sections:
• About Administrative Login Authentication and Authorization, page 7-1
• Configuring Administrative Login Authentication and Authorization, page 7-5
• Configuring AAA Command Authorization, page 7-31
• Configuring AAA Accounting for WAAS Devices, page 7-31
• Viewing Audit Trail Logs, page 7-33
You use the WAAS Central Manager GUI to centrally create and manage two different types of
administrator user accounts (device-based CLI accounts and roles-based accounts) for your WAAS
devices. For more information, see Chapter 8, “Creating and Managing Administrator User Accounts
and Groups.”
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
About Administrative Login Authentication and Authorization
In the WAAS network, administrative login authentication and authorization are used to control login
requests from administrators who want to access a WAAS device for configuring, monitoring, or
troubleshooting purposes.
Login authentication is the process by which WAAS devices verify whether the administrator who is
attempting to log in to the device has a valid username and password. The administrator who is logging
in must have a user account registered with the device. User account information serves to authorize the
user for administrative login and configuration privileges. The user account information is stored in an
AAA database, and the WAAS devices must be configured to access the particular authentication server
(or servers) where the AAA database is located. When the user attempts to login to a device, the device
compares the person’s username, password, and privilege level to the user account information that is
stored in the database.
The WAAS software provides the following authentication, authorization, and accounting (AAA)
support for users who have external access servers (for example, RADIUS or TACACS+ servers), and
for users who need a local access database with AAA features:
• Authentication (or login authentication) is the action of determining who the user is. It checks the
username and password.
• Authorization (or configuration) is the action of determining what a user is allowed to do. It permits
or denies privileges for authenticated users in the network. Generally, authentication precedes
authorization. Both authentication and authorization are required for a user log in.
• Accounting is the action of keeping track of administrative user activities for system accounting
purposes. In the WAAS software, AAA accounting through TACACS+ is supported. For more
information, see the “Configuring AAA Accounting for WAAS Devices” section on page 7-31.
Note
An administrator can log in to the WAAS Central Manager device through the console port
or the WAAS Central Manager GUI. An administrator can log in to a WAAS device that is
functioning as a data center or branch WAE through the console port or the WAE Device
Manager GUI.
When the system administrator logs in to a WAAS device before authentication and authorization have
been configured, the administrator can access the WAAS device by using the predefined superuser
account (the predefined username is admin and the predefined password is default). When you log in to
a WAAS device using this predefined superuser account, you are granted access to all the WAAS services
and entities in the WAAS system.
Note
Each WAAS device must have one administrator account with the username admin. You cannot change
the username of the predefined superuser account. The predefined superuser account must have the
username admin.
After you have initially configured your WAAS devices, we strongly recommend that you immediately
change the password for the predefined superuser account (the predefined username is admin, the
password is default, and the privilege level is superuser, privilege level 15) on each WAAS device.
For instructions on using the WAAS Central Manager GUI to change the password for the predefined
superuser account, see the “Changing the Password for Your Own Account” section on page 8-6.
Figure 7-1 shows how an administrator can log in to a WAE through the console port or the WAAS GUIs
(the WAAS Central Manager GUI or the WAE Device Manager GUI). When the WAAS device receives
an administrative login request, the WAE can check its local database or a remote third-party database
(TACACS+, RADIUS, or Windows domain database) to verify the username with the password and to
determine the access privileges of the administrator.
Figure 7-1
Authentication Databases and a WAE
(The figure image is not reproduced here; its callout legend follows.)
1 FTP/SFTP client
2 WAAS Central Manager GUI or WAE Device Manager GUI
3 Third-party AAA servers
4 RADIUS server
5 TACACS+ server
6 Windows domain server
7 Console or Telnet clients
8 SSH client
9 WAE that contains a local database and the default primary authentication database
10 Administrative login requests
The user account information is stored in an AAA database, and the WAAS devices must be configured
to access the particular authentication server (or servers) that contains the AAA database. You can
configure any combination of these authentication and authorization methods to control administrative
login access to a WAAS device:
• Local authentication and authorization
• RADIUS
• TACACS+
• Windows domain authentication
Note
If you configure authentication using an external authentication server, you still must create a role-based
user or user group account in the WAAS Central Manager as described in Chapter 8, “Creating and
Managing Administrator User Accounts and Groups.”
For more information on the default AAA configuration, see the “Default Administrative Login
Authentication and Authorization Configuration” section on page 7-4. For more information on
configuring AAA, see the “Configuring Administrative Login Authentication and Authorization”
section on page 7-5.
Default Administrative Login Authentication and Authorization Configuration
By default, a WAAS device uses the local database to obtain login authentication and authorization
privileges for administrative users.
Table 7-1 lists the default configuration for administrative login authentication and authorization.
Table 7-1
Default Configuration for Administrative Login Authentication and Authorization
Feature: Default Value
Administrative login authentication: Enabled
Administrative configuration authorization: Enabled
Authentication server failover because the authentication server is unreachable: Disabled
TACACS+ port: Port 49
TACACS+ login authentication (console and Telnet): Disabled
TACACS+ login authorization (console and Telnet): Disabled
TACACS+ key: None specified
TACACS+ server timeout: 5 seconds
TACACS+ retransmit attempts: 2 times
RADIUS login authentication (console and Telnet): Disabled
RADIUS login authorization (console and Telnet): Disabled
RADIUS server IP address: None specified
RADIUS server UDP authorization port: Port 1645
RADIUS key: None specified
RADIUS server timeout: 5 seconds
RADIUS retransmit attempts: 2 times
Windows domain login authentication: Disabled
Windows domain login authorization: Disabled
Windows domain password server: None specified
Windows domain realm (Kerberos realm used for authentication when Kerberos authentication is used): Null string
Note
When Kerberos authentication is enabled, the default realm is DOMAIN.COM and security is the
Active Directory Service (ADS).
Hostname or IP address of the Windows Internet Naming Service (WINS) server for Windows domain: None specified
Windows domain administrative group: There are no predefined administrative groups.
Windows domain NETBIOS name: None specified
Kerberos authentication: Disabled
Kerberos server hostname or IP address (host that is running the Key Distribution Center (KDC) for the given Kerberos realm): None specified
Kerberos server port number (port number on the KDC server): Port 88
Kerberos local realm (default realm for WAAS): kerberos-realm: null string
Kerberos realm (maps a hostname or DNS domain name to a Kerberos realm): Null string
If you configure a RADIUS or TACACS+ key on the WAAS device (the RADIUS and the TACACS+
client), make sure that you configure an identical key on the external RADIUS or TACACS+ server.
You change these defaults through the WAAS Central Manager GUI, as described in the “Configuring
Administrative Login Authentication and Authorization” section on page 7-5.
Multiple Windows domain utilities are included in the WAAS software to assist with Windows domain
authentication configuration. You can access these utilities through the WAAS CLI by using the
windows-domain diagnostics EXEC command.
Configuring Administrative Login Authentication and
Authorization
To centrally configure administrative login authentication and authorization for a WAAS device or a
device group (a group of WAEs), follow these steps:
Step 1
Determine the login authentication scheme that you want to configure the WAAS device to use when
authenticating administrative login requests (for example, use the local database as the primary login
database and your RADIUS server as the secondary authentication database).
Step 2
Configure the login access control settings for the WAAS device, as described in the “Configuring Login
Access Control Settings for WAAS Devices” section on page 7-7.
Step 3
Configure the administrative login authentication server settings on the WAAS device (if a remote
authentication database is to be used). For example, specify the IP address of the remote RADIUS
servers, TACACS+ servers, or Windows domain server that the WAAS device should use to authenticate
administrative login requests, as described in the following sections:
• Configuring RADIUS Server Authentication Settings, page 7-12
• About TACACS+ Server Authentication Settings, page 7-14
• Configuring Windows Domain Server Authentication Settings, page 7-17
Step 4
Specify one or all of the following login authentication configuration schemes that the WAAS device
should use to process administrative login requests:
• Specify the administrative login authentication scheme.
• Specify the administrative login authorization scheme.
• Specify the failover scheme for the administrative login authentication server (optional).
For example, specify which authentication database the WAAS device should check to process an
administrative login request. See the “Enabling Administrative Login Authentication and Authorization
Schemes for WAAS Devices” section on page 7-26.
Caution
Make sure that RADIUS, TACACS+, or Windows domain authentication is configured and operating
correctly before disabling local authentication and authorization. If you disable local authentication and
RADIUS, TACACS+, or Windows domain settings are not configured correctly, or if the RADIUS,
TACACS+, or Windows domain server is not online, you may be unable to log in to the WAAS device.
You can enable or disable the local and the remote databases (TACACS+, RADIUS, and Windows
domain) through the WAAS Central Manager GUI or the WAAS CLI. The WAAS device verifies
whether all databases are disabled and, if so, sets the system to the default state (see Table 7-1). If you
have configured the WAAS device to use one or more of the external third-party databases (TACACS+,
RADIUS, or Windows domain authentication) for administrative authentication and authorization, make
sure that you have also enabled the local authentication and authorization method on the WAAS device,
and that the local method is specified as the last option; otherwise, the WAAS device will not go to the
local authentication and authorization method by default if the specified external third-party databases
are not reachable.
By default, local login authentication is enabled first. Local authentication and authorization use locally
configured logins and passwords to authenticate administrative login attempts. These logins and
passwords are local to each WAAS device and are not mapped to individual usernames.
You can disable local login authentication only after enabling one or more of the other administrative
login authentication methods. However, when local login authentication is disabled, if you disable all
other administrative login authentication methods, local login authentication is reenabled automatically.
You cannot specify different administrative login authentication methods for console and Telnet
connections.
We strongly recommend that you set the administrative login authentication and authorization methods
in the same order. For example, configure the WAAS device to use RADIUS as the primary login
method, TACACS+ as the secondary login method, Windows as the tertiary method, and the local
method as the quaternary method for both administrative login authentication and authorization.
Note
A TACACS+ server will not authorize a user who is authenticated by a different method. For example,
if you configure Windows as the primary authentication method, but TACACS+ as the primary
authorization method, TACACS+ authorization will fail.
We strongly recommend that you specify the local method as the last method in your prioritized list of
login authentication and authorization methods. By adhering to this practice, if the specified external
third-party servers (TACACS+, RADIUS, or Windows domain servers) are not reachable, a WAAS
administrator can still log in to a WAAS device through the local authentication and authorization
method.
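The method-ordering rules in this section (local re-enabled automatically when every other method is disabled, local listed last as the reachable fallback, and TACACS+ authorization failing for a user authenticated by another method), as an added Python model that is not WAAS code. The class and function names, the sample accounts, and the treatment of unreachable and rejecting servers are assumptions, stated in the docstring and comments.

```python
"""Model of the WAAS administrative login method chain described above.

Added example, not WAAS code. Assumptions: an unreachable server is skipped
and the next method in order is tried (the failover setting on page 7-26 is
not modelled); a reachable server that rejects the credentials ends the
attempt; and a TACACS+ authorization step denies outright when the user was
authenticated by a different method, as the Note above states."""

import hmac
from dataclasses import dataclass, field

LOCAL, RADIUS, TACACS, WINDOWS = "local", "radius", "tacacs+", "windows-domain"
KNOWN_METHODS = (LOCAL, RADIUS, TACACS, WINDOWS)


@dataclass
class AuthServer:
    """Stand-in for one authentication database (constructed sample data)."""
    reachable: bool
    passwords: dict = field(default_factory=dict)   # username -> password
    privileges: dict = field(default_factory=dict)  # username -> privilege level


def normalize(methods):
    """Keep the configured order; re-enable local if nothing else is enabled."""
    methods = [m for m in methods if m in KNOWN_METHODS]
    return methods or [LOCAL]


@dataclass
class MethodChain:
    authentication: list
    authorization: list
    servers: dict  # method name -> AuthServer

    def __post_init__(self):
        self.authentication = normalize(self.authentication)
        self.authorization = normalize(self.authorization)

    def authenticate(self, user, password):
        """Return the method that accepted the login, or None if it is denied."""
        for method in self.authentication:
            srv = self.servers.get(method)
            if srv is None or not srv.reachable:
                continue  # server down: fall through to the next method in order
            stored = srv.passwords.get(user, "")
            if stored and hmac.compare_digest(stored, password):
                return method
            return None  # a reachable server rejected the credentials
        return None  # every configured server unreachable (see the Caution above)

    def authorize(self, user, auth_method):
        """Return the privilege level granted, or None if authorization fails."""
        for method in self.authorization:
            if method == TACACS and auth_method != TACACS:
                return None  # TACACS+ will not authorize a user authenticated elsewhere
            srv = self.servers.get(method)
            if srv is None or not srv.reachable:
                continue
            return srv.privileges.get(user)
        return None

    def login(self, user, password):
        """Authentication followed by authorization; both must succeed."""
        method = self.authenticate(user, password)
        if method is None:
            return None
        level = self.authorize(user, method)
        return None if level is None else (method, level)


def sample_servers(radius_up=False):
    """Constructed lab data; admin/default is the predefined superuser (level 15)."""
    return {
        LOCAL: AuthServer(True, {"admin": "default"}, {"admin": 15}),
        RADIUS: AuthServer(radius_up, {"alice": "alice-pw"}, {"alice": 15}),
        TACACS: AuthServer(True, {"bob": "bob-pw"}, {"bob": 15}),
        WINDOWS: AuthServer(True, {"carol": "carol-pw"}, {"carol": 1}),
    }
```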
This section describes how to centrally configure administrative login authentication and contains the
following topics:
• Configuring Login Access Control Settings for WAAS Devices, page 7-7
• Configuring Remote Authentication Server Settings for WAAS Devices, page 7-12
• Enabling Administrative Login Authentication and Authorization Schemes for WAAS Devices, page 7-26
Configuring Login Access Control Settings for WAAS Devices
This section describes how to centrally configure remote login and access control settings for a WAAS
device or device group and contains the following topics:
• Configuring Secure Shell Settings for WAAS Devices, page 7-7
• Disabling and Reenabling the Telnet Service for WAAS Devices, page 7-9
• Configuring Message of the Day Settings for WAAS Devices, page 7-10
• Configuring Exec Timeout Settings for WAAS Devices, page 7-11
• Configuring Line Console Carrier Detection for WAAS Devices, page 7-11
Configuring Secure Shell Settings for WAAS Devices
Secure Shell (SSH) consists of a server and a client program. Like Telnet, you can use the client program
to remotely log in to a machine that is running the SSH server, but unlike Telnet, messages transported
between the client and the server are encrypted. The functionality of SSH includes user authentication,
message encryption, and message authentication.
Note
By default, the SSH feature is disabled on a WAAS device.
The SSH management window in the WAAS Central Manager GUI allows you to specify the key length,
login grace time, and maximum number of password guesses allowed when logging in to a specific
WAAS device or device group for configuration, monitoring, or troubleshooting purposes.
To centrally enable the SSH feature on a WAAS device or a device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > Console Access > SSH.
The SSH Configuration window appears. (See Figure 7-2.)
Figure 7-2 SSH Configuration Window
Step 3
Check the Enable check box to enable the SSH feature. SSH enables login access to the chosen WAAS
device (or the device group) through a secure and encrypted channel.
Step 4
Check the Allow non-admin users check box to allow non-administrative users to gain SSH access to
the chosen device (or device group). By default, this option is disabled.
Note
Nonadministrative users are non-superuser administrators. All non-superuser administrators
only have restricted access to a WAAS device because their login accounts have a privilege level
of 0. Superuser administrators have full access to a WAAS device because their login accounts
have the highest level of privileges, a privilege level of 15.
Step 5
In the Length of key field, specify the number of bits needed to create an SSH key. The default is 1024.
When you enable SSH, be sure to generate both a private and a public host key, which client programs
use to verify the server’s identity. When you use an SSH client and log in to a WAAS device, the public
key for the SSH daemon running on the device is recorded in the client machine known_hosts file in your
home directory. If the WAAS administrator subsequently regenerates the host key by specifying the
number of bits in the Length of key field, you must delete the old public key entry associated with the
WAAS device in the known_hosts file before running the SSH client program to log in to the WAAS
device. When you use the SSH client program after deleting the old entry, the known_hosts file is
updated with the new SSH public key for the WAAS device.
Step 6
In the Login grace time field, specify the number of seconds for which an SSH session will be active
during the negotiation (authentication) phase between client and server before it times out. The default
is 300 seconds.
Step 7
In the Maximum number of password guesses field, specify the maximum number of incorrect password
guesses allowed per connection. The default is 3.
Although the value in the Maximum number of password guesses field specifies the number of allowed
password guesses from the SSH server side, the actual number of password guesses for an SSH login
session is determined by the combined number of allowed password guesses of the SSH server and the
SSH client. Some SSH clients limit the maximum number of allowed password guesses to three (or to
one in some cases), even though the SSH server allows more than this number of guesses. When you
specify n allowed password guesses, certain SSH clients interpret this number as n + 1. For example,
when configuring the number of guesses to two for a particular device, SSH sessions from some SSH
clients will allow three password guesses.
Step 8
Specify whether the clients should be allowed to connect using the SSH protocol Version 1 or Version 2:
• To specify Version 1, check the Enable SSHv1 check box.
• To specify Version 2, check the Enable SSHv2 check box.
Note
You can enable both SSH Version 1 and Version 2, or you can enable one version and not the
other. You cannot disable both versions of SSH unless you disable the SSH feature by
unchecking the Enable check box. (See Step 3.)
Step 9
Click Submit to save the settings.
A “Click Submit to Save” message appears in red in the Current Settings line when there are pending
changes to be saved after you have applied default or device group settings. You can also revert to the
previously configured settings by clicking the Reset button. The Reset button is visible only when you
have applied default or group settings to change the current device settings but have not yet submitted
the changes.
If you try to exit this window without saving the modified settings, a warning dialog box prompts you
to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
To configure SSH settings from the CLI, you can use the sshd and ssh-key-generate global
configuration commands.
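Step 5 above notes that after the WAAS host key is regenerated, the old public key entry for the device must be removed from the client's known_hosts file before the next login. The following Python script is an added example, not part of the WAAS software or of this guide: it removes every entry for a given device name or address from a known_hosts file, including entries written in OpenSSH's hashed form (HashKnownHosts). The sample file content, host names and key strings are constructed for the illustration.

```python
"""Drop the stale SSH host-key entries for a WAAS device from an OpenSSH
known_hosts file, so the next login records the regenerated key.

Added example, not WAAS code. Handles plain entries (comma-separated names,
[host]:port) and hashed entries (|1|salt|hash, hash = HMAC-SHA1(salt, name)).
All sample data below is constructed."""
import base64
import hashlib
import hmac


def hash_hostname(host, salt):
    """Build the |1|salt|hash field OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _hashed_matches(field, host):
    """True when a |1|salt|hash field is the hashed form of host."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hash_hostname(host, salt), field)


def _entry_matches(line, host):
    """True when a known_hosts line names host (plain or hashed)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return False
    names = fields[0]
    if names.startswith("@") and len(fields) > 1:  # @cert-authority / @revoked marker
        names = fields[1]
    if names.startswith("|1|"):
        return _hashed_matches(names, host)
    for name in names.split(","):
        if name.startswith("[") and "]:" in name:  # [host]:port form
            name = name[1:].split("]:", 1)[0]
        if name == host:
            return True
    return False


def remove_host(known_hosts_text, host):
    """Return (new_text, removed_count) with every entry for host dropped."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        if _entry_matches(line, host):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


# Constructed sample: one device known under three spellings, plus an unrelated host.
FAKE_KEY = "AAAAB3NzaC1yc2E-CONSTRUCTED-KEY-DATA"
DEVICE = "wae-branch1.example.net"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "%s,192.0.2.10 ssh-rsa %s-1" % (DEVICE, FAKE_KEY),
    "[%s]:2222 ssh-rsa %s-2" % (DEVICE, FAKE_KEY),
    "%s ssh-rsa %s-3" % (hash_hostname(DEVICE, b"0123456789abcdef0123"), FAKE_KEY),
    "cm.example.net ssh-rsa %s-4" % FAKE_KEY,
]) + "\n"


def demo():
    """Remove the device's entries from the sample; returns (text, removed)."""
    return remove_host(SAMPLE_KNOWN_HOSTS, DEVICE)


if __name__ == "__main__":
    text, count = demo()
    print("removed %d entries; remaining:\n%s" % (count, text), end="")
```

Run it against a copy of ~/.ssh/known_hosts rather than the live file, and check the removed count matches the number of spellings (name, address, port form) under which the device was recorded; a count of zero usually means the client stored the entry under a different name or address than the one passed in.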
Disabling and Reenabling the Telnet Service for WAAS Devices
By default, the Telnet service is enabled on a WAAS device. You must use a console connection instead
of a Telnet session to define device network settings on a WAAS device. However, after you have used
a console connection to define the device network settings, you can use a Telnet session to perform
subsequent configuration tasks.
You must enable the Telnet service before you can use the Telnet button in the Device Dashboard window
to Telnet to a device.
Note
Telnet is not supported in Internet Explorer. If you want to use the Telnet button from the Device
Dashboard, use a different web browser.
To centrally disable the Telnet service on a WAAS device or a device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > Console Access > Telnet. The Telnet Settings window appears.
Step 3
Uncheck the Telnet Enable check box to disable the terminal emulation protocol for remote terminal
connection for the chosen device (or device group).
Step 4
Click Submit to save the settings.
A “Click Submit to Save” message appears in red next to the Current Settings line when there are
pending changes to be saved after you have applied default or device group settings. You can also revert
to the previously configured settings by clicking the Reset button. The Reset button is visible only when
you have applied default or group settings to change the current device settings but have not yet
submitted the changes.
If you try to exit this window without saving the modified settings, a warning dialog box prompts you
to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
To centrally reenable the Telnet service on the device (or device group) at a later time, check the Telnet
Enable check box in the Telnet Settings window and click Submit.
From the CLI, you can use the no telnet enable global configuration command to disable Telnet or the
telnet enable global configuration command to enable it.
Configuring Message of the Day Settings for WAAS Devices
The Message of the Day (MOTD) feature enables you to provide information bits to the users when they
log in to a device that is part of your WAAS network. There are three types of messages that you can set
up:
• MOTD banner
• EXEC process creation banner
• Login banner
Note
When you run an SSH version 1 client and log in to the device, the MOTD and login banners are not
displayed. You need to use SSH version 2 to display the banners when you log in to the device.
To configure the MOTD settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Network > Console Access > Message of the day. The MOTD Configuration
window for the chosen device appears.
Step 3
To enable the MOTD settings, check the Enable check box. The Message of the Day (MOTD) banner,
EXEC process creation banner, and Login banner fields become enabled.
Step 4
In the Message of the Day (MOTD) Banner field, enter a string that you want to display as the MOTD
banner after a user logs in to the device.
Note
In the Message of the Day (MOTD) Banner, EXEC Process Creation Banner, and Login Banner
fields, you can enter a maximum of 1024 characters. A new line character (or Enter) is counted
as two characters, as it is interpreted as \n by the system. You cannot use special characters such
as `, % ,^ , and " in the MOTD text. If your text contains any of these special characters, WAAS
software removes it from the MOTD output.
Step 5
In the EXEC Process Creation Banner field, enter a string to be displayed as the EXEC process creation
banner when a user enters into the EXEC shell of the device.
Step 6
In the Login Banner field, enter a string to be displayed after the MOTD banner, when a user attempts
to log in to the device.
Step 7
To save the configuration, click Submit.
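The note under Step 4 gives the limits that apply to all three banner fields: at most 1024 characters, with a newline counted as two characters, and the characters ` % ^ " silently removed from the output. The following Python script is an added example, not part of the WAAS software or of this guide; it applies those rules to a banner before it is pasted into the Central Manager, so a truncated or altered banner is caught in advance. The sample banners are constructed.

```python
"""Pre-check a banner string against the limits the guide gives for the
Message of the Day, EXEC process creation and Login banner fields: at most
1024 characters, where a newline counts as two characters because it is
stored as \\n, and the characters ` % ^ " are removed from the output.

Added example, not WAAS code; the sample banners are constructed."""

MAX_BANNER_CHARS = 1024
REMOVED_CHARS = frozenset('`%^"')


def banner_length(text):
    """Length as WAAS counts it: each newline counts as the two characters \\n."""
    return len(text) + text.count("\n")


def sanitize_banner(text):
    """The banner as WAAS would output it, with the special characters removed."""
    return "".join(ch for ch in text if ch not in REMOVED_CHARS)


def check_banner(text):
    """Return a list of findings; an empty list means the banner is stored as typed."""
    findings = []
    length = banner_length(text)
    if length > MAX_BANNER_CHARS:
        findings.append("too long: %d > %d characters (newline counts as 2)"
                        % (length, MAX_BANNER_CHARS))
    removed = sorted(set(text) & REMOVED_CHARS)
    if removed:
        findings.append("characters removed from output: " + " ".join(removed))
    return findings


# Constructed sample banners.
OK_BANNER = "Authorized use only.\nAll sessions are logged."
BAD_BANNER = "WARNING: 100% monitored; `unauthorized` access is prohibited.\n" * 20


def demo():
    """Return (findings for OK_BANNER, findings for BAD_BANNER, sanitized BAD_BANNER)."""
    return check_banner(OK_BANNER), check_banner(BAD_BANNER), sanitize_banner(BAD_BANNER)


if __name__ == "__main__":
    ok, bad, cleaned = demo()
    print("OK banner:", ok or "no findings")
    print("Bad banner:", bad)
    print("Bad banner as WAAS would show it:", cleaned[:60], "...")
```

The percent sign is the one to watch in practice: a legal notice such as "100% monitored" reads as "100 monitored" after WAAS strips it, and nothing in the GUI warns about the change.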
Configuring Exec Timeout Settings for WAAS Devices
To centrally configure the length of time that an inactive Telnet session remains open on a WAAS device
or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Click the Edit icon next to the device (or device group) for which you want to configure the EXEC
timeout.
Step 3
Choose Configure > Network > Console Access > Exec Timeout.
Step 4
In the Exec Timeout field, specify the number of minutes after which an active session times out. The
default is 15 minutes.
A Telnet session with a WAAS device can remain open and inactive for the period specified in this field.
When the EXEC timeout period elapses, the WAAS device automatically closes the Telnet session.
Step 5
Click Submit to save the settings.
A “Click Submit to Save” message appears in red next to the Current Settings line when there are
pending changes to be saved after you have applied default or device group settings. You can also revert
to the previously configured settings by clicking the Reset button. The Reset button is visible only when
you have applied default or group settings to change the current device settings but have not yet
submitted the changes.
If you try to exit this window without saving the modified settings, a warning dialog box prompts you
to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
To configure the Telnet session timeout from the CLI, you can use the exec-timeout global configuration
command.
Configuring Line Console Carrier Detection for WAAS Devices
You need to enable carrier detection if you plan to connect the WAAS device to a modem for receiving
calls.
Note
By default, this feature is disabled on a WAAS device.
To centrally enable console line carrier detection for a WAAS device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Network > Console Access > Console Carrier Detect. The Console Carrier
Detect Settings window appears.
Step 3
Check the Enable console line carrier detection before writing to the console check box to enable the
window for configuration.
Step 4
Click Submit to save the settings.
A message appears that explains that if a null-modem cable that has no carrier detect pin wired is being
used, the WAE may appear unresponsive on the console until the carrier detect signal is asserted. To
recover from a misconfiguration, the WAE should be rebooted and the 0x2000 bootflag should be set to
ignore the carrier detect setting.
Step 5
Click OK to continue.
To configure console line carrier detection from the CLI, you can use the line console carrier-detect
global configuration command.
Configuring Remote Authentication Server Settings for WAAS Devices
If you have determined that your login authentication scheme is to include one or more external
authentication servers, you must configure these server settings before you can configure the
authentication scheme in the WAAS Central Manager GUI. The section contains the following topics:
• Configuring RADIUS Server Authentication Settings, page 7-12
• About TACACS+ Server Authentication Settings, page 7-14
• Configuring TACACS+ Server Settings, page 7-15
• Configuring Windows Domain Server Authentication Settings, page 7-17
• LDAP Server Signing, page 7-23
Configuring RADIUS Server Authentication Settings
RADIUS is a client/server authentication and authorization access protocol used by a network access
server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a
client, passing user information to one or more RADIUS servers. The NAS permits or denies network
access to a user based on the response that it receives from one or more RADIUS servers. RADIUS uses
the User Datagram Protocol (UDP) for transport between the RADIUS client and server.
RADIUS authentication clients reside on devices that are running WAAS software. When enabled, these
clients send authentication requests to a central RADIUS server, which contains user authentication and
network service access information.
You can configure a RADIUS key on the client and server. If you configure a key on the client, it must
be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key
to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not
encrypted. The key itself is never transmitted over the network.
Note
For more information about how the RADIUS protocol operates, see RFC 2138, Remote Authentication
Dial In User Service (RADIUS).
RADIUS authentication usually occurs when an administrator first logs in to the WAAS device to
configure the device for monitoring, configuration, or troubleshooting purposes. RADIUS
authentication is disabled by default. You can enable RADIUS authentication and other authentication
methods at the same time. You can also specify which method to use first.
You can configure multiple RADIUS servers; authentication is attempted on the servers in order. If the
first server is unreachable, then authentication is attempted on the other servers in the farm, in order. If
authentication fails for any reason other than a server is unreachable, authentication is not attempted on
the other servers in the farm.
Tip
The WAAS Central Manager does not cache user authentication information. Therefore, the user is
reauthenticated against the RADIUS server for every request. To prevent performance degradation
caused by many authentication requests, install the WAAS Central Manager device in the same location
as the RADIUS server, or as close as possible to it, to ensure that authentication requests can occur as
quickly as possible.
To centrally configure RADIUS server settings for a WAAS device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > RADIUS. The RADIUS Server Settings window appears. (See
Figure 7-3.)
Figure 7-3 RADIUS Server Settings Window
Step 3
In the Time to Wait field, specify how long the device or device group should wait for a response from
the RADIUS server before timing out. The range is from 1 to 20 seconds. The default value is 5 seconds.
Step 4
In the Number of Retransmits field, specify the number of attempts allowed to connect to a RADIUS
server. The default value is 2 times.
Step 5
In the Shared Encryption Key field, enter the secret key that is used to communicate with the RADIUS
server.
Note
If you configure a RADIUS key on the WAAS device (the RADIUS client), make sure that you
configure an identical key on the external RADIUS server. Do not use the following characters:
space, backwards single quote (`), double quote ("), pipe (|), or question mark (?).
Step 6
In the Server Name field, enter an IP address or hostname of the RADIUS server. Five different hosts
are allowed.
Step 7
In the Server Port field, enter a UDP port number on which the RADIUS server is listening. You must
specify at least one port. Five different ports are allowed.
Step 8
Click Submit to save the settings.
You can now enable RADIUS as an administrative login authentication and authorization method for this
WAAS device or device group, as described in the “Enabling Administrative Login Authentication and
Authorization Schemes for WAAS Devices” section on page 7-26.
To configure RADIUS settings from the CLI, you can use the radius-server global configuration
command.
About TACACS+ Server Authentication Settings
TACACS+ controls access to network devices by exchanging network access server (NAS) information
between a network device and a centralized database to determine the identity of a user or an entity.
TACACS+ is an enhanced version of TACACS, a UDP-based access-control protocol specified by
RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+
server and the TACACS+ daemon on a network device.
TACACS+ works with many authentication types, including fixed password, one-time password, and
challenge-response authentication. TACACS+ authentication usually occurs when an administrator first
logs in to the WAAS device to configure the WAE for monitoring, configuring, or troubleshooting.
When a user requests restricted services, TACACS+ encrypts the user password information using the
MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the
packet type being sent (for example, an authentication packet), the packet sequence number, the
encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to
the TACACS+ server.
A TACACS+ server can provide authentication, authorization, and accounting functions. These services,
while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use
any or all of the three services.
When the TACACS+ server receives a packet, it does the following:
• Authenticates the user information and notifies the client that the login authentication has either
succeeded or failed.
• Notifies the client that authentication will continue and that the client must provide additional
information. This challenge-response process can continue through multiple iterations until login
authentication either succeeds or fails.
You can configure a TACACS+ key on the client and server. If you configure a key on a WAAS device,
it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers
use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key,
packets are not encrypted.
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local
authentication at the same time.
You can configure one primary and two backup TACACS+ servers; authentication is attempted on the
primary server first. If the primary server is unreachable, then authentication is attempted on the other
servers in the farm, in order. If authentication fails for any reason other than a server is unreachable,
authentication is not attempted on the other servers in the farm.
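The paragraph above, and the corresponding RADIUS paragraph earlier in this section, state the same server-farm rule: the next server is consulted only when the current one is unreachable, and a rejection from any server ends the attempt. The following Python model is an added illustration, not WAAS code, that runs constructed outcomes through that rule and through a method list ordered as the guide recommends (external methods first, local last). The only assumption beyond the text is the one the model labels: a method is passed over only when every server in it is unreachable, which is the fallback case the guide describes for the local method. No real AAA server is contacted.

```python
"""Model of the server-farm rule the guide gives for both RADIUS and TACACS+:
servers are tried in the configured order, the next server is consulted only
when the current one is unreachable, and an accept or reject from any server
ends the attempt. The method list then falls back to the next method (local
last) when a method's servers are all unreachable.

Added illustration, not WAAS code. The outcomes below are constructed and no
real AAA server is contacted."""

UNREACHABLE = "unreachable"  # no reply within the Time to Wait / retransmit budget
ACCEPT = "accept"
REJECT = "reject"


def authenticate_against_farm(servers, ask):
    """Walk the farm in order; skip unreachable servers only.

    ask(server) returns one of UNREACHABLE, ACCEPT, REJECT.
    Returns (decision, server): the server that decided, or None when every
    server in the farm was unreachable."""
    for server in servers:
        outcome = ask(server)
        if outcome == UNREACHABLE:
            continue            # farm failover: try the next server
        return outcome, server  # accept or reject ends the attempt here
    return UNREACHABLE, None


def authenticate_with_method_list(methods, ask):
    """methods: ordered list of (method_name, servers). The local method is
    modelled as one always-reachable pseudo-server named "local".
    Assumption for this model: a method is passed over only when all of its
    servers are unreachable, which is the fallback case the guide describes.
    Returns (decision, method_name, server)."""
    for name, servers in methods:
        decision, server = authenticate_against_farm(servers, ask)
        if decision == UNREACHABLE:
            continue            # whole farm down: fall through to the next method
        return decision, name, server
    return UNREACHABLE, None, None


# Constructed method list in the order the guide recommends: external methods
# first, local last.
METHODS = [
    ("radius", ["radius1.example.net", "radius2.example.net"]),
    ("tacacs+", ["tacacs1.example.net"]),
    ("local", ["local"]),
]

# Constructed outcomes: primary RADIUS server down, secondary rejects the
# user, TACACS+ would accept, local would accept.
PRIMARY_DOWN = {
    "radius1.example.net": UNREACHABLE,
    "radius2.example.net": REJECT,
    "tacacs1.example.net": ACCEPT,
    "local": ACCEPT,
}

# Constructed outcomes: every external server unreachable.
ALL_EXTERNAL_DOWN = {
    "radius1.example.net": UNREACHABLE,
    "radius2.example.net": UNREACHABLE,
    "tacacs1.example.net": UNREACHABLE,
    "local": ACCEPT,
}


def demo(outcomes):
    """Run the method list against a constructed outcome table."""
    return authenticate_with_method_list(METHODS, lambda server: outcomes[server])


if __name__ == "__main__":
    # The reject from radius2 ends the attempt: TACACS+ is never consulted.
    print(demo(PRIMARY_DOWN))
    # With every external server down, the local method still lets the admin in.
    print(demo(ALL_EXTERNAL_DOWN))
```

The first scenario is the one that surprises operators: a backup server that answers with a rejection is treated as an authoritative answer, so an account that exists only on the primary is denied while the primary is down. The second scenario is why the guide asks for the local method last rather than omitted.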
The TACACS+ database validates users before they gain access to a WAAS device. TACACS+ is derived
from the United States Department of Defense (RFC 1492) and is used by Cisco Systems as an additional
control of nonprivileged and privileged mode access. The WAAS software supports TACACS+ only and
not TACACS or Extended TACACS.
If you are using TACACS+ for user authentication, you can create WAAS user group names that match
the user groups that you have defined on the TACACS+ server. WAAS can then dynamically assign roles
and domains to users based on their membership in the groups defined on the TACACS+ server. (See the
“Working with Accounts” section on page 8-3.) You must specify associated group names for each user
in the TACACS+ configuration file, as follows:
user = tacusr1 {
    default service = permit
    service = exec
    {
        waas_rbac_groups = admin,groupname1,groupname2
        priv-lvl = 15
    }
    global = cleartext "tac"
}
For each user, list the groups they belong to in the waas_rbac_groups attribute, separating each group
from the next with a comma.
The dynamic assignment of roles and domains based on external user groups requires a TACACS+ server
that supports shell custom attributes. For example, these are supported in Cisco ACS 4.x and 5.1 and
later.
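Because a group listed in waas_rbac_groups assigns roles and domains only when a WAAS user group of the same name exists on the Central Manager, it is worth checking the TACACS+ side against the Central Manager side before relying on dynamic assignment. The following Python script is an added example, not part of the WAAS software, Cisco ACS or this guide: it parses user blocks in the tac_plus-style format shown above, extracts waas_rbac_groups and priv-lvl, and reports groups the Central Manager does not define. The second user (tacusr2) and the local group table are constructed for the illustration; tacusr1 is the guide's own sample.

```python
"""Parse the waas_rbac_groups attribute out of TACACS+ user definitions in the
tac_plus-style format shown in the guide, and report groups that have no
matching user group on the Central Manager (such groups assign nothing).

Added example, not WAAS or Cisco ACS code. The second user and the local
group table are constructed for the illustration."""
import re

# Sample configuration: the guide's tacusr1 plus a constructed tacusr2 whose
# "helpdesk" group is not defined on the Central Manager.
SAMPLE_CONFIG = """
user = tacusr1 {
    default service = permit
    service = exec
    {
        waas_rbac_groups = admin,groupname1,groupname2
        priv-lvl = 15
    }
    global = cleartext "tac"
}
user = tacusr2 {
    service = exec {
        waas_rbac_groups = groupname1 , helpdesk
        priv-lvl = 0
    }
}
"""

# Constructed table of user group names defined on the Central Manager.
LOCAL_GROUPS = frozenset({"admin", "groupname1", "groupname2"})

_USER_RE = re.compile(r"\buser\s*=\s*(\S+)\s*\{")
_GROUPS_RE = re.compile(r"waas_rbac_groups\s*=\s*([^\n]*)")
_PRIV_RE = re.compile(r"priv-lvl\s*=\s*(\d+)")


def _block_body(text, open_pos):
    """Text between the brace at open_pos and its matching closing brace."""
    depth = 0
    for i in range(open_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_pos + 1:i]
    raise ValueError("unbalanced braces in TACACS+ configuration")


def parse_users(config):
    """Map username -> {"groups": [...], "priv_lvl": int or None}."""
    users = {}
    for match in _USER_RE.finditer(config):
        body = _block_body(config, match.end() - 1)
        groups_match = _GROUPS_RE.search(body)
        priv_match = _PRIV_RE.search(body)
        groups = []
        if groups_match:
            groups = [g.strip() for g in groups_match.group(1).split(",") if g.strip()]
        users[match.group(1)] = {
            "groups": groups,
            "priv_lvl": int(priv_match.group(1)) if priv_match else None,
        }
    return users


def unknown_groups(config, local_groups=LOCAL_GROUPS):
    """username -> sorted groups named on the TACACS+ side that the Central
    Manager does not define, and which therefore assign nothing."""
    return {
        user: sorted(set(info["groups"]) - set(local_groups))
        for user, info in parse_users(config).items()
    }


if __name__ == "__main__":
    for user, info in parse_users(SAMPLE_CONFIG).items():
        print(user, info)
    print("unknown on Central Manager:", unknown_groups(SAMPLE_CONFIG))
```

Feed the script the real TACACS+ configuration and the group names as shown in the Central Manager's account pages; a non-empty list for a user means that user will log in with whatever the remaining groups grant, which may be nothing at all.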
Tip
The WAAS Central Manager does not cache user authentication information, so the user is
reauthenticated against the TACACS+ server for every request. To prevent performance degradation
caused by many authentication requests, install the WAAS Central Manager device in the same location
as the TACACS+ server, or as close as possible to it, to ensure that authentication requests can occur as
quickly as possible.
Configuring TACACS+ Server Settings
The WAAS software CLI EXEC mode allows you to set, view, and test system operations. The mode is
divided into two access levels: user and privileged. To access privileged-level EXEC mode, enter the
enable EXEC command at the user access level prompt and specify the admin password when prompted
for a password.
In TACACS+, the enable password feature allows an administrator to define a different enable password
per administrative-level user. If an administrative-level user logs in to the WAAS device with a
normal-level user account (privilege level of 0) instead of an admin or admin-equivalent user account
(privilege level of 15), that user must enter the admin password to access privileged-level EXEC mode.
WAE> enable
Password:
Note
This caveat applies even if the WAAS users are using TACACS+ for login authentication.
To centrally configure TACACS+ server settings on a WAAS device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > TACACS+. The TACACS+ Server Settings window appears.
Note
The TACACS+ server configuration cannot be modified or deleted when AAA Command
Authorization is enabled.
Step 3
Check the Use ASCII Password Authentication check box to use the ASCII password type for
authentication.
The default password type is PAP (Password Authentication Protocol). However, you can change the
password type to ASCII when the authentication packets are to be sent in ASCII cleartext format.
Step 4
In the Time to Wait field, specify how long the device should wait before timing out. The range is from
1 to 20 seconds. The default value is 5 seconds.
Step 5
In the Number of Retransmits field, specify the number of attempts allowed to connect to a TACACS+
server. The range is 1 to 3 times. The default value is 2 times.
Step 6
In the Security Word field, enter the secret key that is used to communicate with the TACACS+ server.
Note
If you configure a TACACS+ key on the WAAS device (the TACACS+ client), make sure that
you configure an identical key on the external TACACS+ server. Do not use the following
characters: space, backwards single quote (`), double quote ("), pipe (|), number sign (#),
question mark (?), or backslash (\). The key is limited to 32 characters.
Step 7
In the Primary Server field, enter an IP address or hostname for the primary TACACS+ server.
If you want to change the default port (49), enter the port in the Primary Server Port field.
Step 8
In the Secondary Server field, enter an IP address or hostname for a secondary TACACS+ server.
If you want to change the default port (49), enter the port in the Secondary Server Port field.
Step 9
In the Tertiary Server field, enter an IP address or hostname for a tertiary TACACS+ server.
If you want to change the default port (49), enter the port in the Tertiary Server Port field.
Note
You can specify up to two backup TACACS+ servers.
Step 10
Click Submit to save the settings.
You can now enable TACACS+ as an administrative login authentication and authorization method for
this WAAS device or device group, as described in the “Enabling Administrative Login Authentication
and Authorization Schemes for WAAS Devices” section on page 7-26.
To configure TACACS+ settings from the CLI, you can use the tacacs global configuration command.
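The notes under Step 6 here and under Step 5 of the RADIUS procedure each list characters that must not appear in the shared key, and the TACACS+ Security Word is further limited to 32 characters. The following Python script is an added example, not part of the WAAS software or of this guide: it checks a candidate key against both sets of rules and generates a random key from the remaining printable ASCII characters, so one secret can be pasted into the WAAS field and the server without being rejected or silently mangled by either side. The candidate keys below are constructed.

```python
"""Generate and check a shared secret that is valid for the RADIUS Shared
Encryption Key and the TACACS+ Security Word fields described in the guide.
The notes for both fields list characters that must not appear in the key;
the TACACS+ key is additionally limited to 32 characters.

Added example, not WAAS code; the candidate keys below are constructed."""
import secrets
import string

# Characters the guide says not to use, per protocol.
RADIUS_FORBIDDEN = frozenset(' `"|?')
TACACS_FORBIDDEN = frozenset(' `"|#?\\')
TACACS_MAX_LEN = 32

_RULES = {
    "radius": (RADIUS_FORBIDDEN, None),
    "tacacs+": (TACACS_FORBIDDEN, TACACS_MAX_LEN),
}


def key_problems(key, protocol):
    """Return a list of reasons the key is unusable for protocol (empty = OK)."""
    forbidden, max_len = _RULES[protocol.lower()]
    problems = []
    if not key:
        problems.append("empty key: the guide notes packets are then sent unencrypted")
    bad = sorted(set(key) & forbidden)
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    if max_len is not None and len(key) > max_len:
        problems.append("too long: %d > %d characters" % (len(key), max_len))
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in key):
        problems.append("control or non-ASCII characters present")
    return problems


def generate_key(protocol, length=TACACS_MAX_LEN):
    """Random key from printable ASCII minus the characters forbidden for protocol.
    Uses the secrets module, so the output is suitable for a real shared secret."""
    forbidden, max_len = _RULES[protocol.lower()]
    if max_len is not None and length > max_len:
        raise ValueError("%s keys are limited to %d characters" % (protocol, max_len))
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in forbidden]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def usable_for_both(key):
    """True when one key satisfies both the RADIUS and the TACACS+ rules, so it
    can be reused on a device that talks to both server types."""
    return not key_problems(key, "radius") and not key_problems(key, "tacacs+")


# Constructed candidates.
WEAK_KEY = 'tac key|"#'   # space, pipe, double quote, number sign
LONG_KEY = "A" * 40       # acceptable length for RADIUS, too long for TACACS+

if __name__ == "__main__":
    print("tacacs+ problems with WEAK_KEY:", key_problems(WEAK_KEY, "tacacs+"))
    print("radius problems with LONG_KEY:", key_problems(LONG_KEY, "radius"))
    print("tacacs+ problems with LONG_KEY:", key_problems(LONG_KEY, "tacacs+"))
    print("generated:", generate_key("tacacs+"))
```

Generating with the TACACS+ rules (the stricter set) yields a key that passes both checks, which is convenient when the same WAAS device is configured for RADIUS and TACACS+ servers maintained by the same team.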
Configuring Windows Domain Server Authentication Settings
A Windows domain controller can be configured to control access to the WAAS software services using
either a challenge/response or shared secret authentication method. The system administrator can log in
to the WAAS device by using an FTP, SSH, or Telnet session, the console, or the WAAS Central Manager
GUI with a single user account (username/password/privilege). RADIUS and TACACS+ authentication
schemes can be configured simultaneously with Windows domain authentication. Logging of a variety
of authentication login statistics can be configured when Windows domain authentication is enabled.
The log files and the statistical counters and related information can be cleared at any time.
In a WAAS network, Windows domain authentication is used in the following cases:
• Log in to the WAAS Central Manager GUI
• Log in to the WAE Device Manager GUI
• CLI configuration on any WAAS device
You can configure Windows authentication for the WAAS Central Manager device, a single WAAS
device, or a group of devices. To configure Windows domain authentication on a WAAS device, you
must configure a set of Windows domain authentication settings.
Note
Windows domain authentication is not performed unless a Windows domain server is configured on the
WAAS device. If the device is not successfully registered, authentication and authorization do not occur.
WAAS supports authentication by a Windows domain controller running only on Windows Server 2000,
Windows Server 2003, or Windows Server 2008.
If you are using NTLM authentication, the Windows domain server must be installed with the option to
support pre-Windows 2000 operating systems. (On the installation Permissions screen of the Windows
server dcpromo wizard, select “Permissions compatible with pre-Windows 2000 server operating
systems.”)
This section contains the following topics:
• Configuring Windows Domain Server Settings on a WAAS Device, page 7-17
• Unregistering a WAE from a Windows Domain Controller, page 7-22
Configuring Windows Domain Server Settings on a WAAS Device
You will need to know the name and IP address, or hostname, of the Windows domain controller that
will be used for authentication.
Note
If the Central Manager is version 4.2.3a or later and you want to configure the Windows domain settings
on a WAAS device that is running version 4.2.3 or 4.2.1, you cannot use the Windows Domain Server
Settings page on the Central Manager. You must use the windows-domain diagnostics net CLI
command as described following the procedure below.
To configure Windows Domain server settings on a WAAS device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > Windows User Authentication. The Windows User
Authentication window appears. (See Figure 7-4.)
Note
Workgroup settings are only required for Windows domain authentication, not for a domain join.
You may skip the workgroup settings if you are only performing a domain join.
Figure 7-4 Windows User Authentication
Step 3
In the Windows group for authorizing normal users field, specify an administrative group for normal
users (non-superuser administrators), who only have restricted access to the chosen device (or device
group) because their administrator user account has a privilege level of 0.
Note
By default, there are no predefined user groups for Windows domain authorization configured
on a WAE.
Step 4
In the Windows group for authorizing super users field, specify an administrative group for superusers
(superuser administrators), who have unrestricted access to the chosen device (or device group) because
their administrator user account has a privilege level of 15.
Note
In addition to configuring the Windows domain administrative group on a WAE, you must configure
the Windows domain administrative group on your Microsoft Windows 2000 or 2003 server. You
must create a Windows Domain administrative superuser group and a normal user group. Make
sure that the group scope for the superuser group is set to global, assign user members to the newly
created administrative group, and add the user account (for example, the winsuper user) to the
Windows domain superuser group. For more information about how to configure the Windows
domain administrative group on your Windows server, see your Microsoft documentation.
When a user attempts to access this WAE through a Telnet session, FTP, or SSH session, the WAE is now
configured to use the Active Directory user database to authenticate a request for administrative access.
Step 5
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 6
Choose Configure > Security > Windows Domain > Domain Settings. The Windows Domain tab
appears. (See Figure 7-5.)
Figure 7-5
Windows Domain Tab
Note
If the related WINS server and the workgroup or domain name have not been defined for the
chosen device (or device group), an informational message is displayed at the top of this window
to inform you that these related settings are currently not defined, as shown in Figure 7-5. To
define these settings, choose Configure > Network > WINS.
Domain name, DNS server, and NTP configuration are mandatory prerequisites for the Windows
domain join. For full AAA functionality, the workgroup and WINS server must also be configured.
The NetBIOS name need not be configured for the Windows domain join. If left unconfigured, the first
15 characters of the hostname are automatically assigned as the NetBIOS name during the join.
Step 7
Select the Domain Name from the drop-down list or click Create New to create a new Local Domain
Name.
Step 8
Select Kerberos or NTLM as the shared secure authentication method for administrative logins to the
chosen device (or device group). The default authentication protocol is Kerberos.
Note
Windows domain user login authentication using the NTLM protocol is deprecated from this release
onwards. We recommend using the Kerberos protocol for windows-domain user login
authentication.
You must use the Kerberos protocol for encrypted MAPI acceleration.
Click the Auto Detect The Parameters button when using Kerberos to automatically obtain the Kerberos
realm, Kerberos server, and domain controller. Domain, DNS, and NTP parameters must be configured
first. This option is not supported with NTLM.
Once the device has been queried for the parameters, a status message is displayed on the screen
indicating either success or failure. The process may not be immediate, and the status message does not
appear until the auto detection process has completed.
When successful, the parameters can be reviewed and edited, if required. Once the parameters have been
reviewed, the values can then be submitted.
If the auto detection fails, you will need to check the configured domain/DNS configuration and enter
them manually. The values can then be submitted.
Kerberos version 5 is used for Windows systems running Windows 2000 or higher with users
logging in to domain accounts.
Note
For Kerberos, skip the next step.
Step 9
For NTLM, select version 1 or version 2 from the drop-down list. NTLM version 1 is selected by default.
NTLM cannot be used for encrypted MAPI acceleration.
Note
• NTLM version 1 is used for all Windows systems, including legacy systems such as Windows 98
with Active Directory, Windows NT, and more recent Windows systems, such as Windows 2000,
Windows XP, and Windows 2003. We recommend the use of Kerberos if you are using a
Windows 2000 SP4 or Windows 2003 domain controller.
• NTLM version 2 is used for Windows systems running Windows 98 with Active Directory,
Windows NT 4.0 (Service Pack 4 or higher), Windows XP, Windows 2000, and Windows 2003.
Enabling NTLM version 2 support on the WAAS print server will not allow access to clients who
use NTLM or LM.
Caution
Enable NTLM version 2 support in the print server only if all the clients’ security policy has
been set to Send NTLMv2 responses only/Refuse LM and NTLM.
Skip the next step.
Step 10
In the Kerberos Realm field, enter the fully qualified name of the realm in which the WAAS device
resides. In the Key Distribution Center field, enter the fully qualified name or the IP address of the
distribution center for the Kerberos key. If you clicked the Auto Detect The Parameters button when you
selected the Kerberos authentication method, these fields are already populated.
All Windows 2000 domains are also Kerberos realms. Because the Windows 2000 domain name is also
a DNS domain name, the Kerberos realm name for the Windows 2000 domain name is always in
uppercase letters. This capitalization follows the recommendation for using DNS names as realm names
in the Kerberos Version 5 protocol document (RFC-4120) and affects only interoperability with other
Kerberos-based environments.
Step 11
In the Domain Controller field, enter the name of the Windows Domain Controller.
When you click Submit, the Central Manager validates this name by requesting the WAAS device (if
version 4.2.x or later) to resolve the domain controller name. If the domain controller is not resolvable,
you are asked to submit a valid name. If the device is offline, you are asked to verify device connectivity.
If you are configuring a device group, the domain controller name is not validated on each device before
this page is accepted and if it is not resolvable on a device, the configuration changes on this page are
not applied to that device.
Step 12
Click Submit.
Note
Make sure that you click Submit now so that the specified changes are committed to the WAAS
Central Manager database. The Domain Administrator’s username and password, which you will
enter in Step 13, are not stored in the WAAS Central Manager’s database.
Step 13
Register the chosen device (or device group) with the Windows Domain Controller as follows:
a.
Click the Domain Join tab. (See Figure 7-6.)
Figure 7-6
Domain Join Tab
b.
In the User Name field, enter a username (the domain\username or the domain name plus the
username) for the specified Windows Domain Controller. This must be the username and password
of a user who has administrative privileges in Active Directory (permission to add a computer to a
domain).
For NTLM, the user credentials can be any normal user belonging to the Domain Users group. For
Kerberos, the user credentials must be a user that belongs to the Domain Admins group, but need
not be the system default Administrator user.
Note
To use Windows domain server authentication, the WAAS device must join the Windows
domain. For registration, you will need a user credential with permission to join a machine
to the Windows domain. The user credential used for registration is not shown in clear text
anywhere, including log files. WAAS does not modify the structure or schema of Windows
Active Directory.
Note
A domain join is required for encrypted MAPI acceleration using a machine account.
c.
In the Password field, enter the password of the specified Windows Domain Controller account.
d.
In the Confirm password field, reenter the password of the specified Windows Domain Controller.
e.
(Optional) If desired, enter the name of the organizational unit in the Organizational Unit field (for
Kerberos authentication only).
f.
Click the Join button.
Note
When you click the Join button, the WAAS Central Manager immediately sends a
registration request to the WAAS device (or all of the devices in the device group) using SSH
(the specified domain administrator password is encrypted by SSH). The registration request
instructs the device to perform domain registration with the specified Windows Domain
Controller using the specified domain username and password. If the device is accessible (if
it is behind a NAT and has an external IP address), the registration request is performed by
the device (or device group).
g.
To check the status of the registration request, click the Show Join Status button.
The status of domain join for the device (or all of the devices in the device group) is shown. It may
take a few moments for the results to be updated.
h.
If the join request fails, the result is shown in the join status window. Wait a few more minutes and
try again to see the updated authentication status.
If the request succeeds, the domain registration status is shown in the Domain Join Status window.
After configuring the Windows domain settings, to complete the process of enabling Windows
authentication, you must set Windows as the authentication and authorization method for the device by
using the Authentication Methods window, as described in the “Enabling Administrative Login
Authentication and Authorization Schemes for WAAS Devices” section on page 7-26.
We recommend that you use the WAAS Central Manager GUI instead of the WAAS CLI to configure
Windows Domain server settings, but if you want to use the CLI, see the following commands in the
Cisco Wide Area Application Services Command Reference: windows-domain join and kerberos (if you
are using Kerberos as a shared secure authentication method).
Next, register the WAAS device with the Windows domain server that you configured, by using the
following command:
WAE# windows-domain join domain-name DomainName user UserName password Password
Finally, enable Windows Domain as the administrative login authentication and authorization
configuration by using the following commands:
WAE(config)# authentication login windows-domain enable primary
WAE(config)# authentication configuration windows-domain enable primary
Unregistering a WAE from a Windows Domain Controller
If you want to unregister a WAE device from a Windows domain controller, you can do that directly from
the WAAS Central Manager, as long as you have used the Kerberos shared secure authentication method.
If you have used the NTLM method, you cannot unregister the WAE by using the WAAS Central
Manager; you must log into the domain controller and remove the device registration manually.
Before you can unregister a device, you must disable windows authentication for the device.
To unregister a WAE device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > Authentication Methods. The Authentication and
Authorization Methods window appears. (See Figure 7-7 on page 7-28.)
Step 3
Under both the Authentication Login Methods and the Authorization Methods sections, change each of
the drop-down lists that are set to WINDOWS so that they are set to something different. For more
information about changing these settings, see the “Enabling Administrative Login Authentication and
Authorization Schemes for WAAS Devices” section on page 7-26.
Step 4
Click Submit to save the settings.
Step 5
Choose Configure > Security > Windows Domain > Domain Settings and click the Domain Join tab.
Step 6
(Optional) Enter the administrative username and password in the Administrator Username, Password,
and Confirm Password fields. It is not mandatory to enter the username and password, but in some cases,
the domain controller requires them to perform the unregistration.
Step 7
Click the Leave button.
Note
When you click the Leave button, the WAAS Central Manager immediately sends an
unregistration request to the WAAS device (or device group) using SSH. The unregistration
request instructs the device to unregister from the specified Windows Domain Controller.
A request to unregister the device is not allowed when encrypted MAPI is configured to use
machine accounts. You must delete the machine account identity before proceeding with the
leave.
Step 8
Check the status of the unregistration request by waiting a few minutes and clicking the Show Join
Status button.
If you want to use the CLI to unregister a WAE device, you must first use the following commands to
disable windows authentication:
WAE(config)# no authentication login windows-domain enable
WAE(config)# no authentication configuration windows-domain enable
Next, unregister the WAAS device from the Windows domain server by using the following command
(for Kerberos authentication):
WAE# windows-domain leave user UserName password Password
There is no CLI command to unregister the WAAS device if it is using NTLM authentication.
LDAP Server Signing
LDAP server signing is a configuration option of the Microsoft Windows Server’s Network security
settings. This option controls the signing requirements for Lightweight Directory Access Protocol
(LDAP) clients. LDAP signing is used to verify that an intermediate party did not tamper with the LDAP
packets on the network and to guarantee that the packaged data comes from a known source. Windows
Server 2003 administration tools use LDAP signing to secure communications between running
instances of these tools and the servers that they administer.
By using the Transport Layer Security (TLS, RFC 2830) protocol to provide communications privacy
over the Internet, client/server applications can communicate in a way that prevents eavesdropping,
tampering, or message forging. TLS v1 is similar to Secure Sockets Layer (SSL). TLS offers the same
encryption on regular LDAP connections (ldap://:389) as SSL, while operating on a secure connection
(ldaps://:636). A server certificate is used by the TLS protocol to provide a secure, encrypted connection
to the LDAP server. A client certificate and key pair are required for client authentication.
In the WAAS software, login authentication with Windows 2003 domains is supported when the LDAP
server signing requirements option for the Domain Security Policy is set to “Require signing.” The
LDAP server signing feature allows the WAE to join the domain and authenticate users securely.
Note
When you configure your Windows domain controller to require an LDAP signature, you must also
configure LDAP signing on the client WAE. By not configuring the client to use LDAP signatures,
communication with the server is affected, and user authentication, group policy settings, and logon
scripts might fail. Install the Certification Authority service on the Microsoft server with the server’s
certificate (Programs > Administrative Tools > Certification Authority). Enable the LDAP server
signing requirements property on the Microsoft server (Start > Programs > Administrative Tools >
Domain Controller Security Policy). In the displayed window, choose Require signing from the
drop-down list, and click OK.
For information about how to configure your Windows domain controller to require an LDAP signature,
see your Microsoft documentation.
This section contains the following topics:
• Configuring LDAP Signing on the Client WAEs, page 7-24
• Disabling LDAP Server Signing on a Client WAE, page 7-25
Configuring LDAP Signing on the Client WAEs
You can configure a security setting on Windows 2003 domain controllers to require clients (such as
WAEs) to sign LDAP requests. Because unsigned network traffic can be intercepted and manipulated by
outside parties, some organizations require LDAP server signing to prevent man-in-the-middle attacks
on their LDAP servers. You can only configure LDAP signing on a single WAE; it cannot be configured
at a system level. In addition, you must configure LDAP signing on a WAE through the WAAS CLI; you
cannot configure LDAP signing through any of the WAAS GUIs (either the WAAS Central Manager GUI
or the WAE Device Manager GUI).
By default, LDAP server signing is disabled on a WAE. To enable this feature on a WAE, follow these
steps:
Step 1
Enable LDAP server signing on the WAE:
WAE# configure
WAE(config)# smb-conf section "global" name "ldap ssl" value "yes"
Step 2
Save the configuration on the WAE:
WAE(config)# exit
WAE# copy run start
Step 3
Check the current running LDAP client configuration on the WAE:
WAE# show smb-conf
Step 4
Register the WAE with the Windows domain:
WAE# windows-domain diagnostics net "ads join -U username%password"
Step 5
Enable user login authentication on the WAE:
WAE# configure
WAE(config)# authentication login windows-domain enable primary
Step 6
Enable user login authorization on the WAE:
WAE(config)# authentication configuration windows-domain enable primary
Step 7
Check the current configuration for login authentication and authorization on the WAE:
WAE# show authentication user
Login Authentication:                  Console/Telnet/Ftp/SSH Session
-----------------------------          -----------------------------
local                                  enabled (secondary)
Windows domain                         enabled (primary)
Radius                                 disabled
Tacacs+                                disabled
Configuration Authentication:          Console/Telnet/Ftp/SSH Session
-----------------------------          -----------------------------
local                                  enabled (primary)
Windows domain                         enabled (primary)
Radius                                 disabled
Tacacs+                                disabled
The WAE is now configured to authenticate Active Directory users. Active Directory users can use
Telnet, FTP, or SSH to connect to the WAE or they can access the WAE through the WAAS GUIs (WAAS
Central Manager GUI or the WAE Device Manager GUI).
Step 8
View statistics that are related to Windows domain user authentication. Statistics increment after each
user authentication attempt:
WAE# show statistics windows-domain
Windows Domain Statistics
----------------------------------------------
Authentication:
  Number of access requests:                    9
  Number of access deny responses:              3
  Number of access allow responses:             6
Authorization:
  Number of authorization requests:             9
  Number of authorization failure responses:    3
  Number of authorization success responses:    6
Accounting:
  Number of accounting requests:                0
  Number of accounting failure responses:       0
  Number of accounting success responses:       0
WAE# show statistics authentication
Authentication Statistics
-------------------------------------
Number of access requests:        9
Number of access deny responses:  3
Number of access allow responses: 6
Step 9
Use the clear statistics EXEC command to clear the statistics on the WAE:
• To clear all of the login authentication statistics, enter the clear statistics authentication EXEC
command.
• To clear only the statistics that are related to Windows domain authentication, enter the clear
statistics windows-domain EXEC command.
• To clear all of the statistics, enter the clear statistics all EXEC command.
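The show authentication user output in Step 7 can be checked mechanically against the guidance in this chapter (local enabled and last in the chain, and the login and configuration orders matching). The following Python is an added example, not Cisco code from the guide; both sample outputs are constructed, the first with the values shown in Step 7 above and the second with the order the guide recommends.

```python
import re

RANKS = ("primary", "secondary", "tertiary", "quaternary")

# Constructed sample: the values shown in the 'show authentication user' output above.
SAMPLE_AS_SHOWN = """\
Login Authentication:                  Console/Telnet/Ftp/SSH Session
-----------------------------          -----------------------------
local                                  enabled (secondary)
Windows domain                         enabled (primary)
Radius                                 disabled
Tacacs+                                disabled
Configuration Authentication:          Console/Telnet/Ftp/SSH Session
-----------------------------          -----------------------------
local                                  enabled (primary)
Windows domain                         enabled (primary)
Radius                                 disabled
Tacacs+                                disabled
"""

# Constructed sample following the order the guide recommends for both chains.
SAMPLE_RECOMMENDED = """\
Login Authentication:                  Console/Telnet/Ftp/SSH Session
-----------------------------          -----------------------------
local                                  enabled (quaternary)
Windows domain                         enabled (tertiary)
Radius                                 enabled (primary)
Tacacs+                                enabled (secondary)
Configuration Authentication:          Console/Telnet/Ftp/SSH Session
-----------------------------          -----------------------------
local                                  enabled (quaternary)
Windows domain                         enabled (tertiary)
Radius                                 enabled (primary)
Tacacs+                                enabled (secondary)
"""

# One method row: "<method>   enabled (<rank>)" or "<method>   disabled".
ROW_RE = re.compile(r"^(local|Windows domain|Radius|Tacacs\+)\s+(?:enabled \((\w+)\)|(disabled))\s*$")


def parse_authentication_user(text):
    """Return ({'login': {rank: method}, 'configuration': {rank: method}}, anomalies)."""
    chains = {"login": {}, "configuration": {}}
    anomalies = []
    section = None
    for line in text.splitlines():
        if line.startswith("Login Authentication:"):
            section = "login"
            continue
        if line.startswith("Configuration Authentication:"):
            section = "configuration"
            continue
        m = ROW_RE.match(line)
        if m is None or section is None:
            continue  # dashed rules, blank lines, anything before the first section
        method, rank, disabled = m.groups()
        if disabled:
            continue
        if rank not in RANKS:
            anomalies.append(f"{section}: unknown rank '{rank}' for {method}")
        elif rank in chains[section]:
            # Two methods claiming the same slot: the effective order is ambiguous.
            anomalies.append(f"{section}: rank {rank} assigned to both "
                             f"{chains[section][rank]} and {method}")
        else:
            chains[section][rank] = method
    return chains, anomalies


def ordered_methods(chain):
    """Methods in priority order, e.g. ['Radius', 'Tacacs+', 'Windows domain', 'local']."""
    return [chain[r] for r in RANKS if r in chain]


def check_guidance(text):
    """Apply the chapter's guidance to one output; an empty list means nothing to report."""
    chains, findings = parse_authentication_user(text)
    orders = {name: ordered_methods(chain) for name, chain in chains.items()}
    for name, order in orders.items():
        if not order:
            findings.append(f"{name}: no method enabled")
        elif "local" not in order:
            findings.append(f"{name}: local not enabled; lockout if external servers are unreachable")
        elif order[-1] != "local":
            findings.append(f"{name}: local should be the last method, order is {order}")
    if orders["login"] != orders["configuration"]:
        findings.append(f"login order {orders['login']} differs from "
                        f"configuration order {orders['configuration']}")
    return findings


if __name__ == "__main__":
    for label, sample in (("as shown", SAMPLE_AS_SHOWN), ("recommended", SAMPLE_RECOMMENDED)):
        print(label, check_guidance(sample) or ["OK"])
```

Run against real output pasted from a WAE, an empty list means the chain follows the chapter's recommendations; the first sample reports both the duplicate primary slot and the mismatch between the two chains.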
Disabling LDAP Server Signing on a Client WAE
To disable LDAP server signing on a WAE, follow these steps:
Step 1
Unregister the WAE from the Windows domain:
WAE# windows-domain diagnostics net "ads leave -U Administrator"
Step 2
Disable user login authentication:
WAE# configure
WAE(config)# no authentication login windows-domain enable primary
Step 3
Disable LDAP signing on the WAE:
WAE(config)# no smb-conf section "global" name "ldap ssl" value "yes"
Enabling Administrative Login Authentication and Authorization Schemes for
WAAS Devices
This section describes how to centrally enable the various administrative login authentication and
authorization schemes (the authentication configuration) for a WAAS device or device group.
Caution
Make sure that RADIUS, TACACS+, or Windows domain authentication is configured and operating
correctly before disabling local authentication and authorization. If you disable local authentication and
if RADIUS, TACACS+, or Windows domain authentication is not configured correctly, or if the
RADIUS, TACACS+, or Windows domain server is not online, you may be unable to log in to the WAAS
device.
By default, a WAAS device uses the local database to authenticate and authorize administrative login
requests. The WAAS device verifies whether all authentication databases are disabled and if so, sets the
system to the default state. For information on this default state, see the “Default Administrative Login
Authentication and Authorization Configuration” section on page 7-4.
Note
You must configure the TACACS+, or RADIUS, or Windows server settings for the WAAS device (or
device group) before you configure and submit these settings. See the “About TACACS+ Server
Authentication Settings” section on page 7-14, the “Configuring RADIUS Server Authentication
Settings” section on page 7-12, and the “Configuring Windows Domain Server Authentication Settings”
section on page 7-17 for information on how to configure these server settings on a WAAS device or
device group.
By default, WAAS devices fail over to the secondary method of administrative login authentication
whenever the primary administrative login authentication method fails for any reason. You change this
default login authentication failover method through the WAAS Central Manager GUI, as follows:
• To change the default for a WAAS device, choose Devices > device-name and then choose
Configure > Security > AAA > Authentication Methods from the menu. Check the Failover to
next available authentication method box in the displayed window and click Submit.
• To change the default for a device group, choose Device Groups > device-group-name and then
choose Configure > Security > AAA > Authentication Methods from the menu. Check the
Failover to next available authentication method box in the displayed window and click Submit.
After you enable the failover to next available authentication method option, the WAAS device (or the
devices in the device group) queries the next authentication method only if the administrative login
authentication server is unreachable, not if authentication fails for some other reason. The authentication
server could be unreachable due to an incorrect key in the RADIUS or TACACS+ settings on the WAAS
device.
You can configure multiple TACACS+ or RADIUS servers; authentication is attempted on the primary
server first. If the primary server is unreachable, then authentication is attempted on the other servers in
the TACACS+ or RADIUS farm, in order. If authentication fails for any reason other than a server is
unreachable, authentication is not attempted on the other servers in the farm. This process applies
regardless of the setting of the Failover to next available authentication method check box.
Note
To use the login authentication failover feature, you must set TACACS+, RADIUS, or Windows
domain as the primary login authentication method, and local as the secondary login
authentication method.
If the failover to next available authentication method option is enabled, follow these guidelines:
• You can configure only two login authentication schemes (a primary and secondary scheme) on the
WAAS device.
• Note that the WAAS device (or the devices in the device group) fails over from the primary
authentication scheme to the secondary authentication scheme only if the specified authentication
server is unreachable.
• Configure the local database scheme as the secondary scheme for both authentication and
authorization (configuration).
For example, if the failover to next available authentication method option is enabled and RADIUS is
set as the primary login authentication scheme and local is set as the secondary login authentication
scheme, the following events occur:
1. When the WAAS device (or the devices in the device group) receives an administrative login request,
it queries the external RADIUS authentication server.
2. One of the following occurs:
a. If the RADIUS server is reachable, the WAAS device (or the devices in the device group) uses
this RADIUS database to authenticate the administrator.
b. If the RADIUS server is not reachable, the WAAS device (or the devices in the device group)
tries the secondary authentication scheme (that is, it queries its local authentication database)
to authenticate the administrator.
Note
The local database is contacted for authentication only if this RADIUS server is not available.
In any other situation (for example, if the authentication fails in the RADIUS server), the local
database is not contacted for authentication.
Conversely, if the failover to next available authentication method option is disabled, then the WAAS
device (or the devices in the device group) contacts the secondary authentication database regardless of
the reason why the authentication failed with the primary authentication database.
If all the authentication databases are enabled for use, then all the databases are queried in the order of
priority selected and based on the failover reason. If no failover reason is specified, then all the databases
are queried in the order of their priority. For example, first the primary authentication database is
queried, then the secondary authentication database is queried, then the tertiary database is queried, and
finally the quaternary authentication database is queried.
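The failover rules above, modelled in Python as an added example (not WAAS code): each method has a farm of servers that is walked only while the current server is unreachable, and the method chain itself moves on either only on "unreachable" (the Failover to next available authentication method box checked) or on any failure (the box unchecked). Server names and credentials are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    ALLOW = "allow"                # server reachable, credentials accepted
    DENY = "deny"                  # server reachable, credentials rejected
    UNREACHABLE = "unreachable"    # no answer (server down, wrong shared key, ...)


@dataclass
class Server:
    name: str
    reachable: bool
    users: dict                    # constructed username -> password table

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.UNREACHABLE
        return Result.ALLOW if self.users.get(user) == password else Result.DENY


@dataclass
class Method:
    name: str                      # "RADIUS", "TACACS+", "Windows domain" or "local"
    servers: list                  # the farm, in configured order

    def query(self, user, password):
        """Walk the farm; the next server is tried only while the current one is unreachable."""
        result = Result.UNREACHABLE
        for server in self.servers:
            result = server.authenticate(user, password)
            if result is not Result.UNREACHABLE:
                break              # a DENY from a reachable server ends the farm walk
        return result


def login(methods, user, password, failover_only_if_unreachable):
    """Walk the prioritized chain (primary, secondary, ...).

    failover_only_if_unreachable=True models the check box being checked: a DENY
    is final and only UNREACHABLE falls through to the next method. False models
    the box unchecked: any failure falls through.
    Returns (allowed, trail) where trail lists (method name, result) per query.
    """
    trail = []
    for method in methods:
        result = method.query(user, password)
        trail.append((method.name, result))
        if result is Result.ALLOW:
            return True, trail
        if result is Result.DENY and failover_only_if_unreachable:
            return False, trail
    return False, trail


def build_chain(radius1_up, radius2_up):
    """RADIUS primary (two-server farm) with local secondary; all values constructed."""
    radius = Method("RADIUS", [
        Server("radius-1", radius1_up, {"admin": "radius-pw"}),
        Server("radius-2", radius2_up, {"admin": "radius-pw"}),
    ])
    local = Method("local", [Server("local-db", True, {"admin": "local-pw"})])
    return [radius, local]


if __name__ == "__main__":
    # Box checked, first RADIUS server down: radius-2 answers DENY, local is never asked.
    print(login(build_chain(False, True), "admin", "local-pw", True))
    # Box checked, whole farm down: the chain falls through to local.
    print(login(build_chain(False, False), "admin", "local-pw", True))
    # Box unchecked: a RADIUS DENY still falls through to local.
    print(login(build_chain(True, True), "admin", "local-pw", False))
```

The first case is the one that surprises operators: a password that only the local database knows is rejected while the box is checked, because a reachable RADIUS server's DENY is final.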
To specify the login authentication and authorization scheme for a WAAS device or device group, follow
these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > Authentication Methods. The Authentication and
Authorization Methods window appears. (See Figure 7-7.)
Figure 7-7
Authentication and Authorization Methods Window
Step 3
Check the Failover to next available authentication method check box to query the secondary
authentication database only if the primary authentication server is unreachable. When the box is
unchecked, the other authentication methods are tried if the primary method fails for any reason.
To use this feature, you must set TACACS+, RADIUS, or Windows domain as the primary authentication
method and local as a secondary authentication method. Make sure that you configure the local method
as a secondary scheme for both authentication and authorization (configuration).
Step 4
Check the Authentication Login Methods check box to enable authentication privileges using the local,
TACACS+, RADIUS, or WINDOWS databases.
Step 5
Specify the order of the login authentication methods that the chosen device or device group are to use:
a.
From the Primary Login Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the first method that the chosen device (or the device group)
should use for administrative login authentication.
b.
From the Secondary Login Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the method that the chosen device (or the device group) should
use for administrative login authentication if the primary method fails.
c.
From the Tertiary Login Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the method that the chosen device (or the device group) should
use for administrative login authentication if both the primary and the secondary methods fail.
d.
From the Quaternary Login Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the method that the chosen device (or device group) should use
for administrative login authentication if the primary, secondary, and tertiary methods all fail.
Note
We strongly recommend that you specify the local method as the last method in your prioritized
list of login authentication and authorization methods. By adhering to this practice, the WAAS
administrator will be able to still log in to a WAAS device (or the devices in the device groups)
through the local authentication and authorization method if the specified external third-party
servers (TACACS+, RADIUS, or Windows domain servers) are not reachable.
Step 6
Check the Authorization Methods check box to enable authorization privileges using the local,
TACACS+, RADIUS, or WINDOWS databases.
Note
Authorization privileges apply to console and Telnet connection attempts, secure FTP (SFTP)
sessions, and Secure Shell (SSH, Version 1 and Version 2) sessions.
Step 7
Specify the order of the login authorization (configuration) methods that the chosen device (or the device
group) should use:
Note
We strongly recommend that you set the administrative login authentication and authorization
methods in the same order. For example, configure the WAAS device (or device group) to use
RADIUS as the primary login method, TACACS+ as the secondary login method, Windows as
the tertiary method, and the local method as the quaternary method for both administrative login
authentication and authorization.
a.
From the Primary Configuration Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the first method that the chosen device (or the device group)
should use to determine authorization privileges.
Note
If you have checked the Failover to next available authentication method check box
(Step 3), make sure that you choose TACACS+ or RADIUS from the Primary Configuration
Method drop-down list to configure either the TACACS+ or RADIUS method as the primary
scheme for authorization (configuration).
b.
From the Secondary Configuration Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the method that the chosen device (or the device group) should
use to determine authorization privileges if the primary method fails.
Note
If you have checked the Failover to next available authentication method check box
(Step 3), make sure that you choose local from the Secondary Configuration Method
drop-down list to configure the local method as the secondary scheme for authorization
(configuration).
c.
From the Tertiary Configuration Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the method that the chosen device (or the device group) should
use to determine authorization privileges if both the primary and secondary methods fail.
d.
From the Quaternary Configuration Method drop-down list, choose local, TACACS+, RADIUS, or
WINDOWS. This option specifies the method that the chosen device (or device group) should use
to determine authorization privileges if the primary, secondary, and tertiary methods all fail.
Step 8
To refresh the authentication status, check the box and click the Show Windows Authentication Status
button. This option is only available when Windows is set as the authentication and authorization
method.
A dialog box appears prompting if you want to continue with this request to refresh the status of the
authentication request. (See Figure 7-8.)
Figure 7-8 Confirmation Dialog Box
Click OK to continue or Cancel to cancel the request.
If the request fails, you will receive an error dialog. Wait a few more minutes and try again to see the
updated authentication status.
Step 9
Click Submit to save the settings.
Note
If you have enabled the Windows authentication or authorization method, the Central Manager
queries the WAE (of version 4.2.1 or higher) to ensure that it is registered to a Windows domain.
This can take up to one minute after you click Submit. You will see a message asking you to
confirm this process and you must click OK to proceed. If you are configuring a WAE of version
4.1.x or lower, or a device group, the Central Manager does not query the WAE(s) and you must
ensure that each WAE is properly registered. You will see a message informing you that system
behavior is unknown (if a WAE is unregistered) and you must click OK to proceed.
Note
If you have enabled the Windows authentication method, it takes about 15 seconds to activate it. Wait at
least 15 seconds before checking Windows authentication status or performing any operation that
requires Windows authentication.
To configure the login authentication and authorization scheme from the CLI, you can use the
authentication global configuration command. Before you can enable Windows domain authentication
or authorization for a device, the device must be registered with the Windows domain controller.
Configuring AAA Command Authorization
Command authorization enforces authorization through an external AAA server for each command
executed by the CLI user. All commands executed by a CLI user are authorized before they are executed.
RADIUS, Windows domain, and local users are not affected.
Note
Only commands executed through the CLI interface are subject to command authorization.
When command authorization is enabled, you must specify "permit null" on the TACACS+ server to
allow authorized commands with no arguments to be executed.
To configure command authorization for a WAAS device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > Command Authorization Settings. The Command
Authorization window appears.
Step 3
Check the Command Authorization Level check box for the desired level.
• Level 0—Only EXEC commands are authorized by the TACACS+ server before they are executed,
regardless of user level (normal or super). Global configuration commands are not allowed.
• Level 15—Both EXEC and global configuration level commands are authorized by the TACACS+
server before they are executed, regardless of user level (normal or super).
Note
You must have a TACACS+ server configured before you can configure command authorization.
Step 4
Click Submit to save the settings.
Configuring AAA Accounting for WAAS Devices
Accounting tracks all user actions and when the actions occurred. It can be used for an audit trail or for
billing for connection time or resources used (bytes transferred). Accounting is disabled by default.
The WAAS accounting feature uses TACACS+ server logging. Accounting information is sent to the
TACACS+ server only, not to the console or any other device. The syslog file on the WAAS device logs
accounting events locally. The format of events stored in the syslog is different from the format of
accounting messages.
The TACACS+ protocol allows effective communication of AAA information between WAAS devices
and a central server. It uses TCP for reliable connections between clients and servers. WAAS devices
send authentication and authorization requests, as well as accounting information to the
TACACS+ server.
Note
Before you can configure the AAA accounting settings for a WAAS device, you must first configure the
TACACS+ server settings for the WAAS device. (See the “About TACACS+ Server Authentication
Settings” section on page 7-14.)
Note
If you enable AAA accounting for a device, we strongly recommend that you create an IP ACL
condition in the first entry position permitting access to the TACACS+ servers to avoid delay while
processing the commands. For information on IP ACLs, see Chapter 9, “Creating and Managing IP
Access Control Lists for WAAS Devices.”
To centrally configure AAA accounting settings for a WAAS device or device group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > AAA Accounting. The AAA Accounting Settings window
appears.
Step 3
From the System Events drop-down list, choose a keyword to specify when the chosen device (or the
device group) should track system-level events that are not associated with users, such as reloads, and
to activate accounting for system events.
Step 4
From the Exec Shell and Login/Logout Events drop-down list, choose a keyword to specify when the
chosen device (or the device group) should track EXEC shell and user login and logout events and to
activate accounting for EXEC mode processes. Reports include username, date, start and stop times, and
the WAAS device IP address.
Step 5
From the Normal User Commands drop-down list, choose a keyword to specify when the chosen device
(or the device group) should track all the commands at the normal user privilege level (privilege level 0)
and to activate accounting for all commands at the non-superuser administrative (normal user) level.
Step 6
From the Administrative User Commands drop-down list, choose a keyword to specify when the
chosen device (or the device group) should track all commands at the superuser privilege level (privilege
level 15) and to activate accounting for all commands at the superuser administrative user level.
Caution
Before using the wait-start option, ensure that the WAAS device is configured with the TACACS+
server and is able to successfully contact the server. If the WAAS device cannot contact a configured
TACACS+ server, it might become unresponsive.
Table 7-2 describes the event type options.
Table 7-2 Event Types for AAA Accounting
GUI Parameter: Event Type Options
Function:
stop-only
The WAAS device sends a stop record accounting notice at the end of the specified activity or event
to the TACACS+ accounting server.
start-stop
The WAAS device sends a start record accounting notice at the beginning of an event and a stop
record at the end of the event to the TACACS+ accounting server. The start accounting record is sent
in the background. The requested user service begins regardless of whether or not the start
accounting record was acknowledged by the TACACS+ accounting server.
wait-start
The WAAS device sends both a start and a stop accounting record to the TACACS+ accounting
server. However, the requested user service does not begin until the start accounting record is
acknowledged. A stop accounting record is also sent.
Do Not Set
Accounting is disabled for the specified event.
Step 7
Check the Enable CMS CLI Accounting check box to enable AAA accounting to TACACS+ server.
Step 8
Click Submit to save the settings.
To configure AAA accounting settings from the CLI, you can use the aaa accounting global
configuration command.
Viewing Audit Trail Logs
The WAAS Central Manager device logs user activity in the system. The only activities that are logged
are those activities that change the WAAS network. For more information on viewing a record of user
activity on your WAAS system, see the “Viewing the Audit Trail Log” section on page 17-57.
CHAPTER 8
Creating and Managing Administrator User Accounts and Groups
This chapter describes how to create user accounts and groups from the WAAS Central Manager GUI.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• Overview of Administrator User Accounts, page 8-1
• Creating and Managing User Accounts, page 8-2
Overview of Administrator User Accounts
Your WAAS system comes with an administrator account already created that you can use to access the
WAAS Central Manager GUI as well as the WAAS CLI. This account has a username of admin and a
password of default. You can use the WAAS Central Manager GUI to change the password of this
account.
If you want to create additional administrator user accounts, see Table 8-1 for a description of the two
types of accounts you can create from the WAAS Central Manager GUI.
Table 8-1 Account Type Descriptions
Account Type: Roles-based account
Description: Allows you to create accounts that manage and configure specific WAAS services. For
example, you may want to delegate the configuration of application acceleration to a specific
administrator. In this case, you could create a roles-based account that only has access to the
Acceleration pages in the WAAS Central Manager GUI.
You can also create a roles-based account that only has access to the WAE Device Manager instead
of the WAAS Central Manager GUI. And you can create a role-based account that also is a local user
account.
You create roles-based accounts from the Admin menu in the WAAS Central Manager GUI.
Account Type: Local account
Description: Provides CLI access to WAE devices and optionally allows users to access the WAE
Device Manager GUI. A user with this account type can log into the WAAS Central Manager but they
have the access rights assigned to the default account, which initially has access to no GUI
functionality.
We recommend that you create a local account if there is an administrator that only needs CLI access
to WAE devices or to the WAE Device Manager GUI.
You create local accounts in the same way as roles-based accounts, but you check the Local User
check box when creating the account.
Creating and Managing User Accounts
This section contains the following topics:
• Overview for Creating an Account, page 8-2
• Working with Accounts, page 8-3
• Working with Passwords, page 8-8
• Working with Roles, page 8-9
• Working with Domains, page 8-14
• Working with User Groups, page 8-17
Overview for Creating an Account
Table 8-2 provides an overview of the steps you must complete to create a new roles-based administrator
account.
Table 8-2 Checklist for Creating a Roles-based Administrator Account
Columns: Task; Additional Information and Instructions
1. Create a new account.
Creates an account on the system with a specific username, password, and privilege level. For more
information, see the “Creating a New Account” section on page 8-4.
2. Create a role for the new account.
Creates a role that specifies the services that an account can configure in your WAAS network. For
more information, see the “Creating a New Role” section on page 8-10. If you are using an external
authentication server, you can define matching user groups that automatically assign roles to users.
3. Assign the role to the new account.
Assigns the new role to the new account. For more information, see the “Assigning a Role to a User
Account” section on page 8-12. If you are using an external authentication server, you can define
matching user groups that automatically assign roles to users.
4. Create a domain.
Creates a domain that will specify the WAEs, device groups, or AppNav Clusters that the new
account can manage. For more information, see the “Creating a New Domain” section on page 8-14.
5. Add an entity to the domain.
Adds one or more WAEs, device groups, or AppNav Clusters to the domain. For more information,
see the “Adding an Entity to a Domain” section on page 8-15.
6. Assign a domain to a user account.
Assigns the domain to the new user account. For more information, see the “Assigning a Domain to
a User Account” section on page 8-15. If you are using an external authentication server, you can
define matching user groups that automatically assign domains to users.
Working with Accounts
When you create a user account, you enter information about the user such as the username, the name
of the individual who owns the account, contact information, job title, and department. All user account
information is stored in an internal database on the WAAS Central Manager.
Each user account can then be assigned to a role. A role defines which WAAS Central Manager GUI
configuration pages the user can access and which services the user has authority to configure or modify.
The WAAS Central Manager provides one predefined role, known as the admin role. The admin role has
access to all services. A domain defines which entities in the network the user can access and
configure or modify. You can assign a user account to zero or more roles and to zero or more domains.
In addition to user accounts, you can create user groups if you are using external authentication of users
on a TACACS+ or Windows domain server (not a RADIUS server). By creating user group names that
match the user groups that you have defined on the external authentication server, WAAS can
dynamically assign roles and domains to users based on their membership in a group as defined on the
external authentication server. You do not need to define a role or domain for each user individually.
Two default user accounts are preconfigured in the WAAS Central Manager. The first account, called
admin, is assigned the administrator role that allows access to all services and access to all entities in the
system. This account cannot be deleted from the system, but it can be modified. Only the username and
the role for this account are unchangeable. Only an account that has been assigned the admin role can
create other admin-level accounts.
The second preconfigured user account is called default. Any user account that is authenticated but has
not been registered in the WAAS Central Manager obtains the access rights (role) assigned to the default
account. This account is configurable by an administrator, but it cannot be deleted nor its username
changed. Initially, the default account has no access to GUI functionality because it has no roles defined,
though it can log into the WAAS Central Manager GUI.
This section contains the following topics:
• Creating a New Account, page 8-4
• Modifying and Deleting User Accounts, page 8-6
• Changing the Password for Your Own Account, page 8-6
• Changing the Password for Another Account, page 8-7
• Viewing User Accounts, page 8-8
• Unlocking User Accounts, page 8-8
Creating a New Account
The first step in setting up an account is to create the account by specifying a username and selecting
whether a local CLI account is created at the same time. After the account is created, you can assign roles
to the account that determine the WAAS services and devices that the account can manage and configure.
Table 8-3 describes the results of creating a local CLI user when setting up an account.
Table 8-3 Results of Creating a Local User
Action: Creating a Local User
Result:
• The account can be used to access the WAAS CLI, WAAS Central Manager GUI (with the default
role), and WAE Device Manager (if that option is selected).
• Users can change their own passwords, and the password change will propagate to standby WAAS
Central Managers.
• The account is stored in the WAAS Central Manager database and is also propagated to the standby
WAAS Central Managers.
Action: Not Creating a Local User
Result:
• The user account is created in the primary and standby WAAS Central Manager management
databases.
• No user account is created in the CLI. Users will have to use another account to access the CLI.
• The new account can be used to log in to the WAAS Central Manager GUI if an external
authentication server is set. The user is assigned the roles defined for the default user (initially none).
• Local users can change their passwords using the WAAS Central Manager GUI only if they have
roles that allow access to the Admin > AAA section.
Note
If a user account has been created from the CLI only, when you log in to the WAAS Central Manager
GUI for the first time, the Centralized Management System (CMS) automatically creates a user account
(with the same username as configured in the CLI) with default authorization and access control. An
account created from the CLI initially will be unable to access any configuration pages in the WAAS
Central Manager GUI. You must use an admin account to give the account created from the CLI the roles
that it needs to perform configuration tasks from the WAAS Central Manager GUI.
To create a new account, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users.
The User Accounts window displays all the user accounts on the system.
Step 2
Click the Create New User Accounts icon.
The Creating New User Account window appears.
Note
This window can be accessed only by users with administrator-level privileges.
Step 3
In the Username field, enter the user account name.
Usernames are case sensitive and cannot contain characters other than letters, numbers, period, hyphen,
and underscore.
Step 4
Complete the following steps to allow the user to access the WAE Device Manager GUI:
a.
Check the WAE Device Manager User check box.
b.
From the Device Manager Access drop-down list, choose one of the following options for Device
Manager GUI access for this account:
– Read Only—Limits this user to read only access to the Device Manager GUI.
– Read Write—Allows this user to have read and write access to the Device Manager GUI.
Step 5
Complete the following steps to create a local CLI user account:
a.
Check the Local User check box. See Table 8-3 on page 8-4 for information about the benefits of
creating a local CLI user. A local user is created on all WAE devices.
Note
Do not create a local user that has a username identical to a username defined in an external
authentication server that is authorizing access to the WAAS device.
b.
In the Password field, enter a password for the local user account, and reenter the same password in
the Confirm Password field. Passwords are case-sensitive, must be 1 to 31 characters in length, and
cannot contain the characters ' " | (apostrophe, double quote, or pipe) or any control characters.
c.
From the CLI Privilege Level drop-down list, select one of the following options for the local user
account:
– 0 (normal user)—Limits the CLI commands this user can use to only user-level EXEC
commands. This is the default value.
– 15 (super user)—Allows this user to use privileged EXEC-level CLI commands, similar to the
functions that a Central Manager GUI user with the admin role can perform.
Note
The WAAS CLI EXEC mode is used for setting, viewing, and testing system operations. It is
divided into two access levels: user and privileged. A local user who has “normal” privileges can
only access the user-level EXEC CLI mode. A local user who has “superuser” privileges can
access the privileged EXEC mode as well as all other modes (for example, configuration mode
and interface mode) to perform any administrative task. For more information about the
user-level and privileged EXEC modes and CLI commands, see the Cisco Wide Area Application
Services Command Reference.
Step 6
(Optional) In the User Information fields, enter the following information about the user in the
appropriate fields: first name, last name, phone number, e-mail address, job title, and department.
Step 7
(Optional) In the Comments field, enter any additional information about this account.
Step 8
Click Submit.
A Changes Submitted message appears at the bottom of the window.
Step 9
Assign roles to this new account as described in the “Working with Roles” section on page 8-9 and assign
domains as described in the “Working with Domains” section on page 8-14.
Modifying and Deleting User Accounts
Note
Modifying a user account from the CLI does not update the Centralized Management System (CMS)
database and the change will not be reflected in the Central Manager GUI.
To modify an existing user account, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users.
The User Accounts window appears.
Step 2
Click the Edit icon next to the user account that you want to modify.
The Modifying User Account window appears. You can delete or edit user accounts as follows:
Note
This window can only be accessed by users with administrator-level privileges.
• To delete the user account, click the Delete icon in the taskbar, and then click OK to confirm the
deletion.
If the local user account was created using the WAAS Central Manager GUI, the corresponding user
account is removed from the CLI and is also deleted from all standby WAAS Central Managers.
Note
Deleting a user account from the CLI does not disable the corresponding user account in the
CMS database. Consequently, the user account remains active in the CMS database. User
accounts created in the WAAS Central Manager GUI should always be deleted from the
WAAS Central Manager GUI.
• To edit the user account, make the necessary changes to the username and account information, and
click Submit.
Changing the Password for Your Own Account
If you are logged in to the WAAS Central Manager GUI, you can change your own account password if
you meet the following requirements:
• Your account and password were created in the WAAS Central Manager GUI and not in the CLI.
• You are authorized to access the password window.
Note
We do not recommend changing the local CLI user password from the CLI. Any changes to local CLI
user passwords from the CLI are not updated in the management database and are not propagated to the
standby WAAS Central Manager. Therefore, passwords in the management database will not match a
new password configured in the CLI.
Note
The advantage of initially setting passwords from the WAAS Central Manager GUI is that both the
primary and the standby WAAS Central Managers will be synchronized, and GUI users will not have to
access the CLI to change their password.
To change the password for your own account, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > Security > Password.
The Changing Password for User Account window appears.
Step 2
In the New Password field, enter the changed password. Passwords are case sensitive, must be 1 to 31
characters in length, and cannot contain the characters ' " | (apostrophe, double quote, or pipe) or any
control characters.
Step 3
In the Confirm New Password field, reenter the password for confirmation.
Step 4
Click Submit.
The message “Changes Submitted” appears at the bottom of the window confirming that your password
has been changed.
When you change the password of an account by using the WAAS Central Manager GUI, it changes the
password for all WAE devices managed by the Central Manager.
Changing the Password for Another Account
If you log into the WAAS Central Manager GUI using an account with admin privileges, you can change
the password of any other account.
Note
If you change a user password from the CLI, the password change applies only to the local device, will
not be reflected in the Central Manager GUI, and is not propagated to any other devices.
To change the password for another account, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users.
A list of roles-based user accounts appears.
Step 2
Click the Edit icon next to the account that needs a new password. The Modifying User Account window
appears.
Step 3
In the Password field, enter the changed password. Passwords are case-sensitive, must be 1 to 31
characters in length, and cannot contain the characters ' " | (apostrophe, double quote, or pipe) or any
control characters.
Step 4
In the Confirm Password field, reenter the password for confirmation.
Step 5
Click Submit.
The message “Changes Submitted” appears at the bottom of the window confirming that your password
has been changed.
Viewing User Accounts
To view all user accounts, choose Admin > AAA > Users from the WAAS Central Manager GUI. The
User Accounts window displays all the user accounts in the management database. From this window,
you can also create new accounts as described in the “Creating a New Account” section on page 8-4.
To view user accounts for a specific device, choose Devices > device-name and then choose
device-name > Device Users or CM Users, depending on the device mode. The Users for device window
displays all the user accounts defined for the device.
If a user account is locked out on the device, you can unlock it from this window. Check the box next to
the account and click the Unlock button.
To view the details for an account, click the View icon next to the account.
Unlocking User Accounts
When a user account is locked out, the user cannot log in to the WAAS device until an administrator
unlocks the account. A user account will be locked out if the user unsuccessfully tries to log in three
consecutive times.
To unlock an account, follow these steps:
Step 1
From the WAAS Central Manager GUI, choose Admin > AAA > Users.
The User Accounts listing window appears and displays the status of each user account.
Note
This window can only be accessed by users with administrator-level privileges.
Step 2
Click the Edit icon next to the user account that you want to modify.
The Modifying User Account window appears and displays a list of devices on which this account is
locked out.
Step 3
Choose the device on which you want to unlock the account.
The list of device users appears.
Step 4
Choose the user or users to unlock, and click the unlock button.
Working with Passwords
The WAAS system features two levels of password policy: standard and strong. By default, the standard
password policy is enabled.
To change the password policy, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > AAA > Password Policy Settings.
Step 3
Check the Enforce stringent password check box to enable the strong password policy.
Step 4
In the Maximum login retries field, enter the maximum number of login attempts to be allowed before
the user is locked out. The user remains locked out until cleared by the administrator. To clear a
locked-out account, see the “Unlocking User Accounts” section on page 8-8.
Step 5
Click Submit to save your changes.
To configure password policy from the CLI, use the authentication strict-password-policy global
configuration command.
When the standard password policy is enabled, user passwords must meet the following requirements:
• The password must be 1 to 31 characters long.
• The password can include both uppercase and lowercase letters (A–Z and a–z) and numbers (0–9).
• The password cannot contain the characters ' " | (apostrophe, double quote, or pipe) or any control
characters.
When the strong password policy is enabled, user passwords must meet the following requirements:
• The password must be 8 to 31 characters long.
• The password can include both uppercase and lowercase letters (A–Z and a–z), numbers (0–9), and
special characters including ~`!@#$%^&*()_+-=[]\{};:,</>.
• The password cannot contain the characters ' " | (apostrophe, double quote, or pipe) or any control
characters.
• The password cannot contain all the same characters (for example, 99999).
• The password cannot contain consecutive characters (for example, 12345).
• The password cannot be the same as the username.
• Each new password must be different from the previous 12 passwords. User passwords expire within
90 days.
• The password cannot contain dictionary words.
A user account will be locked out after the configured number of failed login attempts (the default is
three). The user remains locked-out until cleared by the administrator. To clear a locked-out account, see
the “Unlocking User Accounts” section on page 8-8.
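The standard and strong policy rules above, checked in code. This Python validator is an added example, not the guide's or the WAAS product's own implementation; the wordlist is constructed, the password history is held as SHA-256 digests, the "consecutive characters" rule is read as any ascending run of five (the length of the guide's 12345 example), and the dictionary rule as a case-insensitive substring match. All of those are assumptions made here, since the guide does not specify them.

```python
import hashlib
from datetime import date, timedelta

# Characters that neither policy allows: apostrophe, double quote, pipe.
FORBIDDEN = set("'\"|")

# Strong policy: a new password must differ from this many previous ones.
HISTORY_DEPTH = 12
# Strong policy: passwords expire after this many days.
EXPIRY_DAYS = 90
# Length of the guide's "12345" example; treating any ascending run of this
# length as a violation is an assumption made in this example.
CONSECUTIVE_RUN = 5

# Constructed stand-in for the device's dictionary check (the real wordlist
# is not published); pass any iterable of lowercase words instead.
DICTIONARY = {"password", "cisco", "welcome", "admin", "secret"}


def digest(pw):
    """Encode a password the way this example's history list stores it
    (unsalted SHA-256 hex, for illustration only)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def _has_control_chars(pw):
    return any(ord(c) < 32 or ord(c) == 127 for c in pw)


def _has_consecutive_run(pw, run=CONSECUTIVE_RUN):
    """True if any window of `run` characters ascends by one code point per
    step (e.g. 12345 or abcde)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if all(ord(b) - ord(a) == 1 for a, b in zip(window, window[1:])):
            return True
    return False


def check_standard(pw):
    """Return the standard-policy rules a password violates (empty = OK)."""
    problems = []
    if not 1 <= len(pw) <= 31:
        problems.append("length must be 1 to 31 characters")
    if FORBIDDEN & set(pw):
        problems.append("must not contain ' \" or |")
    if _has_control_chars(pw):
        problems.append("must not contain control characters")
    return problems


def check_strong(pw, username, history=(), dictionary=DICTIONARY):
    """Return the strong-policy rules a proposed password violates.

    history: digests of earlier passwords, most recent first; only the first
    HISTORY_DEPTH entries count, as the guide states.
    """
    problems = []
    if not 8 <= len(pw) <= 31:
        problems.append("length must be 8 to 31 characters")
    if FORBIDDEN & set(pw):
        problems.append("must not contain ' \" or |")
    if _has_control_chars(pw):
        problems.append("must not contain control characters")
    if pw and len(set(pw)) == 1:
        problems.append("must not consist of one repeated character")
    if _has_consecutive_run(pw):
        problems.append("must not contain a run of consecutive characters")
    if pw == username:
        problems.append("must not equal the username")
    if digest(pw) in list(history)[:HISTORY_DEPTH]:
        problems.append("must differ from the previous %d passwords" % HISTORY_DEPTH)
    lowered = pw.lower()
    if any(word in lowered for word in dictionary):
        problems.append("must not contain a dictionary word")
    return problems


def is_expired(set_on, today=None):
    """True once a strong-policy password is older than EXPIRY_DAYS.
    Dates are ISO strings (YYYY-MM-DD); today defaults to the current date."""
    set_on = date.fromisoformat(set_on)
    today = date.fromisoformat(today) if today else date.today()
    return today - set_on > timedelta(days=EXPIRY_DAYS)
```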
Working with Roles
The WAAS Central Manager GUI allows you to create roles for your WAAS system administrators so
that each administrator can focus on configuring and managing a specific WAAS service. For example,
you can set up a role that allows an administrator to create and modify application policies but does not
allow the administrator to make any other changes to the system.
You can think of a role as a set of enabled services. Make sure you have a clear idea of the services that
you want the role to be responsible for because you will select these services when you create the role.
Once you create the role, you can assign the role to existing accounts as described later in this chapter.
A role can give read and write or read-only access to each enabled service.
Each user account or group can be assigned to zero or more roles. Roles are not inherited or embedded.
The WAAS Central Manager provides one predefined role, known as the admin role. The admin role has
access to all services, similar to a CLI user that has privilege level 15. Without the admin role, a user
will not be able to perform all administrative tasks.
Note
Assigning the admin role to a user does not change the user privilege level to 15. The user must also have
privilege level 15 in order to perform administrative tasks.
Assigning the admin role to a user grants read and write permission to all Device Manager GUI pages.
WAAS can dynamically assign a role to users based on their membership in a group as defined on an
external TACACS+ or Windows domain authentication server. To take advantage of this feature, you
must define user group names on the WAAS Central Manager that match the user groups defined on the
external authentication server and you must assign a role to the user groups on the WAAS Central
Manager. For more information on user groups, see the “Working with User Groups” section on
page 8-17.
Note
For user groups authenticated on a TACACS+ server to gain access to the Device Manager GUI, the user
group must be configured with the admin role and the user intending to access the Device Manager GUI
must first log in to the Central Manager, which creates a member account on the Central Manager and
the WAE. Periodically, member accounts of a user group are removed from the Central Manager
database to reduce database load, so after a period (60 days by default) of no Central Manager activity,
a user will need to log in again to the Central Manager before accessing the Device Manager GUI. The
cdm.remoteuser.deletionDaysLimit system property controls the removal interval.
This section contains the following topics:
• Creating a New Role, page 8-10
• Assigning a Role to a User Account, page 8-12
• Modifying and Deleting Roles, page 8-13
• Viewing Role Settings, page 8-13
Creating a New Role
To create a new role, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Roles.
The Roles listing window appears.
Step 2
Click the Create New Role icon from the taskbar.
The Creating New Role window appears.
Step 3
In the Name field, enter the name of the role.
The name cannot contain characters other than letters, numbers, period, hyphen, underscore, and space.
Step 4
Check the check box next to the services that you want this role to manage.
The check boxes in this window are tri-state check boxes. When there is a check in the box, it means that
the user will have read and write access to the listed service. Click the check box again to change the
indicator to a square partially filling the check box. This indicator means that the user will have
read-only access to the service. An empty square signifies no access to the service.
To expand the listing of services under a category, click the folder, and then check the check box next to
the services that you want to enable for this role. To choose all the services under one category
simultaneously, check the check box next to the top-level folder for those services.
Table 8-4 lists the services that you can enable for a role.
Table 8-4 Description of the WAAS Services
Home
    Allows this role to view, configure, and manage the system dashboard and settings in the Configure, Monitor, and Admin menus of the WAAS Central Manager GUI in the Home (global) context. Under each folder you can select the subpages that you want this role to manage.
Device Groups
    Allows this role to view, configure, and manage the settings and subpages for the various device groups in the WAAS Central Manager GUI in the device group context.
Devices
    Allows this role to view, configure, and manage the settings and subpages for various kinds of devices in the WAAS Central Manager GUI in the device context.
AppNav Clusters
    Allows this role to view, configure, and manage the settings and subpages in the WAAS Central Manager GUI in the AppNav Cluster context.
Locations
    Allows this role to view, configure, and manage the settings and subpages in the WAAS Central Manager GUI in the Location context.
All Devices
    Allows this role to access all the devices in your WAAS network. If this service is not enabled, the user account will only have access to the devices associated with the domain that you assign to the account.
    Selecting this service allows you to skip the following tasks when setting up a roles-based account:
    • Creating and maintaining a domain that contains all the devices in your network.
    • Assigning to the account the domain that contains all the devices.
All Device Groups
    Allows this role to access all the device groups in your WAAS network. If this service is not enabled, then the user account will only have access to the device groups associated with the domain that you assigned to the account.
    Selecting this service allows you to skip the following tasks when setting up a roles-based account:
    • Creating and maintaining a domain that contains all the device groups in your network.
    • Assigning to the account the domain that contains all the device groups.
All AppNav Clusters
    Allows this role to access all the AppNav Clusters in your WAAS network. If this service is not enabled, the user account will only have access to the AppNav Clusters associated with the domain that you assign to the account.
    Selecting this service allows you to skip the following tasks when setting up a roles-based account:
    • Creating and maintaining a domain that contains all the AppNav Clusters in your network.
    • Assigning to the account the domain that contains all the AppNav Clusters.
Table 8-4 Description of the WAAS Services (continued)
Monitoring API
    Allows this role to access monitoring APIs through HTTPS requests. For more information, see the Cisco Wide Area Application Services API Reference.
System Status
    Allows this role to access the device Alarms panel. For more information about device alarms, see Chapter 17, “Monitoring and Troubleshooting Your WAAS Network.”
Step 5
(Optional) Enter any comments about this role in the Comments field.
Step 6
Click Submit to save your settings.
Assigning a Role to a User Account
After you create a role, you need to assign the role to an account (or a user group). If you create an
account but do not assign a role to the account, that account can log into the WAAS Central Manager
GUI but no data will be displayed and the configuration pages will not be available.
Note
The admin user account, by default, is assigned to the role that allows access to all entities in the system.
It is not possible to change the role for this user account.
To assign one or more roles to a user account or group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users (or Admin > AAA > User
Groups).
The User Accounts (or User Groups) window appears with all configured user accounts listed.
Step 2
Click the Edit icon next to the user account or group for which you want to assign roles.
The Modifying User Account (or Modifying User Group) window appears.
Step 3
Click the Role Management tab.
The Role Management window appears with all configured role names listed.
Step 4
Click the Assign icon (blue cross mark) that appears next to the role name that you want to assign to the
selected user account or group.
Step 5
Click the Unassign (green tick mark) next to the role name to unassign a previously assigned role.
Note
Click the Assign all Roles icon in the taskbar to assign all roles in the current window to a user account or group. Alternatively, click the Remove all Roles icon to unassign all roles associated with a user account or group.
Step 6
Click Submit.
A green tick mark appears next to the assigned roles and a blue cross mark appears next to the unassigned
roles. The roles assigned to this user account or group will be listed in the Roles section in the Modifying
User Account (or Modifying User Group) window.
Modifying and Deleting Roles
Note
The admin user account, by default, is allowed access to all services and cannot be modified.
To modify or delete a role, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Roles.
The Roles window appears.
Step 2
Click the Edit icon next to the name of the role you want to change or delete.
The Modifying Role window appears. You can modify the role as follows:
• To delete this role, click the Delete icon in the taskbar.
• To edit this role, make the necessary changes to the fields, and click Submit.
• To enable a service for this role, check the check box next to the services that you want. To disable a previously selected service, uncheck the check box next to the service you want to disable. To choose all the services under one category simultaneously, check the check box next to the top-level service.
Viewing Role Settings
You might want to view role settings before assigning a role to a particular user account or group.
To view role settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users (or Admin > AAA > User
Groups).
The User Accounts (or User Groups) window appears with all configured user accounts or groups listed.
Step 2
Click the Edit icon next to the user account or group that you want to view.
The Modifying User Account (or Modifying User Group) window appears.
Step 3
Click the Role Management tab.
The Role Management window appears.
Step 4
Click the View icon next to the role that you want to view.
The Viewing Role window appears, which displays the role name, comments about this role, and the
services that are enabled for this role.
Step 5
After you have finished viewing the settings, click Close.
Working with Domains
A WAAS domain is a collection of device groups or WAEs that make up the WAAS network. A role
defines which services a user can manage in the WAAS network, but a domain defines the device groups,
WAEs, or file server dynamic shares that are accessible and configurable by the user.
Note
A WAAS domain is not the same as a DNS domain or Windows domain.
When you create a domain, you choose the type of entities that can be associated with the domain. Entity
types include Devices, Device Groups, or None (for file server dynamic shares). For file server dynamic
shares, the dynamic shares are assigned in the dynamic shares configuration, as described in the
“Creating Dynamic Shares for the CIFS Accelerator” section on page 12-9.
WAAS can dynamically assign a domain to a user based on their membership in a group as defined on
an external TACACS+ or Windows domain authentication server. To take advantage of this feature, you
must define user group names on the WAAS Central Manager that match the user groups defined on the
external authentication server and you must assign a domain to the user groups on the WAAS Central
Manager. For more information on user groups, see the “Working with User Groups” section on
page 8-17.
This section contains the following topics:
• Creating a New Domain, page 8-14
• Adding an Entity to a Domain, page 8-15
• Assigning a Domain to a User Account, page 8-15
• Modifying and Deleting Domains, page 8-16
• Viewing Domains, page 8-17
Creating a New Domain
To create a new domain, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Domains.
The Domains listing window appears.
Step 2
Click the Create New Domain icon in the taskbar.
The Creating New Domain window appears.
Step 3
In the Name field, enter the name of the domain.
Step 4
From the Entity Type drop-down list, choose the entity type that you want to assign to the domain. Entity
choices include Devices, Device Groups, and None. Choose None if this domain is used for a file server
dynamic share.
Step 5
(Optional) In the Comments field, enter any comments about this domain.
Step 6
Click Submit.
If the entity type you chose has not already been assigned to the domain, then a message indicating that
the entity type has not been assigned appears.
Step 7
Assign an entity to this domain as described in the section that follows, “Adding an Entity to a Domain”.
If you chose None for the Entity Type, do not assign an entity to the domain; instead, the domain is used in a dynamic share configuration, as described in the “Creating Dynamic Shares for the CIFS Accelerator” section on page 12-9.
For a domain used in a dynamic share configuration, you must assign the domain to each user that needs
to edit the dynamic share configuration, as described in the “Assigning a Domain to a User Account”
section on page 8-15. Only users assigned to the domain will be able to edit the dynamic share.
Adding an Entity to a Domain
Once you have created a domain, you can assign an entity to the domain. An entity is either a collection
of devices or a collection of device groups. You do not need to assign an entity to a domain that is used
for a file server dynamic share, where the entity type is None.
To add an entity to a domain, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Domains.
Step 2
Click the Edit icon next to the domain that you want to modify.
Step 3
Click the Entity Management tab.
The Entity_name Assignments for Domain window for the current domain appears.
You can filter your view of the items in the list. Filtering enables you to find items in the list that match
the criteria that you set.
You can add or remove entities from the domain as follows:
• To add an entity to the current domain, click the Assign icon (blue cross mark) next to the entity that you want to add. A green tick mark appears next to the selected entity when you submit the settings. Alternatively, to add all entities to the selected domain, click the Assign all icon in the taskbar.
• To remove an entity from the current domain, click the Unassign icon (green tick mark) next to the name of the entity that you want to remove from the domain. A blue cross mark appears next to the unassigned entity after you submit the settings. Alternatively, to remove all entities from the domain, click the Remove all icon in the taskbar.
Step 4
Click Submit.
Green check marks appear next to the entities that you assigned to the domain.
Step 5
Assign the domain to an account as described in the section that follows.
Assigning a Domain to a User Account
Assigning a domain to an account or user group specifies the entities (devices or device groups) or file
server dynamic shares that the account or user group can access.
When working with a domain of type None that is used for dynamic file shares, you will need a user account for every user that needs to edit the dynamic share configuration. If you are using external authentication of users on TACACS+ or Windows domain servers, you can use user groups to more easily assign WAAS domains to users; see the “Working with User Groups” section on page 8-17.
Note
If the role that you assigned to an account or group has the All Devices or All Device Groups service
enabled, you do not need to assign a domain to the account or group. The account or group can
automatically access all the devices and/or device groups in the WAAS system. For more information,
see Table 8-4 on page 8-11.
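The roles and domains described in this chapter, worked through as a small authorization model; this is an added example, not Cisco's code or the Central Manager's implementation. It assumes that a user's access is the union of roles held directly and through user groups (the page states that roles are not inherited or embedded), that read-write wins over read-only when two roles disagree, and that the All Devices service removes the domain requirement as the note above states; the names and data are constructed.

```python
"""Simplified model of WAAS roles and domains (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# The three states of the tri-state check box on the role page.
NONE, READ_ONLY, READ_WRITE = 0, 1, 2


@dataclass
class Role:
    name: str
    services: Dict[str, int]          # service name -> NONE / READ_ONLY / READ_WRITE


@dataclass
class Domain:
    name: str
    entity_type: str                  # "Devices", "Device Groups" or "None"
    entities: FrozenSet[str] = frozenset()


@dataclass
class Principal:
    """A user account or a user group; groups contribute their roles and domains to member users."""
    name: str
    roles: List[Role] = field(default_factory=list)
    domains: List[Domain] = field(default_factory=list)
    groups: List["Principal"] = field(default_factory=list)

    def all_roles(self) -> List[Role]:
        # Assumption: direct roles plus group roles, nothing else (roles are not inherited or embedded).
        return self.roles + [r for g in self.groups for r in g.roles]

    def all_domains(self) -> List[Domain]:
        return self.domains + [d for g in self.groups for d in g.domains]


def service_access(p: Principal, service: str) -> int:
    """Highest level any of the principal's roles grants for a service (assumption: read-write wins)."""
    return max((r.services.get(service, NONE) for r in p.all_roles()), default=NONE)


def can_see_data(p: Principal) -> bool:
    """Without any role the account can log in, but no data is displayed."""
    return bool(p.all_roles())


def device_access(p: Principal, device: str) -> int:
    """Access level to one device: the All Devices service removes the domain requirement;
    otherwise the device must belong to an assigned domain of entity type Devices."""
    level = service_access(p, "Devices")
    if level == NONE:
        return NONE
    if service_access(p, "All Devices") != NONE:
        return level
    in_domain = any(device in d.entities
                    for d in p.all_domains() if d.entity_type == "Devices")
    return level if in_domain else NONE


def sample_principals() -> Dict[str, Principal]:
    """Constructed sample data: a branch operator scoped by a domain via an external user group,
    an auditor with read-only access to all devices, and an account with no role."""
    device_ops = Role("device-ops", {"Devices": READ_WRITE})
    global_read = Role("global-read", {"Devices": READ_ONLY, "All Devices": READ_ONLY})
    branch_east = Domain("branch-east", "Devices", frozenset({"wae-east-1", "wae-east-2"}))
    netops_group = Principal("netops", roles=[device_ops], domains=[branch_east])
    return {
        "alice": Principal("alice", groups=[netops_group]),
        "bob": Principal("bob", roles=[global_read]),
        "carol": Principal("carol"),
    }


if __name__ == "__main__":
    for user in sample_principals().values():
        for dev in ("wae-east-1", "wae-west-1"):
            print(user.name, dev, device_access(user, dev))
```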
To assign a domain to a user account or group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users (or Admin > AAA > User
Groups).
The User Accounts (or User Groups) window appears with all configured user accounts or groups listed.
Step 2
Click the Edit icon next to the user account or group for which you want to assign domains.
The Modifying User Account (or Modifying User Group) window appears.
Step 3
Click the Domain Management tab.
The Domain Management window appears with all configured domains and their entity types listed.
Step 4
Click the Assign icon (blue cross mark) that appears next to the domain name that you want to assign to
the selected user account or group.
To dissociate an already associated domain from the user account or group, click the Unassign (green
tick mark) next to the domain name.
Note
To assign all domains in the current window to a user account or group, click the Assign all Domains icon in the taskbar. Alternatively, to unassign all domains associated with a user account or group, click the Remove all Domains icon.
Step 5
Click Submit.
A green check mark appears next to the assigned domains, and a blue cross mark appears next to the
unassigned domains. The domains assigned to a user account or group are listed in the Domains section
in the Modifying User Account (or Modifying User Group) window.
Modifying and Deleting Domains
To modify or delete an existing domain, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Domains.
The Domains window appears.
Step 2
Click the Edit icon next to the domain that you want to modify.
The Modifying Domain window appears. You can modify the domain as follows:
• To delete the domain, click the Delete icon in the taskbar and then click OK to confirm the deletion.
• To modify a domain, make the necessary changes to the fields and click Submit.
Viewing Domains
To view the domain configuration for a particular user account or group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > Users (or Admin > AAA > User
Groups).
The User Accounts (or User Groups) window appears with all configured user accounts or groups listed.
Step 2
Click the Edit icon next to the user account or group for which you want to view the domain
configuration.
The Modifying User Account (or Modifying User Group) window appears.
Step 3
Click the Domain Management tab.
The Domain Management window appears.
Step 4
Click the View (eyeglass) icon next to the domain name to view details about the domain.
The Viewing Domain window appears and displays the domain name, entity type, comments about this
domain, and entities assigned to this domain.
Step 5
After you have finished viewing the settings, click Close.
Working with User Groups
If you are using external authentication of users on TACACS+ or Windows domain servers (not RADIUS
servers), you may want to create user groups. By creating user group names that match the user groups
that you have defined on the external authentication server, WAAS can dynamically assign roles and
WAAS domains to users based on their membership in a group as defined on the external authentication
server. You do not need to define a role or WAAS domain for each user individually; instead, you define
roles and WAAS domains for the user groups, and the user is assigned the roles and WAAS domains that
are defined for the groups to which they belong.
Note
The dynamic assignment of roles and WAAS domains based on external user groups requires a
TACACS+ server that supports shell custom attributes. For example, these are supported in Cisco ACS
4.x and 5.1 and later.
WAAS reads group membership information for each user from the external authentication server.
This section contains the following topics:
• Creating a New User Group, page 8-18
• Assigning Roles to a User Group, page 8-18
• Assigning Domains to a User Group, page 8-19
• Modifying and Deleting a User Group, page 8-20
• Viewing User Groups, page 8-20
Creating a New User Group
To create a new user group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > User Groups.
The User Groups listing window appears.
Step 2
Click the Create New User Groups icon in the taskbar.
The Creating New User Group window appears.
Step 3
In the Name field, enter the name of the user group.
Ensure that the name matches the name of a user group defined on the external authentication server that
you are using. Name matching is case sensitive.
Note
A user group name cannot contain the following characters: # + " < > , (comma). A user group
name cannot consist solely of numbers, periods (.), or spaces. Any leading periods, asterisks (*),
or spaces are cropped.
Step 4
(Optional) In the Comments field, enter any comments about this user group.
Step 5
Click Submit.
Step 6
Assign a role or WAAS domain to this user group as described in the sections that follow.
Assigning Roles to a User Group
After you create a user group, you need to assign a role to the group. If you create a user group but do
not assign a role to the group, the users in that group can log into the WAAS Central Manager GUI but
no data will be displayed and the configuration pages will not be available.
To assign one or more roles to a user group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > User Groups.
The User Groups window appears with all configured user groups listed.
Step 2
Click the Edit icon next to the user group for which you want to assign roles.
The Modifying User Group window appears.
Step 3
Click the Role Management tab.
The Role Management for User Group window appears with all configured role names listed.
Step 4
Click the Assign icon (blue cross mark) that appears next to the role name that you want to assign to the
selected user group.
Step 5
Click the Unassign (green tick mark) next to the role name to unassign a previously assigned user group
role.
Note
Click the Assign all Roles icon in the taskbar to assign all roles in the current window to a user
group. Alternatively, click the Remove all Roles icon to unassign all roles associated with a user
group.
Step 6
Click Submit.
A green tick mark appears next to the assigned roles and a blue cross mark appears next to the unassigned
roles. The roles assigned to this user group will be listed in the Roles section in the Modifying User
Group window.
Assigning Domains to a User Group
Assigning a WAAS domain to a user group specifies the entities (devices or device groups) that the users
who are members of the user group can manage.
Note
If the role that you assigned to a user group has the All Devices or All Device Groups service enabled,
you do not need to assign a domain to the user group. The users in that group can automatically access
all the devices and/or device groups in the WAAS system. For more information, see Table 8-4 on
page 8-11.
To assign a domain to a user group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > User Groups.
The User Groups window appears with all configured user groups listed.
Step 2
Click the Edit icon next to the user group for which you want to assign domains.
The Modifying User Group window appears.
Step 3
Choose the Domain Management tab.
The Domain Management for User Group window appears with all configured domains and their entity
types listed.
Step 4
Click the Assign icon (blue cross mark) that appears next to the domain name that you want to assign to
the selected user group.
To dissociate an already associated domain from the user group, click the Unassign (green tick mark)
next to the domain name.
Note
To assign all domains in the current window to a user group, click the Assign all Domains icon in the taskbar. Alternatively, to unassign all domains associated with a user group, click the Remove all Domains icon.
Step 5
Click Submit.
A green check mark appears next to the assigned domains, and a blue cross mark appears next to the
unassigned domains. The domains assigned to a user group are listed in the Domains section in the
Modifying User Group window.
Modifying and Deleting a User Group
To modify an existing user group, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > AAA > User Groups.
The User Groups window appears.
Step 2
Click the Edit icon next to the user group that you want to modify.
The Modifying User Group window appears.
Note
This window can be accessed only by users with administrator-level privileges.
You can delete or edit user groups as follows:
• To delete the user group, click the Delete icon in the taskbar, and then click OK to confirm the deletion.
• To edit the user group, make the necessary changes to the name and comment information, and click Submit.
• To change the Roles assigned to the user group, click the Role Management tab, make the necessary changes to the roles, and click Submit.
• To change the Domains assigned to the user group, click the Domain Management tab, make the necessary changes to the domains, and click Submit.
Viewing User Groups
To view all user groups, choose Admin > AAA > User Groups from the WAAS Central Manager GUI.
The User Groups window displays all the user groups in the management database. From this window,
you can also create groups as described in the “Creating a New User Group” section on page 8-18.
Chapter 9
Creating and Managing IP Access Control Lists for WAAS Devices
This chapter describes how to use the Wide Area Application Services (WAAS) Central Manager GUI
to centrally create and manage Internet Protocol (IP) access control lists (ACLs) for your WAAS devices.
This chapter contains the following sections:
• About IP ACLs for WAAS Devices, page 9-1
• Creating and Managing IP ACLs for WAAS Devices, page 9-2
• List of Extended IP ACL Conditions, page 9-7
Note
You must log in to the WAAS Central Manager GUI using an account with admin privileges to view, edit, or
create IP ACL configurations.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
About IP ACLs for WAAS Devices
In a centrally managed WAAS network environment, administrators need to be able to prevent
unauthorized access to various devices and services. IP ACLs can filter packets by allowing you to
permit or deny IP packets destined for a WAAS device.
The WAAS software supports standard and extended ACLs that allow you to restrict access to a WAAS
device. The WAAS software can use the following types of ACLs:
• Interface ACL—Applied on the built-in, port channel, standby, and inline group interfaces. This type of ACL is intended to control management traffic (Telnet, SSH, and Central Manager GUI). The ACL rules apply only to traffic that is destined for the WAE or originates from the WAE, not WCCP transit traffic. Use the ip access-group interface configuration command to apply an interface ACL.
• Interception ACL—Applied globally to the WAAS device. This type of ACL defines what traffic is to be intercepted. Traffic that is permitted by the ACL is intercepted and traffic that is denied by the ACL is passed through the WAE. Use the interception access-list global configuration command to apply an interception ACL. For more information on using interception ACLs, see the “Configuring Interception Access Control Lists” section on page 5-28.
• WCCP ACL—Applied on inbound WCCP redirected traffic to control access between an external server and external clients. The WAE is acting like a firewall. Use the wccp access-list global configuration command to apply a WCCP ACL.
• SNMP ACL—Applied on the SNMP agent to control access to the SNMP agent by an external SNMP server that is polling for SNMP MIBs or SNMP statistics. Use the snmp-server access-list global configuration command to apply an SNMP ACL.
• Transaction-logs flow ACL—Applied on the transaction logging facility to restrict the transactions to be logged. Use the transaction-logs flow access-list global configuration command to apply a transaction log ACL.
The following examples illustrate how interface ACLs can be used in environments that have WAAS
devices:
• A WAAS device resides on the customer premises and is managed by a service provider, and the service provider wants to secure the device for its management only.
• A WAAS device is deployed anywhere within the enterprise. As with routers and switches, the administrator wants to limit access to Telnet, SSH, and the WAAS Central Manager GUI to the IT source subnets.
Note
To use ACLs, you must first configure ACLs and then apply them to specific services or interfaces on the WAAS device.
The following are some examples of how interface ACLs can be used in various enterprise deployments:
• An application layer proxy firewall with a hardened outside interface has no ports exposed. (“Hardened” means that the interface carefully restricts which ports are available for access primarily for security reasons. Because the interface is outside, many types of attacks are possible.) The WAAS device’s outside address is globally accessible from the Internet, while its inside address is private. The inside interface has an ACL to limit Telnet, SSH, and GUI access.
• A WAE that is using WCCP is positioned on a subnet off the Internet router. Both the WAE and the router must have IP ACLs. IP access lists on routers have the highest priority followed by IP ACLs that are defined on the WAEs.
We strongly recommend that you use the WAAS Central Manager GUI instead of the WAAS CLI to
centrally configure and apply ACLs to your WAAS devices. For more information, see the “Creating and
Managing IP ACLs for WAAS Devices” section on page 9-2.
Creating and Managing IP ACLs for WAAS Devices
This section provides guidelines and an example of how to use the WAAS Central Manager GUI to create and manage IP ACLs for your WAAS devices.
When you create an IP ACL, you should note the following important points:
• IP ACL names must be unique within the device.
• IP ACL names must be limited to 30 characters and contain no white space or special characters.
• Each WAAS Central Manager device can manage up to 50 IP ACLs and a total of 500 conditions per device.
Cisco Wide Area Application Services Configuration Guide
9-2
OL-26579-01
Chapter 9
Creating and Managing IP Access Control Lists for WAAS Devices
Creating and Managing IP ACLs for WAAS Devices
• When the IP ACL name is numeric, numbers 1 through 99 denote standard IP ACLs and numbers 100 through 199 denote extended IP ACLs. IP ACL names that begin with a number cannot contain nonnumeric characters.
• The WAAS Central Manager GUI allows the association of standard IP ACLs with SNMP and WCCP. Any device that attempts to access one of these applications associated with an ACL must be on the list of trusted devices to be allowed access.
• You can associate any previously configured standard IP ACL with SNMP and WCCP; however, you can associate an extended IP ACL only with the WCCP application.
• You can delete an IP ACL, including all conditions and associations with network interfaces and applications, or you can delete only the IP ACL conditions. Deleting all conditions allows you to change the IP ACL type if you choose to do so. The IP ACL entry continues to appear in the IP ACL listing; however, it is in effect nonexistent.
• If you specify an empty ACL for any of the ACL types used by WAAS, it has the effect of permitting all traffic.
To use the WAAS Central Manager GUI to create and modify an IP ACL for a single WAE, associate an IP ACL with an application, and then apply it to an interface on the WAE, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > TCP/IP Settings > IP ACL.
The IP ACL window appears. By default, there are no IP ACLs defined for a WAE. The IP ACL window indicates if there are currently no IP ACLs configured for the WAE.
Step 3 In the taskbar, click the Create a new IP ACL icon.
The Creating New IP ACL window appears. Fill in the fields as follows:
• In the Name field, enter a name (for example, test1), observing the naming rules for IP ACLs. By default, this new IP ACL is created as a standard ACL.
Note IP ACL names must be unique within the device, must be limited to 30 characters, and cannot contain any white spaces or special characters.
• If you want to change this default setting and create this new ACL as an extended ACL, choose Extended from the ACL Type drop-down list.
Step 4 Click Submit to save the IP ACL named test1. IP ACLs without any conditions defined do not appear on the individual devices.
Step 5 Add conditions to the standard IP ACL named test1 that you just created:
a. In the taskbar, click the Create New Condition icon.
The Creating New Condition window appears. (See Figure 9-1.)
Note The number of available fields for creating IP ACL conditions depends on the type of IP ACL that you have created, either standard or extended.
Figure 9-1 Creating a New Condition for an Extended IP ACL Window
b. Enter values for the properties that are enabled for the type of IP ACL that you are creating, as follows:
– To set up conditions for a standard IP ACL, go to Step 6.
– To set up conditions for an extended IP ACL, go to Step 7.
Step 6 Set up conditions for a standard IP ACL:
a. From the drop-down list, choose a purpose (Permit or Deny).
b. In the Source IP field, enter the source IP address.
c. In the Source IP Wildcard field, enter a source IP wildcard address.
d. Click Submit to save the condition.
The Modifying IP ACL window reappears, displaying the condition and its configured parameters in tabular format.
e. To add another condition to the IP ACL, repeat the steps.
f. To reorder your list of conditions from the Modifying IP ACL window, use the Up or Down Arrows in the Move column, or click a column heading to sort by any configured parameter.
Note The order of the conditions listed in the WAAS Central Manager GUI becomes the order in which IP ACLs are applied to the device.
g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL window to commit the IP ACL to the device database.
A green “Change submitted” indicator appears in the lower right corner of the Modifying IP ACL window to indicate that the IP ACL is being submitted to the device database. Table 9-1 describes the fields in a standard IP ACL.
Table 9-1 Standard IP ACL Conditions
Field | Default Value | Description
Purpose (1) | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Source IP (1) | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP Wildcard (1) | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
1. Required field.
Step 7 Set up conditions for an extended IP ACL:
a. From the drop-down list, choose a purpose (Permit or Deny).
b. From the Extended Type drop-down list, choose Generic, TCP, UDP, or ICMP. (See Table 9-2.)
Table 9-2 Extended IP ACL Conditions
Field | Default Value | Description
Purpose (1) | Permit | Specifies whether a packet is to be passed or dropped. Choices are Permit or Deny.
Extended Type (1) | Generic | Specifies the Internet protocol to be applied to the condition. When selected, the GUI window refreshes with applicable field options enabled. The options are generic, TCP, UDP, or ICMP.
1. Required field.
After you choose a type of extended IP ACL, various options become available in the GUI, depending on what type you choose.
c. In the fields that are enabled for the chosen type, enter the data. (For more information, see Table 9-4 on page 9-8 through Table 9-7 on page 9-10.)
d. Click Submit to save the condition.
The Modifying IP ACL window reappears, displaying the condition and its configured parameters in tabular format.
e. To add another condition to the IP ACL, repeat the steps.
f. To reorder your list of conditions from the Modifying IP ACL window, use the Up or Down Arrows in the Move column, or click a column heading to sort by any configured parameter.
Note The order of the conditions listed in the WAAS Central Manager GUI becomes the order in which IP ACLs are applied to the device.
g. When you have finished adding conditions to the IP ACL, and you are satisfied with all your entries and the order in which the conditions are listed, click Submit in the Modifying IP ACL window to commit the IP ACL to the device database.
A green “Change submitted” indicator appears in the lower right corner of the Modifying IP ACL window to indicate that the IP ACL is being submitted to the device database.
Step 8 Modify or delete an individual condition from an IP ACL:
a. Click the Edit icon next to the name of the IP ACL that you want to modify. The Modifying IP ACL window appears, listing all the conditions that are currently applied to the IP ACL.
b. Click the Edit Condition icon next to the condition that you want to modify or delete. The Modifying Condition window appears.
c. To modify the condition, change any allowable field as necessary.
d. To delete the condition, click the Trash (Delete IP ACL Condition) icon in the taskbar.
e. To reorder your list of conditions, use the Up or Down arrows in the Move column, and click Submit.
Step 9 Associate a standard IP ACL with SNMP or WCCP:
a. Click the Edit icon next to the name of the device for which you want to associate a standard IP ACL with SNMP or WCCP.
b. Choose Configure > Network > TCP/IP Settings > IP ACL Feature Usage. The IP ACL Feature Settings window appears.
c. From the drop-down lists, choose the name of an IP ACL for SNMP or WCCP. (For more details, see Table 9-3.) If you do not want to associate an IP ACL with one of the applications, choose Do Not Set.
Table 9-3 IP ACL Feature Settings
WAAS Central Manager GUI Parameter | Function
SNMP | Associates a standard IP ACL with SNMP. This option is supported for WAAS devices that are operating as a WAE or a WAAS Central Manager device.
WCCP | Associates any IP ACL with WCCP Version 2. This option is only supported for WAAS devices that are operating as a WAE and not as a WAAS Central Manager device. WCCP is only supported on WAEs; it is not supported on a WAAS Central Manager device.
d. Click Submit to save the settings.
Step 10 Apply an IP ACL to an interface:
a. Click the Edit icon next to the name of the device for which you want to apply an IP ACL to an interface on the WAE.
b. Choose Configure > Network > Network Interfaces.
The Network Interfaces window for the device appears. This window displays all the interfaces available on that device.
c. Click the Edit icon next to the name of the interface to which you want to apply an IP ACL. The Network Interface settings window appears.
d. From the Inbound ACL drop-down list at the bottom of the window, choose the name of an IP ACL.
e. From the Outbound ACL drop-down list, choose the name of an ACL.
The only network interface properties that can be altered from the WAAS Central Manager GUI are the inbound and outbound IP ACLs. All other property values are populated from the device database and are read-only in the WAAS Central Manager GUI.
Step 11 Click Submit to save the settings.
Step 12 To use an IP ACL to define the traffic that should be intercepted, see the “Configuring Interception Access Control Lists” section on page 5-28.
Step 13 (Optional) Delete an IP ACL:
a. Click the Edit icon next to the name of the device that has the IP ACL that you want to delete.
b. Choose Configure > Network > TCP/IP Settings > IP ACL.
c. Click the Edit icon next to the name of the IP ACL that you want to delete (for example, test1).
The Modifying IP ACL window appears. If you created conditions for the IP ACL, you have two options for deletion:
– Delete ACL—Removes the IP ACL, including all conditions and associations with network interfaces and applications.
– Delete All Conditions—Removes all the conditions, while preserving the IP ACL name.
d. To delete the entire IP ACL, click the large Trash (Delete ACL) icon in the taskbar. You are prompted to confirm your action. Click OK. The record is deleted.
e. To delete only the conditions, click the small Delete All Conditions Trash/List icon in the taskbar. When you are prompted to confirm your action, click OK. The window refreshes, conditions are deleted, and the ACL Type field becomes available.
To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP redirected traffic that it receives, you can use the wccp access-list global configuration command. To configure an interception ACL, you can use the interception access-list global configuration command.
List of Extended IP ACL Conditions
When you define a condition for an extended IP ACL, you can specify the Internet protocol to be applied to the condition (as described in Step 7 in the “Creating and Managing IP ACLs for WAAS Devices” section on page 9-2).
The list of extended IP ACL conditions is as follows:
• Generic (See Table 9-4.)
• TCP (See Table 9-5.)
• UDP (See Table 9-6.)
• ICMP (See Table 9-7.)
Table 9-4 Extended IP ACL Generic Condition
Field | Default Value | Description
Purpose (1) | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Extended Type (1) | Generic | Matches any Internet protocol.
Protocol | ip | Internet protocol (gre, icmp, ip, tcp, or udp). To match any Internet protocol, use the keyword ip.
Source IP (1) | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP Wildcard (1) | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Destination IP | 0.0.0.0 | Number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Destination IP Wildcard | 255.255.255.255 | Wildcard bits to be applied to the destination, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
1. Required field.
Table 9-5 Extended IP ACL TCP Condition
Field | Default Value | Description
Purpose (1) | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Extended Type (1) | TCP | Matches the TCP Internet protocol.
Established | Unchecked (false) | When checked, a match with the ACL condition occurs if the TCP datagram has the ACK or RST bits set, indicating an established connection. Initial TCP datagrams used to form a connection are not matched.
Source IP (1) | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP Wildcard (1) | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Source Port 1 | 0 | Decimal number or name of a TCP port. Valid port numbers are 0 to 65535. Valid TCP port names are as follows: ftp, ftp-data, https, mms, netbios-dgm, netbios-ns, netbios-ss, nfs, rtsp, ssh, telnet, and www.
Table 9-5 Extended IP ACL TCP Condition (continued)
Field | Default Value | Description
Source Operator | range | Specifies how to compare the source ports against incoming packets. Choices are <, >, ==, !=, or range.
Source Port 2 | 65535 | Decimal number or name of a TCP port. See Source Port 1.
Destination IP | 0.0.0.0 | Number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Destination IP Wildcard | 255.255.255.255 | Wildcard bits to be applied to the destination, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Destination Port 1 | 0 | Decimal number or name of a TCP port. Valid port numbers are 0 to 65535. Valid TCP port names are as follows: ftp, ftp-data, https, mms, netbios-dgm, netbios-ns, netbios-ss, nfs, rtsp, ssh, telnet, and www.
Destination Operator | range | Specifies how to compare the destination ports against incoming packets. Choices are <, >, ==, !=, or range.
Destination Port 2 | 65535 | Decimal number or name of a TCP port. See Destination Port 1.
1. Required field.
Table 9-6 Extended IP ACL UDP Condition
Field | Default Value | Description
Purpose (1) | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Extended Type (1) | UDP | Matches the UDP Internet protocol.
Established | — | Not available for UDP.
Source IP (1) | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP Wildcard (1) | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Source Port 1 | 0 | Decimal number or name of a UDP port. Valid port numbers are 0 to 65535. Valid UDP port names are as follows: bootpc, bootps, domain, mms, netbios-dgm, netbios-ns, netbios-ss, nfs, ntp, snmp, snmptrap, tacacs, tftp, and wccp.
Source Operator | range | Specifies how to compare the source ports against incoming packets. Choices are <, >, ==, !=, or range.
Table 9-6 Extended IP ACL UDP Condition (continued)
Field | Default Value | Description
Source Port 2 | 65535 | Decimal number or name of a UDP port. See Source Port 1.
Destination IP | 0.0.0.0 | Number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Destination IP Wildcard | 255.255.255.255 | Wildcard bits to be applied to the destination, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Destination Port 1 | 0 | Decimal number or name of a UDP port. Valid port numbers are 0 to 65535. Valid UDP port names are as follows: bootpc, bootps, domain, mms, netbios-dgm, netbios-ns, netbios-ss, nfs, ntp, snmp, snmptrap, tacacs, tftp, and wccp.
Destination Operator | range | Specifies how to compare the destination ports against incoming packets. Choices are <, >, ==, !=, or range.
Destination Port 2 | 65535 | Decimal number or name of a UDP port. See Destination Port 1.
1. Required field.
Table 9-7 Extended IP ACL ICMP Condition
Field | Default Value | Description
Purpose (1) | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Extended Type (1) | ICMP | Matches the ICMP Internet protocol.
Source IP (1) | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP Wildcard (1) | 255.255.255.255 | Wildcard bits to be applied to the source, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Destination IP | 0.0.0.0 | Number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Destination IP Wildcard | 255.255.255.255 | Wildcard bits to be applied to the destination, specified as a 32-bit quantity in 4-part dotted decimal format. Place a 1 in the bit positions that you want to ignore and identify bits of interest with a 0.
Table 9-7 Extended IP ACL ICMP Condition (continued)
Field | Default Value | Description
ICMP Param Type (1) | None | Choices are None, Type/Code, or Msg. None—Disables the ICMP Type, Code, and Message fields. Type/Code—Allows ICMP messages to be filtered by ICMP message type and code. Also enables the ability to set an ICMP message code number. Msg—Allows a combination of type and code to be specified using a keyword. Activates the ICMP message drop-down list. Disables the ICMP Type field.
ICMP Message (1) | administrativelyprohibited | Allows a combination of ICMP type and code to be specified using a keyword chosen from the drop-down list.
ICMP Type (1) | 0 | Number from 0 to 255. This field is enabled when you choose Type/Code.
Use ICMP Code (1) | Unchecked | When checked, enables the ICMP Code field.
ICMP Code (1) | 0 | Number from 0 to 255. Message code option that allows ICMP messages of a particular type to be further filtered by an ICMP message code.
1. Required field.
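The matching rules in Tables 9-1 and 9-4 through 9-7 (wildcard masks, protocol, port operators, the TCP Established check) together with the ordering and empty-ACL rules stated earlier in this chapter, worked through as an added Python example that is not Cisco code. The IT subnet 10.10.0.0/16, the sample packets, and the implicit deny at the end of a non-empty ACL are assumptions made for the example.

```python
"""Ordered IP ACL evaluation with the semantics that Tables 9-1 and 9-4 through
9-7 describe: wildcard masks, protocol match, port operators and the TCP
Established check.  Added example, not Cisco code; the subnet, packets and
ACL below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Union

# Subset of the port-name keywords the tables accept, mapped to IANA numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23, "www": 80,
              "https": 443, "snmp": 161, "snmptrap": 162, "ntp": 123, "domain": 53}

Port = Union[int, str]


def port_number(p: Port) -> int:
    """Accept a decimal port or one of the port-name keywords from the tables."""
    return PORT_NAMES[p] if isinstance(p, str) else int(p)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard is ignored; a 0 bit must match (Table 9-1)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def port_match(port: int, op: str, p1: int, p2: int) -> bool:
    """Source/Destination Operator choices: <, >, ==, != or range (Table 9-5)."""
    return {"<": port < p1, ">": port > p1, "==": port == p1,
            "!=": port != p1, "range": p1 <= port <= p2}[op]


@dataclass(frozen=True)
class Condition:
    purpose: str                       # "Permit" or "Deny"
    protocol: str = "ip"               # ip matches any protocol (Table 9-4)
    src_ip: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"  # table defaults: any source, any destination
    dst_ip: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    src_op: str = "range"
    src_port1: Port = 0
    src_port2: Port = 65535
    dst_op: str = "range"
    dst_port1: Port = 0
    dst_port2: Port = 65535
    established: bool = False          # TCP only: ACK or RST must be set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp", "icmp" or "gre"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flag names, e.g. {"SYN"}


def condition_matches(c: Condition, pkt: Packet) -> bool:
    """True when every enabled field of the condition matches the packet."""
    if c.protocol != "ip" and c.protocol != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, c.src_ip, c.src_wild)
            and wildcard_match(pkt.dst, c.dst_ip, c.dst_wild)):
        return False
    if c.protocol in ("tcp", "udp"):
        if not port_match(pkt.sport, c.src_op, port_number(c.src_port1),
                          port_number(c.src_port2)):
            return False
        if not port_match(pkt.dport, c.dst_op, port_number(c.dst_port1),
                          port_number(c.dst_port2)):
            return False
    if c.protocol == "tcp" and c.established and not (pkt.flags & {"ACK", "RST"}):
        return False  # the initial SYN of a new connection is not "established"
    return True


def evaluate(acl: List[Condition], pkt: Packet) -> str:
    """Apply conditions in listed order; the first match decides (Step 6 note).
    An empty ACL permits all traffic, as the chapter states.  A non-empty ACL
    with no matching condition is treated as Deny here (the usual implicit
    deny; an assumption, since this page does not state it)."""
    if not acl:
        return "Permit"
    for c in acl:
        if condition_matches(c, pkt):
            return c.purpose
    return "Deny"


def management_acl() -> List[Condition]:
    """Constructed inbound ACL for the IT-subnet scenario: only hosts in
    10.10.0.0/16 may open SSH or HTTPS sessions to the device, replies to
    connections the device itself opened are allowed, everything else is dropped."""
    it_subnet = dict(src_ip="10.10.0.0", src_wild="0.0.255.255")
    return [
        Condition("Permit", "tcp", dst_op="==", dst_port1="ssh", **it_subnet),
        Condition("Permit", "tcp", dst_op="==", dst_port1="https", **it_subnet),
        Condition("Permit", "tcp", established=True),
        Condition("Deny"),
    ]
```

Reordering the conditions changes the result (for example, moving the final Deny to the top drops everything), which is why the Move column ordering in the GUI matters.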
Chapter 10
Configuring Other System Settings
This chapter describes how to perform other system tasks such as setting the system clock, modifying the default system configuration settings, and enabling alarm overload detection, after you have done a basic configuration of your WAAS device. This chapter also describes how to register and manage WAAS Express devices.
Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• Modifying Device Properties, page 10-1
• Managing Software Licenses, page 10-3
• Enabling the Inetd RCP and FTP Services, page 10-4
• Configuring Date and Time Settings, page 10-5
• Configuring Secure Store Settings, page 10-10
• Modifying the Default System Configuration Properties, page 10-17
• Configuring the Web Application Filter, page 10-20
• Configuring Faster Detection of Offline WAAS Devices, page 10-21
• Configuring Alarm Overload Detection, page 10-23
• Configuring the E-mail Notification Server, page 10-24
• Using IPMI over LAN, page 10-24
• Managing WAAS Express Devices, page 10-27
Modifying Device Properties
The WAAS Central Manager GUI allows you to make the following changes to the properties of a WAE device:
• Rename the device
• Assign a new location to the device
• Assign an IP address to be used for management traffic to the device
• Deactivate or activate the device
You can also use the WAAS Central Manager GUI to check the status of a device to determine if it is online, pending, or inactive.
For a WAAS Central Manager device, renaming is the only one of these changes that you can make from the GUI.
To modify a device’s properties, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose device-name > Activation.
The Device Activation window appears with fields for editing the properties of the selected device.
For a WAAS Central Manager device, the only fields that you can change in this window are the name and NetBIOS name of the device. In addition, the device IP address and role are displayed.
Step 3 Under the General Configuration heading, set or modify the following device properties:
• To change the hostname of the device, enter a new name in the Name field. This name must conform to the following rules:
– The name must use only alphanumeric characters and hyphens (-).
– The first and last character must be a letter or a digit.
– Maximum length is 30 characters.
– Names are case insensitive.
– The following characters are considered illegal and cannot be used when naming a device: @, #, $, %, ^, &, *, (), |, \, ", /, <>.
• To activate or deactivate the device, check or uncheck the Activate check box. When this box is checked, the device is activated for centralized management through the WAAS Central Manager GUI.
You can also click the Deactivate icon in the task bar to deactivate the device. Deactivating a device allows you to replace the device in the event of a hardware failure without losing all of its configuration settings.
• To change the NetBIOS name of the device, enter the new NetBIOS name for the device in the provided field. The NetBIOS name must not consist of only numbers; it must include some letters. This field is not displayed for WAAS Express devices.
Step 4 Under the Locality heading, set or change the location by choosing a new location from the Location drop-down list. To create a location for this device, see the “Creating Locations” section on page 3-10.
Step 5 Under the Management Interface Configuration with NAT heading, configure the NAT settings using the following fields:
• Check the Use WAE’s primary IP Address check box to enable the WAAS Central Manager to use the IP address configured on the primary interface of the device to communicate with devices in the WAAS network that are behind a NAT firewall. This check box is not displayed for WAAS Express devices.
• Allow the WAAS Central Manager to communicate with devices in the WAAS network that are behind the NAT firewall using an explicitly configured IP address, by entering the IP address of the device in the Management IP field. You also need to enter this address in scenarios where the primary interface for a WAE is set to an inline group interface and management traffic is configured on a separate IP address (either on a secondary IP address on the same inline group interface or on a built-in interface).
• In the Port field, enter the port number for the management IP address. If the HTTPS server configured on a WAAS Express device is using a different port than the default of 443, configure the same port here.
Note If the WAAS Central Manager cannot contact a device using the primary IP address, it attempts to communicate using the Management IP address.
Step 6 In the Comments field, enter any comments that you want to appear for this device.
Step 7 Click Submit.
Managing Software Licenses
WAAS software version 4.1.1 introduces software licenses that enable specific WAAS optimization and acceleration features. A software license must be installed and configured before the features that it enables will operate.
Table 10-1 lists the software licenses that may be purchased and the features that each license enables.
Table 10-1 WAAS Software Licenses
License | Description
Transport | Enables basic DRE, TFO, and LZ optimization. Cannot be configured if the Enterprise license is configured.
Enterprise | Enables the EPM, HTTP, MAPI, NFS, SSL, CIFS, SMB, ICA, and Windows Print application accelerators, the WAAS Central Manager, and basic DRE, TFO, and LZ optimization. Cannot be configured if the Transport license is configured.
Video | Enables the video application accelerator. Requires the Enterprise license to be configured first.
Virtual-Blade | Enables the virtualization feature. Requires the Enterprise license to be configured first.
Licenses are installed and managed only on individual WAE devices, not device groups. Not all licenses are supported on all devices. A WAAS Central Manager device requires only the Enterprise license and no other licenses can be configured.
Note WAAS Express licenses are managed by using the router CLI command license install, not from the WAAS Central Manager. WAAS Express devices do not use the same kind of licenses as WAAS devices do. They use a single license that enables the WAAS Express optimization feature.
To add a license to a WAE from the WAAS Central Manager, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name. (Do not choose a Central Manager device because you must use the CLI to manage licenses on Central Managers.)
Step 2 Choose Admin > History > License Management.
Step 3 Check the check box next to each license that you want to add.
Step 4 Click Submit.
To add licenses from the CLI, you can use the license add EXEC command.
To remove licenses from the CLI, you can use the clear license EXEC command.
To display the status of all licenses from the CLI, you can use the show license EXEC command.
The setup utility also configures licenses when you first set up a new WAAS device.
Enabling the Inetd RCP and FTP Services
Remote Copy Protocol (RCP) lets you download, upload, and copy configuration files between remote hosts and a switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection oriented. Inetd (an Internet daemon) is a program that listens for connection requests or messages for certain ports and starts server programs to perform the services associated with those ports. RCP copies files between devices.
RCP is a subset of the UNIX rshell service, which allows UNIX users to execute shell commands on remote UNIX systems. It is a UNIX built-in service. This service uses TCP as the transport protocol and listens for requests on TCP port 514. RCP service can be enabled on WAAS devices that use WAAS software.
To enable RCP and FTP services on a WAAS device, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Network > Network Services. The Network Services window appears.
Step 3 Check the Enable Rcp Service check box to enable Inetd RCP services. By default, this option is disabled.
Note The Inetd daemon listens for FTP, RCP, and TFTP services. For Inetd to listen to RCP requests, it must be explicitly enabled for RCP service.
Step 4 Check the Enable FTP Service check box to enable the Inetd FTP service. By default, this option is disabled.
Step 5 Click Submit to save your changes.
A “Click Submit to Save” message appears in red next to the Current Settings line when there are pending changes to be saved after you have applied default or device group settings. You can also revert to the previously configured settings by clicking the Reset button. The Reset button is visible only when you have applied default or group settings to change the current device settings but you have not yet submitted the changes.
If you try to leave this window without saving the modified settings, a warning dialog box prompts you to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
Configuring Date and Time Settings
This section explains how to configure date and time settings for your WAAS network devices and contains the following topics:
• Configuring NTP Settings, page 10-5
• Configuring Time Zone Settings, page 10-5
Configuring NTP Settings
The WAAS Central Manager GUI allows you to configure the time and date settings using a Network Time Protocol (NTP) host on your network. NTP allows the synchronization of time and date settings for the different geographical locations of the devices in your WAAS network, which is important for proper system operation and monitoring. On each WAAS device, be sure to set up an NTP server to keep the clocks synchronized.
To configure NTP settings, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Date/Time > NTP. The NTP Settings window appears.
Step 3 Check the Enable check box to enable NTP settings. By default, this option is disabled.
Step 4 In the NTP Server field, enter a hostname or IP address.
Step 5 Click Submit.
Note Unexpected time changes can result in unexpected system behavior. We recommend reloading the system after configuring an NTP server or changing the system clock.
Configuring Time Zone Settings
If you have an outside source on your network that provides time services (such as a Network Time Protocol [NTP] server), you do not need to set the system clock manually. When manually setting the clock, enter the local time.
Note Two clocks exist in the system: the software clock and the hardware clock. The software uses the software clock. The hardware clock is used only at startup to initialize the software clock.
To configure the time zone on a device or device group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Date/Time > Time Zone. The Time Zone Settings window appears.
Step 3
To configure a standard time zone, follow these steps:
a. Under the Time Zone Settings section, click the Standard Time Zone radio button. The default is UTC (offset = 0) with no summer time configured. When you configure a standard time zone, the system is automatically adjusted for the UTC offset, and the UTC offset need not be specified.
The standard convention for time zones uses a Location/Area format in which Location is a continent or a geographic region of the world and Area is a time zone region within that location.
b. From the drop-down list, choose a location for the time zone. (For an explanation of the abbreviations in this list, see Table 10-2.)
The window refreshes, displaying all area time zones for the chosen location in the second drop-down list.
c. Choose an area for the time zone. The UTC offset is automatically set for standard time zones. Summer time is built in for some standard time zones (mostly time zones within the United States), and results in an automatic change in the UTC offset during summer time. For a list of standard time zones that can be configured and their UTC offsets, see Table 10-3.
Step 4
To configure a customized time zone on the device, follow these steps:
a. Under the Time Zone Settings section, click the Customized Time Zone radio button.
b. In the Customized Time Zone field, specify the name of the time zone. The time zone entry is case-sensitive and can contain up to 40 characters including spaces. If you specify any of the standard time zone names, an error message is displayed when you click Submit.
c. For UTC Offset, choose the + or – sign from the first drop-down list to specify whether the configured time zone is ahead of or behind UTC. Also, choose the number of hours (0–23) and minutes (0–59) offset from UTC for the customized time zone. The range for the UTC offset is from –23:59 to 23:59, and the default is 0:0.
Step 5
To configure customized summer time, follow these steps under the Customized Summer Time Savings section.
Note
You can specify a customized summer time for both standard and customized time zones.
a. To configure absolute summer time, click the Absolute Dates radio button.
You can configure a start date and end date for summer time in absolute dates or recurring dates. Absolute date settings apply only once and must be set every year. Recurring dates apply repeatedly for many years.
b. In the Start Date and End Date fields, specify the month (January through December), day (1–31), and year (1993–2032) on which summer time must start and end in mm/dd/yyyy format. Make sure that the end date is always later than the start date.
Alternatively, click the Calendar icon next to the Start Date and End Date fields to display the Date Time Picker popup window. By default the current date is highlighted in yellow. In the Date Time Picker popup window, use the left or right arrow icons to choose the previous or following years, if required. Choose a month from the drop-down list. Click a day of the month. The chosen date is highlighted in blue. Click Apply. Alternatively, click Set Today to revert to the current day. The chosen date is displayed in the Start Date and End Date fields.
c. To configure recurring summer time, click the Recurring Dates radio button.
d. From the Start Day drop-down list, choose a day of the week (Monday–Sunday) to start.
e. From the Start Week drop-down list, choose an option (first, 2nd, 3rd, or last) to set the starting week. For example, choose first to configure summer time to recur beginning the first week of the month or last to configure summer time to recur beginning the last week of the month.
f. From the Start Month drop-down list, choose a month (January–December) to start.
g. From the End Day drop-down list, choose a day of the week (Monday–Sunday) to end.
h. From the End Week drop-down list, choose an option (first, 2nd, 3rd, or last) to set the ending week. For example, choose first to configure summer time to end in the first week of the month or last to configure summer time to end in the last week of the month.
i. From the End Month drop-down list, choose a month (January–December) to end.
Step 6
From the Start Time drop-down lists, choose the hour (0–23) and minute (0–59) at which daylight saving time should start. From the End Time drop-down lists, choose the hour (0–23) and minute (0–59) at which daylight saving time should end.
The Start Time and End Time fields for summer time are the times of day at which the clock is changed to reflect summer time. By default, both start and end times are set to 00:00.
Step 7
In the Offset field, specify the minutes offset from UTC (0–1439). (See Table 10-3.)
The summer time offset specifies the number of minutes that the system clock moves forward at the
specified start time and backward at the end time.
Step 8
Click the No Customized Summer Time Configured radio button to not specify a summer or daylight
saving time for the corresponding time zone.
Step 9
Click Submit to save the settings.
A “Click Submit to Save” message appears in red next to the Current Settings line when there are
pending changes to be saved after you have applied default or device group settings. You can also revert
to the previously configured settings by clicking the Reset button. The Reset button is visible only when
you have applied default or group settings to change the current device settings but have not yet
submitted the changes.
If you attempt to leave this window without saving the modified settings, a warning dialog box prompts
you to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
Table 10-2 Timezone Location Abbreviations
Time Zone   Expansion
CET         Central European Time
CST6CDT     Central Standard/Daylight Time
EET         Eastern European Time
EST         Eastern Standard Time
EST5EDT     Eastern Standard/Daylight Time
GB          Great Britain
GB-Eire     Great Britain/Ireland
GMT         Greenwich Mean Time
HST         Hawaiian Standard Time
MET         Middle European Time
MST         Mountain Standard Time
MST7MDT     Mountain Standard/Daylight Time
NZ          New Zealand
NZ-CHAT     New Zealand, Chatham Islands
Table 10-2 Timezone Location Abbreviations (continued)
Time Zone   Expansion
PRC         People’s Republic of China
PST8PDT     Pacific Standard/Daylight Time
ROC         Republic of China
ROK         Republic of Korea
UCT         Coordinated Universal Time
UTC         Coordinated Universal Time
WET         Western European Time
W-SU        Middle European Time
Table 10-3 Timezone—Offset from UTC
Time Zone               Offset from UTC (in hours)
Africa/Algiers          +1
Africa/Cairo            +2
Africa/Casablanca       0
Africa/Harare           +2
Africa/Johannesburg     +2
Africa/Nairobi          +3
America/Buenos_Aires    –3
America/Caracas         –4
America/Mexico_City     –6
America/Lima            –5
America/Santiago        –4
Atlantic/Azores         –1
Atlantic/Cape_Verde     –1
Asia/Almaty             +6
Asia/Baghdad            +3
Asia/Baku               +4
Asia/Bangkok            +7
Asia/Colombo            +6
Asia/Dacca              +6
Asia/Hong_Kong          +8
Asia/Irkutsk            +8
Asia/Jerusalem          +2
Asia/Kabul              +4.30
Asia/Karachi            +5
Asia/Katmandu           +5.45
Asia/Krasnoyarsk        +7
Asia/Magadan            +11
Asia/Muscat             +4
Table 10-3 Timezone—Offset from UTC (continued)
Time Zone               Offset from UTC (in hours)
Asia/New Delhi          +5.30
Asia/Rangoon            +6.30
Asia/Riyadh             +3
Asia/Seoul              +9
Asia/Singapore          +8
Asia/Taipei             +8
Asia/Tehran             +3.30
Asia/Vladivostok        +10
Asia/Yekaterinburg      +5
Asia/Yakutsk            +9
Australia/Adelaide      +9.30
Australia/Brisbane      +10
Australia/Darwin        +9.30
Australia/Hobart        +10
Australia/Perth         +8
Australia/Sydney        +10
Canada/Atlantic         –4
Canada/Newfoundland     –3.30
Canada/Saskatchewan     –6
Europe/Athens           +2
Europe/Berlin           +1
Europe/Bucharest        +2
Europe/Helsinki         +2
Europe/London           0
Europe/Moscow           +3
Europe/Paris            +1
Europe/Prague           +1
Europe/Warsaw           +1
Japan                   +9
Pacific/Auckland        +12
Pacific/Fiji            +12
Pacific/Guam            +10
Pacific/Kwajalein       –12
Pacific/Samoa           –11
US/Alaska               –9
US/Central              –6
US/Eastern              –5
US/East–Indiana         –5
US/Hawaii               –10
Table 10-3 Timezone—Offset from UTC (continued)
Time Zone               Offset from UTC (in hours)
US/Mountain             –7
US/Pacific              –8
UTC was formerly known as Greenwich Mean Time (GMT). The offset time (number of hours ahead or
behind UTC) as displayed in the table is in effect during winter time. During summer time or daylight
saving time, the offset may be different from the values in the table and is calculated and displayed
accordingly by the system clock.
Configuring Secure Store Settings
Secure store encryption provides strong encryption and key management for your WAAS system. The
WAAS Central Manager and WAE devices use secure store encryption for handling passwords,
managing encryption keys, and for data encryption.
This section contains the following topics:
• Secure Store Overview, page 10-10
• Enabling Secure Store Encryption on the Central Manager, page 10-12
• Enabling Secure Store Encryption on a Standby Central Manager, page 10-13
• Enabling Secure Store Encryption on a WAE Device, page 10-13
• Changing Secure Store Passphrase Mode, page 10-14
• Changing the Secure Store Encryption Key and Password, page 10-15
• Resetting Secure Store Encryption on a Central Manager, page 10-16
• Disabling Secure Store Encryption on a WAE Device, page 10-17
Secure Store Overview
With secure store encryption on the Central Manager or a WAE device, the WAAS system uses strong
encryption algorithms and key management policies to protect certain data on the system. This data
includes encryption keys used by applications in the WAAS system, CIFS accelerator passwords for
prepositioning, user login passwords, NAM credentials, and certificate key files.
Secure store encryption on the Central Manager is always enabled and uses a password that is
auto-generated or user-provided. This password is used to generate the key encryption key according to
secure standards. The WAAS system uses the key encryption key to encrypt and store other keys
generated on the Central Manager or WAE devices. These other keys are used for WAAS functions
including disk encryption, SSL acceleration, or to encrypt and store CIFS accelerator credentials, and
user passwords.
Data on the Central Manager is encrypted using a 256-bit key encryption key generated from the
password and using SHA1 hashing and an AES 256-bit algorithm. When secure store is enabled on a
WAE device the data is encrypted using a 256-bit key encryption key generated using SecureRandom, a
cryptographically strong pseudorandom number generator.
Secure store encryption on a Central Manager uses one of the following modes:
• Auto-generated passphrase mode—The passphrase is automatically generated by the Central Manager and used to open the secure store after each system reboot. This is the default mode for new Central Manager devices or after the system has been reinstalled.
• User-provided passphrase mode—The passphrase is supplied by the user and must be entered after each system reboot to open the secure store. You can switch to this mode, and systems upgraded from versions prior to 4.4.1, with secure store initialized, are configured in this mode after upgrading to 4.4.1 or later.
To implement secure store your system must meet the following requirements:
• You must have a Central Manager configured for use in your network.
• Your WAE devices must be registered with the Central Manager.
• Your WAE devices must be online (have an active connection) with the Central Manager. This requirement applies only if you are enabling secure store on WAE devices.
• All Central Managers and WAE devices must be running WAAS software version 4.0.19 or higher.
To implement secure store encryption, follow these steps:
Step 1
Enable strong storage encryption on your primary Central Manager. See Enabling Secure Store
Encryption on the Central Manager.
Step 2
Enable strong storage encryption on any standby Central Managers. See Enabling Secure Store
Encryption on a Standby Central Manager.
Step 3
Enable strong storage encryption on WAE devices or WAE device groups. See Enabling Secure Store
Encryption on a WAE Device. (Secure store must be enabled on the Central Manager before you enable
it on the WAE devices.)
You can enable secure store independently on the Central Manager and on the WAE devices. To ensure
full protection of your encrypted data, enable secure store on both the Central Manager and the WAE
devices. You must enable secure store on the Central Manager first.
Note
When you reboot the Central Manager, if secure store is in user-provided passphrase mode, you must
manually open secure store encryption. All services that use the secure store (disk encryption, CIFS
prepositioning, SSL acceleration, AAA, and so on) on the remote WAE devices do not operate properly
until you enter the secure store password on the Central Manager to open secure store encryption.
Note the following considerations regarding the secure store:
• Passwords stored in the Central Manager database are encrypted using strong encryption techniques.
• CIFS prepositioning credentials are encrypted using the strong encryption key on the Central Manager and the WAE devices.
• Certificate key files are encrypted using the strong encryption key on the Central Manager.
• If a primary Central Manager fails, secure store key management is handled by the standby Central Manager. (Secure store mode must be enabled manually on the standby Central Manager.)
• Backup scripts back up the secure store passphrase mode (user-provided or auto-generated) of the device at the time of backup. Backup and restore are supported only on the Central Manager.
• If you have a backup made when the secure store was in user-provided passphrase mode and you restore it to a system where the secure store is in auto-generated passphrase mode, you must enter the user passphrase to proceed with the restore. After the restore, the system is in user-provided passphrase mode. If you have a backup made when the secure store was in auto-generated passphrase mode and you restore it to a system where the secure store is in user-provided passphrase mode, you do not need to enter a password. After the restore, the system is in auto-generated passphrase mode.
• When you enable secure store on a WAE device, the system initializes and retrieves a new encryption key from the Central Manager. The WAE uses this key to encrypt data such as CIFS prepositioning credentials and information on the disk (if disk encryption is also enabled).
• When you reboot the WAE after enabling secure store, the WAE retrieves the key from the Central Manager automatically, allowing normal access to the data that is stored in WAAS persistent storage. If key retrieval fails, a critical alarm is raised and secure store should be reopened manually. Until secure store is reopened, the WAE rejects configuration updates from the Central Manager if the updates contain CIFS preposition, dynamic share, or user configuration. Also, the WAE does not include preposition configuration in the updates that it sends to the Central Manager.
• While secure store encrypts certain system information, it does not encrypt the data on the hard drives. To protect the data disks, you must enable disk encryption separately. See the “Enabling Disk Encryption” section on page 16-30.
Enabling Secure Store Encryption on the Central Manager
Secure store is enabled by default on a new Central Manager, with a system-generated password that
opens the secure store after the system boots. You do not need to do anything to enable secure store.
If a Central Manager is configured in user-provided passphrase mode, you must manually open the
secure store after the system boots. To open secure store encryption on the Central Manager, follow these
steps:
Step 1
From the WAAS Central Manager menu, choose Admin > Secure Store. The Configure CM Secure
Store window appears.
Step 2
Enter the secure store passphrase in the Current passphrase field under Open Secure Store.
Step 3
Click the Open button.
The secure store is opened. Data is encrypted using the key derived from the password.
To open the secure store from the CLI, use the cms secure-store open EXEC command.
Note
Whenever you reboot a Central Manager that is configured in user-provided passphrase mode, you must
reopen the secure store manually. All services that use the secure store (disk encryption, CIFS
prepositioning, SSL acceleration, AAA, and so on) on the remote WAE devices do not operate properly
until you enter the secure store password on the Central Manager to reopen the secure store. Switch to
auto-generated passphrase mode to avoid having to reopen the secure store after each reboot.
Note
When you enable secure store on the primary Central Manager in user-provided passphrase mode, you
should enable secure store on the standby Central Manager as well. See Enabling Secure Store
Encryption on a Standby Central Manager, page 10-13.
You can check the status of secure store encryption by entering the show cms secure-store command.
Enabling Secure Store Encryption on a Standby Central Manager
Note
A standby Central Manager provides limited encryption key management support. If the primary Central
Manager fails, the standby Central Manager provides only encryption key retrieval to the WAE devices
but does not provide new encryption key initialization. Do not enable disk encryption or secure store on
WAE devices when the primary Central Manager is not available.
The secure store passphrase mode on the primary Central Manager is replicated to the standby Central
Manager (within the standard replication time). If the primary Central Manager is switched to
auto-generated passphrase mode, the standby Central Manager secure store changes to the open state. If
the primary Central Manager is switched to user-provided passphrase mode or the passphrase is changed,
the standby Central Manager secure store changes to the initialized but not open state and an alarm is
raised. You must manually open the secure store on the standby Central Manager.
To enable secure store encryption on a standby Central Manager when the primary Central Manager is
in user-provided passphrase mode, open the secure store on the primary Central Manager and then use
the CLI to execute the cms secure-store open EXEC mode command on the standby Central Manager:
Step 1
Enable secure store encryption on the primary Central Manager. See the “Enabling Secure Store
Encryption on the Central Manager” section on page 10-12.
Step 2
Wait until the standby Central Manager replicates the data from the primary Central Manager.
The replication should occur in 60 seconds (default) or as configured for your system.
Step 3
Enter the cms secure-store open command on the standby Central Manager to activate secure store
encryption.
The standby Central Manager responds with the “please enter pass phrase” message.
Step 4
Type the password and press Enter.
The standby Central Manager encrypts the data using secure store encryption.
Note
Repeat Steps 3 and 4 for each standby Central Manager on your system.
You can check the status of secure store encryption by entering the show cms secure-store command.
Enabling Secure Store Encryption on a WAE Device
To enable secure store encryption on a WAE device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Note
The secure store status must be the same for all WAE devices in a device group. Either all WAE
devices in the group must have secure store enabled, or all must have secure store disabled.
Before you add a WAE device to a device group, set its secure store status to match the others.
See the “Working with Device Groups” section on page 3-2.
Step 2
Choose Configure > Security > Secure Store. The Secure Store Settings window appears.
Step 3
Check the Initialize CMS Secure Store box. (The Open CMS Secure Store box will be checked
automatically.)
Step 4
Click Submit to activate secure store encryption.
A new encryption key is initialized on the Central Manager, and the WAE encrypts the data using secure
store encryption.
To enable secure store from the CLI, use the cms secure-store init EXEC command.
Note
If you have made any other CLI configuration changes on a WAE within the datafeed poll rate time
interval (5 minutes by default) before executing the cms secure-store command, those prior
configuration changes are lost and you must redo them.
Note
When you enable or disable secure store on a device group, the changes do not take effect on all WAE
devices simultaneously. When you view the WAE devices be sure to give the Central Manager enough
time to update the status of each WAE device.
Changing Secure Store Passphrase Mode
The secure store can operate either in user-provided or auto-generated passphrase mode and you can
switch between these modes.
To change from user-provided to auto-generated passphrase mode, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > Secure Store.
Step 2
In the Switch to CM auto-generated passphrase mode area, enter the password in the Current passphrase
field.
Step 3
Click the Switch button.
Step 4
Click OK in the confirmation message that appears.
The secure store is changed to auto-generated passphrase mode and remains in the open state.
To change from auto-generated to user-provided passphrase mode, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > Secure Store.
Step 2
In the Switch to User-provided passphrase mode area, enter a password in the New passphrase field and
reenter the password in the Confirm passphrase field.
The password must conform to the following rules:
• Be 8 to 64 characters in length
• Contain characters only from the allowed set: A-Za-z0-9~%'!#$^&*()|;:,"<>/
• Contain at least one digit
• Contain at least one lowercase and one uppercase letter
Step 3
Click the Switch button.
Step 4
Click OK in the confirmation message that appears.
The secure store is changed to user-provided passphrase mode and remains in the open state. If you have
a standby Central Manager, you must manually open its secure store (see the “Enabling Secure Store
Encryption on a Standby Central Manager” section on page 10-13).
To change secure store passphrase mode from the CLI, use the cms secure-store mode EXEC command.
Note
Whenever you reboot a Central Manager that is configured in user-provided passphrase mode, you must
reopen the secure store manually. All services that use the secure store (disk encryption, CIFS
prepositioning, SSL acceleration, AAA, and so on) on the remote WAE devices do not operate properly
until you enter the secure store password on the Central Manager to reopen the secure store. Switch to
auto-generated passphrase mode to avoid having to reopen the secure store after each reboot.
Changing the Secure Store Encryption Key and Password
The secure store encryption password is used by the Central Manager to generate the encryption key for
the encrypted data. If the Central Manager is configured for user-provided passphrase mode, you can
change the password.
To change the password and generate a new encryption key on the Central Manager, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > Secure Store.
Step 2
In the Change Secure Store passphrase area, in the Current passphrase field, enter the current password.
Step 3
In the New passphrase field, enter the new password.
The password must conform to the following rules:
• Be 8 to 64 characters in length
• Contain characters only from the allowed set: A-Za-z0-9~%'!#$^&*()|;:,"<>/
• Contain at least one digit
• Contain at least one lowercase and one uppercase letter
Step 4
In the Confirm passphrase field, enter the new password again.
Step 5
Click the Change button.
The WAAS device reencrypts the stored data using a new encryption key derived from the new password.
To change the password and generate a new encryption key on the Central Manager from the CLI, use
the cms secure-store change EXEC command.
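The same four passphrase rules apply when switching to user-provided passphrase mode and when changing the passphrase, and the GUI reports only that a rule was broken. The checker below is an added example, not part of this guide or of the WAAS software; it applies the rules exactly as listed above so an operator can vet a candidate before submitting it. The sample passphrases are constructed for illustration only.

```python
import string

# Rules for the secure store passphrase as stated in the WAAS guide
MIN_LEN, MAX_LEN = 8, 64
# Allowed set from the guide: A-Za-z0-9~%'!#$^&*()|;:,"<>/
SPECIALS = "~%'!#$^&*()|;:,\"<>/"
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + SPECIALS)


def check_secure_store_passphrase(passphrase: str) -> list:
    """Return the list of rule violations; an empty list means the passphrase is acceptable.

    Every rule is evaluated, so the operator sees all problems at once rather
    than discovering them one submit attempt at a time.
    """
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append(
            f"length {len(passphrase)} is outside {MIN_LEN}-{MAX_LEN} characters")
    # Characters outside the allowed set: note that space, '-', '_', '@' and '.'
    # are all disallowed, which commonly trips up generated passphrases
    bad = sorted({c for c in passphrase if c not in ALLOWED_CHARS})
    if bad:
        problems.append("disallowed character(s): " + " ".join(repr(c) for c in bad))
    if not any(c in string.digits for c in passphrase):
        problems.append("no digit")
    if not any(c in string.ascii_lowercase for c in passphrase):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in passphrase):
        problems.append("no uppercase letter")
    return problems


def is_valid_secure_store_passphrase(passphrase: str) -> bool:
    """True when the passphrase satisfies every rule in the guide."""
    return not check_secure_store_passphrase(passphrase)


# Constructed sample passphrases (not real credentials), one per rule
SAMPLES = [
    "Waas!Store2024",      # acceptable
    "Short1A",             # too short
    "Pass_word-99",        # '_' and '-' are outside the allowed set
    "Has Space1A",         # space is outside the allowed set
    "alllowercase1",       # no uppercase letter
    "ALLUPPER123",         # no lowercase letter
    "NoDigitsHere!",       # no digit
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_secure_store_passphrase(sample)
        print(f"{sample!r:20} -> {'OK' if not result else '; '.join(result)}")
```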
To generate a new encryption key for a WAE device from the WAAS Central Manager, follow these
steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > Secure Store.
Step 3
Check the Change CMS Secure Store box and then click Submit.
A new encryption key is generated in the Central Manager. The Central Manager replaces the encryption
key in the WAE with the new key. The WAE re-encrypts the stored data using the new encryption key.
To configure the secure store encryption key from the CLI, use the cms secure-store change EXEC
command.
Resetting Secure Store Encryption on a Central Manager
You can reset the secure store if you reload the Central Manager and you cannot open the secure store
because it is configured in user-provided passphrase mode and you forget the secure store password. This
procedure deletes all encrypted data, certificate and key files, and key manager keys. The secure store is
reinitialized, configured in auto-generated passphrase mode, and opened.
To reset secure store encryption on a Central Manager, follow these steps:
Step 1
At the primary Central Manager CLI, enter the cms secure-store reset command to reset secure store
encryption.
Step 2
Wait until the standby Central Manager replicates the data from the primary Central Manager.
The replication should occur in 60 seconds (default) or as configured for your system.
Step 3
Enter the cms secure-store reset command on the standby Central Manager if secure store is in the
initialized and open state.
Step 4
From the primary Central Manager, reset all user account passwords, CIFS credentials, and NAM
credentials.
For information on resetting user passwords, see the “Changing the Password for Another Account”
section on page 8-7. For information on resetting dynamic share passwords, see the “Creating Dynamic
Shares for the CIFS Accelerator” section on page 12-9. For information on resetting preposition
passwords, see the “Creating a New Preposition Directive” section on page 12-12. For information on
resetting NAM credentials, see the “Configuring the Basic Setup” section on page 15-3.
Step 5
On each WAE registered to the Central Manager, follow these steps:
a.
If secure store is initialized and open, from the Central Manager, clear secure store (see the
“Disabling Secure Store Encryption on a WAE Device” section on page 10-17). Or, from the CLI,
enter the cms secure-store clear EXEC command.
b.
From the Central Manager, initialize secure store (see the “Enabling Secure Store Encryption on a
WAE Device” section on page 10-13) or from the CLI, enter the cms secure-store init EXEC
command. (This step is needed only if you performed step 5a.)
c.
Enter the crypto pki managed-store initialize command and restart the SSL accelerator.
d.
If disk encryption is enabled, from the Central Manager, disable disk encryption (see the “Enabling
Disk Encryption” section on page 16-30) or from the CLI, enter the no disk encrypt enable global
configuration command.
e.
If disk encryption had been enabled before step 5d, reload the device. After the reload, reenable disk
encryption and reload the device again.
Note
If the WAE is reloaded before doing Step 5, disk encryption, SSL acceleration, and secure store do not function properly. In this case, you must restore the WAE to factory defaults.
Step 6
From the primary Central Manager, reimport all certificate and key files for all the accelerated and peering services that are configured on the WAEs.
Disabling Secure Store Encryption on a WAE Device
To disable secure store encryption on a WAE device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > Secure Store. The Secure Store Settings window appears.
Step 3
Check the Clear CMS Secure Store box and then click Submit to disable secure store encryption and
return to standard encryption.
You can also enter the cms secure-store clear command to disable secure store encryption and return to
standard encryption.
To disable secure store on a WAE from the CLI, use the cms secure-store clear EXEC command.
Note
Secure store cannot be disabled on a Central Manager.
Modifying the Default System Configuration Properties
The WAAS software comes with preconfigured system properties that you can modify to alter the default
behavior of the system.
Table 10-4 describes the system configuration properties that you can modify.
Table 10-4 Descriptions for System Configuration Properties

cdm.remoteuser.deletionDaysLimit
    Maximum number of days since their last login after which external users will be deleted from the WAAS Central Manager database. For example, if cdm.remoteuser.deletionDaysLimit is set to 5, external users will be deleted from the database if the difference between their last login time and the current time is more than 5 days. The default is 60 days. External users are users that are defined in an external AAA server and not in the WAAS Central Manager. Any reports scheduled by such users are also deleted when the users are deleted.

cdm.session.timeout
    Timeout in minutes of a WAAS Central Manager GUI session. The default is 10 minutes. If the session is idle for this length of time, the user is automatically logged out.

DeviceGroup.overlap
    Status of whether a device can belong to more than one device group. The default is true (devices can belong to more than one device group).

System.datafeed.pollRate
    Poll rate between a WAAS (or WAAS Express) device and the WAAS Central Manager (in seconds). The default is 300 seconds.

System.device.recovery.key
    Device identity recovery key. This property enables a device to be replaced by another node in the WAAS network.

System.guiServer.fqdn
    Scheme to use (IP address or FQDN) to launch the Device Manager GUI.

System.healthmonitor.collectRate
    Collect and send rate in seconds for the CMS device health (or status) monitor. If the rate is set to 0, the health monitor is disabled. The default is 120 seconds.

System.lcm.enable
    Local and central management feature (enable or disable). This property allows settings that are configured using the local device CLI or the WAAS Central Manager GUI to be stored as part of the WAAS network configuration data. The default is true. If this property is set to false (disabled), configuration changes made on a local device will not be communicated to the Central Manager and configurations done in the Central Manager will overwrite local device configurations. This setting applies to both WAAS and WAAS Express devices.

System.monitoring.collectRate
    Rate at which a WAE collects and sends the monitoring report to the WAAS Central Manager (in seconds). For a WAAS Express device, this is the rate at which the Central Manager collects the monitoring data from the WAAS Express device. The default is 300 seconds (5 minutes). Reducing this interval impacts the performance of the WAAS Central Manager device.

System.monitoring.dailyConsolidationHour
    Hour at which the WAAS Central Manager consolidates hourly and daily monitoring records. The default is 1 (1:00 a.m.).

System.monitoring.enable
    WAAS and WAAS Express statistics monitoring (enable or disable). The default is true.

System.monitoring.maxDevicePerLocation
    Maximum number of devices for which monitoring is supported in location level reports. The default is 25.

System.monitoring.maxReports
    Maximum number of completed or failed report instances to store for each custom report. The default is 10 report instances.

System.monitoring.monthlyConsolidationFrequency
    How often (in days) the WAAS Central Manager consolidates daily monitoring records into monthly records. If this setting is set to 1, the WAAS Central Manager checks if consolidation needs to occur every day, but only performs consolidation if there is enough data for consolidation to occur. The default is 14 days.
    When a monthly data record is created, the corresponding daily records are removed from the database. Consolidation occurs only if there are at least two calendar months of data plus the consolidation frequency days of data. This ensures that the WAAS Central Manager always maintains daily data records for the past month and can display data on a day level granularity for the last week.
    For example, if data collection starts on February 2nd, 2006 and System.monitoring.monthlyConsolidationFrequency is set to 14, then the WAAS Central Manager checks if there is data for the past two calendar months on the following days: Feb 16th, March 2nd, March 16th, and March 30th. No consolidation will occur because there is not enough data on these days.
    On April 13th, however, two calendar months of data exists. The WAAS Central Manager then consolidates data for the month of February and deletes the daily data records for that month.

System.monitoring.recordLimitDays
    Maximum number of days of monitoring data to maintain in the system. The default is 1825 days.

System.monitoring.timeFrameSettings
    Default time frame to be used for plotting all the charts. Settings saved by the user will not be changed. The default is Last Hour.

System.registration.autoActivation
    Status of the automatic activation feature, which automatically activates WAAS and WAAS Express devices that are registered to the Central Manager. The default is true (devices are automatically registered).

System.rpc.timeout.syncGuiOperation
    Timeout in seconds for the GUI synchronization operations for the Central Manager to WAE connection. The default is 50 seconds.

System.security.maxSimultaneousLogins
    Maximum number of concurrent WAAS Central Manager sessions permitted for a user. Specify 0 (zero, the default) for unlimited concurrent sessions. A user must log off the Central Manager to end a session. If a user closes the browser without logging off, the session is not closed until after it times out after 120 minutes (the timeout is not configurable). If the number of concurrent sessions permitted also is exceeded for that user, there is no way for that user to regain access to the Central Manager GUI until after the timeout expires. This setting does not affect CLI access to the Central Manager device.

System.security.webApplicationFilter
    Status of the web application filter, which rejects any javascript, SQL, or restricted special characters in input. The default is false.

System.standby.replication.maxCount
    Maximum number of statistics data records (in thousands) that will be replicated to a standby Central Manager. The range is 10 to 300. The default is 200 (200,000 records). We do not recommend increasing this number.

System.standby.replicationTimeout
    Maximum number of seconds to wait for replication to a standby Central Manager. The range is 300 to 3600 seconds. The default is 900 seconds. We do not recommend decreasing this timeout.
To view or modify the value of a system property, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Global > System Properties. The Config
Properties window appears.
Step 2
Click the Edit icon next to the system property that you want to change. The Modifying Config Property
window appears.
Step 3
From a drop-down list, enter a new value or choose a new parameter, depending on the system property
that you want to change.
Step 4
Click Submit to save the settings.
Configuring the Web Application Filter
Web Application Filter is a security feature that protects the WAAS Central Manager GUI against
Cross-Site Scripting (XSS) attacks. XSS security issues can occur when an application sends data that
originates from a user to a web browser without first validating or encoding the content, which can allow
malicious scripting to be executed in the client browser, potentially compromising database integrity.
This security feature verifies that all application parameters sent from WAAS users are validated and/or
encoded before populating any HTML pages.
This section contains the following topics:
• Enabling the Web Application Filter, page 10-20
• Security Verification, page 10-21
Enabling the Web Application Filter
To enable the Web Application Filter, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Global > System Properties. The Config
Properties window appears.
Note
You cannot enable this feature using the CLI. This feature is disabled by default.
Step 2
Click the Edit icon next to the system.security.webApplicationFilter entry.
The Modifying Config Property window appears.
Step 3
Choose true from the Value drop-down list to enable this feature.
A confirmation message appears to advise Central Manager and Device Manager users to log out and
then back in after enabling this feature.
Step 4
Click OK and then Submit.
Step 5
Log out and then back in again.
Security Verification
The Web Application Filter feature verifies security using two methods, input verification and
sanitization. Input validation validates all input data before accepting data. Sanitization prevents
malicious configuration and scripts already present in the data from getting executed.
This section contains the following topics:
• Input Validation, page 10-21
• Sanitization, page 10-21
Input Validation
Input validation scans all data that is input to the Central/Device Manager database and is only
configurable by the admin user.
Any input submitted using the Central Manager GUI that is suspicious of XSS is blocked. Blocked input
results in a warning.
Input data is checked against the following XSS filter rules:
• Input is rejected if it contains a semicolon (;)
• Input is rejected if it is enclosed in angle brackets (<>)
• Input is rejected if it can be indirectly used to generate the above tags (&#60, &#62, %3c, %3e)
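The three filter rules above, written out as a Python check so they can be exercised against constructed field values. This is an added illustration, not code from the guide or from WAAS; the "enclosed in angle brackets" rule is read here as a value that begins with < and ends with >, which is an assumption.

```python
import re
from typing import List, Tuple

# Indirect encodings of < and > that the guide lists as rejected.
_ENCODED_ANGLE = re.compile(r"&#60|&#62|%3c|%3e", re.IGNORECASE)


def check_input(value: str) -> Tuple[bool, str]:
    """Apply the Web Application Filter's XSS input rules to one GUI field.

    Returns (accepted, reason); reason is empty when the input is accepted.
    The rules are checked in the order the guide lists them.
    """
    # Rule 1: any semicolon is rejected.
    if ";" in value:
        return False, "contains a semicolon (;)"
    # Rule 2: input enclosed in angle brackets. Assumption: "enclosed" means
    # the trimmed value starts with < and ends with >.
    stripped = value.strip()
    if len(stripped) >= 2 and stripped[0] == "<" and stripped[-1] == ">":
        return False, "enclosed in angle brackets (<>)"
    # Rule 3: HTML entity or URL-encoded forms that would yield < or >.
    if _ENCODED_ANGLE.search(value):
        return False, "contains an encoded angle bracket (&#60, &#62, %3c, %3e)"
    return True, ""


def filter_inputs(values: List[str]) -> List[Tuple[str, bool, str]]:
    """Run check_input over a batch of field values and return
    (value, accepted, reason), so blocked inputs can be reported as warnings."""
    return [(v, *check_input(v)) for v in values]


# Constructed sample field values for illustration; not taken from the guide.
SAMPLE_INPUTS = [
    "branch-office-wae-01",   # ordinary device name: accepted
    "<b>Branch</b>",          # rule 2: enclosed in angle brackets
    "alert(1);",              # rule 1: semicolon
    "%3Cimg src=x%3E",        # rule 3: URL-encoded angle brackets
    "&#60b&#62",              # rule 3: HTML entities without a semicolon
    "Sales and Marketing",    # accepted
]

if __name__ == "__main__":
    for value, accepted, reason in filter_inputs(SAMPLE_INPUTS):
        status = "accepted" if accepted else f"BLOCKED: {reason}"
        print(f"{value!r:28} {status}")
```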
Sanitization
The sanitizer prevents malicious configuration and scripts from getting executed in the browser when
there is an XSS attack on the database. Sanitization is not configurable by the user.
Configuration data coming from the Central Manager that is suspect for XSS is shown in red on the
Device Groups > All Device Groups page.
Configuring Faster Detection of Offline WAAS Devices
You can detect offline WAAS devices more quickly if you enable the fast detection of offline devices. A
WAAS device is declared as offline when it has failed to contact the WAAS Central Manager for a
getUpdate (get configuration poll) request for at least two polling periods. (See the “About Faster
Detection of Offline Devices” section on page 10-22 for more information about this feature.)
To configure fast detection of offline WAAS devices, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Global > Fast Device Offline Detection.
The Configure Fast Offline Detection window appears.
Note
The fast detection of offline devices feature is in effect only when the WAAS Central Manager
receives the first UDP heartbeat packet and a getUpdate request from a device.
Step 2
Check the Enable check box to enable the WAAS Central Manager to detect the offline status of devices
quickly.
Step 3
In the Heartbeat Rate (Seconds) field, specify how often devices should transmit a UDP heartbeat packet
to the WAAS Central Manager. The default is 30 seconds.
Step 4
In the Heartbeat Fail Count field, specify the number of UDP heartbeat packets that can be dropped
during transmission from devices to the WAAS Central Manager before a device is declared offline. The
default is 1.
Step 5
In the Heartbeat UDP Port field, specify the port number using which devices will send UDP heartbeat
packets to the primary WAAS Central Manager. The default is port 2000.
The Maximum Offline Detection Time field displays the product of the failed heartbeat count and
heartbeat rate.
Maximum Offline Detection Time = Failed heartbeat count * Heartbeat rate
If you have not enabled the fast detection of offline devices feature, then the WAAS Central Manager
waits for at least two polling periods to be contacted by the device for a getUpdate request before
declaring the device to be offline. However, if you enable the fast detection of offline devices feature,
then the WAAS Central Manager waits until the value displayed in the Maximum Offline Detection Time
field is exceeded.
If the WAAS Central Manager receives the Cisco Discovery Protocol (CDP) from a device, then the
WAAS Central Manager GUI displays the device as offline after a time period of 2* (heartbeat rate) *
(failed heartbeat count).
Step 6
Click Submit.
Note
Any changes to the Configure Fast WAE offline detection page in the Central Manager could result in
devices temporarily appearing to be offline. Once the configuration changes are propagated to the
devices, they show as online again.
About Faster Detection of Offline Devices
Communication between the WAAS device and WAAS Central Manager using User Datagram Protocol
(UDP) allows faster detection of devices that have gone offline. UDP heartbeat packets are sent at a
specified interval from each device to the primary WAAS Central Manager in a WAAS network. The
primary WAAS Central Manager tracks the last time that it received a UDP heartbeat packet from each
device. If the WAAS Central Manager has not received the specified number of UDP packets, it displays
the status of the nonresponsive devices as offline. Because UDP heartbeats require less processing than
a getUpdate request, they can be transmitted more frequently, and the WAAS Central Manager can detect
offline devices much faster.
You can enable or disable this feature, specify the interval between two UDP packets, and configure the
failed heartbeat count. Heartbeat packet rate is defined as the interval between two UDP packets. Using
the specified heartbeat packet rate and failed heartbeat count values, the WAAS Central Manager GUI
displays the resulting offline detection time as a product of heartbeat rate and failed heartbeat count. If
the fast detection of offline devices is enabled, the WAAS Central Manager detects devices that are in
network segments that do not support UDP and uses getUpdate (get configuration poll) request to detect
offline devices.
By default, the feature to detect offline devices more quickly is not enabled.
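The offline decision described in the procedure and in this section, as an added Python model (not WAAS code): it combines the Maximum Offline Detection Time, the doubled window for devices that send CDP, and the two-polling-period getUpdate fallback. The device names, timestamps and the per-device fields tracked are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FastOfflineConfig:
    """Settings from the Configure Fast Offline Detection window plus the
    datafeed poll rate used by the getUpdate fallback."""
    enabled: bool = False          # feature is disabled by default
    heartbeat_rate: int = 30       # Heartbeat Rate (Seconds), default 30
    heartbeat_fail_count: int = 1  # Heartbeat Fail Count, default 1
    poll_rate: int = 300           # System.datafeed.pollRate, default 300 s

    def max_offline_detection_time(self) -> int:
        """Value shown in the Maximum Offline Detection Time field."""
        return self.heartbeat_fail_count * self.heartbeat_rate


@dataclass
class DeviceState:
    """What the primary Central Manager tracks per device (constructed model)."""
    name: str
    last_get_update: float                  # time of last getUpdate poll
    last_heartbeat: Optional[float] = None  # None until first UDP heartbeat
    cdp_received: bool = False              # CM has received CDP from device


def is_offline(cfg: FastOfflineConfig, dev: DeviceState, now: float) -> bool:
    """Decide whether the Central Manager would show `dev` as offline at `now`."""
    # getUpdate rule: offline once the device has missed contact for at
    # least two polling periods. This is also the fallback for devices in
    # network segments that do not carry UDP heartbeats.
    poll_offline = now - dev.last_get_update >= 2 * cfg.poll_rate
    # Fast detection is in effect only when enabled and after the first UDP
    # heartbeat from the device has been received.
    if not cfg.enabled or dev.last_heartbeat is None:
        return poll_offline
    threshold = cfg.max_offline_detection_time()
    if dev.cdp_received:
        # Devices sending CDP are shown offline after
        # 2 * heartbeat rate * failed heartbeat count.
        threshold *= 2
    return now - dev.last_heartbeat > threshold


def offline_devices(cfg: FastOfflineConfig, devices: List[DeviceState],
                    now: float) -> List[str]:
    """Names of devices the Central Manager would list as offline at `now`."""
    return [d.name for d in devices if is_offline(cfg, d, now)]


# Constructed sample devices; times are seconds since an arbitrary epoch.
SAMPLE_DEVICES = [
    DeviceState("wae-branch-1", last_get_update=0.0, last_heartbeat=0.0),
    DeviceState("wae-branch-2", last_get_update=0.0, last_heartbeat=0.0,
                cdp_received=True),
    DeviceState("wae-no-udp", last_get_update=0.0),   # UDP never arrived
]

if __name__ == "__main__":
    cfg = FastOfflineConfig(enabled=True)
    for t in (30.0, 31.0, 61.0, 600.0):
        print(f"t={t:6.0f}s offline: {offline_devices(cfg, SAMPLE_DEVICES, t)}")
```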
Configuring Alarm Overload Detection
WAAS devices can track the rate of incoming alarms from the Node Health Manager. If the rate of
incoming alarms exceeds the high-water mark (HWM), then the WAAS device enters an alarm overload
state. This situation occurs when multiple applications raise alarms at the same time to report error
conditions. When a WAAS device is in an alarm overload state, the following occurs:
• SNMP traps for subsequent alarm raise and clear operations are suspended. The trap for the raise
alarm-overload alarm and the clear alarm-overload alarm are sent; however, traps related to alarm
operations between the raise alarm-overload alarm and the clear alarm-overload alarm operations
are suspended.
• Alarm overload raise and clear notifications are not blocked. The alarm overload state is
communicated to SNMP and the Configuration Management System (CMS). However, in the alarm
overload state, SNMP and the CMS are not notified of individual alarms. The information is only
available by using the CLI.
• The WAAS device remains in an alarm overload state until the rate of incoming alarms decreases to
the point that the alarm rate is less than the low-water mark (LWM).
• If the incoming alarm rate falls below the LWM, the WAAS device comes out of the alarm overload
state and begins to report the alarm counts to SNMP and the CMS.
When the WAAS device is in an alarm overload state, the Node Health Manager continues to record the
alarms being raised on the WAAS device and keeps a track of the incoming alarm rate. Alarms that have
been raised on a WAAS device can be listed using the show alarm CLI commands that are described in
the Cisco Wide Area Application Services Command Reference.
To configure alarm overload detection for a WAAS device (or device group), follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Monitoring > Alarm Overload Detection. The Alarm Overload Detection
Settings window appears.
Step 3
Uncheck the Enable Alarm Overload Detection check box if you do not want to configure the WAAS
device (or device group) to suspend alarm raise and clear operations when multiple applications report
error conditions. This check box is checked by default.
Step 4
In the Alarm Overload Low Water Mark (Clear) field, enter the number of incoming alarms per second
below which the WAAS device comes out of the alarm overload state.
The low-water mark is the level up to which the number of alarms must drop before alarms can be
restarted. The default value is 1. The low-water mark value should be less than the high-water mark
value.
Step 5
In the Alarm Overload High Water Mark (Raise) field, enter the number of incoming alarms per second
above which the WAAS device enters the alarm overload state. The default value is 10.
Step 6
Click Submit to save the settings.
To configure alarm overload detection from the CLI, you can use the alarm overload-detect global
configuration command.
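The overload state machine this section describes (HWM raise, LWM clear, suppressed per-alarm traps, complete CLI record), as an added Python model that is not WAAS code. The one-second rate window, the trap strings and the burst scenario are constructed assumptions.

```python
from collections import deque
from typing import Deque, List, Tuple


class AlarmOverloadDetector:
    """Model of WAAS alarm overload detection: the per-second rate of raised
    alarms is compared with the high-water mark (enter overload) and the
    low-water mark (leave overload), and SNMP trap emission follows the
    behaviour described in the guide. Constructed model, not WAAS code."""

    def __init__(self, high_water_mark: int = 10, low_water_mark: int = 1,
                 enabled: bool = True) -> None:
        if low_water_mark >= high_water_mark:
            raise ValueError("low-water mark must be less than high-water mark")
        self.hwm = high_water_mark
        self.lwm = low_water_mark
        self.enabled = enabled
        self.overloaded = False
        self._window: Deque[float] = deque()          # raise times, last 1 s
        self.snmp_traps: List[str] = []               # traps actually sent
        self.alarm_log: List[Tuple[float, str]] = []  # what the CLI can list

    def rate(self, now: float) -> int:
        """Alarms raised in the one-second window ending at `now`."""
        while self._window and now - self._window[0] >= 1.0:
            self._window.popleft()
        return len(self._window)

    def _update_state(self, now: float) -> None:
        if not self.enabled:
            return
        current = self.rate(now)
        if not self.overloaded and current > self.hwm:
            self.overloaded = True
            self.snmp_traps.append("raise alarm-overload")  # never suppressed
        elif self.overloaded and current < self.lwm:
            self.overloaded = False
            self.snmp_traps.append("clear alarm-overload")  # never suppressed

    def raise_alarm(self, name: str, now: float) -> None:
        # The Node Health Manager keeps recording alarms in every state.
        self.alarm_log.append((now, name))
        self._window.append(now)
        self._update_state(now)
        if not self.overloaded:
            self.snmp_traps.append(f"raise {name}")  # suspended while overloaded

    def clear_alarm(self, name: str, now: float) -> None:
        self._update_state(now)
        if not self.overloaded:
            self.snmp_traps.append(f"clear {name}")

    def show_alarms(self) -> List[Tuple[float, str]]:
        """Equivalent of listing alarms from the CLI: complete, even in overload."""
        return list(self.alarm_log)


def run_burst_scenario() -> AlarmOverloadDetector:
    """Constructed scenario: 11 applications raise alarms within 0.1 s
    (exceeding the default HWM of 10), then the device goes quiet."""
    det = AlarmOverloadDetector()
    for i in range(11):
        det.raise_alarm(f"app{i}-error", now=i * 0.01)
    det.clear_alarm("app0-error", now=5.0)  # rate back to 0, below LWM of 1
    return det


if __name__ == "__main__":
    det = run_burst_scenario()
    print("traps sent:", det.snmp_traps)
    print("alarms recorded:", len(det.show_alarms()))
```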
Configuring the E-mail Notification Server
You can schedule reports to be generated periodically, and when they are generated, a link to the report
can be e-mailed to one or more recipients. (For details, see the “Managing Reports” section on
page 17-43.)
To enable e-mail notification, you must configure e-mail server settings for the WAAS Central Manager
by following these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name. You must choose a Central
Manager device.
Step 2
Choose Configure > Monitoring > Email Notification. The Configure Email Server Details window
appears.
Step 3
In the Mail Server Hostname field, enter the hostname of the SMTP e-mail server that is to be used to
send e-mail.
Note
Only SMTP mail servers are supported. If any other type of mail server is configured, the email
notification fails.
Step 4
In the Mail Server Port field, enter the port number. The default is port 25.
Step 5
In the Server Username field, enter a valid e-mail account username.
Step 6
In the Server Password field, enter the password for the e-mail account.
Step 7
In the From Address field, enter the e-mail address shown as the sender of the e-mail notification.
Step 8
Click Submit.
Using IPMI over LAN
Intelligent Platform Management Interface (IPMI) over LAN provides remote platform management
service for WAVE-294/594/694/7541/7571/8541 appliances. IPMI is an open standard technology that
defines how administrators monitor system hardware and sensors, control system components, and
retrieve logs of important system events to conduct remote management and recovery. IPMI runs on the
Baseboard Management Controller (BMC) and operates independently of WAAS. After IPMI over LAN
is set up and enabled on WAAS, authorized users can access BMC remotely even when WAAS becomes
unresponsive or the device is powered down but connected to a power source. You can use an IPMI v2
compliant management utility, such as ipmitool or OSA SMbridge, to connect to the BMC remotely to
perform IPMI operations.
The IPMI over LAN feature provides the following remote platform management services:
• Supports the power on, power off, and power cycle of the WAAS appliance.
• Monitors the health of the WAAS hardware components by examining Field Replaceable Unit
(FRU) information and reading sensor values.
• Retrieves logs of important system events to conduct remote management and recovery.
• Provides serial console access to the WAAS appliance over the IPMI session.
• Support for IPMI Serial over LAN (SoL)—IPMI SoL enables a remote user to access a WAAS
appliance through a serial console through an IPMI session.
IPMI over LAN and IPMI SoL features can be configured using CLI commands and include the
following:
• Configuring IPMI LAN interface
• Configuring IPMI LAN users
• Configuring security settings for remote IPMI access
• Enabling/disabling IPMI over LAN
• Enabling/disabling IPMI SoL
• Restoring the default settings for the BMC LAN channel
• Displaying the current IPMI over LAN and IPMI SoL configurations
For more information on configuring IPMI over LAN, see the “Configuring BMC for Remote Platform
Management” section on page 10-26.
BMC Firmware Update
IPMI over LAN requires that a specific BMC firmware version be installed on the device. The minimum
supported BMC firmware versions are:
• WAVE-294/594/694—48a
• WAVE-7541/7571/8541—26a
WAAS appliances shipped from the factory with WAAS version 4.4.5 or later have the correct
firmware installed. If you are updating a device that was shipped with an earlier version of WAAS
software, you must update the BMC firmware, unless it was updated previously.
To determine if you are running the correct firmware version, use the show bmc info command. The
following example displays the latest BMC firmware version installed on the device (48a here):
wave# show bmc info
Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 0.48        <<<<< version 48
IPMI Version              : 2.0
Manufacturer ID           : 5771
Manufacturer Name         : Unknown (0x168B)
Product ID                : 160 (0x00a0)
Product Name              : Unknown (0xA0)
Device Available          : yes
Provides Device SDRs      : no
Additional Device Support :
    Sensor Device
    SDR Repository Device
    SEL Device
    FRU Inventory Device
Aux Firmware Rev Info     :
    0x0b
    0x0c
    0x08
    0x0a                                <<<<< a
. . .
If a BMC firmware update is needed, you can download it from cisco.com at the Wide Area Application
Service (WAAS) Firmware download page (registered customers only). The firmware binary image is
named waas-bmc-installer-48a-48a-26a-k9.bin.
You can use the following command to update the firmware from the image file that is available through
FTP on your network:
copy ftp install ip-address remotefiledir waas-bmc-installer-48a-48a-26a-k9.bin
The update process automatically checks the health status of the BMC firmware. If BMC firmware
corruption is detected, BMC is recovered during the BMC firmware update procedure. The complete
update process can take several minutes and the device may appear unresponsive but do not interrupt the
process or power cycle the device. After the update is complete, you must reload the device.
After the device reboots, you can verify the firmware version by using the show bmc info command.
BMC recovery and BMC firmware update restores the factory defaults on the BMC and all the current
IPMI over LAN configurations are erased.
If BMC firmware corruption happens, a critical alarm is raised.
Configuring BMC for Remote Platform Management
This section describes the minimum steps needed to enable IPMI over LAN and IPMI SoL to conduct
remote platform management. This section includes the following topics:
• Enabling IPMI Over LAN
• Enabling IPMI SoL
Enabling IPMI Over LAN
To enable IPMI over LAN, perform the following steps using the bmc lan command:
Step 1
Change the default BMC LAN IP address.
Step 2
Change the password for the BMC default user, which is user 2.
Step 3
Enable IPMI over LAN.
Step 4
Access the BMC from a remote client over IPMI session v2.0 using the username and password for the
number 2 user. The default cipher suite used to access the BMC is 3, which specifies
RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, and AES-CBC-128 encryption
algorithms.
Step 5
To access the BMC over an IPMI session v1.5, change the user 2 IPMI-session-version setting from v2.0
to v1.5.
Enabling IPMI SoL
To enable IPMI SoL, perform the following steps:
Step 1
On the WAAS device, configure and enable IPMI over LAN (IoL).
Step 2
On the remote client make sure that the BMC user can do IoL operations successfully over IPMI session
v2.0.
Step 3
On the remote client, change the baud-rate of the terminal to match the WAAS console baud rate of 9600
bps.
Step 4
On the WAAS device, enable IPMI SoL.
Step 5
On the remote client, if the IPMI management tool is ipmitool, check the SoL payload status of the
specific BMC user with the following command:
ipmitool -I lanplus -H bmc-ip-address -U bmc-user-name sol payload status 1 bmc-user-userid
For example:
# ipmitool -I lanplus -H 2.1.4.70 -U user3 sol payload status 1 3
Password:
User 3 on channel 1 is disabled
Step 6
If the SoL payload is disabled for this user, enable the SoL payload for this user with the following
command:
ipmitool -I lanplus -H bmc-ip-address -U bmc-user-name sol payload enable 1 bmc-user-userid
For example:
# ipmitool -I lanplus -H 2.1.4.70 -U user3 sol payload enable 1 3
Password:
# ipmitool -I lanplus -H 2.1.4.70 -U user3 sol payload status 1 3
Password:
User 3 on channel 1 is enabled
Step 7
On the remote client, use the following command to open the serial console to the WAAS device:
ipmitool -I lanplus -H bmc-ip-address -U bmc-user-name sol activate
Step 8
On the remote client, you have now entered the console session of the WAAS device. When you are done,
use the ~. escape character to terminate the connection.
Managing WAAS Express Devices
You can use the WAAS Central Manager to manage WAAS Express devices, which are Cisco ISR G2
routers deployed with the WAAS Express software. The WAAS Express software implements a subset
of the WAAS appliance functionality, providing basic optimization and HTTP accelerator express, CIFS
accelerator express, and SSL accelerator express. The Central Manager menu displays a subset of the
full menu when a WAAS Express device is selected as the context.
The Central Manager and a WAAS Express device communicate using the HTTPS protocol. To establish
communication between a WAAS Central Manager and a WAAS Express device, you must register the
WAAS Express device with the Central Manager. Using the Central Manager GUI to register a WAAS
Express device is a more simplified method than using the CLI.
• Registering a WAAS Express Device Using the GUI, page 10-28
• Registering a WAAS Express Device Using the CLI, page 10-29
Registering a WAAS Express Device Using the GUI
To register a WAAS Express device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Admin > Security > WAAS Express > Registration.
The WAAS Express Registration window appears. (See Figure 10-1.)
Note
To register a WAAS Express device using the Central Manager GUI, SSH must be enabled on
the WAAS Express device.
Figure 10-1 WAAS Express Registration (window screenshot not reproduced)
Step 2
Configure the login credentials by entering the username, password, and enable password.
Step 3
Enter the HTTP Authentication, local or AAA.
Step 4
Enter the WAAS Express IP addresses to register. The IP address, hostname, and status are displayed in
the Registration Status table.
You may also upload a CSV file that contains a list of IP addresses to register. To upload a list, check
the Upload file check box and either browse to the file or enter the filename. Each IP address must be on
a separate line.
Step 5
Select the Central Manager IP address option, either default or NAT.
Step 6
Click the Register button and verify that the registration status was successful.
You may view the results in the log file: /local/local1/errlog/waasx-audit.log
Step 7
The final step is to install a permanent WAAS software license. This function is not supported using the
Central Manager GUI. You must obtain and copy the WAAS license to a location accessible to the
license command on the WAAS Express device.
The following is an example of the license command used on the WAAS Express device to install the
WAAS license:
waas-express#license install ftp://infra/licenses/FHH122500AZ_20100811190225615.lic
This example uses FTP to get and install the license but there are various options available for this
command. Choose one that best suits your deployment.
Registering a WAAS Express Device Using the CLI
You can register the WAAS Express device with the Central Manager using the CLI by completing the
steps outlined in Table 10-5.
Table 10-5 Checklist for Registering a WAAS Express Device using the CLI

Task 1. Configure a username and password.
    The same username and password are configured on the WAAS Express device and the Central Manager, so the Central Manager can log in to the WAAS Express device for management purposes.
    For more information, see the “Configuring a User” section on page 10-30.

Task 2. Import the primary Central Manager administrative server certificate into the WAAS Express device.
    The WAAS Express device requires the Central Manager certificate for secure HTTPS server communication.
    For more information, see the “Importing the Central Manager Certificate” section on page 10-31.

Task 3. Configure a WAAS Express device certificate.
    The Central Manager device requests this WAAS Express certificate for secure HTTPS server communication.
    For more information, see the “Configuring a WAAS Express Device Certificate” section on page 10-32.

Task 4. Enable the secure HTTP server with user authentication.
    Enables the Central Manager and WAAS Express device to communicate.
    For more information, see the “Enabling the HTTP Secure Server on the WAAS Express Device” section on page 10-32.

Task 5. Install a permanent WAAS software license.
    Allows the WAAS Express software to operate on the router.
    For more information, see the “Installing a License on the WAAS Express Device” section on page 10-33.

Task 6. Configure an NTP server.
    Keeps the time synchronized between the WAAS Express device and the Central Manager.
    For more information, see the “Configuring an NTP Server” section on page 10-33.

Task 7. Register the WAAS Express device with the Central Manager.
    Registers the WAAS Express device with the Central Manager.
    For more information, see the “Registering the WAAS Express Device” section on page 10-34.
The following sections describe these steps in detail.
Configuring a User
The first step in setting up your WAAS Express device and Central Manager to communicate is to
configure the same user on the WAAS Express device and the Central Manager.
To configure a user, follow these steps:
Step 1
Log in to the WAAS Express device CLI.
Step 2
Configure a local user with privilege level 15 on the WAAS Express device by using the username IOS
configuration command:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#username cisco privilege 15 password 0 cisco
waas-express(config)#exit
Alternatively, you can configure an external TACACS+ or RADIUS user; see details after this procedure.
Step 3
Save the running configuration:
waas-express#write memory
Building configuration...
[OK]
Step 4
From the WAAS Central Manager menu, choose Admin > Security > WAAS Express > Global
Credentials. The WAAS Express Global Credentials window appears.
On the Central Manager, you can define global WAAS Express credentials that apply to all WAAS
Express devices, or you can define credentials at the device group or individual device level. This
procedure shows how to configure global credentials. To configure device group or individual device
credentials, you must first complete the WAAS Express registration process and then configure this
setting for a WAAS Express device group or device. Device and device group credentials have
precedence over global credentials.
Step 5
In the Username field, enter the same username that you defined on the WAAS Express device.
Note
The username field is optional if you are not using local or AAA authentication for the HTTP
server on the WAAS Express device; that is, if you use the default HTTP server configuration of
ip http authentication enable. (See the “Enabling the HTTP Secure Server on the WAAS
Express Device” section on page 10-32.)
Step 6
In the Password field, enter the same password that you defined on the WAAS Express device.
Step 7
Click Submit.
Note
Changing the WAAS Express credentials on the Central Manager does not change the configuration on
the WAAS Express device. It affects only the credentials that are stored on the Central Manager.
To configure an external TACACS+ user on the WAAS Express device, use the following configuration
commands on the WAAS Express device:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#aaa new-model
waas-express(config)#aaa authentication login default group tacacs+
waas-express(config)#aaa authorization exec default group tacacs+
waas-express(config)#tacacs-server host host-ip
waas-express(config)#tacacs-server key keyword
To configure an external RADIUS user on the WAAS Express device, use the following configuration
commands on the WAAS Express device:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#aaa new-model
waas-express(config)#aaa authentication login default group radius
waas-express(config)#aaa authorization exec default group radius
waas-express(config)#radius-server host host-ip
waas-express(config)#radius-server key keyword
The external authentication server for TACACS+ or RADIUS must be Cisco ACS 4.x or 5.x.
Importing the Central Manager Certificate
The next step is to import the certificate from the Central Manager into the WAAS Express device.
To import the certificate, follow these steps:
Step 1
Log in to the Central Manager CLI.
Step 2
Display the administrative certificate by using the show crypto EXEC command:
waas-cm#show crypto certificate-detail admin
...
-----BEGIN CERTIFICATE-----
MIICezCCAeSgAwIBAgIEVwMK8zANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMC
...
-----END CERTIFICATE-----
Step 3
Copy the certificate text, which is the part in between the BEGIN CERTIFICATE and END
CERTIFICATE lines in the output.
Step 4
Log in to the WAAS Express device CLI.
Step 5
Configure a certificate for the Central Manager:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#crypto pki trustpoint wcm
waas-express(ca-trustpoint)#enrollment terminal pem
waas-express(ca-trustpoint)#exit
waas-express(config)#crypto pki authenticate wcm
Enter the base 64 encoded CA certificate.
End with a blank line or the word “quit” on a line by itself
Step 6
Paste in the certificate that you copied from the Central Manager in Step 3.
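As an added example, not code from the Cisco guide: a small Python helper that pulls the PEM block out of the show crypto certificate-detail admin output, checks that the decoded DER is a single complete SEQUENCE (so a paste that lost a line is caught before it reaches the wcm trustpoint), computes fingerprints of the DER for later comparison, and re-wraps the body at 64 columns. The sample CLI output and the "certificate" inside it are constructed (a DER SEQUENCE of zero bytes, not a real X.509 certificate), and the function names are the example's own.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for 'show crypto certificate-detail admin' output.
# The "certificate" is a DER SEQUENCE (0x30, long-form length 200) wrapping
# 200 zero bytes, not a real certificate, so the example runs offline.
SAMPLE_DER = b"\x30\x81\xc8" + b"\x00" * 200
SAMPLE_CLI_OUTPUT = (
    "waas-cm#show crypto certificate-detail admin\n"
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "...\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode() + "\n"
    "-----END CERTIFICATE-----\n"
)


def extract_certificates(cli_output: str) -> list:
    """Return the base64 body of every PEM certificate block in the CLI
    output, with BEGIN/END lines, prompts and all whitespace removed."""
    return [re.sub(r"\s+", "", m.group(1)) for m in PEM_BLOCK.finditer(cli_output)]


def der_is_complete(der: bytes) -> bool:
    """True if the bytes form exactly one DER SEQUENCE whose declared length
    matches the data; a truncated or partial paste fails this check."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def validate_certificate(b64_body: str) -> dict:
    """Decode a PEM body and report whether it is structurally complete,
    plus SHA-1/SHA-256 fingerprints of the DER for comparison."""
    try:
        der = base64.b64decode(b64_body, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        return {"valid": False, "reason": f"bad base64: {exc}"}
    if not der_is_complete(der):
        return {"valid": False,
                "reason": "DER length mismatch (truncated or partial paste)"}
    return {
        "valid": True,
        "length": len(der),
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def to_pem(b64_body: str) -> str:
    """Re-wrap the base64 body at 64 columns between PEM header/footer lines."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for body in extract_certificates(SAMPLE_CLI_OUTPUT):
        print(validate_certificate(body))
        print(to_pem(body))
```

Run it against the saved CLI output instead of the constructed sample; a "DER length mismatch" result means the copy in Step 3 did not capture the whole block, and the fingerprints give you a value to note before the paste in Step 6.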
Configuring a WAAS Express Device Certificate
The WAAS Express device needs a certificate that is requested by the Central Manager when
establishing HTTPS communication. This procedure describes how to configure a persistent self-signed
certificate on the router, but you can also use a CA signed certificate.
To configure a WAAS Express device certificate, follow these steps:
Step 1
Log in to the WAAS Express device CLI.
Step 2
Create a self-signed certificate on the router:
Note
Due to CSCsy03412, you must configure ip domain name name before enrolling the certificate.
If you do not configure ip domain name, IOS regenerates the self-signed certificate upon reload
and this affects the communication with the WAAS Central Manager.
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#crypto pki trustpoint local
waas-express(ca-trustpoint)#enrollment selfsigned
waas-express(ca-trustpoint)#subject-alt-name routerFQDN
waas-express(ca-trustpoint)#exit
waas-express(config)#crypto pki enroll local
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: yes
Enter Interface name or IP Address[]: 10.10.10.25
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
If the WAAS Express device certificate changes after the WAAS Express device is registered with the
Central Manager, you must reimport the certificate into the Central Manager. For details, see the
“Reimporting WAAS Express Certificate” section on page 10-34.
Enabling the HTTP Secure Server on the WAAS Express Device
The Central Manager and a WAAS Express device communicate using the HTTPS protocol. You must
enable the HTTP secure server on the WAAS Express device.
To enable the HTTP secure server, follow these steps:
Step 1
On the WAAS Express device, enable the HTTP secure server:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#ip http secure-server
Step 2
Configure authentication for the HTTP server for a local user as follows:
waas-express(config)#ip http authentication local
If you are using external TACACS+ or RADIUS user authentication, configure authentication for the
HTTP server as follows:
waas-express(config)#ip http authentication aaa
Note
If you do not configure local or AAA authentication for the HTTP server, only the enable password is
used for authentication. (The default is ip http authentication enable, which uses only the enable
password and no username.) If this default configuration is used, it is not necessary to define a username
credential for the WAAS Express device on the Central Manager. (See the “Configuring a User” section
on page 10-30.)
Installing a License on the WAAS Express Device
The WAAS Express device requires a license to operate the WAAS Express software.
To install a permanent WAAS license, follow these steps:
Step 1
Obtain and copy the WAAS license to a location accessible to the license command on the WAAS
Express device.
Step 2
On the WAAS Express device, install the WAAS license:
waas-express#license install ftp://infra/licenses/FHH122500AZ_20100811190225615.lic
This example uses FTP to get and install the license but there are various options available for this
command. Choose one that best suits your deployment.
Step 3
Save the running configuration:
waas-express#write memory
Building configuration...
[OK]
Configuring an NTP Server
It is important to keep the time synchronized between devices in your WAAS network. You should
already have an NTP server configured for the Central Manager (see the “Configuring NTP Settings”
section on page 10-5).
To configure an NTP server for the WAAS Express device, on the WAAS Express device use the
ntp server global configuration command, as follows:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#ntp server 10.10.10.55
Registering the WAAS Express Device
The final step in setting up a WAAS Express device with the Central Manager is to register the device.
You will need to know the IP address of the Central Manager.
To register a WAAS Express device with the Central Manager, follow these steps:
Step 1
On the WAAS Express device, register with the Central Manager:
waas-express#waas cm-register https://CM_IP_Address:8443/wcm/register
In the URL for this command, specify the Central Manager IP address as indicated. Be sure to include a
colon and the port number of 8443.
If a permanent WAAS license is not installed on the WAAS Express device, you must accept the terms
of the evaluation license to continue. The evaluation license is valid for 60 days.
Step 2
Save the running configuration:
waas-express#write memory
Building configuration...
[OK]
After the successful registration of the WAAS Express device in the Central Manager, the Central
Manager initially shows the device on the Manage Devices page with a management status of Pending
and a license status of Active. After the Central Manager retrieves the device configuration and status,
the management status changes to Online and the license status changes to Permanent (or Evaluation,
Expires in x weeks y days).
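As an added example, not part of the Cisco guide: a Python pre-check that reads a WAAS Express router's running configuration and confirms the prerequisites from the preceding sections (ip domain name, the wcm and local trustpoints, ip http secure-server, an HTTP authentication mode with matching credentials, and an NTP server) before waas cm-register is run. It also reports the default enable-only HTTP authentication and a cleartext password 0 line as warnings. The running-config fragment is constructed from the commands shown in this chapter; the function and key names are the example's own.

```python
import re

# Constructed running-config fragment assembled from the commands in this
# chapter; not output captured from a real device.
SAMPLE_RUNNING_CONFIG = """\
hostname waas-express
ip domain name branch.example.com
username cisco privilege 15 password 0 cisco
crypto pki trustpoint wcm
 enrollment terminal pem
crypto pki trustpoint local
 enrollment selfsigned
 subject-alt-name waas-express.branch.example.com
ip http secure-server
ip http authentication local
ntp server 10.10.10.55
"""


def _has(lines, pattern):
    """True if any config line (leading indent ignored) matches the regex."""
    rx = re.compile(pattern)
    return any(rx.match(line.strip()) for line in lines)


def check_waas_express_readiness(config: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a running-config text.
    Errors block registration with the Central Manager; warnings are weak
    settings worth reviewing."""
    lines = config.splitlines()
    errors, warnings = [], []

    if not _has(lines, r"ip domain name \S+"):
        errors.append("ip domain name is not set; without it IOS regenerates the "
                      "self-signed certificate on reload (CSCsy03412)")
    if not _has(lines, r"crypto pki trustpoint wcm$"):
        errors.append("no trustpoint 'wcm' holding the Central Manager certificate")
    if not _has(lines, r"crypto pki trustpoint local$"):
        errors.append("no trustpoint 'local' for the device's own certificate")
    if not _has(lines, r"ip http secure-server$"):
        errors.append("ip http secure-server is not enabled; the Central Manager "
                      "communicates over HTTPS")
    if not _has(lines, r"ntp server \S+"):
        warnings.append("no ntp server configured; keep the clock in sync with "
                        "the Central Manager")

    # The HTTP authentication mode decides which credentials the Central
    # Manager must hold (see "Configuring a User").
    if _has(lines, r"ip http authentication local$"):
        if not _has(lines, r"username \S+ privilege 15 "):
            errors.append("HTTP authentication is 'local' but no privilege-15 "
                          "username exists")
    elif _has(lines, r"ip http authentication aaa"):
        if not (_has(lines, r"aaa new-model$") and
                _has(lines, r"aaa authentication login default group (tacacs\+|radius)")):
            errors.append("HTTP authentication is 'aaa' but no TACACS+/RADIUS "
                          "login method list is defined")
    else:
        warnings.append("HTTP authentication is the default 'enable': only the "
                        "enable password protects the HTTPS server and the "
                        "Central Manager needs no username")

    if _has(lines, r"username \S+ privilege 15 password 0 "):
        warnings.append("privilege-15 username uses 'password 0' (cleartext in "
                        "the configuration); 'secret' stores a hash instead")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_waas_express_readiness(SAMPLE_RUNNING_CONFIG)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
```

Feed it the output of show running-config; an empty errors list means the device matches the procedure above, and each warning points at a setting this chapter describes as weaker or optional.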
Reimporting WAAS Express Certificate
If the WAAS Express device certificate changes after you have registered the WAAS Express device with
the Central Manager, you must reimport a matching certificate into the Central Manager.
To reimport a WAAS Express device certificate, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Admin > Security > WAAS Express Certificate. The Modifying WAAS Express device
certificate window appears, as shown in Figure 10-2.
The Certificate Info tab shows the certificate information for the WAAS Express device. The Certificate
in PEM Encoded Format tab shows the certificate in PEM format. You can copy the certificate from this
tab to use in the paste operation in the next step.
Figure 10-2
Modifying WAAS Express Device Certificate Window
Step 3
Import this certificate into the Central Manager by selecting one of the following radio buttons that are
shown in both tabs:
• Upload PEM file—Click Browse and locate the PEM file containing the certificate.
• Paste PEM-encoded certificate—Paste the PEM encoded certificate in the text field that appears.
Step 4
Click Submit.
CHAPTER 11
Using the WAE Device Manager GUI
This chapter describes how to use the WAE Device Manager GUI, which is a separate interface from the
WAAS Central Manager GUI. The WAE Device Manager is a web-based management interface that
allows you to control and monitor an individual WAE device in your network. The WAAS Central
Manager device does not have a WAE Device Manager interface. In many cases, the same device settings
are found in both the WAE Device Manager and the WAAS Central Manager GUI. For this reason, we
recommend that you always configure device settings from the WAAS Central Manager GUI if possible.
When you change device settings in the WAE Device Manager, the changes are propagated to the WAAS
Central Manager and override the group settings for that device. If you later decide that you want the
group settings to override the settings that you configured from the WAE Device Manager, you can use
the group override features in the WAAS Central Manager GUI. For more information, see the
“Overriding Group Configuration Settings” section on page 3-7.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• Launching the WAE Device Manager, page 11-1
• A Quick Tour of the WAE Device Manager, page 11-2
• WAE Management Workflow, page 11-3
• Managing a Cisco WAE, page 11-3
• Managing a CIFS Accelerator Device, page 11-19
• Monitoring the WAE, page 11-22
• Viewing WAE Logs, page 11-27
Launching the WAE Device Manager
Each WAAS device is managed separately using the WAE Device Manager web-based interface. You can
launch the WAE Device Manager remotely from any location on the WAAS network using Internet
Explorer (required).
To launch the WAE Device Manager, go to https://Device_IP_Address:8443/mgr
A Quick Tour of the WAE Device Manager
The Login window of the WAE Device Manager appears. Enter your username and password in the fields
provided and click Login. The default username is admin and the default password is default.
The WAE Device Manager interface appears. (See Figure 11-1.)
Figure 11-1
WAE Device Manager Interface
A Quick Tour of the WAE Device Manager
The WAE Device Manager is divided into two sections. The area on the left displays the navigation area.
The area on the right displays information about the options that you have selected from the navigation
area.
The navigation area allows you to navigate the management screens for different WAE components. The
navigation area includes the following options:
• Cisco WAE—Allows you to start and stop the WAE components, register and unregister the WAE,
back up and restore configuration files, and use various WAE utilities. For more information, see the
“Managing a Cisco WAE” section on page 11-3.
• CifsAO—Allows you to monitor preposition tasks, view CIFS device statistics, and view the log.
For more information, see the “Managing a CIFS Accelerator Device” section on page 11-19.
The CifsAO option only appears if you have enabled the transparent CIFS accelerator on this WAAS
device. For more information, see the “Enabling and Disabling the Global Optimization Features”
section on page 13-3.
The options in the navigation area include suboptions, which when selected, display additional tabs in
the display area. Mandatory fields in the display area are indicated with an asterisk. If you click Save
without entering a value in a mandatory field, an error message is displayed. Click the Back link to return
to the window where the error occurred.
Information displayed in tables can be sorted by clicking the column headers. Clicking the header a
second time sorts the information in reverse order.
WAE Management Workflow
As you navigate in the WAE Device Manager, your current location is always displayed across the top
of the display area.
To log out of the WAE Device Manager, click the logout icon on the upper-right side of the display area.
Note
JavaScript, cookies, and popup windows must be enabled in the web browser to use the WAE Device
Manager.
WAE Management Workflow
After WAEs have been deployed and registered (as described in the Cisco Wide Area Application
Services Quick Configuration Guide), use the WAE Device Manager to perform the following actions:
• Start and stop components as described in the “Starting and Stopping Components” section on
page 11-5.
• Register and unregister the WAE as described in the “Registering and Unregistering a WAE” section
on page 11-6.
• Back up and restore configuration files as described in the “Backing Up the Configuration Files”
section on page 11-6.
• Configure Windows authentication as described in the “Configuring Windows Authentication”
section on page 11-10.
• Define component-specific notification recipients as described in the “Defining Notification
Settings” section on page 11-15.
• Run WAE maintenance utilities as described in the “Utilities Option” section on page 11-17.
• View the details, current status, and history of preposition tasks performed on CIFS devices as
described in the “Preposition Option” section on page 11-20.
• View SNMP-generated information and graphs about each WAE component as described in the
“Monitoring the WAE” section on page 11-22.
• View the logs for each WAE component as described in the “Viewing WAE Logs” section on
page 11-27.
Managing a Cisco WAE
You use the Cisco WAE menu item in the navigation area to perform basic operations such as viewing
the status of WAE components and stop or start components on the WAE. Figure 11-2 shows the Cisco
WAE Control window.
Figure 11-2
Cisco WAE Control Window
The Cisco WAE menu item includes the following options:
• Control—Enables you to control the WAE and its components as described in the “Control Option”
section on page 11-4.
• Configuration—Enables you to perform basic configuration tasks as described in the “Configuration
Option” section on page 11-8.
• Utilities—Enables you to run various maintenance utilities on the WAE as described in the “Utilities
Option” section on page 11-17.
• Monitoring—Enables you to view tables and graphs about the CPU and disk utilization in the WAE
as described in the “Monitoring the WAE” section on page 11-22.
• Logs—Enables you to view event logs for various WAE subsystems as described in the “Viewing
WAE Logs” section on page 11-27.
Control Option
The Control option displays the following tabs:
• Components—Enables you to view the working status of each WAE component. You can start, stop,
and restart any component. For more information, see the “Starting and Stopping Components”
section on page 11-5.
• Registration—Enables you to register or unregister the WAE with the WAAS Central Manager. For
more information, see the “Registering and Unregistering a WAE” section on page 11-6.
• Backup—Enables you to download and save WAE configuration files and to restore these files back
to the WAE, if required. For more information, see the “Backing Up the Configuration Files” section
on page 11-6 and the “Restoring the Configuration Files” section on page 11-7.
Starting and Stopping Components
The Components tab enables you to view which components are running and which components are not,
and allows you to start, stop, and restart components.
From this tab you can click Refresh to update the status of each component and update the WAE Device
Manager interface to reflect recent changes made to the device from the WAAS Central Manager GUI.
For example, if the device is configured to be a transparent CIFS accelerator device while you are logged
into the WAE Device Manager, that change is not reflected until you either click Refresh or log in again
to the WAE Device Manager.
Note
If a component is not running, most of its configuration can be performed offline. However, any
configuration changes made to the component will take effect only after it is restarted.
Note
Do not stop or start a component if the device is not registered to a WAAS Central Manager.
To start and stop components, follow these steps:
Step 1
In the Components tab of the Cisco WAE Control window, choose the component that you want to
activate and click Start.
After a few seconds, a green checkmark appears next to the selected component, indicating its status
is running, as shown in Figure 11-3.
Figure 11-3
Components Tab—Starting Components
• To stop a component, choose the component from the list and click Stop.
After a few seconds, a red icon appears next to the selected component, indicating that it is no longer
running.
• To restart a WAE component, choose the component from the list and click Restart.
• To display the current status of the WAE components, click Refresh.
Registering and Unregistering a WAE
The Registration tab enables you to register the WAE with the specified WAAS Central Manager or
unregister the WAE. After the WAE is registered, you can view and manage it from the WAAS Central
Manager GUI.
To register the WAE, follow these steps:
Step 1
In the Cisco WAE Control window, click the Registration tab. (See Figure 11-4.)
Figure 11-4
Cisco WAE Control—Registration Tab
Step 2
In the Central Host field, verify that the address of the WAAS Central Manager is displayed. If no
address appears in this field, then the WAE is not registered with a Central Manager.
Step 3
Click Register to register the WAE.
The “Registration will update the WAE properties in the WAAS Central Manager. Are you sure?”
message is displayed. Click OK. If successful, the “Appliance registered successfully” message is
displayed.
Step 4
Click Unregister to unregister the Cisco WAE.
If successful, the “Appliance unregistered successfully” message is displayed.
Note
When you unregister a WAE, any policies defined for it in the WAAS Central Manager GUI are
removed.
Backing Up the Configuration Files
The Backup tab enables you to back up and restore the configuration files of the WAE.
To back up the WAE configuration, follow these steps:
Step 1
In the Cisco WAE Control window, click the Backup tab. (See Figure 11-5.)
Figure 11-5
Cisco WAE Control—Backup Tab
Step 2
In the Download configuration backup area, click Download.
Step 3
In the File Download window, click Save.
Step 4
In the Save As window, browse to where you want to save the file. You can also change the filename.
Step 5
Click Save.
The WAE configuration files are downloaded to the selected destination folder and stored in a single,
compressed file.
For information about restoring files from a backup, see the “Restoring the Configuration Files” section
on page 11-7.
Restoring the Configuration Files
The Backup tab enables you to restore the configuration files of the WAE. Restoring the configuration
returns the WAE to its previous state when the backup was performed.
To restore the configuration files, follow these steps:
Step 1
In the Restore configuration from backup area, click Browse to navigate to the location of the backup
file that you want to restore.
Step 2
Click Upload to restore the selected configuration files.
Note
After the upload is completed, the WAE will be reloaded.
Configuration Option
The Configuration option for the Cisco WAE menu item displays the following tabs:
• SNMP—Allows you to enable event MIB and logging traps on the WAE. For more information, see
the “Configuring SNMP Settings” section on page 11-8.
• Networking—Allows you to view WAE settings defined during initial device setup described in the
Cisco Wide Area Application Services Quick Configuration Guide. For more information, see the
“Viewing Network Settings” section on page 11-9.
• Windows Authentication—Allows you to define the settings required by the WAE for Windows
authentication to enable device login and CLI configuration. For more information, see the
“Configuring Windows Authentication” section on page 11-10.
• Notifier—Allows you to define the e-mail address to which notifications are sent when alerts are
generated by the WAE. For more information, see the “Defining Notification Settings” section on
page 11-15.
Configuring SNMP Settings
The SNMP tab allows you to configure the SNMP settings on the Cisco WAE. To configure the SNMP
settings, click the SNMP tab in the Configuration window. The SNMP tab appears. (See Figure 11-6.)
Figure 11-6
WAE Configuration—SNMP Tab
This tab allows you to configure the following settings:
• SNMP community—Sets the SNMP community string for read access, which is used as a password
for authentication when accessing the SNMP agent of the WAE.
• SNMP community (R/W)—Sets the SNMP community string for read/write access, which is used
as a password for authentication when accessing the SNMP agent of the WAE.
• Enable event MIB traps—Allows the WAE to send event MIB traps to the SNMP host specified in
the SNMP notification host field.
• Enable logging traps—Enables logging traps on the device.
• SNMP notification host—Enter the IP address or hostname of your SNMP host so that the WAE can
send MIB and logging traps to the host.
Click Save after making any changes to this page, or click Cancel to disregard your changes so that they
do not take effect.
Viewing Network Settings
The Networking tab (see Figure 11-7) enables you to view the connection parameters between the WAE
and the LAN.
To view the WAE connection settings, click the Networking tab in the Configuration window.
Figure 11-7
Cisco WAE Configuration—Networking Tab
The Networking tab contains the following information:
• Network connection flags—The network status flags.
• Mode—The duplex and speed of the connection.
• Machine name—The hostname of the WAE.
• DHCP—Whether a DHCP server is available on the network.
• IP Address
• Net mask
• Default Gateway
• DNS Server 1
• DNS Server 2
• Domain Name
• MAC Address
• Time Zone
Configuring Windows Authentication
The WAAS Central Manager GUI and the WAE Device Manager use Pluggable Authentication Modules
(PAM) for user login authentication. Administrative users defined in the WAAS Central Manager GUI
are distributed to the WAE Device Managers. Administrative user authentication is performed only upon
login to the WAAS Central Manager GUI or the WAE Device Manager. Each WAE has a default GUI
and CLI user with the username admin and password default. This user account cannot be deleted, but
the password can be changed.
Note
In situations where the CLI user account information conflicts with the management GUI configuration,
the management GUI configuration will overwrite any conflicting CLI user account information at the
time of configuration distribution. A warning is displayed to CLI users after configuring CLI user
account settings to inform users of this behavior.
This section contains the following topics:
• Understanding Login Authentication and Authorization Through the Local Database, page 11-10
• Supported Authentication Methods, page 11-10
• LDAP Server Signing, page 11-11
• Setting Up Windows Authentication, page 11-11
• Checking the Status of Windows Authentication, page 11-13
Understanding Login Authentication and Authorization Through the Local Database
Local user authentication and authorization use locally configured usernames and passwords to
authenticate administrative user login attempts. The login and passwords are local to each WAE.
By default, local user login authentication is enabled as the primary authentication method. You can
disable local user login authentication only after enabling one or more of the other administrative login
authentication methods. However, when local user login authentication is disabled, and you disable all
other administrative login authentication methods, local user login authentication is reenabled
automatically.
Windows Domain authentication is another user login authentication method. You can use the console,
Telnet, FTP, SSH, or HTTP (WAAS Central Manager and WAE Device Manager interfaces) to
authenticate Windows Domain users.
Supported Authentication Methods
When you enable Windows authentication on your WAE, you can configure additional settings that make
the authentication process of your users, WAE, and services more secure when they register with the
domain controller.
CIFS supports the following Windows authentication methods on the WAE:
• NTLMv2 authentication—A Windows authentication protocol that is built into most Windows
operating systems.
• Kerberos—A Windows authentication protocol that uses secret-key cryptography and is built into
Windows 2003 Server.
Note
Windows domain authentication is not performed unless a Windows domain server is configured on the
WAAS device. If the device is not successfully registered, authentication and authorization do not occur.
WAAS supports authentication by a Windows domain controller running only on Windows Server 2000
or Windows Server 2003.
If you are using NTLM authentication, the Windows domain server must be installed with the option to
support pre-Windows 2000 operating systems. (On the installation Permissions screen of the Windows
server dcpromo wizard, select “Permissions compatible with pre-Windows 2000 server operating
systems.”)
LDAP Server Signing
Lightweight Directory Access Protocol (LDAP) server signing is a configuration option of the Microsoft
Windows Server’s Network security settings. This option controls the signing requirements for LDAP
clients such as the WAE. LDAP signing is used to verify that an intermediate party did not tamper with
the LDAP packets on the network and to guarantee that the packaged data comes from a known source.
The WAAS software supports login authentication with Windows 2003 domains when the LDAP server
signing requirements option for the Domain Security Policy has been set to “Require signing.” LDAP
server signing allows the WAE to join the domain and authenticate users securely.
Note
When you configure your Windows domain controller to require an LDAP signature, you must also
configure LDAP server signing on the WAE from the CLI by using the smb-conf section "global" name
"ldap ssl" value "yes" global configuration command. You cannot enable this option using the WAE
Device Manager interface. For information on using the smb-conf command, see the Cisco Wide Area
Application Services Command Reference.
Setting Up Windows Authentication
The Windows Authentication tab allows you to configure the security settings on the WAE.
To configure Windows Authentication, follow these steps:
Step 1
Log into the WAE Device Manager.
Step 2
In the Configuration window, click the Windows Authentication tab.
The Windows Authentication window appears. (See Figure 11-8.)
Figure 11-8
Cisco WAE Configuration—Windows Authentication Tab
Step 3
Enter the NetBIOS name.
The NetBIOS name cannot exceed 15 characters nor contain special characters.
Note
By default, the NetBIOS name field is automatically populated with the hostname of the file
engine. If this hostname changes, the NetBIOS field is not automatically updated with the new
name.
Step 4
Enter the workgroup or domain name in the short name format, and check the NT Domain check box if
the workgroup/domain is a Windows NT 4 domain.
For example, if your domain name is cisco.com, the short name format is cisco. If your workgroup or
domain is a Windows 2000 or Windows 2003 domain, do not check the NT Domain check box.
If the NT Domain check box is checked, the domain name and short name format can contain a period
(.), but be careful not to enter the fully qualified name for the NT domain.
Step 5
Enter the IP address or hostname for the WINS server that you are using.
Step 6
Check the Use NTLMv2 authentication check box to enable NTLMv2 authentication.
Note
Enable NTLMv2 support only if all clients have their security policy set to “Send NTLMv2
responses only/Refuse LM and NTLM.” Using NTLMv2 when the clients do not require it could
cause authentication to fail.
Step 7
Check the Windows authentication for WAFS Management login check box to use Windows Domain
to authenticate Telnet, FTP, console, SSH, and user interface (WAAS Central Manager GUI and WAE
Device Manager) logins to CIFS (WAFS).
When you add users through the WAAS Central Manager GUI, you are given the option to configure
users as local users who have their login password stored on the WAE. Local users are authenticated by
the WAE, but nonlocal users are commonly verified using Windows Domain authentication.
Step 8
If you are using Kerberos authentication, check the Kerberos enabled check box and then specify the
following information:
• The fully qualified name of the Kerberos realm. All Windows 2000 domains are also Kerberos
realms, but the realm name is always the all uppercase version of the domain name.
• The fully qualified name or IP address of the Key Distribution Center. You can also specify a port
using the following format: ip address or name:port number. For example, 10.10.10.2:88.
• The organizational unit.
You can only enable Kerberos authentication if at least one of the boxes described in Step 7 is checked.
After you enable Kerberos, make sure that the clock on your WAE is within 5 minutes of the clock on
your domain controller. Otherwise, your domain controller will refuse to use Kerberos for
authentication.
If you are using a Windows 2000 (with SP4) or Windows 2003 (with SP1) domain controller, you should
enable Kerberos authentication.
Step 9
If your domain controller has been configured to require LDAP server signing, you need to use the
WAAS CLI to enable LDAP server signing on the WAE by using the smb-conf section "global" name
"ldap ssl" value "yes" global configuration command. For information on using the smb-conf
command, see the Cisco Wide Area Application Services Command Reference.
Step 10
Check the Register WAE with Domain Controller check box.
Note
You need to register the WAE with the domain controller whenever you enable or disable
Kerberos, enable Windows authentication, or change the NetBIOS name, workgroup, or Kerberos
realm.
A series of fields display under the check box. Enter the following information in these fields:
• Domain controller (enter the name, not the IP address).
You can only enter the NetBIOS name of the domain controller when Kerberos is disabled. If
Kerberos is enabled, you can enter the fully qualified domain name of the domain controller.
• Domain administrator username (enter the username, domain\username, or domain+username).
• Domain administrator password.
Step 11
Click Save.
The Windows Authentication settings are saved, and the WAE is registered with the domain controller.
Step 12
Verify if Windows Authentication is working correctly. See the “Checking the Status of Windows
Authentication” section on page 11-13.
Checking the Status of Windows Authentication
After you enable Windows Authentication, you can check the status of Windows Authentication and
view the results of built-in tests that can help you resolve authentication issues.
A Windows Authentication problem can occur if you incorrectly configure the settings described in the
“Setting Up Windows Authentication” section on page 11-11. Problems can also occur if the
configuration of your domain controller changes.
The Authentication Details window shows the following information:
• A list of winbind Authentication tests
• The results of each test
• A pass or fail indicator
• Troubleshooting tips to help you resolve why a test failed
To check the status of Windows Authentication, follow these steps:
Step 1
On the Windows Authentication tab, click Show authentication status.
A message appears that explains the authentication status could take a while to display and that the
WAE’s performance could be impacted while the authentication status is being obtained.
Step 2
In the message dialog box, click OK to proceed or click Cancel to not display the authentication details.
If you clicked OK, the Authentication Details window appears. (See Figure 11-9.)
Figure 11-9
Authentication Details Window
Step 3
Check the Authentication status field at the top of the window.
If the status field displays “OK,” then Windows Authentication is functioning correctly. If this field
displays “Not OK,” then proceed to the next step.
Step 4
View the status of each test, and resolve any failures using the provided troubleshooting tips.
Table 11-1 describes these tests.
Table 11-1
Authentication Test Descriptions
Test              Description
wbinfo -t         Verifies that the workstation trust account created when the Samba server is
                  added to the Windows domain is working.
wbinfo -a         Tests the domain credentials based on the specified username and password. To
                  run this test, enter the appropriate username and password, and then click
                  Refresh. Wait for the test results to be displayed.
wbinfo -D         Shows information from Samba about the domain.
wbinfo --sequence Shows the sequence numbers of all known domains.
Time skew         Shows the time offset between the WAE and the KDC server. The time offset
                  must be within 5 minutes; otherwise, the Windows KDC server refuses to use
                  Kerberos for authentication. You can use the WAAS CLI to configure the time on
                  the WAE.
                  This test is performed only when Kerberos authentication is enabled.
Step 5
Click Refresh to ensure that all the tests complete successfully.
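The field rules from Steps 3 through 10 of the Windows Authentication procedure and the 5-minute time skew limit from Table 11-1 can be checked before a registration attempt. The following Python is an added example, not Cisco code from this guide; it assumes the NetBIOS illegal-character set, a default KDC port of 88 when none is entered, and the constructed GOOD and BAD sample settings.

```python
"""Checks for the Windows Authentication form fields and the clock skew test.

Added example, not Cisco code. Assumptions: the NETBIOS_ILLEGAL character set,
a default KDC port of 88, and the constructed GOOD/BAD sample settings.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

NETBIOS_MAX_LEN = 15
# Assumption: the characters treated as "special" in a NetBIOS name.
NETBIOS_ILLEGAL = set('\\/:*?"<>|+=,;[] ')
MAX_CLOCK_SKEW = timedelta(minutes=5)   # the KDC refuses Kerberos beyond this
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class WindowsAuthSettings:
    dns_domain: str                 # e.g. "cisco.com"; source of short name and realm
    netbios_name: str               # Step 3
    domain_short_name: str          # Step 4, e.g. "cisco"
    nt_domain: bool = False         # Step 4, NT Domain check box
    wins_server: str = ""           # Step 5
    use_ntlmv2: bool = False        # Step 6
    wafs_mgmt_login: bool = False   # Step 7 check box
    kerberos_enabled: bool = False  # Step 8
    kerberos_realm: str = ""        # Step 8, uppercase domain name
    kdc: str = ""                   # Step 8, "host" or "host:port"
    domain_controller: str = ""     # Step 10, a name rather than an IP address


def parse_kdc(kdc: str) -> tuple[str, int]:
    """Split 'host' or 'host:port' (for example 10.10.10.2:88); port defaults to 88."""
    host, sep, port = kdc.rpartition(":")
    if not sep:
        return kdc, 88
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid KDC port {port!r}")
    return host, int(port)


def validate(s: WindowsAuthSettings) -> list[str]:
    """Return the rule violations found; an empty list means the form is consistent."""
    errors = []
    if not 1 <= len(s.netbios_name) <= NETBIOS_MAX_LEN:
        errors.append("NetBIOS name must be 1 to 15 characters")
    if NETBIOS_ILLEGAL & set(s.netbios_name):
        errors.append("NetBIOS name must not contain special characters")
    if s.domain_short_name.lower() == s.dns_domain.lower():
        errors.append("enter the short domain name, not the fully qualified name")
    elif "." in s.domain_short_name and not s.nt_domain:
        errors.append("a period in the domain name is allowed only for NT domains")
    if IPV4.match(s.domain_controller):
        errors.append("domain controller must be entered as a name, not an IP address")
    elif "." in s.domain_controller and not s.kerberos_enabled:
        errors.append("without Kerberos, enter the NetBIOS name of the domain controller")
    if s.kerberos_enabled:
        if not s.wafs_mgmt_login:
            errors.append("Kerberos requires the Step 7 Windows authentication check box")
        if s.kerberos_realm != s.dns_domain.upper():
            errors.append("Kerberos realm must be the uppercase form of the domain name")
        try:
            parse_kdc(s.kdc)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def clock_skew_ok(wae_time_iso: str, dc_time_iso: str) -> bool:
    """True when the WAE clock is within 5 minutes of the domain controller clock."""
    skew = abs(datetime.fromisoformat(wae_time_iso) - datetime.fromisoformat(dc_time_iso))
    return skew <= MAX_CLOCK_SKEW


# Constructed sample settings, not taken from a real deployment.
GOOD = WindowsAuthSettings(
    dns_domain="cisco.com", netbios_name="BRANCH-WAE1", domain_short_name="cisco",
    wafs_mgmt_login=True, kerberos_enabled=True, kerberos_realm="CISCO.COM",
    kdc="10.10.10.2:88", domain_controller="dc1.cisco.com",
)
BAD = WindowsAuthSettings(
    dns_domain="cisco.com", netbios_name="BRANCH-OFFICE-WAE1", domain_short_name="cisco.com",
    wafs_mgmt_login=False, kerberos_enabled=True, kerberos_realm="cisco.com",
    kdc="10.10.10.2:kerberos", domain_controller="10.10.10.2",
)

if __name__ == "__main__":
    for label, settings in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(settings) or "ok")
```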
Defining Notification Settings
The Notifier tab allows you to define the e-mail address to which notifications are sent when alerts are
generated by the WAE.
To define notification settings, follow these steps:
Step 1
In the Configuration window, click the Notifier tab. (See Figure 11-10.)
Figure 11-10
Notifier Tab
Step 2
In the Email address field, enter the address to which notifications about this WAE are sent.
Step 3
In the Mail server host name field, enter the name of the mail server host.
Step 4
In the Time period field, enter the time interval for notifications to accumulate until they are sent through
e-mail and choose the relevant time unit from the drop-down list (min or sec).
Step 5
From the Notify Level drop-down list, choose the minimum event severity level for generating
notifications.
Step 6
In the Mail server port field, enter the port number for connecting with the mail server.
Step 7
Check the Login to server check box if the WAE must log in to the mail server to send notifications. If
this option is selected, additional fields are enabled.
Step 8
In the Server username field, enter the username for accessing the mail server.
Step 9
In the Server password field, enter the password for accessing the mail server.
Step 10
In the From field, enter the text that should appear in the From field of each e-mail notification.
Step 11
In the Subject field, enter the text that should appear as the subject of each notification.
Step 12
From the SNMP Notify Level drop-down list, choose the minimum event severity level for generating
SNMP notifications.
Step 13
Click Save.
Cisco Wide Area Application Services Configuration Guide
11-16
OL-26579-01
Chapter 11
Using the WAE Device Manager GUI
Managing a Cisco WAE
Utilities Option
The Utilities option displays the following tabs:
• Support—Allows you to dump WAE data to an external location for support purposes. For more
information, see the “Running Support Utilities” section on page 11-17.
• WAFS Cache Cleanup—Allows you to remove all files from the CIFS (WAFS) cache. For more
information, see the “Running the Cache Cleanup Utility” section on page 11-18.
• File Server Rename—Allows you to rename a file server in the CIFS (WAFS) cache. For more
information, see the “Running the File Server Rename Utility” section on page 11-19.
Running Support Utilities
The Support tab displays product information about the WAE, including the WAAS software version and
build number running on the device.
The Support tab also allows you to download a system report that provides a snapshot of the current state
of the WAE and its operation, including the configuration log files of various components. You can send
this report to Cisco Technical Support (TAC) if you need assistance.
Note
Downloading a full system report can impact the performance of the WAE. For this reason, we
recommend downloading the system report during nonpeak hours or limiting the date range of the report.
To download the system report, follow these steps:
Step 1
In the Utilities window, click the Support tab.
The Support window appears. (See Figure 11-11.)
Figure 11-11
Utilities—Support Tab
Step 2
In the System Report area, choose one of the following radio buttons:
• Full to download a full system report.
• Specify Date: to download a report for the time range that you specify (default is the past 7 days).
Step 3
Click Estimate size to view the size of the report.
The actual size of the report may vary from the estimate. If the estimated size is large, you may want to
specify a smaller time frame and download multiple smaller reports to minimize the stress on the WAE.
Step 4
Click Download.
A message informs you that downloading the report can affect the performance of all services on the
device.
Step 5
Click OK to start the collection process.
Step 6
In the File Download window, click Save.
Step 7
In the Save As window, browse to where you want to save the file. (You can also change the filename.)
Click Save. The file is saved in tar gzip format.
Running the Cache Cleanup Utility
The WAFS Cache Cleanup tab enables you to remove all files from the CIFS device cache.
To run the cache cleanup utility, follow these steps:
Step 1
In the Utilities window, click the WAFS Cache Cleanup tab.
The WAFS Cache Cleanup window appears. (See Figure 11-12.)
Figure 11-12
Utilities—WAFS Cache Cleanup Tab
Step 2
Click Run to erase the contents of the cache.
Running the File Server Rename Utility
The File Server Rename tab enables you to change the resource location for all resources of a given file
server name on the WAAS device. This function changes the file server name for the files in the CIFS
cache.
To run the file server rename utility, follow these steps:
Step 1
If the CifsAO component is running, stop it as described in the “Starting and Stopping Components”
section on page 11-5.
Step 2
In the Utilities window, click the File Server Rename tab.
Step 3
In the Current File Server name field, enter the current name.
Step 4
In the New File Server name field, enter the new name and click Run for the new name to take effect.
Note
Do not specify the name of another existing cached file server in the New File Server name field.
If you do specify an existing name as the new name, the cached contents of this file server are
overwritten with the cached contents of the file server you are renaming.
Managing a CIFS Accelerator Device
The CifsAO option in the navigation area allows you to monitor preposition tasks, view CIFS device
statistics, and view the log. The CifsAO option appears only if you are using transparent CIFS
accelerator mode.
The CifsAO option includes the following menu items:
• Preposition—Allows you to monitor the progress of preposition policies created in the WAAS
Central Manager GUI. In addition, you can optionally terminate preposition tasks. For more
information, see the “Preposition Option” section on page 11-20.
• Monitoring—Allows you to view CIFS (WAFS) device statistics in tables and graphs as described
in the “Monitoring the Cisco WAE Component” section on page 11-24.
• Logs—Allows you to view the event log related to the CIFS accelerator. For more information, see
the “Viewing Cisco WAE Logs” section on page 11-28.
Preposition Option
The Preposition option allows you to view the details and current status of preposition policies created
in the WAAS Central Manager GUI. These policies define which files are proactively placed in the
WAAS device cache according to a prearranged schedule. Prepositioning enables system administrators
to strategically place large, frequently accessed files at the network edge during off-peak hours,
increasing efficiency and providing end users with quick first-time access to those files.
You can view information such as the root directory containing the files being prepositioned, the
schedule for each policy, and the status of the most recent task for each policy. You can also view a
detailed task history for each policy, and manually terminate any tasks in progress.
To view preposition policies for this device, follow these steps:
Step 1
In the navigation area, click Preposition.
The CifsAO > Preposition window appears. (See Figure 11-13.)
Figure 11-13
CifsAO Preposition Window
The Preposition window contains a table that displays all the preposition policies assigned to this CIFS
Edge device. For each policy, the following information is displayed:
• ID—ID number of the selected policy.
• Description—Descriptive name assigned to the policy.
• Root Directory—Source directory for the content being prepositioned.
• Schedule—Defined schedule for the policy.
• Started—When this policy was last invoked by the system.
• Duration—Elapsed time of the latest task.
• Status—Current status of the policy, updated every time the refresh button is clicked. If the task
defined by the policy is currently being run, its status is In Progress. A preposition task in progress
can be terminated.
• Termination reason—Reason the policy was terminated.
Step 2
Choose a policy in the table and click View to view a detailed task history (iterations of a selected
policy).
The Preposition Task Details window appears. (See Figure 11-14.)
Figure 11-14
Preposition Task Details Window
The top half of the Preposition Policy window displays the following details about the selected policy:
• Create Date—When the policy was created.
• Last Modified—When the policy was last modified.
• Total size—Limit placed on the total size of the files being prepositioned, if any.
• Min file size—Minimum size of files in the root directory (and subdirectories if they are part of the
preposition policy) that are affected by the policy.
• Max file size—Maximum size of files in the root directory (and subdirectories if they are part of the
preposition policy) that are affected by the policy.
• Perform on—Which files to preposition from the selected location—those files that have changed
since the last preposition, those files changed during a defined interval, or all files.
The lower half of the Preposition Policy window contains a table that displays the most recent tasks
performed by the selected policy (up to the last 10 iterations), including the following information:
• Total data—Total amount of data to be transferred by the policy.
• # matching files—Number of files matching the defined filter of the policy.
• Amount copied—Total amount of data copied by the policy during its most recent run. (This amount
may be less than the amount in the Total data field if the policy is currently in progress, or if the
policy did not complete its run, for example, due to time constraints placed on its operation.)
• # files copied—Number of files copied by the policy during its most recent run.
• Throughput—Throughput achieved by the policy in kilobits per second (Kbps).
• Termination reason—Reason that the policy was terminated, if relevant. Policies can be terminated
due to time or space constraints placed on the policy or to a decision by the administrator to
manually terminate its operation.
Step 3
Click Close to return to the Policies window.
Note
To update the information displayed in the Policies window, click Refresh.
Terminating a Preposition Task
You can terminate a preposition task that is in progress at any time. This action does not delete the
preposition policy that generated the task; the system will still perform the task described by the policy
when the next scheduled time arrives.
Note
Do not terminate a preposition task if the device is not registered to a WAAS Central Manager.
To terminate a preposition task, follow these steps:
Step 1
In the Policies window, select a preposition policy with a status of In Progress and click Terminate. A
confirmation message is displayed.
Step 2
Click Yes to terminate the task. If you click View to display the Preposition Policy window, the table that
displays the task history contains a message indicating that the latest task was terminated by the
administrator.
Monitoring the WAE
The Monitoring option available for the Cisco WAE and transparent CIFS accelerator components
enables you to view detailed tables that describe the current state of the WAE. It also provides graphs
that display historical data about the selected components. These graphs enable you to track WAE
statistics for a day, week, month, or an entire year.
Note
WAE statistics and graphs are generated by the freeware MRTG utility. For details, go to
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/.
The monitoring options differ for each WAE component as described in Table 11-2.
Table 11-2
Monitoring Options by Component
Component                     Monitored Statistics
Cisco WAE                     CPU and disk drive utilization
Transparent CIFS accelerator  CIFS traffic and cache
This section contains the following topics:
• Monitoring Graphs, page 11-23
• Monitoring the Cisco WAE Component, page 11-24
• Monitoring a Transparent CIFS Accelerator, page 11-25
Monitoring Graphs
The WAAS software generates four historical graphs for each monitored statistic. Each graph presents
a different range of time for the selected data as follows:
• Daily—Displays data for the past 24 hours. Each data point represents a 5-minute average.
• Weekly—Displays data for the past seven days. Each data point represents a 30-minute average.
• Monthly—Displays data for the past five weeks. Each data point represents a 2-hour average.
• Yearly—Displays data for the past 12 months. Each data point represents a one-day average.
The maximum value over the given time period and the current value for the statistic being monitored are
also displayed below each of these graphs.
Viewing Options
You can view an index window of the daily graphs for all the monitored statistics available for a
component, or you can view the four historical graphs for a particular statistic (for example, cache
utilization) at once.
Figure 11-15 shows a sample screen when a user chooses to view the index graphs.
Figure 11-15
Sample Index Graph Window
Tip
Each graph in an index window acts as a link. Clicking on the graph displays all four historical graphs
for the selected statistic. For example, clicking the Request Optimization graph in the index graphs
window displays the daily, weekly, monthly and yearly Request Optimization historical graphs. Clicking
the Back button in the browser returns you to the index graphs.
Figure 11-16 shows a sample screen when a user chooses to view the historical graphs for a particular
statistic.
Figure 11-16
Sample Historical Graph Window
Note
Graphs can be printed using the Print command in your browser.
Monitoring the Cisco WAE Component
The Monitoring option for the Cisco WAE component displays a table with the statistics monitored on
a WAE. From this table, you can display historical graphs that indicate the central processing unit (CPU)
utilization and disk drive utilization on the WAE.
CPU utilization is a measure of the amount of bandwidth used by the CPU versus the total bandwidth
available. The amount is expressed as a percentage. Disk drive utilization is a measure of the amount of
disk space that is being used on all disk drives versus the total disk space available. This amount is also
expressed as a percentage.
To monitor the WAE component, follow these steps:
Step 1
In the navigation area, click Monitoring under the Cisco WAE menu item.
The Cisco WAE Monitoring window appears. (See Figure 11-17.)
Figure 11-17
Cisco WAE Monitoring Window
Step 2
Do one of the following:
• Choose the statistic that you want to view (by clicking in its row), and then click View to display a
popup window that contains the historical graphs for that statistic.
• Click View All to display the index window with the daily graphs for both statistics on the WAE
component.
Monitoring a Transparent CIFS Accelerator
The Monitoring option displays the following tabs:
• CIFS—Displays data about the status of the CIFS protocol and the selected device.
• Cache—Displays data about the device cache.
• Graphs—Displays a list of graphs that are available for the device.
Note
The SNMP parameters displayed in the CIFS and Cache tabs are contained in a special MIB file.
To monitor a transparent CIFS accelerator, follow these steps:
Step 1
In the navigation area, click Monitoring under the CifsAO menu.
The Monitoring window appears and the CIFS tab is displayed.
The CIFS tab displays the following CIFS-related information:
• Total Time Saved—Total time saved by CIFS acceleration.
• Total KBytes read—Total number of kilobytes read by clients (both through the cache and remotely)
from this device using the CIFS protocol.
• Total KBytes written—Total number of kilobytes written by clients to this device using the CIFS
protocol.
• Remote requests count—Total number of client CIFS requests that were forwarded remotely over
the WAN. The name of this statistic is a link that you can use to display its historical graphs (without
first going to the Graphs tab). Local requests are also shown on these graphs.
• Local requests count—Total number of client CIFS requests handled locally by this device. The
name of this statistic is a link that you can use to display its historical graphs (without first going to
the Graphs tab). Remote requests are also shown on these graphs.
• Total remote time—Total amount of time, in milliseconds, spent by this device to process all client
CIFS requests that were sent remotely over the WAN.
• Total local time—Total amount of time, in milliseconds, spent by this device to process all client
CIFS requests that were handled locally.
• Connected sessions count—Total number of CIFS sessions connected on this device. The name of
this statistic is a link that you can use to display its daily, weekly, monthly, and yearly graphs
(without first going to the Graphs tab).
• Open files count—Total number of open CIFS files on this device. The name of this statistic is a link
that you can use to display its daily, weekly, monthly, and yearly graphs (without first going to the
Graphs tab).
• CIFS Command Statistics—Table of statistics on CIFS commands. For each command type, the
table lists the total number of requests, the number of remote requests, the number of asynchronous
requests, the average time in milliseconds spent by this device to process each request that was
handled locally, and the average time in milliseconds spent by this device to process each request
that was sent remotely over the WAN.
To reset the CIFS statistics, click the Reset CIFS Statistics button below the table.
Step 2
Click the Cache tab.
The Cache tab displays the following information:
• Maximum cache disk size—Maximum amount of disk space (in gigabytes) allocated to the CIFS
device cache.
• Current cache disk usage—Current amount of disk space (in kilobytes) used by the CIFS device
cache. The name of this statistic is a link that you can use to display its historical graphs (without
first going to the Graphs tab).
• Maximum cache resources—Maximum number of resources (files and directories) allowed in the
CIFS device cache.
• Current cache resources—Current number of resources contained in the CIFS device cache. The
name of this statistic is a link that you can use to display its historical graphs (without first going to
the Graphs tab).
• Evicted resources count—Number of resources that have been evicted from the cache since the
device was started.
• Last eviction time—Time when a cache eviction last occurred.
• Cache size high watermark—Percentage of disk usage that causes the CIFS device to begin evicting
resources.
• Cache size low watermark—Percentage of disk usage that causes the CIFS device to stop evicting
resources.
• Cache resources high watermark—Percentage of total cache resources that causes the CIFS device
to begin evicting resources.
• Cache resources low watermark—Percentage of total cache resources that causes the CIFS device
to stop evicting resources.
• Last evicted resource age—Amount of time that the last-evicted resource spent in the CIFS device
cache.
• Last evicted resource access time—Last time that the last-evicted resource was accessed.
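The watermark behaviour that the Cache tab statistics describe, modelled as an added Python example (not WAAS code): eviction starts when a high watermark is reached, stops at the low watermark, and the counters mirror the Cache tab fields. The least-recently-accessed victim order, the default watermark percentages and the sample resources are assumptions.

```python
"""Model of CIFS device cache eviction driven by high/low watermarks.

Added example, not WAAS code. Assumptions: victims are chosen least recently
accessed first, the default watermarks are 90%/80%, and the sample data is
constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    name: str
    size_kb: int
    added_at: int       # tick when the resource entered the cache
    last_access: int    # tick of the most recent client access


@dataclass
class CifsCache:
    max_disk_kb: int              # Maximum cache disk size (KB here for simplicity)
    max_resources: int            # Maximum cache resources
    size_high_pct: float = 90.0   # Cache size high watermark
    size_low_pct: float = 80.0    # Cache size low watermark
    res_high_pct: float = 90.0    # Cache resources high watermark
    res_low_pct: float = 80.0     # Cache resources low watermark
    resources: dict[str, Resource] = field(default_factory=dict)
    evicted_count: int = 0                      # Evicted resources count
    last_eviction_time: Optional[int] = None    # Last eviction time
    last_evicted_age: Optional[int] = None      # Last evicted resource age
    last_evicted_access: Optional[int] = None   # Last evicted resource access time

    def disk_usage_kb(self) -> int:
        """Current cache disk usage."""
        return sum(r.size_kb for r in self.resources.values())

    def disk_pct(self) -> float:
        return 100.0 * self.disk_usage_kb() / self.max_disk_kb

    def res_pct(self) -> float:
        return 100.0 * len(self.resources) / self.max_resources

    def add(self, name: str, size_kb: int, now: int) -> None:
        """Insert (or refresh) a resource, then evict if a high watermark is reached."""
        self.resources[name] = Resource(name, size_kb, now, now)
        self._evict_if_needed(now)

    def _evict_if_needed(self, now: int) -> None:
        # Eviction begins only once the disk or resource high watermark is reached...
        if self.disk_pct() < self.size_high_pct and self.res_pct() < self.res_high_pct:
            return
        # ...and continues until both measures are back at or below their low
        # watermark, so a cache hovering near the limit does not evict on every insert.
        while self.resources and (
            self.disk_pct() > self.size_low_pct or self.res_pct() > self.res_low_pct
        ):
            victim = min(self.resources.values(), key=lambda r: r.last_access)
            del self.resources[victim.name]
            self.evicted_count += 1
            self.last_eviction_time = now
            self.last_evicted_age = now - victim.added_at
            self.last_evicted_access = victim.last_access


def build_sample_cache() -> CifsCache:
    """Constructed scenario: a 1000 KB cache receives ten 100 KB files, one per tick."""
    cache = CifsCache(max_disk_kb=1000, max_resources=100)
    for tick in range(1, 11):
        cache.add(f"file{tick}", 100, now=tick)
    return cache


if __name__ == "__main__":
    c = build_sample_cache()
    print(f"{len(c.resources)} resources, {c.disk_usage_kb()} KB used, "
          f"{c.evicted_count} evicted, last eviction at tick {c.last_eviction_time}")
```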
Viewing WAE Logs
You can view event information logged by the Cisco WAE and the CifsAO components. The event
information available varies based on the component that you are viewing.
This section contains the following topics:
• WAE Logs, page 11-27
• Viewing Cisco WAE Logs, page 11-28
WAE Logs
You can configure what you want displayed for each log file and save the log to a file locally as described
in the following sections:
• Setting Display Criteria, page 11-27
• Viewing Log Entries, page 11-28
• Saving Log File Information, page 11-28
Setting Display Criteria
All WAE logs allow you to set the criteria for the data that you want to display as shown in Figure 11-18.
Figure 11-18
WAE Log Data Criteria
To set the criteria for viewing log information, follow these steps:
Step 1
Choose the beginning date (year, month, and day) and time (hour and minutes using a 24-hour clock
format) from the From drop-down list.
Step 2
Choose the ending date (year, month, and day) and time (hour and minutes using a 24-hour clock format)
from the To drop-down list.
Step 3
(Optional) Choose the minimum severity level of events to display from the Log Level drop-down list.
By choosing the minimum severity level, all events with a severity level greater than that specified are
displayed. The default is All.
Step 4
(Optional) Choose the number of events (one per line) to appear on a single page of the log from the
Lines drop-down list.
The default is 100 events.
Step 5
(Optional) Enter a filter string by which the log can be further filtered.
Step 6
Click Update.
Viewing Log Entries
Each log entry contains the date and time that the event occurred, the severity level of the event, and a
description containing the log message. The log message format varies based on the type of event.
The severity level of an event indicates the seriousness of the event. Six choices are defined and provide
the following information:
• All—Displays events of all severity levels.
• Debug—Indicates events have occurred that match those specified for debugging purposes.
• Info—Indicates an event occurred regarding the proper operation of the component. No user action
is required with this type of event.
• Warning—Indicates a minor problem occurred on a component. The component should be able to
overcome the incident without user intervention.
• Error—Indicates a problem occurred that affected the proper operation of the component. User
intervention is likely required.
• Fatal—Indicates a severe problem occurred on a component that may have caused it to stop
operating. User intervention is required.
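The display criteria from the Setting Display Criteria steps (From/To range, minimum Log Level, Lines per page, free-text filter) and the severity levels listed above, applied to parsed log entries in an added Python example that is not WAAS code. The one-line entry format, the constructed sample entries and the page argument are assumptions.

```python
"""Apply the WAE log display criteria to parsed log entries.

Added example, not WAAS code. Assumptions: a constructed one-line entry
format ("YYYY-MM-DD HH:MM:SS Level message"), constructed sample entries,
and a page argument for the navigation arrows.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Severity levels in increasing order; "All" is the Log Level default.
LEVELS = ["All", "Debug", "Info", "Warning", "Error", "Fatal"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    level: str
    message: str


def stamp(text: str) -> datetime:
    """Build a From/To boundary from 'YYYY-MM-DD HH:MM' (24-hour clock)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_line(line: str) -> LogEntry:
    """Parse one constructed 'YYYY-MM-DD HH:MM:SS Level message' line."""
    date, clock, level, message = line.split(" ", 3)
    if level not in RANK or level == "All":
        raise ValueError(f"unknown severity {level!r}")
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return LogEntry(when, level, message)


def filter_log(entries, start, end, min_level="All", lines=100, text="", page=1):
    """Return one page of entries that match the display criteria.

    The minimum level is inclusive: choosing Warning shows Warning, Error and
    Fatal events. The text filter is a case-insensitive substring match on the
    message, and `lines` entries make up one page.
    """
    floor = RANK[min_level]
    matched = [
        e for e in entries
        if start <= e.when <= end
        and RANK[e.level] >= floor
        and text.lower() in e.message.lower()
    ]
    offset = (page - 1) * lines
    return matched[offset:offset + lines]


# Constructed sample log; not output from a real WAE.
SAMPLE_LOG = """\
2012-05-14 08:59:59 Info WAE registered with domain controller
2012-05-14 09:15:02 Debug winbind sequence check completed
2012-05-14 09:20:45 Warning time skew with KDC is 210 seconds
2012-05-14 10:02:11 Error winbind authentication test failed
2012-05-14 10:30:00 Info CifsAO component started
2012-05-15 00:01:00 Fatal WAFS watchdog could not restart CifsAO
""".splitlines()


def load_sample() -> list[LogEntry]:
    return [parse_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for e in filter_log(load_sample(), stamp("2012-05-14 09:00"),
                        stamp("2012-05-14 23:59"), min_level="Warning"):
        print(e.when, e.level, e.message)
```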
Saving Log File Information
You can save a log as a text file and download it to your local drive.
To save a log as a text file, follow these steps:
Step 1
Set up your log with the date range and time frame that you want to save, using the From and To
drop-down lists. (See the “Setting Display Criteria” section on page 11-27.)
Step 2
Set up the severity level of the events you want to view.
For more information, see the “Setting Display Criteria” section on page 11-27.
Step 3
Click Update.
Step 4
Click Download.
The File Download window appears.
Step 5
Click Save in the File Download window.
Step 6
Specify the directory where you want to save the log file.
Step 7
Click OK.
Viewing Cisco WAE Logs
Each WAE component generates its own log files.
The Cisco WAE component generates these logs:
• Manager log—Displays events related to the WAE Device Manager and WAAS Central Manager
GUI components, such as configuration changes and WAE registrations and notifications that other
WAE components were started or stopped.
• WAFS Watchdog log—Displays events related to the watchdog utility, which monitors the other
application files inside the WAE and restarts them, if necessary.
The CIFS accelerator generates one log that displays all events related to CIFS accelerator operation.
To view Cisco WAE and CIFS accelerator logs, follow these steps:
Step 1
In the navigation area, click the Logs option under the Cisco WAE or CifsAO component.
Figure 11-19 shows the Logs window for the Cisco WAE component.
Figure 11-19
Cisco WAE Component Logs Window
Step 2
If you selected the Cisco WAE, click the Manager or WAFS Watchdog tab to choose the log that you
want to view.
Step 3
Set up your display criteria using the From, To, Level, and Lines drop-down lists. (See the “Setting
Display Criteria” section on page 11-27.)
Step 4
(Optional) Set a filter on the log so that only events containing specific words or phrases are displayed
by entering the relevant free text in the Filter text box.
Step 5
Click Update. The Logs window is refreshed according to your selected criteria.
Note
Navigation arrows appear at the bottom of each log window when the number of events is greater than
the number of lines selected per window.
Chapter 12
Configuring File Services
This chapter describes how to configure file services, which allow branch office users to access data stored at centralized data centers more efficiently. The file services feature overcomes WAN latency and bandwidth limitations by caching data on Edge WAEs near branch office users. WAAS file services use either the CIFS or the SMB application accelerator.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• About File Services, page 12-1
• Overview of File Services Features, page 12-3
• Preparing for File Services, page 12-7
• Configuring File Services, page 12-8
About File Services
Enterprises today have remote offices in different parts of the country and around the world. Typically,
these remote offices have their own file servers to store and manage the data needed by their local users.
The problem with this method of operation is that it is costly to purchase, manage, and upgrade file
servers at each remote office. A great deal of resources and manpower must be dedicated to maintaining
these file servers, and especially to protect the data in case of server failure. To achieve the required level
of data assurance, the remote office must devote resources to back up the data at the remote site and
physically move it to a secure location, often at a considerable distance from the site. If you multiply this scenario by tens, hundreds, or thousands of remote offices, you can see that this approach to enterprise data management not only raises costs exponentially, it also greatly increases the risks to critical data.
The logical solution in this scenario is to move all of the enterprise’s important data to a central location
containing the facilities, trained personnel, and storage mass required to manage the data properly. By
having a data center provide backup and other storage management facilities, the enterprise can achieve
better utilization of both personnel and storage, as well as a higher level of data assurance and security.
The WAN between the enterprise’s data center and its remote offices tends to be unreliable and slow,
with limited bandwidth and high latency. In addition, the WAN creates other obstacles to the
implementation of the data center solution.
One obstacle is created by the file server protocols that operate over the WAN. Common Internet File
System (CIFS), which is the file server protocol for Windows, was designed to operate over a LAN.
Every file operation generates several exchanges of protocol messages between the client and the file
server. This situation is usually not noticeable on the LAN, but quickly causes high latency over the
WAN. Occasionally, this high latency breaks the file server protocol altogether.
Even in cases where the file server protocol is managing to function correctly over the WAN, there are
typically long delays between each transaction. These delays can often cause timeouts in user
applications such as word processing programs, image editing programs, and design tools, which stops
them from functioning correctly.
All of these problems—unreliable WANs, file system protocol compatibility, and user application
compatibility—contribute to an unfriendly work environment that negatively affects the user experience
and diminishes productivity.
The WAAS file services feature overcomes the WAN latency and bandwidth limitations by caching data
on Edge WAEs near the user. This data caching method allows branch office users to access centralized
data at LAN-like speeds over the WAN. The solution is based on several key concepts:
• Use the WAN as little as possible—By minimizing the number of operations that need to traverse the WAN, WAAS effectively shields users from many of the obstacles that WANs create.
• Use the WAN optimally—The file services feature uses sophisticated caching, compression, and network optimization technologies, which enable the system to use the WAN optimally.
• Preserve file system protocol semantics—Although WAAS software uses its own proprietary protocol over the WAN, it leaves the complete semantics of the standard file system protocol commands intact. This is essential to preserve the correctness and coherency of the data in the network.
• Make the solution transparent to users—The best solutions are the ones that do their jobs unnoticed, without interfering with end users’ operations or forcing users to change their ways of doing business. The WAAS file services solution does not require any software installations, either on the server side or at the client, and does not require the user to learn anything new. Users derive all the benefits of having a secure data center without needing to change any of their work habits.
By using the WAAS file services feature, enterprises can consolidate their file servers to a data center
that provides the facilities, IT personnel, and storage devices required to manage the data properly.
Figure 12-1 shows a typical deployment scenario after WAAS file services have been set up.
Figure 12-1 WAAS File Services Solution
[Figure: a branch office with CIFS clients, a CIFS file server, a domain controller, and an Edge WAE, connected over a WAN link (T1, 120 ms round trip) to a data center with the Core WAE, a CIFS file server, a domain controller, and the WAAS Central Manager. The two sites are shown on the 192.168.2.0 and 192.168.29.0 networks.]
Overview of File Services Features
This section provides an overview of the WAAS file services features and contains the following topics:
• Automatic Discovery, page 12-3
• Data Coherency, page 12-3
• Data Concurrency, page 12-5
• Prepositioning, page 12-5
• Microsoft Interoperability, page 12-6
To accelerate CIFS traffic, you can use one of the following two accelerators:
• CIFS—The CIFS accelerator was introduced in WAAS version 4.1.1, relies on automatic discovery, transparently accelerates CIFS traffic, supports prepositioning of files, and requires no configuration. This accelerator also supports the Windows Print accelerator, which accelerates print traffic between clients and a Windows print server. The CIFS accelerator is enabled by default. It supports the SMB 1.0 protocol for CIFS traffic.
• SMB—The SMB accelerator, introduced in WAAS version 5.0.1, relies on automatic discovery, transparently accelerates CIFS traffic, and does not support prepositioning or the Windows Print accelerator. This accelerator has configuration options that you can fine-tune for specific needs. It supports the SMB 1.0, 2.0, and 2.1 protocols for CIFS traffic and signed SMB traffic.
The CIFS and SMB accelerators are not compatible and only one can be enabled on a WAE. Enabling
one automatically disables the other.
Peer WAEs must both use the same accelerator (CIFS or SMB) because the two different accelerators do
not interoperate. They can coexist in the same WAAS network, but only on separate devices that are not
peers.
Note
Legacy mode WAFS is no longer supported beginning with WAAS version 4.4.1. Legacy WAFS users
must migrate to the CIFS or SMB accelerator before upgrading.
Automatic Discovery
The automatic discovery feature allows you to enable CIFS without having to register individual file
servers in the WAAS Central Manager. With the automatic discovery feature, WAAS attempts to
automatically discover and connect to a new file server when a CIFS request is received.
Data Coherency
WAAS software ensures data integrity across the system by using two interrelated features – coherency,
which manages the freshness of the data, and concurrency, which controls the access to the data by
multiple clients.
Maintaining multiple copies of data files in multiple locations increases the likelihood that one or more
of these copies will be changed, causing it to lose consistency or coherency with the others. Coherency
semantics are used to provide guarantees of freshness (whether the copy is up-to-date or not) and the
propagation of updates to and from the origin file server.
The WAAS software applies the following coherency semantics to its built-in coherency policies:
• Strict CIFS behavior for intra-site—Users of the same cache are always guaranteed standard, strict CIFS coherency semantics.
• Cache validation on CIFS open—In CIFS, the File Open operation is passed through to the file server. For coherency purposes, WAAS software validates the freshness of the file on every file open, and invalidates the cached file if a new version exists on the file server.
WAAS software validates data by comparing the time stamp of a file in the cache to the time stamp of the file on the file server. If the time stamps are identical, the cached copy on the Edge WAE is considered valid and the user is permitted to open the file from the Edge WAE cache. If the time stamps are different, the Edge WAE removes the file from its cache and requests a fresh copy from the file server.
• Proactive cache updating—WAAS software supports the use of change notifications in CIFS environments as a way to keep cached data on the Edge WAEs up-to-date.
When a client makes a change to a directory or file, the Edge WAE sends a change notification to the file server. The file server then sends to all the Edge WAEs a change notification that includes a list of the modified directories and files. Upon receiving the change notification, each Edge WAE checks its cache and invalidates the directories and files listed in the notification, and then updates its cache with the latest versions.
For example, if a user edits an existing Word document and saves the changes to the Edge WAE cache, the Edge WAE sends a change notification to the file server so it knows that the file has been modified. The Edge WAE then sends the changed sections to the file server, and the file server proactively sends change notifications to the other Edge WAEs in the network. These Edge WAEs then update their cache so the file is consistent across all access points.
This process also applies when you rename a directory, add a new subdirectory, rename a file, or create a new file in a cached directory.
• Flush on CIFS close—In CIFS, the File Close operation forces all write buffers to be flushed to the file server, and the Close request is only granted after all updates have been propagated to the file server. From a coherency standpoint, the combination of validate on file open and flush on file close ensures that well-behaved applications, such as Microsoft Office, operate in session semantics. The Open, Lock, Edit, Unlock, and Close commands are guaranteed to work correctly on the WAAS network.
• Age-based validation on directories (CIFS)—Directories are associated with a preconfigured age. When the age expires, the Edge WAE cache revalidates the directory.
When a user first attempts to view the contents of a directory, the Edge WAE enables the file server to perform the authorization check using the directory’s access control list (ACL), which contains the user and group permissions. The Edge WAE monitors which directories the user has accessed and whether the file server permitted that access. If the user tries to access the same directory again during a short period of time (aging period), the Edge WAE does not contact the file server and instead uses the cached permissions to determine if the user should be provided access. After the aging period expires, the Edge WAE contacts the file server to refresh the cached permission of the user.
This authorization process prevents users from accessing directories and files in the cache that they do not have permission to access on the file server. Because the cached decision is reused until the aging period expires, a permission change made on the file server (such as removing a user from the directory ACL) takes effect on the Edge WAE only after the aging period expires and the cached permission is refreshed.
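The two coherency rules above, validation on CIFS open by time stamp and age-based caching of the directory authorization decision, modelled as an added example. This is not WAAS code: OriginServer, EdgeCache, the aging period of 30 time units and the sample file and ACL are assumptions constructed for the illustration. The round-trip counter shows which operations cross the WAN, and the last authorization step shows the window during which a permission revoked on the file server is still honored from the cache.

```python
# Added example (not WAAS code): a model of the two Edge WAE coherency rules
# described above, cache validation on CIFS open by time stamp and age-based
# caching of the file server's directory authorization decision. The
# OriginServer, EdgeCache and sample files are assumptions constructed here.
from dataclasses import dataclass


@dataclass
class OriginFile:
    mtime: int      # file server time stamp (constructed sample value)
    data: bytes


class OriginServer:
    """Stand-in for the CIFS file server on the far side of the WAN."""

    def __init__(self):
        self.files = {}          # path -> OriginFile
        self.acl = {}            # directory -> set of users allowed to list it
        self.round_trips = 0     # WAN exchanges, to show what the cache avoids

    def stat(self, path):
        self.round_trips += 1
        return self.files[path].mtime

    def read(self, path):
        self.round_trips += 1
        return self.files[path].data

    def authorize(self, user, directory):
        self.round_trips += 1
        return user in self.acl.get(directory, set())


class EdgeCache:
    """Edge WAE cache applying the validate-on-open and aged-ACL rules."""

    def __init__(self, origin, aging_period):
        self.origin = origin
        self.aging_period = aging_period
        self.files = {}          # path -> (mtime, data)
        self.dir_auth = {}       # (user, directory) -> (decision, expires_at)

    def open(self, path):
        # Validate on open: one time-stamp check per open. Identical stamps
        # mean the cached copy is served; a mismatch drops it and refetches.
        server_mtime = self.origin.stat(path)
        cached = self.files.get(path)
        if cached is not None and cached[0] == server_mtime:
            return cached[1]
        data = self.origin.read(path)
        self.files[path] = (server_mtime, data)
        return data

    def list_directory(self, user, directory, now):
        # Age-based authorization: the server's decision is reused until the
        # aging period expires, so an ACL change on the server is not seen
        # on the Edge WAE until the next refresh.
        entry = self.dir_auth.get((user, directory))
        if entry is not None and now < entry[1]:
            return entry[0]
        decision = self.origin.authorize(user, directory)
        self.dir_auth[(user, directory)] = (decision, now + self.aging_period)
        return decision


def demo():
    """Walk through both rules and return what happened at each step."""
    origin = OriginServer()
    origin.files["plan.docx"] = OriginFile(mtime=100, data=b"v1")
    origin.acl["projects"] = {"alice"}
    edge = EdgeCache(origin, aging_period=30)
    result = {"open_data": [], "open_trips": [], "auth": [], "auth_trips": []}

    def record_open():
        result["open_data"].append(edge.open("plan.docx"))
        result["open_trips"].append(origin.round_trips)

    def record_auth(now):
        result["auth"].append(edge.list_directory("alice", "projects", now))
        result["auth_trips"].append(origin.round_trips)

    record_open()                                        # miss: stat + read
    record_open()                                        # hit: stat only
    origin.files["plan.docx"] = OriginFile(200, b"v2")   # changed on the server
    record_open()                                        # stale: stat + read
    record_auth(now=0)                                   # server asked, allowed
    origin.acl["projects"].discard("alice")              # revoked on the server
    record_auth(now=10)                                  # still allowed from cache
    record_auth(now=30)                                  # aging expired, denied
    return result


if __name__ == "__main__":
    print(demo())
```

The second open costs one WAN round trip (the time-stamp check) instead of two, and the revoked user keeps directory access until the aging period runs out, which is the trade-off the age-based validation makes between WAN round trips and how quickly an ACL change is enforced at the edge.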
Data Concurrency
Concurrency control is important when multiple users access the same cached data to read, or write, or
both. Concurrency control synchronizes this access by establishing and removing file system locks. This
file-locking feature ensures data integrity and provides the following benefits:
• Enables a client to aggressively cache file data so it does not have to rely on retrieving data from the remote file server.
• Provides a performance boost in many applications running on existing CIFS client implementations.
• Preserves data integrity because only one user at a time can make changes to a section of a file.
WAAS software supports the CIFS oplocks feature, which allows a user to lock a file so the user can
safely read and write data to its local cache instead of using network bandwidth to perform these
functions over the WAN on the file server. By using oplocks, a user can proactively cache read-ahead
data because it knows that no other user is accessing the file so there is no chance the cached data can
become stale. The user can also write data to its local cache and does not need to update the file server
until it closes the file or until another user requests to open the same file.
Oplocks only applies to files. The file server does not grant oplock requests on directories and named
pipes.
File-Locking Process
When a user opens a file, it sends a lock request to the file server. The Edge WAE intercepts and forwards
all lock requests from the user to the file server as well as all responses from the file server to the user.
If no other user has a lock on the file, the file server grants an exclusive lock request so that the user can
safely cache the file.
If a second user requests to open the same file, the following actions occur:
1. The file server revokes the exclusive file lock obtained by the first user.
2. The first user performs the following actions:
– Flushes any file changes stored in its cache to the file server. This action ensures that the second user opening the file receives the latest information from the file server.
– Deletes any of its read-ahead buffers for the file because that data is no longer guaranteed to remain up-to-date now that a second user will open the file.
3. The file server allows the second user to open the file.
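The oplock break sequence just described, as an added simulation that is not WAAS code. Client, FileServer, the sample file and the rule that a path ending in a slash is a directory are assumptions constructed for the example; the Edge WAE is omitted because, as the text says, it forwards every lock request and response unchanged. The recorded events show the order revoke, flush, open, and the directory case shows that no oplock is granted on directories.

```python
# Added example (not WAAS code): a simulation of the oplock break sequence
# described above. Client, FileServer and the sample file are assumptions
# constructed for the example.

class Client:
    def __init__(self, name):
        self.name = name
        self.oplocks = set()     # paths on which this client holds an exclusive oplock
        self.dirty = {}          # path -> writes held in the local cache
        self.read_ahead = {}     # path -> data prefetched under the oplock

    def write_locally(self, path, data):
        # Writes are buffered locally only while the exclusive oplock is held.
        if path not in self.oplocks:
            raise RuntimeError("write-back caching requires an oplock")
        self.dirty[path] = data

    def on_oplock_break(self, server, path):
        # Step 2 of the process: flush pending changes, then drop read-ahead
        # buffers, because the data is no longer guaranteed to stay current.
        if path in self.dirty:
            server.store(path, self.dirty.pop(path))
        self.read_ahead.pop(path, None)
        self.oplocks.discard(path)


class FileServer:
    def __init__(self):
        self.files = {}           # path -> data
        self.oplock_holder = {}   # path -> Client holding the exclusive oplock
        self.events = []          # ordered record of what happened

    def store(self, path, data):
        self.files[path] = data
        self.events.append(("flush", path, data))

    def open(self, client, path):
        """Return True if the opener was granted an exclusive oplock."""
        holder = self.oplock_holder.get(path)
        if holder is not None and holder is not client:
            # Step 1: revoke the first user's exclusive lock; the holder
            # flushes and discards before the second open proceeds (step 3).
            self.events.append(("revoke", holder.name, path))
            holder.on_oplock_break(self, path)
            del self.oplock_holder[path]
            self.events.append(("open", client.name, path, "no-oplock"))
            return False
        granted = False
        if holder is None and not path.endswith("/"):   # no oplocks on directories
            self.oplock_holder[path] = client
            client.oplocks.add(path)
            client.read_ahead[path] = self.files.get(path, b"")
            granted = True
        elif holder is client:
            granted = True
        self.events.append(("open", client.name, path,
                            "exclusive" if granted else "no-oplock"))
        return granted


def demo():
    server = FileServer()
    server.files["budget.xlsx"] = b"v1"
    first, second = Client("A"), Client("B")
    a_granted = server.open(first, "budget.xlsx")
    first.write_locally("budget.xlsx", b"v2")        # stays in A's cache
    server_before = server.files["budget.xlsx"]      # server still has v1
    b_granted = server.open(second, "budget.xlsx")   # triggers the break
    dir_granted = server.open(first, "reports/")     # directories get no oplock
    return {
        "a_granted": a_granted,
        "server_before": server_before,
        "b_granted": b_granted,
        "server_after": server.files["budget.xlsx"],
        "a_dirty": dict(first.dirty),
        "a_read_ahead": dict(first.read_ahead),
        "dir_granted": dir_granted,
        "events": list(server.events),
    }


if __name__ == "__main__":
    for event in demo()["events"]:
        print(event)
```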
Prepositioning
The prepositioning feature allows system administrators to proactively “push” frequently used files from
the central storage into the cache of selected Edge WAEs. This operation provides users with faster
first-time file access, and makes more efficient use of available bandwidth. You create preposition
directives from the WAAS Central Manager GUI.
When an end user attempts to open a file that is not found in the Edge WAE cache, the Edge WAE
retrieves it across the WAN from the file server where it is stored. Prepositioning is a feature that allows
administrators to push large, frequently accessed files from file servers to selected Edge WAE caches
according to a predefined schedule. Through the proper use of prepositioning, administrators can allow
users to benefit from cache-level performance even during first-time access of these files. Prepositioning
improves WAN bandwidth utilization by transferring heavy content when the network is otherwise idle
(for example, at night), which frees up bandwidth for other applications during the day.
The WAAS Central Manager GUI allows administrators to create multiple, overlapping preposition
policies (each with its own schedule), a list of target Edge WAEs, and defined time and size constraints.
Prepositioning includes the ability to configure multiple roots. See the “Creating a New Preposition
Directive” section on page 12-12.
Note
Only the CIFS accelerator supports prepositioning.
Microsoft Interoperability
The WAAS file services feature interoperates with these Microsoft CIFS features:
• Active Directory for user authentication and authorization
• Offline folders in Microsoft CIFS
• Microsoft DFS infrastructure
• Windows shadow copy for shared folders, as described in the “Windows Shadow Copy for Shared Folders” section on page 12-6
Windows Shadow Copy for Shared Folders
WAAS file services support the Shadow Copy for Shared Folders feature that is part of the Windows
Server 2003/2008 operating system. This feature uses the Microsoft Volume Shadow Copy Service to
create snapshots of file systems so that users can easily view previous versions of folders and files.
In a WAAS environment, users view shadow copies in the same way they would in a native Windows
environment by right-clicking a folder or file from the cache and choosing Properties > Previous
Version.
For more information about Shadow Copy for Shared Folders, including the limitations of the feature,
refer to your Microsoft Windows Server 2003/2008 documentation.
Users can perform the same tasks when accessing a shadow copy folder on the Edge WAE as they can
in the native environment on the file server. These tasks include the following:
• Browsing the shadow copy folder
• Copying or restoring the contents of the shadow copy folder
• Viewing and copying files in the shadow copy folder
The Shadow Copy for Shared Folders feature does not support the following tasks:
• Renaming or deleting a shadow copy directory
• Renaming, creating, or deleting files in a shadow copy directory
Supported Servers and Clients
WAAS supports Shadow Copy for Shared Folders on the following file servers:
• Windows Server 2008 and Windows Server 2008 R2
• Windows Server 2003 (with and without SP1)
• NetApp Data ONTap versions 6.5.2, 6.5.4, 7.0, and 7.3.3
• EMC Celerra versions 5.3, 5.4, and 5.6
WAAS supports Shadow Copy for Shared Folders for the following clients:
• Windows 7
• Windows Vista
• Windows XP Professional
• Windows 2000 (with SP3 or later)
• Windows 2003
Note
Windows 2000 and Windows XP (without SP2) clients require the Previous Versions Client to be installed to support Shadow Copy for Shared Folders.
Preparing for File Services
Before enabling file services on your WAEs, ensure that you complete the following tasks:
• If you want to configure multiple devices with the same settings, ensure that you have created a device group that contains all the devices you want to enable with file services. For information on creating device groups, see Chapter 3, “Using Device Groups and Device Locations.”
• Identify the file servers that you want to export, and refer to Table 12-1 to verify that these file servers can operate with WAAS software. Other file servers may operate with WAAS, but only those listed in the table were tested. The file server must support opportunistic locking (oplocks) and CIFS notifications.
Note
The CIFS application accelerator does not support file servers that use the FAT32 file system. You can use the policy rules to exclude any FAT32 file servers from CIFS accelerator optimization.
Table 12-1 Tested File Servers

Vendor               Product               Version
Dell                 PowerVault            715N
Network Appliance    FAS3140               ONTAP 7.3.3
                     FAS940                ONTAP 7.0.1R.1
                     FAS270                ONTAP 7.0.1R.1
                     FAS250                ONTAP 7.0.1R.1
                     F760                  6.5.2R1P16
                     F85                   6.4.5
EMC                  Celerra NS702         5.4.17.5
                     Celerra NS702         5.4.14-3
                     Celerra NS700         5.6.42-5
                     Celerra NS501         5.3.12-3
Microsoft            Windows NT 4.0
                     Windows Server 2000   No service pack, SP1, SP3, and SP4
                     Windows Server 2003   No service pack, SP1, SP2, and R2 (1)
                     Windows Server 2008   SP1 and R2
Novell               6.5 (2)               SP-3
RedHat               Samba                 3.0.1.4a

1. With Windows 7 and Vista clients, the CIFS accelerator transparently uses the SMB1 protocol.
2. WAAS supports Novell 6.5 for CIFS optimization, server consolidation, and generic network acceleration for NCP, eDirectory/NDS, and iPrint. If your Novell file server uses the NFAP option, WAAS can optimize your Novell traffic at the transport layer as well as at the protocol layer using the WAAS CIFS adapter. NFAP is Novell's Native File Access Pack that uses the CIFS protocol on top of Novell's NCP (Novell Core Protocol).
Note
Certain combinations of operating systems and file systems on a file server can result in the server
responding with different timestamp precision for different SMB commands. In this situation, you may
not get the highest possible CIFS optimization if the CIFS application accelerator avoids using cached
files with mismatched timestamps in favor of preserving data coherency.
Using File Services on the NME-WAE
If you are running WAAS on a network module that is installed in a Cisco access router, there are specific
memory requirements for supporting file services. The NME-WAE must contain at least 1 GB of RAM to support file services.
If you try to enable file services and the device does not contain enough memory, the WAAS Central
Manager will display an error message.
You can check the amount of memory that a device contains in the Device Dashboard window. For
details, see the “Device Dashboard Window” section on page 17-8.
Configuring File Services
To accelerate CIFS traffic, you can enable and configure either the CIFS or the SMB accelerators, as
described in the following topics:
• Configuring the CIFS Accelerator, page 12-8
• Configuring the SMB Accelerator, page 12-19
Configuring the CIFS Accelerator
The CIFS accelerator relies on automatic discovery and transparently accelerates CIFS traffic with no
configuration needed.
Table 12-2 provides an overview of the steps that you must complete to configure the CIFS accelerator.
Table 12-2 Checklist for Configuring CIFS Accelerator
1. Prepare for file services—Provides the tasks that you need to complete before enabling and configuring file services on your WAAS devices. For more information, see the “Preparing for File Services” section on page 12-7.
2. Enable CIFS acceleration—Enables the transparent CIFS accelerator. For more information, see the “Enabling and Disabling the Global Optimization Features” section on page 13-3.
3. (Optional) Identify dynamic shares—Identifies the dynamic shares on an exported file server. If your file server uses Access Based Enumeration (ABE) to give users different views of the share, you must configure the dynamic shares on the WAAS Central Manager. For more information, see the “Creating Dynamic Shares for the CIFS Accelerator” section on page 12-9.
4. (Optional) Create a preposition directive—Defines which files are proactively copied from an exported file server to the Edge WAE cache. For more information, see the “About Preposition Directives” section on page 12-11.
Creating Dynamic Shares for the CIFS Accelerator
Many file servers use dynamic shares, which allow multiple users to access the same share but then be
automatically mapped to a different directory based on the user’s credentials. Dynamic shares are most
commonly used on file servers to set up user home directories. For example, a directory named Home
can be set up as a dynamic share on a file server so each user accessing that share is automatically
redirected to their own personal directory.
If a file server contains a dynamic share or is using Access Based Enumeration (ABE), you must register
that dynamic share with the WAAS Central Manager as described in this section.
Defining a dynamic share in the WAAS Central Manager allows each user to see a different view of the
share and allows the operation of ABE if it is configured on the Windows Server.
Note
Dynamic share configuration on the WAAS Central Manager overrides any dynamic share configuration
set up directly on the WAE device using the CLI.
Before adding a dynamic share, note the following limitations:
• Each dynamic share on a file server must be unique.
• You cannot add a dynamic share if that share has a preposition directive. You must remove the preposition policy before you can add the dynamic share.
• You can use the WAAS Central Manager GUI to define any directory as a dynamic share. However, if a directory is not set up as a dynamic share on the file server, all users will read or write the same content from the same directory and will not be redirected to different directories based on their credentials.
To add a dynamic share for CIFS accelerator, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Configure > CIFS File Services > Dynamic Shares.
A list of dynamic shares appears. The Dynamic Shares window shows all the dynamic shares configured.
From this window, you can perform the following tasks:
• Edit the configuration of an existing dynamic share by clicking the Edit icon next to the share. You can delete the dynamic share, or modify any of the dynamic share settings.
• Add a new dynamic share definition, as described in the next steps.
Step 2 Click the Create New Dynamic Share icon in the taskbar to add a new dynamic share. The Creating a new Dynamic Share window appears.
Step 3 In the Name field, enter a name for the dynamic share. The following characters are not supported in the dynamic share name: / \ : * ? " < > |
From the Assigned Domain drop-down list, choose the WAAS domain that you want to assign to the dynamic share. Only administrators who are also assigned to this WAAS domain have permission to edit the dynamic share configuration. The domain does not affect clients’ access to the dynamic share.
Note
A WAAS domain is not the same as a DNS domain or Windows domain. For more information on WAAS domains, see the “Working with Domains” section on page 8-14.
This kind of WAAS domain does not use entities. When defining the WAAS domain, choose None for the Entity Type. The WAAS domain must be assigned to each WAAS admin user who needs to edit the dynamic share configuration (see the “Assigning a Domain to a User Account” section on page 8-15).
Step 4 In the File Server field, enter the name or IP address of the file server with the dynamic share. If you specify the file server name, the edge WAE resolves it to an IP address. The registered file servers are displayed in a drop-down list.
Step 5 In the User name, Password, and Confirm Password fields, enter the username and password credentials for the file server. If the username is in a Windows domain, specify the domain name as part of the User name field, as follows: domain\username. These credentials are used only to access the file server when you click the Browse button.
Step 6 In the Share Name field, specify the location of the dynamic share by doing one of the following tasks:
• Enter the name of the dynamic share on the file server. The following characters cannot be used in the share name: \ / : * ? " < > |
• Click Browse next to the Share Name field to navigate to the correct root directory.
Note
The Browse button appears only if you have at least one WAE device with the CIFS accelerator enabled and registered to the WAAS Central Manager.
Step 7 Ensure that the status of the share is set to enabled. If you change the status to disabled, the share will not be set up as a dynamic share in your WAAS environment.
Step 8 Click Submit. The specified directory now functions as a dynamic share on the Edge WAE cache.
About Preposition Directives
A preposition directive allows you to determine which files should be proactively copied from CIFS file
servers to the cache of selected Edge WAEs. Prepositioning enables you to take advantage of idle time
on the WAN to transfer frequently accessed files to selected WAEs, where users can benefit from
cache-level performance even during first-time access of these files.
Prepositioning is supported on automatically discovered file servers in the transparent CIFS accelerator.
When defining a preposition directive, you select the Edge WAEs that you want to be prepositioned with
content from the file server, then specify the root directories on the file server to be prepositioned.
Initially, the preposition directive is in the unscheduled state. You must create a schedule that determines
when and how often the content is prepositioned. Because content can be prepositioned on a regular
basis, you can specify whether each new iteration of the task should copy all designated files, or only
those files that have changed over a specified time interval.
In addition, you can specify time and size limits to prevent a preposition task from consuming too much
bandwidth on the WAN or too much space on the Edge WAE cache. We strongly recommend that you
use these limits to optimize network efficiency and prevent misuse of this feature.
When the activation time of a preposition directive arrives, a preposition task starts on the Edge WAE.
Each preposition task can be monitored in the WAAS Central Manager GUI during and after processing.
You can also terminate active preposition tasks if required.
Prepositioning requires that the username and password needed to access the file server be specified.
These items are specified directly in the Creating New Preposition Directive window, as described in the
following procedure.
Note
When preposition updates are sent to the Central Manager, if any preposition file server credentials
cannot be decrypted, all further preposition updates are not sent from the WAE to the Central Manager
and decryption failure error messages are logged in errorlog/cms_log.current. You must reconfigure the
preposition credentials from the CLI.
Prepositioning includes the ability to configure multiple roots. See the “Creating a New Preposition
Directive” section on page 12-12.
When using prepositioning, both branch and data center WAEs are required (the same as for any other
accelerated traffic). The branch WAE retrieves prepositioned files through an optimized connection.
Verify that you have connectivity between the following network entities:
• Client to branch WAE
• Branch WAE to data center WAE
• Branch WAE to file server
• Data center WAE to file server
You will need to change any ACLs that might be blocking prepositioning traffic.
Note
Though preposition directives can be created and managed by using the CLI, we recommend that you
use the Central Manager GUI because you can manage prepositioning for groups of WAEs from the
Central Manager. If you mix GUI and CLI configuration, unpredictable results can occur because
changes on one device can affect other devices.
The following topics describe how to create and manage a preposition directive:
• Creating a New Preposition Directive, page 12-12
• Assigning Edge Devices to a Preposition Directive, page 12-16
• Creating a New Preposition Schedule, page 12-17
• Checking the Preposition Status, page 12-18
• Starting and Stopping Preposition Tasks, page 12-18
Creating a New Preposition Directive
To create a preposition directive, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Configure > CIFS File Services > Preposition.
The Preposition Directives window appears. This window displays the following information about preposition directives that exist on the system:
• Preposition Directive—Name of the preposition directive.
• Type—Whether the preposition directive affects all files (Full) or just those that have changed since the last preposition task (Differential).
– When the type is Full, all the files that match the other filters of the task and that are found on the file server are sent to the Edge to be compared with the cache.
– When the type is Differential, only the files that are found as changed since the last successful preposition are sent to the Edge cache. The time of the last successful preposition is taken from the Edge device, so ensure that the clock is synchronized with the file server. The first scan is always a full scan. If you change the preposition task, the last successful scan time is reset.
– When the type is Since, only the files that are found as changed within a specified time period are sent to the Edge cache.
• Status—Whether the preposition directive is enabled or disabled.
• File Server—Name of the exported file server.
From the Preposition Directive window, you can perform the following tasks:
• Edit the configuration of an existing preposition directive by clicking the Edit icon next to the
directive. You can then delete the preposition directive, or modify any of the settings.
• Add a new preposition directive, as described in the following steps.
Step 2
Click the Create New Preposition Directive icon in the taskbar to create a new preposition directive.
The Creating New Preposition Directive window appears. (See Figure 12-2.)
Figure 12-2 Creating a New Preposition Directive Window
Step 3
Enter a name for the directive. The double quote (") character is not allowed in the name.
Step 4
From the Status drop-down list, choose either enabled or disabled. Disabled directives are not put into
effect.
Step 5
(Optional) Define the time and size limitations using the provided fields.
Table 12-3 describes the time and size limitation fields.
Table 12-3
Preposition Time and Size Limitations
Field
Description
Total Size as % of Cache Volume
Percentage of the overall Edge WAE cache that prepositioned files can
consume. For example, if you do not want this prepositioning directive to
consume more than 30 percent of a WAE’s cache, enter 30 in this field. The
default value is 5 percent.
The percentage of the cache defined for a preposition task defines the
maximum size that can be prepositioned in a single iteration of the task
regardless of how much is already in the cache.
When the cache is full, regardless of the reason, prepositioning operates like
on-demand caching: an eviction process begins and the files with the oldest
time-last-accessed values are removed from the cache.
Max File Size
Maximum file size that can be exported. Files that are larger than this value are
not exported to the WAE cache.
Min File Size
Minimum file size that can be exported. Files that are smaller than this value
are not exported to the WAE cache. It is inefficient to preposition files smaller
than 20 KB because these files can be retrieved quickly over the WAN through
normal WAAS.
The default value is 20 KB.
Duration
Maximum amount of time it should take WAAS to export the file server. If it
takes WAAS longer than this amount of time to export the file server, WAAS
stops the exporting process before all files are copied to the Edge WAE cache.
If the preposition task does not start at the scheduled start time (for example,
because the Edge and the Core have no connection), the start retries are
counted in the duration.
If you do not specify a value for this field, WAAS takes as much time as needed
to export this file server.
Type
Time filter on the scan process. From the Type drop-down list, choose one of
the following options:
• All Files—Exports all files to the Edge WAE cache. This is the default
setting.
• Files changed since last preposition—Exports only the files that have
changed since the last preposition to the Edge WAE cache. This
differential filter is applied from the second iteration of a task execution
onward.
If a new directory is moved to an already prepositioned directory (without
changing its last-modified time), this new directory is not prepositioned
during the next prepositioning session when you choose this option.
• Files changed since last—Exports only the files that have changed within
the specified time. For example, if you want to push out file updates that
have been made on the file server in the last two hours, enter 2 in the
provided field and choose hour from the drop-down list.
Note
If one of these limits is exceeded during a prepositioning task, the task is terminated and a
message is sent to the Administrator log. Any remaining files are exported the next time the task
is run. If a user requests one of the missing files before this happens, it is fetched over the WAN
through WAAS software as usual.
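As an added illustration (not code from this guide or from WAAS), the following Python simulation applies the Type filter, the Min/Max File Size limits and the Total Size budget from Table 12-3 to a constructed file listing and stops, as the Note above describes, when the per-iteration limit would be exceeded; the data-structure layout, function names and the sample listing are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class FileEntry:
    path: str
    size: int            # bytes
    mtime: datetime      # last-modified time as reported by the file server


@dataclass
class Directive:
    """Subset of the Table 12-3 fields (the layout is an assumption, not the WAAS data model)."""
    type: str                            # "full", "differential" or "since"
    cache_volume: int                    # total Edge WAE cache size in bytes
    total_size_pct: float = 5.0          # Total Size as % of Cache Volume (default 5)
    max_file_size: Optional[int] = None  # bytes; None means no upper limit
    min_file_size: int = 20 * 1024       # default 20 KB
    since: Optional[timedelta] = None    # time window for the "since" type


def select_files(files, directive, now, last_success):
    """Return (files to send, termination reason or None).

    full:         every file that passes the size filters is sent.
    differential: only files changed since the last successful run; the first
                  scan (last_success is None) is always a full scan.
    since:        only files changed within directive.since.
    Selection stops with a reason once the Total Size budget for one iteration
    would be exceeded; the remaining files wait for the next run.
    """
    if directive.type == "differential" and last_success is not None:
        cutoff = last_success
    elif directive.type == "since":
        if directive.since is None:
            raise ValueError("the since type requires a time window")
        cutoff = now - directive.since
    else:
        cutoff = None  # full scan

    budget = int(directive.cache_volume * directive.total_size_pct / 100)
    chosen, used = [], 0
    for f in sorted(files, key=lambda e: e.path):
        if f.size < directive.min_file_size:
            continue
        if directive.max_file_size is not None and f.size > directive.max_file_size:
            continue
        if cutoff is not None and f.mtime <= cutoff:
            continue
        if used + f.size > budget:
            return chosen, f"total size limit of {budget} bytes reached at {f.path}"
        chosen.append(f)
        used += f.size
    return chosen, None


NOW = datetime(2024, 3, 13, 2, 0)
LAST_OK = NOW - timedelta(days=1)
# Constructed sample listing; the server name follows the guide's cifs://win12srv/home example.
SAMPLE = [
    FileEntry("cifs://win12srv/home/readme.txt", 4 * 1024, NOW - timedelta(hours=1)),         # below 20 KB
    FileEntry("cifs://win12srv/home/plan.doc", 300 * 1024, NOW - timedelta(hours=3)),         # changed recently
    FileEntry("cifs://win12srv/home/old.doc", 500 * 1024, NOW - timedelta(days=5)),           # unchanged since last run
    FileEntry("cifs://win12srv/home/video.mp4", 900 * 1024 * 1024, NOW - timedelta(hours=2)),  # above Max File Size
]


def demo():
    """First run of a differential directive is a full scan; the second run sends only changed files."""
    d = Directive(type="differential", cache_volume=100 * 1024 * 1024, total_size_pct=1.0,
                  max_file_size=50 * 1024 * 1024)
    first, _ = select_files(SAMPLE, d, NOW, None)
    second, _ = select_files(SAMPLE, d, NOW, LAST_OK)
    return [f.path for f in first], [f.path for f in second]
```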
Step 6
(Optional) Check the Ignore Hidden Directories check box if you want to prevent hidden directories
on the file server from being prepositioned. This check box is unchecked by default. If you leave this
box unchecked, hidden directories are prepositioned.
Step 7
In the File Server field, enter the name of a file server to export. Do not use the double quote (") or
forward slash (/) characters.
Step 8
From the Location drop-down list, choose the device location that will provide browsing services for the
file server; normally this is the data center WAE. For the best browsing performance, specify a location
that is close to the file server. The location is used only for browsing; each edge WAE will retrieve
prepositioned files directly from the file server, not from this location. For more information on defining
locations, see the “Working with Device Locations” section on page 3-9.
Step 9
In the User name, Password, and Confirm Password fields, enter the username and password credentials
for the file server. If the username is in a Windows domain, specify the domain name as part of the User
name field, as follows: domain\username.
The access credentials that you enter must allow read access to the prepositioned root directories and to
their parent directories.
Step 10
(Optional) Check the DSCP value for high priority messages check box if you want to assign a DSCP
marking value to the prepositioning traffic. Choose a DSCP value from the drop-down list or enter a
number from 0–63 in the text field.
DSCP is a field in an IP packet that enables different levels of service to be assigned to the network
traffic. Levels of service are assigned by marking each packet on the network with a DSCP code and
associating a corresponding level of service. DSCP is the combination of IP Precedence and Type of
Service (ToS) fields. For more information, see RFC 2474.
Step 11
In the Root Share and Directories field, enter the directories on the file server that you want to export.
Use any of the following methods to identify a directory:
• Manually enter one or more directory paths in the following format: protocol://server/share or
server\share. For example, cifs://win12srv/home or win12srv\home. You may enter multiple lines
for multiple directories, with each full directory path on its own line. You cannot specify the root
directory (/) as a root share.
When you define multiple root shares, the preposition sequence that is performed for a single root
configuration is repeated for each root serially.
• Click the Browse button to browse the directories on the file server. To navigate into a directory,
click the file folder icon to the left of the directory name. Check the check box next to the directory
that you want to export and then click the Select Directory button. The browse window allows you
to choose multiple directories.
The browse function operates best when you choose in the Location drop-down list the location of
the nearest CIFS accelerator to the file server. If you do not choose a location, the browse request is
sent to all devices that have the CIFS accelerator enabled, and the request may time out.
• Check the Include Sub Directories check box to include all subdirectories under the specified root
directory. If this option is not selected, only the files in the specified root directory are prepositioned
and you cannot select subdirectories when you are browsing.
• Narrow the policy definition to a particular type of file by choosing a pattern operator from the File
Name drop-down list and entering the text that describes the pattern in the adjacent text box. For
example, enter ends with .doc. Do not use a space or the following special characters:
|:><"?*/\
Step 12
Click Submit.
The directive is saved and additional tabs appear at the top of the window.
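As an added example that is not part of this guide or of WAAS, the following Python helper checks the field rules from Steps 3, 7, 10, 11 and 12 before a directive is submitted (for instance from an automation script) and parses each Root Share line into a (server, share) pair; the function names, the regular expressions and the sample values are assumptions.

```python
import re

# Characters that Step 12 disallows in the File Name pattern, plus the space.
FILE_NAME_FORBIDDEN = set('|:><"?*/\\ ')

# The two Root Share forms named in Step 11: protocol://server/share or server\share.
# Subdirectories below the share are accepted (cifs://server/share/dir, server\share\dir).
_URL_FORM = re.compile(r'^(?P<proto>[a-z]+)://(?P<server>[^/\\"]+)/(?P<share>[^\\"]+)$')
_UNC_FORM = re.compile(r'^(?P<server>[^/\\"]+)\\(?P<share>[^/"]+)$')


def parse_root_share(line):
    """Return (server, share) for one Root Share line, or raise ValueError."""
    line = line.strip()
    if line in ("", "/"):
        raise ValueError("the root directory (/) cannot be a root share")
    m = _URL_FORM.match(line) or _UNC_FORM.match(line)
    if not m:
        raise ValueError(f"unrecognised root share format: {line!r}")
    return m.group("server"), m.group("share")


def validate_directive(name, file_server, root_shares, file_name_pattern=None, dscp=None):
    """Return a list of problems; an empty list means every documented rule is satisfied.

    root_shares is the multi-line Root Share and Directories field, one path per line.
    """
    problems = []
    if not name or '"' in name:                       # Step 3
        problems.append("name must be non-empty and must not contain a double quote")
    if not file_server or any(c in file_server for c in '"/'):  # Step 7
        problems.append("file server must not contain a double quote or forward slash")
    parsed = []
    for line in root_shares.splitlines():              # Step 11
        if not line.strip():
            continue
        try:
            parsed.append(parse_root_share(line))
        except ValueError as exc:
            problems.append(str(exc))
    if not parsed:
        problems.append("at least one root share is required")
    if file_name_pattern is not None:                 # Step 12
        bad = sorted(set(file_name_pattern) & FILE_NAME_FORBIDDEN)
        if bad:
            problems.append(f"file name pattern contains forbidden characters: {bad}")
    if dscp is not None and not 0 <= dscp <= 63:       # Step 10
        problems.append("DSCP value must be between 0 and 63")
    return problems
```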
Assigning Edge Devices to a Preposition Directive
After you create a preposition directive, you need to assign Edge WAEs or device groups to the directive.
This task determines which Edge WAEs will store preposition content in their cache.
Note
Prepositioning includes the ability to configure multiple roots. See the “Creating a New Preposition
Directive” section on page 12-12.
To assign an Edge WAE or device group to a preposition directive, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > CIFS File Services > Preposition.
The Preposition Directives window appears, which lists the preposition directives that exist on the
system.
Step 2
Click the Edit icon next to the preposition directive that you want to assign to an Edge WAE or device
group.
Step 3
Click one of the following tabs at the top of the window:
• Assign Edge Devices—Allows you to select one or more Edge WAEs to assign to this directive.
• Assign Edge Groups—Allows you to select a device group to assign to this directive.
The Edge Device Assignments window or the Device Groups Assignments window appears, depending
on the selected option.
For either view, the assignments window lets you filter your view of the items in the list. Filtering
enables you to find items in the list that match the criteria that you set.
Step 4
Choose the Edge WAEs or device groups to assign to this preposition directive by doing either of the
following:
• Click the icon next to the individual Edge WAE or device group that you want to assign to this
directive. The icon changes when selected.
• Click the icon in the taskbar to assign all available Edge WAEs or device groups to this directive.
Note
If a device or device group is offline (identified by the offline icon), then you cannot assign that
device or group to this directive. The preposition directive, when assigned to a device group, is
applied only to connected Edge devices in the assigned device group.
When assigning a CIFS accelerator preposition directive to a device group, the directive is
applied only to those devices enabled for CIFS acceleration in the assigned device group.
Step 5
Click Submit.
The icon next to each edge device or device group that you selected changes to the assigned state.
Note
If the CIFS accelerator is disabled on a WAE, the WAE is removed from any preposition directives to
which it is assigned. Also, the preposition directive is removed from the device’s running configuration.
Creating a New Preposition Schedule
Once you create a preposition directive and assign WAEs to the directive, we recommend you create a
schedule that determines when and how often prepositioning occurs.
For example, you may want to schedule prepositioning to occur at night to minimize the amount of traffic
during business hours. Or you may want to schedule prepositioning to occur on a recurring basis if the
exported data changes often. This will help ensure that the WAEs assigned to this directive have the latest
file updates in their cache.
When a preposition task is scheduled to begin at the same time for multiple Edge WAEs that are located
in different time zones, the task will begin on the Edge WAEs based on the Core WAE time zone. If the
clocks of the Edge WAE and the Core WAE are not synchronized, the task will not start on time.
To create a preposition schedule, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > CIFS File Services > Preposition.
The Preposition Directives window appears, which lists the preposition directives that exist on the
system.
Step 2
Click the Edit icon next to the preposition directive for which you want to create a schedule.
Step 3
Click the Schedule tab at the top of the window.
The Creating New Preposition Schedule window appears. By default, no schedule is configured.
Step 4
Choose one of the following scheduling options:
• Not Scheduled—Prepositioning is not scheduled at this time.
• Now—Prepositioning occurs within a few minutes after you submit this schedule.
A Now schedule begins again each time you make a change to the preposition directive and click
the Submit button. A Now schedule also begins again as soon as an edge device that has been
reloaded comes back online.
• Daily—Prepositioning occurs daily at the defined time.
• Date—Prepositioning occurs at the defined time and date.
• Weekly—Prepositioning occurs on the selected days of the week at the defined time.
• Monthly Days—Prepositioning occurs on the selected days of the month at the defined time.
• Monthly Weekdays—Prepositioning occurs on the defined day (as opposed to a defined date) and
time during the month. For example, you can schedule prepositioning to occur on the second
Tuesday of every month.
Step 5
Specify a start time for the prepositioning task.
The time is expressed in 24-hour format with 00:00 representing midnight. The time refers to the local
time of the Edge WAE where the data is to be prepositioned. If there are multiple Edge WAEs in different
time zones, the time refers to the local time of the Core WAE.
Note
You cannot schedule a start time for the Now option.
Step 6
Click Submit.
The message Changes Submitted appears at the bottom of the window confirming that your schedule was
saved.
Step 7
Verify that the preposition directive completed successfully by checking the preposition status. For more
information, see the “Checking the Preposition Status” section on page 12-18.
Checking the Preposition Status
After you create one or more preposition directives, you can check the status of all the preposition tasks
to ensure they completed successfully. If a task does not complete successfully, then some of the
prepositioned files may have not been successfully copied to the Edge WAE cache.
To check the status of a prepositioning task, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > CIFS File Services > Preposition.
The Preposition Directives window appears, which lists the preposition directives that exist on the
system.
Step 2
Click the Edit icon next to the preposition directive that you want to check.
Step 3
Click the Preposition Status tab at the top of the window. The Preposition Status window appears.
This page displays the following information:
• WAE—The name of each Edge WAE that received the prepositioned files in its cache.
• Start Time—The time the preposition task started.
• Duration—The amount of time it took the preposition task to complete.
• Amount Copied—The amount of data copied to the WAE cache (in bytes).
• Status—Whether the preposition task completed successfully.
• Reason—The reason a preposition task failed.
Step 4
Ensure that the Status column shows Completed.
If this column shows a failure, look in the Reason column for an explanation that can help you
troubleshoot why the preposition task failed. After resolving the issue, you can schedule the preposition
task to run again now, or wait until the scheduled start time and check the status again later.
Starting and Stopping Preposition Tasks
You can start or stop a preposition task from the Device Manager GUI. For more information, see the
“Preposition Option” section on page 11-20.
Configuring the SMB Accelerator
Table 12-4 provides an overview of the steps that you must complete to configure the SMB accelerator.
Table 12-4
Checklist for Configuring SMB Accelerator
Task
Additional Information and Instructions
1. Prepare for file services.
Provides the tasks that you need to complete before enabling and configuring
file services on your WAAS devices. For more information, see the
“Preparing for File Services” section on page 12-7.
2. Enable SMB acceleration.
Enables and configures the SMB accelerator. For more information, see the
“Enabling and Disabling the Global Optimization Features” section on
page 13-3.
3. (Optional) Identify dynamic shares.
Identifies the dynamic shares on an exported file server. If your file server
uses Access Based Enumeration (ABE) to give users different views of the
share, you must configure the dynamic shares on the WAAS Central
Manager.
For more information, see the “Creating Dynamic Shares for the SMB
Accelerator” section on page 12-19.
Creating Dynamic Shares for the SMB Accelerator
Many file servers use dynamic shares, which allow multiple users to access the same share but then be
automatically mapped to a different directory based on the user’s credentials. Dynamic shares are most
commonly used on file servers to set up user home directories. For example, a directory named Home
can be set up as a dynamic share on a file server so that each user accessing that share is automatically
redirected to their own personal directory.
If a file server contains a dynamic share or is using Access Based Enumeration (ABE), you must register
that dynamic share with the WAAS Central Manager as described in this section.
Defining a dynamic share in the WAAS Central Manager allows each user to see a different view of the
share and allows the operation of ABE if it is configured on the Windows Server.
Note
Dynamic share configuration on the WAAS Central Manager overrides any dynamic share configuration
set up directly on the WAE device using the CLI.
Before adding a dynamic share, note the following limitations:
• Each dynamic share on a file server must be unique.
• You can use the WAAS Central Manager GUI to define any directory as a dynamic share. However,
if a directory is not set up as a dynamic share on the file server, all users will read or write the same
content from the same directory and will not be redirected to different directories based on their
credentials.
To add a dynamic share for SMB accelerator, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > File Services > SMB Dynamic Shares.
A list of dynamic shares appears. The Dynamic Shares window shows all the dynamic shares configured.
From this window, you can perform the following tasks:
• Edit the configuration of an existing dynamic share by selecting it and clicking the Edit taskbar icon.
• Delete the dynamic share by selecting it and clicking the Delete taskbar icon.
• Add a new dynamic share definition, as described in the next steps.
Step 3
Click the Add Dynamic Share taskbar icon to add a new dynamic share. The Dynamic Share window
appears.
Step 4
In the File Server field, enter a valid FQDN or IP address of the file server with the dynamic share.
If you specify the file server name, the WAE resolves it to an IP address.
Step 5
The IP addresses of the registered file servers are displayed in a drop-down list. Choose a file server.
Step 6
In the Share field, specify the location of the dynamic share by doing one of the following tasks:
• Enter the name of the dynamic share on the file server. The following characters cannot be used in
the share name: \ / : * ? " < > |
• Click Browse next to the Share Name field to navigate to the correct root directory.
Note
The Browse button appears only if you have at least one WAE device with the SMB
accelerator enabled and registered to the WAAS Central Manager.
Step 7
Ensure that the status of the share is set to enabled. If you change the status to disabled, the share will
not be set up as a dynamic share in your WAAS environment.
Step 8
Click OK.
The specified directory now functions as a dynamic share on the WAE.
Chapter 13
Configuring Application Acceleration
This chapter describes how to configure the optimization policies on your WAAS system that determine
the types of application traffic that is accelerated over your WAN.
Note
Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central
Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules
(the NME-WAE family of devices), and SM-SRE modules running WAAS.
This chapter contains the following sections:
• About Application Acceleration, page 13-1
• Enabling and Disabling the Global Optimization Features, page 13-3
• Creating a New Traffic Optimization Policy, page 13-49
• Managing Application Acceleration, page 13-55
About Application Acceleration
The WAAS software comes with over 150 predefined optimization policies that determine the type of
application traffic your WAAS system optimizes and accelerates. These predefined policies cover the
most common type of application traffic on your network. For a list of the predefined policies, see
Appendix A, “Predefined Optimization Policy.”
Each optimization policy contains the following elements:
• Application definition—Identifies general information about a specific application, such as the
application name and whether the WAAS Central Manager collects statistics about this application.
• Class Map—Contains a matching condition that identifies specific types of traffic. For example, the
default HTTP class map matches all traffic going to ports 80, 8080, 8000, 8001, and 3128. You can
create up to 512 class maps and 1024 matching conditions.
• Policy—Combines the application definition and class map into a single policy. This policy also
determines what optimization and acceleration features (if any) a WAAS device applies to the
defined traffic. You can create up to 512 policies. A policy can also contain a differentiated services
code point (DSCP) marking value that is applied to the traffic and that overrides a DSCP value set
at the application or global level.
You can use the WAAS Central Manager GUI to modify the predefined policies and to create additional
policies for other applications. For more information on creating optimization policies, see the “Creating
a New Traffic Optimization Policy” section on page 13-49. For more information on viewing reports,
restoring policies, monitoring applications, and other functions, see the “Managing Application
Acceleration” section on page 13-55.
Note
All application definitions configured in the WAAS Central Manager are globally applied to all WAAS
devices that register with the WAAS Central Manager, regardless of the device group membership
configuration.
WAAS policies can apply two kinds of optimizations to matched traffic:
• Layer 4 optimizations that include TFO, DRE, and LZ compression. These features can be applied
to all types of TCP traffic.
• Layer 7 optimizations that accelerate application-specific protocols. The application accelerators
control these kinds of optimizations.
For a given optimization policy, the DRE feature can use different caching modes (beginning with
software version 4.4.1):
• Bidirectional—The peer WAEs maintain identical caches for inbound and outbound traffic. This
caching mode is best suited where a significant portion of the traffic seen in one direction between
the peers is also seen in the reverse direction. In software versions prior to 4.4.1, this mode is the
only supported caching mode.
• Unidirectional—The peer WAEs maintain different caches for inbound and outbound traffic. This
caching mode is best suited where a significant portion of the traffic seen in one direction between
the peers is not seen in the reverse direction.
• Adaptive—The peer WAEs negotiate either bidirectional or unidirectional caching based on the
characteristics of the traffic seen between the peers.
The predefined optimization policies are configured to use the optimal DRE caching mode, depending
on the typical application traffic, though you can change the mode if you want.
Enabling and Disabling the Global Optimization Features
The global optimization features determine if TFO Optimization, Data Redundancy Elimination (DRE),
and Persistent Compression are enabled on a device or device group. By default, all of these features are
enabled. If you choose to disable one of these features, the device will be unable to apply the full WAAS
optimization techniques to the traffic that it intercepts.
In addition, the global optimization features include each of the following application accelerators:
EPM, CIFS, HTTP, MAPI, NFS, SSL, SMB, ICA, and video. By default, all of the application
accelerators are enabled except SMB. Encrypted MAPI is also not enabled by default. The application
accelerators also require specific licenses to operate. For information on installing licenses, see the
“Managing Software Licenses” section on page 10-3.
You must enable the accelerator on both of the peer WAEs at either end of a WAN link for all application
accelerators to operate.
To enable or disable a global optimization feature, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Enabled Features.
The Enabled Features window appears. (See Figure 13-1.)
Note
For a WAAS Express device, only a subset of the standard features are available. (See
Figure 13-2.)
Figure 13-1 Enabled Features Window
Figure 13-2 shows the subset of standard features that are available for a WAAS Express device.
Figure 13-2 Enabled Features Window—WAAS Express
For WAAS Express, the following express versions of application accelerators are supported:
• CIFS accelerator express (See the “Configuring CIFS Accelerator Express” section on page 13-26)
• HTTP accelerator express (See the “Configuring HTTP Acceleration” section on page 13-7)
• SSL accelerator express (See the “Configuring SSL Acceleration” section on page 13-28)
Not all of the properties in the standard WAAS device are available in the WAAS Express version of the
application accelerators.
Note
If you try to enable DRE on a WAAS Express device on which it is not supported, a message
tells you that it is not supported.
The Restore Predefined Settings icon for WAAS Express applies the predefined settings for
HTTP/HTTPS, CIFS, and SSL cipher list and peering service.
Step 3
Place a check next to the optimization features that you want to enable, and uncheck the features that
you want to disable. For a description of each of the optimization features, see the “Key Services of
Cisco WAAS” section on page 1-4.
Step 4
If you check the Data Redundancy Elimination check box, you can click the Advanced Settings link
as a shortcut to the DRE Settings Configuration window. For more information, see the “Configuring
DRE Settings” section on page 13-7.
Step 5
If you check the HTTP Accelerator check box, you can click the Advanced Settings link as a shortcut
to the HTTP Acceleration Configuration window. For more information, see the “Configuring HTTP
Acceleration” section on page 13-7.
Step 6
If you check the Video Accelerator check box, you can click the Advanced Settings link as a shortcut
to the Video Acceleration Configuration window. For more information, see the “Configuring Video
Acceleration” section on page 13-22.
Step 7
If you check the MAPI Accelerator check box, you can click the Advanced Settings link as a shortcut
to the MAPI Acceleration Configuration window. For more information, see the “Configuring MAPI
Acceleration” section on page 13-11.
Step 8
If you check the Encrypted MAPI Traffic Optimization check box, you can click the Mandatory
Encryption Configuration link as a shortcut to the Encrypted Services Configuration window.
Note
The Encrypted MAPI feature is in extended beta trials. You must contact
waas-emapi-cs@external.cisco.com with your Cisco account team on the cc: for approvals
before enabling this feature. Only approved customers will be supported for beta evaluations.
For more information, see the “Configuring Encrypted MAPI Acceleration” section on page 13-12.
Step 9
If you check the CIFS Accelerator check box, you have the following option:
• Windows Print Accelerator—Check this box to accelerate print traffic between clients and a
Windows print server. This accelerator is enabled by default when you enable the CIFS accelerator.
Note
Do not disable Windows Print Acceleration during a client session as this can interfere with the
client's use of print services. If you must disable Windows Print Acceleration, disconnect and
then reestablish the client session.
Step 10
If you check the SMB Accelerator check box, you can click the Advanced Settings link as a shortcut to
the SMB Acceleration Configuration window. For more information, see the “Configuring SMB
Acceleration” section on page 13-24.
Step 11
If you check the ICA Accelerator check box, you can click the Advanced Settings link as a shortcut to
the ICA Acceleration Configuration window. For more information, see the “Configuring ICA
Acceleration” section on page 13-27.
Step 12
In the Advanced Settings area, uncheck the Blacklist Operation feature if you want to disable it. This
feature allows a WAE to better handle situations in which TCP setup packets that have options are
blocked or not returned to the WAE device. This behavior can result from network devices (such as
firewalls) that block TCP setup packets that have options, and from asymmetric routes. The WAE can
keep track of origin servers (such as those behind firewalls) that cannot receive optioned TCP packets
and learns not to send out TCP packets with options to these blacklisted servers. WAAS is still able to
accelerate traffic between branch and data center WAEs in situations where optioned TCP packets are
dropped. We recommend leaving this feature enabled.
Step 13
If you want to change the default Blacklist Server Address Hold Time of 60 minutes, enter the new time
in minutes in the Blacklist Server Address Hold Time field. The valid range is 1 minute to 10080 minutes
(1 week).
When a server IP address is added to the blacklist, it remains there for the configured hold time. After that
time, subsequent connection attempts again include TCP options so that the WAE can redetermine
whether the server can receive them. Retrying TCP options periodically is useful because network
packet loss may cause a server to be erroneously blacklisted.
You can shorten or lengthen the blacklist time by changing the Blacklist Server Address Hold Time field.
Step 14
Click Submit.
The changes are saved to the device or device group.
To configure TFO optimization, DRE, and persistent compression from the CLI, use the tfo optimize
global configuration command.
To configure EPM acceleration from the CLI, use the accelerator epm global configuration command.
To configure HTTP acceleration from the CLI, use the accelerator http global configuration command.
To configure NFS acceleration from the CLI, use the accelerator nfs global configuration command.
To configure MAPI acceleration from the CLI, use the accelerator mapi global configuration command.
To configure video acceleration from the CLI, use the accelerator video global configuration command.
To configure SSL acceleration from the CLI, use the accelerator ssl global configuration command.
To configure CIFS acceleration from the CLI, use the accelerator cifs and accelerator cifs preposition
global configuration commands.
To configure Windows print acceleration from the CLI, use the accelerator windows-print global
configuration command.
To configure SMB acceleration from the CLI, use the accelerator smb global configuration command.
To configure ICA acceleration from the CLI, use the accelerator ica global configuration command.
To configure the Blacklist Operation feature from the CLI, use the tfo auto-discovery global
configuration command.
To display status and statistics on the application accelerators from the CLI, use the show accelerator
and show statistics accelerator EXEC commands. To display statistics on the Windows print
accelerator, use the show statistics windows-print requests EXEC command.
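The Blacklist Operation behaviour described in Steps 12 and 13, as an added illustration that is not WAAS code and does not claim to reproduce WAAS internals: a small Python model of a per-server blacklist with the configurable hold time (1 to 10080 minutes, default 60) and the retry-with-options that follows expiry, including the recovery of a server that was blacklisted only because of transient packet loss. The trigger used (an optioned SYN that goes unanswered) and the server address are assumptions of this example.

```python
# Added illustration (not WAAS code) of the state behind Blacklist Operation:
# a server whose optioned TCP setup packets are dropped is remembered for the
# hold time, then probed with options again so that a server blacklisted only
# because of transient packet loss is re-learned. What exactly makes WAAS
# decide a server drops optioned SYNs is not documented in this guide; the
# trigger used here (an optioned SYN that goes unanswered) is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_HOLD_MIN, MAX_HOLD_MIN, DEFAULT_HOLD_MIN = 1, 10080, 60   # range and default from the guide


@dataclass
class OptionBlacklist:
    hold_minutes: int = DEFAULT_HOLD_MIN
    _expires: Dict[str, float] = field(default_factory=dict)   # server IP -> expiry (epoch seconds)

    def __post_init__(self) -> None:
        if not MIN_HOLD_MIN <= self.hold_minutes <= MAX_HOLD_MIN:
            raise ValueError(f"hold time must be {MIN_HOLD_MIN}..{MAX_HOLD_MIN} minutes")

    def send_options(self, server: str, now: float) -> bool:
        """Should the next SYN towards server carry the auto-discovery options?
        True again once the hold time has elapsed: that is the periodic retry."""
        expiry = self._expires.get(server)
        if expiry is None:
            return True
        if now >= expiry:
            del self._expires[server]          # hold time over, forget the server
            return True
        return False

    def optioned_syn_unanswered(self, server: str, now: float) -> None:
        """Assumed trigger: an optioned setup packet got no reply, so blacklist
        the server for one hold period (re-arms the timer if already listed)."""
        self._expires[server] = now + self.hold_minutes * 60

    def remaining(self, server: str, now: float) -> Optional[int]:
        """Seconds until the server is retried with options, or None if not listed."""
        expiry = self._expires.get(server)
        return None if expiry is None else max(0, int(expiry - now))


def walkthrough(hold_minutes: int = DEFAULT_HOLD_MIN) -> List[str]:
    """Constructed timeline (assumed address 192.0.2.10) for a server behind a
    firewall that strips TCP options; returns the decision at each step."""
    bl = OptionBlacklist(hold_minutes)
    srv, hold = "192.0.2.10", hold_minutes * 60
    log = []
    log.append("t=0 options=%s" % bl.send_options(srv, 0))               # first contact: try options
    bl.optioned_syn_unanswered(srv, 0)                                    # firewall dropped the optioned SYN
    log.append("t=hold/2 options=%s" % bl.send_options(srv, hold / 2))   # plain SYN; WAE-to-WAE traffic still optimized
    log.append("t=hold options=%s" % bl.send_options(srv, hold))         # hold time elapsed: retry with options
    bl.optioned_syn_unanswered(srv, hold)                                 # still dropped: listed for another period
    log.append("t=hold+1 remaining=%s" % bl.remaining(srv, hold + 1))
    return log


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The retry at the end of the hold time is what corrects a false positive: if the first optioned SYN was lost to ordinary packet loss rather than a filtering device, the second attempt succeeds and the server is never re-listed, so a short hold time recovers faster from such errors while a long one avoids repeatedly probing a server that really does strip options.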
For details on configuring individual application accelerators, see the following sections:
• Configuring HTTP Acceleration, page 13-7
• Configuring MAPI Acceleration, page 13-11
• Configuring Encrypted MAPI Acceleration, page 13-12
• Configuring Video Acceleration, page 13-22
• Configuring CIFS Accelerator Express, page 13-26
• Configuring SMB Acceleration, page 13-24
• Configuring ICA Acceleration, page 13-27
• Configuring SSL Acceleration, page 13-28
• For CIFS: Chapter 12, “Configuring File Services”
Configuring DRE Settings
To enable DRE settings, check the DRE Settings check box in the Enabled Features window (see
Figure 13-1 on page 13-4).
To configure the DRE auto bypass and load monitor settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > DRE Settings.
The DRE Settings window appears.
Step 3
Check the Enable DRE auto bypass check box to have the WAE generate an alarm and automatically
bypass DRE for application traffic.
Step 4
Check the Enable DRE Load Monitor check box to enable DRE load reporting.
Step 5
Click Submit.
The changes are saved to the device or device group.
To enable DRE auto bypass from the CLI, use the dre auto-bypass enable global configuration
command.
To enable DRE load monitor from the CLI, use the dre load-monitor report global configuration
command.
Configuring HTTP Acceleration
The HTTP application accelerator accelerates HTTP traffic. HTTPS traffic (HTTP carried over SSL) can be
optimized by both the SSL and HTTP accelerators.
The default Web optimization policy is defined to send traffic to the HTTP accelerator. The Web
optimization policy uses the HTTP class map, which matches traffic on ports 80, 8080, 8000, 8001, and
3128. If you expect HTTP traffic on other ports, add the other ports to the HTTP class map.
To enable the HTTP accelerator, check the HTTP Accelerator check box in the Enabled Features window
(see Figure 13-1 on page 13-4).
To configure the HTTP acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > HTTP/HTTPS Settings.
The HTTP Acceleration Settings window appears. (See Figure 13-3.)
Note
For WAAS Express, the HTTP acceleration settings are the same but the fields are laid out
differently in the HTTP/HTTPS Settings window.
Figure 13-3
HTTP Acceleration Settings Window
Step 3
Check the Enable HTTP metadatacache caching check box to enable the WAE to cache HTTP header
(metadata) information. The default setting is enabled.
This box must be checked to enable any of the other settings in the Metadata Cache Settings area. If this
box is not checked, no header caching is done.
For details on HTTP metadata caching, see the “About HTTP Metadata Caching” section on page 13-9.
Step 4
Check the Enable HTTPS metadatacache caching check box to enable the WAE to cache HTTPS
header (metadata) information (HTTP as payload in SSL traffic). The default setting is checked
(enabled).
For details on HTTP metadata caching, see the “About HTTP Metadata Caching” section on page 13-9.
Step 5
In the Maximum age of a cache entry field, enter the maximum number of seconds to retain HTTP header
information in the cache. The default is 86400 seconds (24 hours). Valid time periods range from
5–2592000 seconds (30 days).
Step 6
In the Minimum age of a cache entry field, enter the minimum number of seconds to retain HTTP header
information in the cache. The default is 60 seconds. Valid time periods range from 5 to 86400 seconds
(24 hours).
Step 7
Check the Enable local HTTP 301 redirect messages check box to enable the WAE to cache and locally
serve HTTP 301 messages. The default setting is checked.
Step 8
Check the Enable local HTTP 401 Authentication-required messages check box to enable the WAE
to cache and locally serve HTTP 401 messages. The default setting is checked.
Step 9
Check the Enable local HTTP 304 Not-Modified messages check box to enable the WAE to cache
HTTP 200 and 304 messages and locally serve HTTP 304 messages. The default setting is checked.
Step 10
To configure specific file extensions to which metadata caching is to be applied, enter the file extensions
in the File extension filters field at the far right. Separate multiple extensions with a comma (for
example: jpeg, gif, png) and do not include the dot at the beginning of the file extension. Click the
<< Add button to add the entered file extensions to the active list, which is shown to the left. You can
enter a maximum of 20 file extensions.
To remove an extension from the list, select it in the active list and click the >> Delete button.
By default, no file extension filters are defined and therefore metadata caching applies to all file types.
Step 11
Check the Suppress server compression for HTTP and HTTPS check box to have the WAE suppress
compression by the web server. The default setting is checked.
With this box checked, the WAE removes the Accept-Encoding header from HTTP and HTTPS request
headers, so the web server does not compress the HTTP and HTTPS data that it sends to the client. The
WAE then applies its own compression to that data, which for most files compresses much better than
the web server does. For some file types that rarely change, such as .css and .js files, this setting is
ignored and web server compression is allowed.
Step 12
Check the Enable DRE Hints for HTTP and HTTPS check box to send DRE hints to the DRE module
for improved DRE performance. The DRE hint feature is enabled by default.
Step 13
Click Submit.
The changes are saved to the device or device group.
To configure HTTP acceleration from the CLI, use the accelerator http global configuration command.
To show the contents of the metadata cache, use the show cache http-metadatacache EXEC command.
To clear the metadata cache, use the clear cache http-metadatacache EXEC command.
To enable or disable specific HTTP accelerator features for specific clients or IP subnets, use the HTTP
accelerator subnet feature. For more details, see the “Using an HTTP Accelerator Subnet” section on
page 13-10.
About HTTP Metadata Caching
The metadata caching feature allows the HTTP accelerator in the branch WAE to cache particular server
responses and respond locally to clients. The following server response messages are cached:
• HTTP 200 OK (applies to If-None-Match and If-Modified-Since requests)
• HTTP 301 redirect
• HTTP 304 not modified (applies to If-None-Match and If-Modified-Since requests)
• HTTP 401 authentication required
Metadata caching is not applied in the following cases:
• Requests and responses that are not compliant with RFC standards
• URLs over 255 characters
• 301 and 401 responses with cookie headers
• HEAD method is used
• Pipelined transactions
Note
The metadata caching feature is introduced in WAAS version 4.2.1, but version 4.2.1 is needed only on
the branch WAE. This feature can interoperate with an HTTP accelerator on a data center WAE that has
a lower version.
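To make the rules in Step 11 above (suppressing server compression) and this section's exclusion list concrete, here is an added Python model, written for this edit and not taken from WAAS, of the two decisions applied to constructed requests. The .css/.js exemption, the 255-character URL limit and the cached status codes come from the text above; treating a Cookie on the request side of a 301/401 as disqualifying, the sample hostname, and the request contents are assumptions of the example.

```python
# Added example (not WAAS code): a model of two per-request decisions the
# guide attributes to the branch HTTP accelerator, so the rules can be read
# and checked against sample traffic. Request parsing is deliberately minimal.
from typing import Dict, Tuple

MAX_CACHEABLE_URL = 255
CACHED_STATUSES = {200, 301, 304, 401}
CONDITIONAL_HEADERS = ("if-none-match", "if-modified-since")
SERVER_COMPRESSION_ALLOWED = {"css", "js"}   # extensions the guide exempts from suppression


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def _extension(target: str) -> str:
    """File extension of the request path, ignoring the query string."""
    last = target.split("?", 1)[0].rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def suppress_server_encoding(raw: bytes) -> bytes:
    """Remove Accept-Encoding so the origin returns uncompressed data that the
    WAE can compress itself; css and js requests pass through unchanged."""
    _method, target, _headers = parse_request(raw)
    if _extension(target) in SERVER_COMPRESSION_ALLOWED:
        return raw
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = [ln for ln in head.split(b"\r\n")
            if not ln.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(kept) + sep + body


def metadata_cacheable(method: str, target: str, req_headers: Dict[str, str],
                       status: int, resp_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the exclusion list from 'About HTTP Metadata Caching'. RFC
    compliance and pipelining need connection state and are not modelled.
    Treating a cookie on either side of a 301/401 as disqualifying is an
    assumption; the guide only says 'with cookie headers'."""
    if method.upper() == "HEAD":
        return False, "HEAD method"
    if len(target) > MAX_CACHEABLE_URL:
        return False, "URL over 255 characters"
    if status not in CACHED_STATUSES:
        return False, f"status {status} is never cached"
    if status in (200, 304) and not any(h in req_headers for h in CONDITIONAL_HEADERS):
        return False, "200/304 cached only for If-None-Match/If-Modified-Since requests"
    if status in (301, 401) and ("set-cookie" in resp_headers or "cookie" in req_headers):
        return False, "301/401 with cookie headers"
    return True, "cacheable"


# Constructed sample requests (not captured traffic); the hostname is made up.
SAMPLE_IMAGE = (b"GET /images/logo.png HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Accept-Encoding: gzip, deflate\r\nIf-None-Match: \"v7\"\r\n\r\n")
SAMPLE_SCRIPT = (b"GET /static/app.js?v=3 HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"Accept-Encoding: gzip\r\n\r\n")


def demo() -> Dict[str, Dict[str, object]]:
    """Run both samples through both decisions and return the outcomes."""
    out: Dict[str, Dict[str, object]] = {}
    for name, raw in (("image", SAMPLE_IMAGE), ("script", SAMPLE_SCRIPT)):
        method, target, hdrs = parse_request(suppress_server_encoding(raw))
        out[name] = {
            "accept_encoding_kept": "accept-encoding" in hdrs,
            "cache_304": metadata_cacheable(method, target, hdrs, 304, {}),
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run stand-alone, the image request loses its Accept-Encoding header and its 304 response is cacheable (the request was conditional), while the script request keeps Accept-Encoding because of the .js exemption and its 304 is not cached because the request carried no If-None-Match or If-Modified-Since.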
Using an HTTP Accelerator Subnet
The HTTP accelerator subnet feature allows you to selectively enable or disable specific HTTP
optimization features for specific IP subnets by using ACLs. This feature can be applied to the following
HTTP optimizations: HTTP metadata caching, HTTPS metadata caching, DRE hints, and suppress
server compression.
To define IP subnets, use the ip access-list global configuration command. Refer to this command in the
Cisco Wide Area Application Services Command Reference for information on configuring subnets. You
can use both standard and extended ACLs.
To configure a subnet for an HTTP accelerator feature, follow these steps:
Step 1
Enable the global configuration for all the HTTP accelerator features that you want to use.
Step 2
Create an IP access list to use for a subnet of traffic.
WAE(config)# ip access-list extended md_acl
WAE(config-ext-nacl)# permit ip 1.1.1.0 0.0.0.255 any
WAE(config-ext-nacl)# permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
WAE(config-ext-nacl)# exit
Step 3
Associate the ACL with a specific HTTP accelerator feature. Refer to the accelerator http global
configuration command in the Cisco Wide Area Application Services Command Reference for
information on associating an ACL with an HTTP accelerator feature.
WAE(config)# accelerator http metadatacache access-list md_acl
In this example, the HTTP metadata cache feature applies to all the connections that match the
conditions specified in the extended access-list md_acl.
In the following example, the HTTP suppress-server-encoding feature applies to all the connections that
match the conditions specified in the standard access-list 10.
WAE(config)# ip access-list standard 10
WAE(config-std-nacl)# permit 1.1.1.0 0.0.0.255
WAE(config-std-nacl)# exit
WAE(config)# accelerator http suppress-server-encoding access-list 10
For the features (DRE hints and HTTPS metadata cache in this example) that do not have an ACL
associated with them, the global configuration is used and they are applicable to all the connections.
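As an added example that is not WAAS code, the following Python reproduces the wildcard-mask matching of the md_acl and access-list 10 examples above, so you can check which client/server pairs a feature will cover before committing it. It also flags the common mistake of typing a subnet mask (255.255.255.0) where a wildcard (0.0.0.255) belongs, which silently widens the match to a scatter of hosts across the whole address space. The NETMASK_TYPO entry and the test addresses are constructed for the example; the evaluation order (first match wins, implicit deny) follows Cisco ACL semantics.

```python
# Added example (not WAAS code): emulate the wildcard-mask matching a WAE
# applies when an ACL is bound to an HTTP accelerator feature, so you can
# check which client/server pairs a feature will actually cover before
# committing the configuration. First match wins; no match is the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Addr = Tuple[str, str]                 # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")


@dataclass
class AclEntry:
    action: str                        # "permit" or "deny"
    src: Addr
    dst: Addr                          # standard ACLs carry ANY here


def _bits(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    care = ~_bits(wild) & 0xFFFFFFFF
    return (_bits(addr) & care) == (_bits(base) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1] not in ("any", "host"):
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1      # standard ACL with the wildcard omitted


def parse_acl(config_lines: List[str]) -> List[AclEntry]:
    """Accept the permit/deny lines of a standard or extended IP ACL as typed at
    the WAE(config-*-nacl)# prompt; other lines (the ip access-list header, exit)
    are ignored."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] == "ip":                  # extended: protocol, source, destination
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
        else:                                  # standard: source only
            src, _ = _parse_addr(tokens, 1)
            dst = ANY
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


def acl_permits(entries: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; no match means the implicit deny applies,
    so the feature bound to the ACL is not applied to that connection."""
    for e in entries:
        if wildcard_match(src_ip, *e.src) and wildcard_match(dst_ip, *e.dst):
            return e.action == "permit"
    return False


def suspicious_wildcards(entries: List[AclEntry]) -> List[str]:
    """Flag wildcards whose set bits are not one contiguous low-order run, the
    usual symptom of typing a subnet mask where a wildcard belongs."""
    bad = []
    for e in entries:
        for base, wild in (e.src, e.dst):
            w = _bits(wild)
            if (w + 1) & w:                    # w+1 is a power of two iff w is 0...01...1
                bad.append(f"{base} {wild}")
    return bad


# The two ACLs from the guide, as typed, plus a constructed mistake for contrast.
MD_ACL = parse_acl([
    "ip access-list extended md_acl",
    "permit ip 1.1.1.0 0.0.0.255 any",
    "permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255",
    "exit",
])
ACL_10 = parse_acl(["ip access-list standard 10", "permit 1.1.1.0 0.0.0.255", "exit"])
NETMASK_TYPO = parse_acl(["permit ip 1.1.1.0 255.255.255.0 any"])   # constructed, not from the guide

if __name__ == "__main__":
    for src, dst in (("1.1.1.7", "10.0.0.1"), ("2.2.2.9", "3.3.3.1"), ("2.2.2.9", "4.4.4.4")):
        hit = "metadata cache" if acl_permits(MD_ACL, src, dst) else "global default"
        print(f"md_acl {src} -> {dst}: {hit}")
    print("typo matches 203.0.113.0:", acl_permits(NETMASK_TYPO, "203.0.113.0", "10.0.0.1"))
    print("suspicious:", suspicious_wildcards(NETMASK_TYPO))
```

The NETMASK_TYPO entry shows why the check matters: with 255.255.255.0 as the wildcard only the last octet is compared, so 203.0.113.0 matches and 1.1.1.5 does not, which is the opposite of what the author meant.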
Configuring MAPI Acceleration
The MAPI application accelerator accelerates Microsoft Outlook Exchange traffic that uses the
Messaging Application Programming Interface (MAPI) protocol. Microsoft Outlook 2000–2010 clients
are supported. Clients can be configured with Outlook in cached or noncached mode; both modes are
accelerated.
Secure connections that use message authentication (signing) are not accelerated, and MAPI over HTTP
is not accelerated.
Note
Microsoft Outlook 2007 and 2010 have encryption enabled by default. The MAPI application accelerator
described in this section accelerates only unencrypted MAPI, so you must disable Outlook encryption to
benefit from it. Disabling encryption sends mailbox traffic across the WAN in cleartext; where that is not
acceptable, leave encryption on and use the Encrypted MAPI acceleration feature instead (see the
“Configuring Encrypted MAPI Acceleration” section on page 13-12).
The EPM application accelerator must be enabled for the MAPI application accelerator to operate. EPM
is enabled by default. Additionally, the system must define an optimization policy of type EPM, specify
the MAPI UUID, and have an Accelerate setting of MAPI. This policy, MAPI for the
Email-and-Messaging application, is defined by default.
EPM traffic, such as MAPI, does not normally use a predefined port. If your Outlook administrator has
configured Outlook in a nonstandard way to use a static port, you must create a new basic optimization
policy that accelerates MAPI traffic with a class map that matches the static port that was configured for
Outlook.
Note
If the WAE becomes overloaded with connections, the MAPI application accelerator continues to
accelerate MAPI connections by using internally reserved connection resources. If the reserved
resources are also exceeded, new MAPI connections are passed through until connection resources
become available.
To enable the MAPI accelerator, check the MAPI Accelerator check box in the Enabled Features window
(see Figure 13-1 on page 13-4).
To configure MAPI acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > MAPI Settings.
The MAPI Acceleration Settings window appears. (See Figure 13-4.)
Figure 13-4
MAPI Acceleration Settings Window
Step 3
In the Reserved Pool Size Maximum Percent field, enter the maximum percentage of connections to
reserve for MAPI optimization during TFO overload. It is specified as a percentage of the TFO connection
limit of the platform. The valid range is 5% to 50%. The default is 15%, which reserves approximately
0.5 connection for each client-server Association Group (AG) optimized by the MAPI accelerator.
The client maintains at least one AG per server it connects to with an average of about 3 connections per
AG. For deployments that observe a greater average number of connections per AG, or where TFO
overload is a frequent occurrence, a higher value for reserved pool size maximum percent is
recommended.
Reserved connections would remain unused when the device is not under TFO overload. Reserved
connections are released when the AG terminates.
Step 4
Click Submit. The changes are saved to the device or device group.
Configuring Encrypted MAPI Acceleration
The Encrypted MAPI acceleration feature provides WAN optimization for secure MAPI application
protocols using MS-Kerberos security protocol and Windows Active Directory identity for
authentication of clients and/or servers in the domain.
Note
The Encrypted MAPI feature is in extended beta trials. You must contact
waas-emapi-cs@external.cisco.com with your Cisco account team on the cc: for approvals before
enabling this feature. Only approved customers will be supported for beta evaluations.
This section contains the following topics:
• Task Flow for Configuring Encrypted MAPI, page 13-13
• Configuring Encrypted MAPI Settings, page 13-13
• Configuring a Machine Account Identity, page 13-15
• Creating and Configuring a User Account, page 13-17
• Configuring Microsoft Active Directory, page 13-18
• Managing Domain Identities and Encrypted MAPI State, page 13-20
Task Flow for Configuring Encrypted MAPI
To configure Encrypted MAPI traffic acceleration, complete the tasks listed in Table 13-1. These tasks
must be performed on both data center and branch WAEs unless specifically noted as not required (or
optional).
Table 13-1
Tasks for Configuring Encrypted MAPI
1. Configure DNS settings. To configure DNS settings, see the “Configuring the DNS Server” section on
page 6-26.
2. Configure NTP settings. To synchronize the time with Active Directory, see the “Configuring NTP
Settings” section on page 10-5.
3. Verify that WAE devices are registered and online with the WAAS Central Manager. See the “Devices
Window” section on page 17-6.
4. Configure SSL Peering Service. See the “Configuring SSL Peering Service” section on page 13-43.
5. Verify that WAN Secure mode is enabled. Use the show accelerator wansecure EXEC command.
6. Configure Windows domain settings and perform the domain join. (The domain join automatically
creates the machine account in Active Directory.) See the “Configuring Windows Domain Server
Authentication Settings” section on page 7-17. Performing a domain join of the WAE is not required on
branch WAE devices.
7. Configure domain identities (for the machine account and optional user accounts). To configure a
machine account identity, see the “Configuring a Machine Account Identity” section on page 13-15.
(Optional) To create a user account and configure a user account identity, see the “Creating and
Configuring a User Account” section on page 13-17. Configuring domain identities is not required on
branch WAE devices.
8. Enable Windows Domain Encrypted Service. Navigate to the Configure > Security > Windows
Domain > Encrypted Services page and check the Enable Encrypted Service check box.
9. Enable Encrypted MAPI Traffic Optimization. See the “Enabling and Disabling the Global
Optimization Features” section on page 13-3.
Configuring Encrypted MAPI Settings
To configure Encrypted MAPI acceleration, follow these steps:
Step 1
Configure DNS Settings.
The WAAS DNS server must be part of the DNS system of Windows Active Directory domains to
resolve DNS queries for traffic encryption.
To configure DNS settings, see the “Configuring the DNS Server” section on page 6-26.
Step 2
Configure NTP Settings to synchronize the time with Active Directory.
The WAAS device must be time-synchronized with Active Directory for Encrypted MAPI acceleration.
The WAE must synchronize to the same time source as the Active Directory domain controllers of the
domains whose traffic is to be decrypted. Kerberos rejects tickets when clocks differ by more than the
domain's permitted skew (5 minutes by default), so out-of-sync time causes Encrypted MAPI
acceleration to fail.
To synchronize the time with Active Directory, see the “Configuring NTP Settings” section on
page 10-5.
Step 3
Verify WAE devices are registered and online with the WAAS Central Manager.
To verify WAE devices are registered and online with the WAAS Central Manager, see the “Devices
Window” section on page 17-6.
Step 4
Configure SSL Peering Service.
Note
SSL accelerator must be enabled and in the running state.
To configure SSL Peering Service, see the “Configuring SSL Peering Service” section on page 13-43.
Step 5
Verify WAN Secure mode is enabled.
The default mode is Auto. You can verify the state of WAN Secure mode using the following EXEC
command:
show accelerator wansecure
If necessary, you can change the state of WAN Secure using the following global configuration
command:
accelerator mapi wansecure-mode {always | auto | none}
Step 6
Configure windows domain settings and perform domain join. (Domain join automatically creates the
machine account in Active Directory.)
Note
Performing a domain join of the WAE is not required on branch WAE devices.
Note
This step is optional on data center WAEs if only user accounts are used for domain identity
configuration in the next step.
To configure Windows Domain Server Authentication settings, see the “Configuring Windows Domain
Server Authentication Settings” section on page 7-17 section.
Note
You must use Kerberos authentication for Encrypted MAPI Acceleration. The NTLM authentication
method is not supported.
Step 7
Configure domain identities. (Not required for branch WAEs.)
You must have at least one account, either user or machine, configured with a domain identity. Each
device supports up to 5 domain identities: 1 machine account identity and 4 user account identities. This
allows a WAAS device to accelerate up to 5 domain trees. You must configure a domain identity for each
domain that has an Exchange server with clients to be accelerated.
a.
Configure the machine account identity.
A machine account for the core device was automatically created during the join process in the
Windows Domain Server authentication procedure in the previous step. If you are using a machine
account, a machine account identity must be configured for this account.
Each device only supports one machine account identity.
To configure a machine account identity, see the “Configuring a Machine Account Identity” section
on page 13-15.
b.
Create and configure optional user accounts.
You may use up to four optional user accounts for additional security. Multiple user accounts provide
greater security than having all of the core devices use a single user account, because a credential
compromised on one device then exposes only that device's identity rather than every core WAE. You
are required to configure a user account identity for each user account, whether you are using an
existing user account or creating a new one.
To create a user account and configure a user account identity, see the “Creating and Configuring a
User Account” section on page 13-17.
Step 8
Enable Windows Domain Encrypted Service. (Enabled by default.)
a.
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
b.
From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The
Encrypted Services window appears.
c.
Check the Enable Encrypted Service check box.
d.
Click Submit to save your changes.
Step 9
Enable Encrypted MAPI Traffic Optimization.
From the Enabled Features window, check the Encrypted MAPI Traffic Optimization check box (the
MAPI Accelerator check box must also be checked), and click Submit. Encrypted MAPI traffic
optimization is disabled by default.
Note
The Encrypted MAPI feature is in extended beta trials. You must contact
waas-emapi-cs@external.cisco.com with your Cisco account team on the cc: for approvals
before enabling this feature. Only approved customers will be supported for beta evaluations.
For more information on the Enabled Features window, see the “Enabling and Disabling the Global
Optimization Features” section on page 13-3.
Configuring a Machine Account Identity
To configure an identity for a machine account, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The
Encrypted Services window appears.
Step 3
Click the Add Domain Identity button to add a machine account domain identity. (See Figure 13-5.)
Every WAAS device to be accelerated must have a domain identity.
Figure 13-5
Add Domain Identity—Machine Account
a.
Select Machine Account from the Account Type drop-down list.
Note
Windows Domain Join must be completed before creating the machine account domain
identity.
b.
Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain
space, ?, |), not exceeding 32 characters.
Note
The domain identity must have sufficient privileges in the Windows Domain Active
Directory to replicate the desired domain information to optimize encrypted traffic. To
configure privileges, see the “Configuring Microsoft Active Directory” section on
page 13-18.
Step 4
Click OK. The domain identity appears in the Encrypted Services Domain Identities list. (See
Figure 13-6.)
Figure 13-6
Encrypted Services—Domain Identity
To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain
encrypted-service global configuration command and the show windows-domain encrypted-service
EXEC command.
Creating and Configuring a User Account
To create a user account and configure a user account identity, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears. (See Figure 13-7.)
Figure 13-7
Step 3
Encrypted Services
Click the Add Domain Identity button to add a user account domain identity. The Domain Identity
window appears. (See Figure 13-8.)
Figure 13-8
Add Domain Identity—User Account
a.
Select User Account from the Account Type drop-down list.
b.
Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain
space, ?, |), not exceeding 32 characters.
c.
Enter username and password information.
d.
Enter the domain name.
e.
Enter the Kerberos realm.
Note
The domain identity must have sufficient privileges in the Windows Domain Active Directory to
replicate the desired domain information to optimize encrypted traffic. To configure privileges,
see the “Configuring Microsoft Active Directory” section on page 13-18.
Step 4
Click OK. The domain identity appears in the Encrypted Services Domain Identities list.
To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain
encrypted-service global configuration command and the show windows-domain encrypted-service
EXEC command.
Configuring Microsoft Active Directory
To grant Cisco WAAS permission to accelerate Exchange encrypted email sessions, follow these steps:
Step 1
Using an account with Domain Administrator privileges, launch the Active Directory Users and
Computers application.
Step 2
Create a new group.
Note
This group is for accounts that WAAS will use to optimize Exchange traffic. Normal users and
computers should not be added to this group.
a.
Right-click the Organizational Unit (OU) that is to contain the new group and choose New > Group.
(See Figure 13-9.)
Figure 13-9
Active Directory—Add Group
b.
Enter a name in the Group name field and select the following attributes:
– Group scope: Universal
– Group type: Security
c.
Click OK.
Step 3
Configure the permissions required by WAAS.
a.
In the Active Directory Users and Computers application window, select View >
Advanced Features from the menu bar.
b.
Right-click on the root of the domain and choose Properties.
c.
Select the Security tab. (See Figure 13-10.)
Figure 13-10
Active Directory—Security Tab
d.
Click Add in the Group or User Names section.
e.
Enter the name of the new group that you created in this procedure in the Enter the object names to
select field and click OK to add the new group to the list.
f.
Select the new group in the Group or user names list and set the following permissions to Allow:
– Replicating Directory Changes
– Replicating Directory Changes All
These two permissions allow their holder to replicate directory data, including account password
secrets, from a domain controller; they are the same rights that DCSync-style credential theft abuses.
Treat the group and every account placed in it as highly privileged: restrict membership to the WAAS
accounts, use long, unique passwords for any user accounts, and audit the group's membership
regularly.
g.
Click OK.
Step 4
Add an account to the group.
User or workstation (computer) accounts must be added to the new group for WAAS Exchange
Encrypted email optimization.
a.
Right-click the account you want to add, choose Properties, and select the Member Of tab.
b.
Click Add.
c.
Choose the new group you created and click OK.
Active Directory permissions configuration is complete.
Managing Domain Identities and Encrypted MAPI State
This section contains the following topics:
• Editing an Existing Domain Identity, page 13-21
• Deleting an Existing Domain Identity, page 13-21
• Disabling Encrypted MAPI, page 13-22
• Encrypted MAPI Acceleration Statistics, page 13-22
Editing an Existing Domain Identity
You can modify the attributes of an existing domain identity on a WAAS device, if needed.
Note
If the password for a user account has been changed in Active Directory, you must edit the user account
domain identity on the WAAS device to match the new Active Directory password.
The following restrictions apply:
• For a machine account identity, only the state of the domain identity (enabled or disabled) can be
modified from a WAAS device.
• For a user account identity, only the state of the domain identity (enabled or disabled) and the
password can be modified from a WAAS device.
To change the password for a user account domain identity on a WAAS device when the password for
the account in Active Directory has changed, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3
Select the user account domain identity to modify and click the Edit icon.
The Domain Identity window appears.
Step 4
Change the password in the password field. The password should be the same as the password for the
account in Active Directory.
Step 5
Click OK.
Deleting an Existing Domain Identity
To delete a domain identity on a WAAS device, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
From the menu, choose Configure > Security > Windows Domain > Encrypted Services.
The Encrypted Services window appears.
Step 3
Select one or more domain identities to delete and click the Delete icon to remove the domain identity
configured on the WAAS device.
A warning message appears if the domain identity is being used for optimizing encrypted traffic.
Step 4
Click OK to accept or Cancel to abort the procedure.
Disabling Encrypted MAPI
To disable Encrypted MAPI, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Disable Encrypted Service.
a. From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The Encrypted Services window appears.
b. Uncheck the Enable Encrypted Service check box.
c. Click Submit to save your changes.
Step 3
Disable Encrypted MAPI Traffic Optimization.
a. From the menu, choose Configure > Acceleration > Enabled Features. The Enabled Features window appears.
b. Uncheck the Encrypted MAPI Traffic Optimization check box.
c. Click Submit to save your changes.
Encrypted MAPI Acceleration Statistics
To view statistics for Encrypted MAPI connections, see the “Using Predefined Reports to Monitor
WAAS” section on page 17-35 and see the MAPI acceleration reports.
Configuring Video Acceleration
The video application accelerator accelerates Windows Media live video broadcasts that use RTSP over
TCP. The video accelerator automatically splits one source video stream from the WAN into multiple
streams to serve multiple clients on the LAN.
The video accelerator automatically causes the client that is requesting a UDP stream to do a protocol
rollover to use TCP (if both the client and server allow TCP).
The default RTSP class map for the Streaming optimization policy is defined to send traffic to the video
accelerator.
By default, the video accelerator sends any unaccelerated video traffic to be handled by the negotiated
standard TCP optimization policy unless the video accelerator is explicitly configured to drop such
traffic. You can choose to drop all unaccelerated video traffic or only traffic that is unaccelerated due to
an overload condition.
To enable the video accelerator, check the Video Accelerator check box in the Enabled Features window
(see Figure 13-1 on page 13-4).
To configure the video acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Video Settings.
The Video Acceleration Configuration window appears. (See Figure 13-11.)
Figure 13-11 Video Acceleration Configuration Window
Step 3
In the Client First Message Reception Timeout field, enter the number of seconds to wait for the first
message from the client and the first response from the server, after the connection is accepted by the
video accelerator, before timing out the connection. Valid values range from 10–180 seconds. The
default is 60.
Step 4
In the drop-down list, choose which unaccelerated video traffic to drop, as follows:
• All—Drop all video traffic that is not being accelerated due to an unsupported transport or format, or overload. All Windows Media video-on-demand traffic and all non-Windows Media RTSP traffic is dropped.
• Overload Only—Drop all video traffic that is not being accelerated due to an accelerator overload only.
• None—Handle unaccelerated video connections with the negotiated TCP optimization policy. (The traffic is not dropped.)
Note
Under some conditions, the video accelerator is not registered with the policy engine, such as
when there is no valid license or in certain error conditions. If you configure the video
accelerator to drop all unaccelerated video traffic, the policy engine drops all video traffic (even
traffic that would have been accelerated if the video accelerator had been properly registered
with the policy engine).
Step 5
Check the Enable transaction logs check box to enable transaction logging. This feature will generate
a large amount of logging data. This box is unchecked by default. Click the More Settings link to go to
the Windows Media Transaction Log Settings configuration page.
Step 6
Check the Enable log forwarding check box to enable forwarding of Windows Media logs to the
upstream Windows Media Server. This box is checked by default.
Step 7
In the Client Idle Connection timeout field, enter the maximum number of seconds to wait after the
initial client request, while the client connection is idle, before timing out the connection. Valid values
range from 30–300 seconds. The default is 60.
Step 8
Click Submit.
The changes are saved to the device or device group.
To configure video acceleration from the CLI, use the accelerator video global configuration command.
Configuring SMB Acceleration
The SMB application accelerator handles optimizations of file server operations. It can be configured to
perform the following file server optimizations:
• Read Ahead optimization—The SMB accelerator performs a read-ahead optimization on files that use the oplock feature. When a client sends a read request for a file, it is likely that it may issue more read requests for the same file. To reduce the use of network bandwidth to perform these functions over the WAN on the file server, the SMB accelerator performs read-ahead optimization by proactively reading more file data than what has been initially requested by the client.
• Directory listing optimization—A significant portion of the traffic on the network is for retrieving directory listings. The SMB accelerator optimizes directory listings from the file server through prefetching. For directory prefetching, a request from the client is expanded to prefetch up to 64 KB of directory listing content. The SMB accelerator buffers the pre-fetched directory listing data until the client has requested all the data. If the directory listing size exceeds 64 KB then a subsequent request from the client is expanded by the SMB accelerator again to prefetch content up to 64 KB. This continues until all the entries of the directory are returned to the client.
• Metadata optimization—The SMB accelerator optimizes fetching metadata from the file server through metadata prefetching. Additional metadata requests are tagged along with the client request and are sent to the file server to prefetch more information levels than what was requested by the client.
• Named Pipe optimization—The SMB accelerator optimizes frequent requests from Windows Explorer to the file server to retrieve share, server, and workstation information. Each of these requests involves a sequence of operations that include opening and binding to the named pipe, making the RPC request, and closing the named pipe. Each operation incurs a round trip to the file server. To reduce the use of network bandwidth to perform these functions over the WAN on the file server, the SMB accelerator optimizes the traffic on the network by caching named pipe sessions and positive RPC responses.
• Write optimization—The SMB accelerator performs write optimization by speeding up the write responses to the client by acknowledging the Write requests to the client whenever possible and, at the same time, streaming the Write request over the WAN to the server.
• Not-Found Metadata caching—Applications sometimes send requests for directories and files that do not exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams (ADS) of the file it finds. With negative Not-Found (NF) metadata caching, the full paths to those nonexistent directories and files are cached so that further requests for the same directories and files get local denies to save the round-trips of sending these requests to the file servers.
• DRE-LZ Hints—The SMB accelerator provides DRE hints to improve system performance and resources utilization. At the connection level, the SMB accelerator uses the BEST_COMP latency sensitivity level for all connections, as it gives the best compression. At the message level, the SMB accelerator provides message-based DRE hints for each message to be transmitted over the WAN.
• Microsoft optimization—The SMB accelerator optimizes file operations for Microsoft applications by identifying lock request sequences for file name patterns supported by Microsoft Office applications.
• Invalid FID optimization—The SMB accelerator optimizes SMB2 clients by locally denying attempts to access files with invalid file handle values instead of sending such requests to the file servers.
• Batch Close optimization—The SMB accelerator performs asynchronous file close optimizations on SMB2 traffic.
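The directory-listing prefetch and the Not-Found metadata cache described above are easiest to reason about as WAN round-trip counts. The following is an added illustration, not Cisco WAAS code: it models the 64 KB prefetch expansion and a negative path cache with constructed paths. The client request size, the WAN lookup counter and the invalidate method are assumptions made for the model (the page does not describe how negative entries are invalidated).

```python
"""Model of two SMB accelerator optimizations from the WAAS guide:
directory-listing prefetch (64 KB expansion) and Not-Found metadata caching.
Added example, not Cisco code; request sizes and paths are constructed."""
import math

PREFETCH_BYTES = 64 * 1024  # prefetch size the guide gives for directory listings


def directory_listing_round_trips(listing_bytes, client_request_bytes,
                                  prefetch_bytes=PREFETCH_BYTES):
    """Return (without_prefetch, with_prefetch): WAN round trips needed to
    deliver a listing of listing_bytes to a client that asks for
    client_request_bytes per request.

    Without the accelerator every client request crosses the WAN.  With it,
    a client request is expanded to prefetch_bytes and later client requests
    are answered from the buffer until it is exhausted, after which the next
    client request is expanded again (assumed model of the text)."""
    if listing_bytes <= 0:
        return (0, 0)
    without = math.ceil(listing_bytes / client_request_bytes)
    fetch = max(prefetch_bytes, client_request_bytes)
    with_prefetch = math.ceil(listing_bytes / fetch)
    return (without, with_prefetch)


class NotFoundCache:
    """Negative metadata cache keyed by full path (constructed model)."""

    def __init__(self):
        self._missing = set()
        self.wan_lookups = 0  # counts round trips actually sent to the server

    def lookup(self, path, server_has):
        """Return True if path exists.  server_has(path) stands in for the
        WAN round trip to the file server."""
        if path in self._missing:
            return False  # local deny: no round trip
        self.wan_lookups += 1
        exists = server_has(path)
        if not exists:
            self._missing.add(path)
        return exists

    def invalidate(self, path):
        """Drop a negative entry (assumption: needed when the path is created
        later, so that a stale deny is not served)."""
        self._missing.discard(path)


if __name__ == "__main__":
    print(directory_listing_round_trips(200 * 1024, 4 * 1024))
```

With a 200 KB listing fetched in 4 KB client requests the model gives 50 round trips without prefetch and 4 with it, which is the effect the guide describes; the cache shows why a second ADS probe for the same file never leaves the branch.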
To enable the SMB accelerator, check the SMB Accelerator check box in the Enabled Features window.
Note
The CIFS accelerator and SMB accelerator are mutually exclusive. Both of these cannot be enabled at
the same time.
To configure the SMB acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > SMB Settings.
The SMB Optimization Bypass Settings window appears. (See Figure 13-12.)
Figure 13-12 SMB Accelerator Configuration Window
Step 3
In the Highest Dialect Optimized drop-down list, choose the highest dialect to optimize. The available options are:
• NTLM 0.12 or NTLM 1.0
• SMB 2.0
• SMB 2.1
Step 4
In the Highest Dialect Optimized Exceed Action drop-down list, choose the action for the dialects that are higher than the one chosen as the highest dialect to optimize, as follows:
• Handoff—If the negotiated dialect is higher than the chosen highest dialect to optimize, the connection is handed off to the generic accelerator.
• Mute—The dialects higher than the one chosen as the highest dialect to optimize are removed from the negotiation list.
Step 5
In the Bypass File Name Pattern text box, enter the patterns for the file names that you want the SMB
accelerator to bypass optimization for. The files whose names match the specified expressions are not
optimized.
Step 6
Check the Read Ahead Optimization check box to enable the SMB accelerator to optimize the quantity of read-ahead data from the file. The SMB accelerator performs a read-ahead optimization only when the file is opened using the oplock feature. This box is checked by default.
Step 7
Check the Meta Data Optimization check box to enable metadata optimization. This box is checked by
default.
Step 8
Check the Named Pipe Optimization check box to enable named pipe optimization by caching named pipe sessions and positive RPC responses. This box is checked by default.
Step 9
Check the Write Optimization check box to enable the write optimization by speeding up the write responses to the client. This box is checked by default.
Step 10
Check the Microsoft Office Optimization check box to enable optimizations for all versions of
Microsoft Office. The SMB accelerator does not perform read-ahead, write optimization, and lock-ahead
for Microsoft Office if this optimization is disabled. This box is checked by default.
Step 11
Check the ‘Not Found’ Cache Optimization check box to enable caching pathnames of files not found.
This box is checked by default.
Step 12
Check the Invalid FID Optimization check box to enable optimization of handling files with invalid
file handle values. This box is checked by default.
Step 13
Check the Batch Close Optimization check box to enable asynchronous file close optimizations. This
box is checked by default.
Step 14
Click Submit to save the changes.
To configure SMB acceleration from the CLI, use the accelerator smb global configuration command.
Configuring CIFS Accelerator Express
The CIFS application accelerator express handles optimizations of file server operations on a WAAS
Express device. It interoperates with either the standard CIFS accelerator or the standard SMB
accelerator on a standard WAAS device.
CIFS accelerator express can be configured to perform the following file server optimizations:
• Write optimization—CIFS accelerator express performs write optimization by speeding up the write responses to the client by acknowledging the Write requests to the client whenever possible and, at the same time, streaming the Write request over the WAN to the server.
• Read Ahead optimization—CIFS accelerator express performs a read-ahead optimization on files that use the oplock feature. When a client sends a read request for a file, it is likely that it may issue more read requests for the same file. To reduce the use of network bandwidth to perform these functions over the WAN on the file server, the SMB accelerator performs read-ahead optimization by proactively reading more file data than what has been initially requested by the client.
• ADS Negative Cache—Applications sometimes send requests for directories and files that do not exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams (ADS) of the file it finds. With ADS Negative caching, the full paths to those nonexistent directories and files are cached so that further requests for the same directories and files get local denies to save the round-trips of sending these requests to the file servers.
To enable CIFS accelerator express, check the CIFS Accelerator Express check box in the Enabled
Features window.
To configure the CIFS accelerator express settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > CIFS Settings.
The CIFS Optimization Bypass Settings window appears.
Step 3
Check the Write Optimization check box to enable the write optimization by speeding up the write responses to the client. This box is checked by default.
Step 4
Check the Read Ahead Optimization check box to enable CIFS accelerator express to optimize the quantity of read-ahead data from the file. CIFS accelerator express performs a read-ahead optimization only when the file is opened using the oplock feature. This box is checked by default.
Step 5
Check the ADS Negative Cache check box to enable caching pathnames of files not found. This box is
checked by default.
Step 6
Click Submit to save the changes.
To configure CIFS accelerator express from the CLI, use the accelerator cifs global configuration
command.
Configuring ICA Acceleration
The ICA application accelerator provides WAN optimization on a WAAS device for ICA (Independent
Computing Architecture) traffic which is used to access a virtual desktop infrastructure (VDI). This is
done through a process that is both automatic and transparent to the client and server.
ICA acceleration is enabled on a WAAS device by default.
To enable the ICA accelerator, check the ICA Accelerator check box in the Enabled Features window
(see Figure 13-13 on page 13-28).
To configure the ICA acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > ICA Settings.
The ICA Acceleration Configuration window appears. (See Figure 13-13.)
Figure 13-13 ICA Acceleration Configuration Window
Step 3
In the WAN Secure Mode drop-down list, choose the mode, as follows:
• None—Disables WAN Secure mode for ICA.
• Always—Enables WAN Secure mode for ICA. This is the default.
Note
The state of WAN Secure mode in both Branch WAE and Data Center WAE must match for connections to get optimized with the ICA accelerator.
Step 4
Click Submit.
The changes are saved to the device or device group.
To configure ICA acceleration from the CLI, use the accelerator ica global configuration command.
To verify the status of WAN Secure mode from the CLI, use the show accelerator wansecure EXEC
command.
Configuring SSL Acceleration
The SSL application accelerator optimizes traffic on Secure Sockets Layer (SSL) encrypted connections.
If SSL acceleration is not enabled, the WAAS software DRE optimizations are not very effective on SSL
encrypted traffic. The SSL application acceleration enables WAAS to decrypt and apply optimizations
while maintaining the security of the connection.
Note
On a WAAS Express device, only SSL cipher list, SSL certificate authorities, and SSL peering service
configuration is supported.
Note
The SSL accelerator does not optimize protocols that do not start their SSL/TLS handshake from the
very first byte. The only exception is HTTPS going through a proxy (where the HTTP accelerator detects
the start of SSL/TLS). In this case, both HTTP and SSL accelerators optimize the connection.
The SSL application accelerator supports SSL Version 3 (SSLv3) and Transport Layer Security
Version 1 (TLSv1) protocols. TLSv1.1 and TLSv1.2 protocols are not supported.
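The two rules just stated (the handshake must begin at the first byte of the stream, and only SSLv3 and TLSv1 are supported) can be checked against the leading bytes of a captured client stream. The following is an added example, not Cisco code: it parses the TLS record and ClientHello headers, classifies the stream the way the two notes describe, and applies the SSL version setting (SSL3, TLS1 or All) from the SSL Global Settings window. The return strings and the minimal ClientHello builder are constructed for illustration.

```python
"""Classify the first bytes of a client stream according to the WAAS guide's
SSL accelerator rules.  Added example, not Cisco code; the status strings
and the sample ClientHello are constructed."""
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello
VERSIONS = {0x0300: "SSL3", 0x0301: "TLS1", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
# Which protocol versions each SSL version setting admits (from the guide).
POLICIES = {"SSL3": {"SSL3"}, "TLS1": {"TLS1"}, "All": {"SSL3", "TLS1"}}


def client_hello_version(data):
    """Return the ClientHello client_version name, or None when the stream
    does not begin with a handshake record carrying a ClientHello."""
    if len(data) < 11 or data[0] != HANDSHAKE:
        return None
    rec_ver, rec_len = struct.unpack(">HH", data[1:5])
    if rec_ver not in VERSIONS or rec_len < 4:
        return None
    if data[5] != CLIENT_HELLO:
        return None
    (ver,) = struct.unpack(">H", data[9:11])  # client_version inside ClientHello
    return VERSIONS.get(ver, "unknown")


def classify(data, ssl_version_setting="All"):
    """Decide how the first bytes of a client stream would be treated."""
    if data.startswith(b"CONNECT "):
        # HTTPS through a proxy: HTTP accelerator first, SSL accelerator
        # engages once the HTTP accelerator sees the handshake start.
        return "http-accelerator-then-ssl"
    ver = client_hello_version(data)
    if ver is None:
        return "not-ssl-at-first-byte"  # e.g. STARTTLS-style protocols
    if ver not in POLICIES[ssl_version_setting]:
        return "unsupported-version:" + ver
    return "ssl-accelerated:" + ver


def make_client_hello(client_version):
    """Build a minimal constructed ClientHello record (one cipher suite,
    empty session id, null compression) for testing."""
    body = (struct.pack(">H", client_version) + b"\x00" * 32 + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", 0x0301, len(hs)) + hs


if __name__ == "__main__":
    print(classify(make_client_hello(0x0301)))
    print(classify(make_client_hello(0x0303)))
```

A TLS 1.2 ClientHello is parsed correctly but reported as unsupported, which is the case to watch for: such connections are not decrypted by the accelerator and therefore only receive generic TCP optimization.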
Table 13-2 provides an overview of the steps you must complete to set up and enable SSL acceleration.
Table 13-2 Checklist for Configuring SSL Acceleration
(Columns: Task; Additional Information and Instructions)
1. Prepare for configuring SSL acceleration.
Identifies the information that you need to gather before configuring SSL acceleration on your WAAS devices. For more information, see the “Preparing to Use SSL Acceleration” section on page 13-29.
2. Enable secure store, the Enterprise License, and SSL acceleration.
Describes how to set up Central Manager secure store, how to enable the Enterprise License, and how to enable SSL acceleration. Secure store mode is required for secure handling of the SSL encryption certificates and keys. For more information, see the “Enabling Secure Store, the Enterprise License, and SSL Acceleration” section on page 13-30.
3. Enable SSL application optimization.
Describes how to activate the SSL acceleration feature. For more information, see the “Enabling and Disabling the Global Optimization Features” section on page 13-3.
4. Configure SSL acceleration settings.
(Optional) Describes how to configure the basic setup of SSL acceleration. For more information, see the “Configuring SSL Global Settings” section on page 13-31.
5. Create and manage cipher lists.
(Optional) Describes how to select and set up the cryptographic algorithms used on your WAAS devices. For more information, see the “Working with Cipher Lists” section on page 13-35.
6. Set up CA certificates.
(Optional) Describes how to select, import, and manage certificate authority (CA) certificates. For more information, see the “Working with Certificate Authorities” section on page 13-37.
7. Configure SSL management services.
(Optional) Describes how to configure the SSL connections used between the Central Manager and WAE devices. For more information, see the “Configuring SSL Management Services” section on page 13-41.
8. Configure SSL peering service.
(Optional) Describes how to configure the SSL connections used between peer WAE devices for carrying optimized SSL traffic. For more information, see the “Configuring SSL Peering Service” section on page 13-43.
9. Configure and enable SSL accelerated services.
Describes how to add, configure, and enable services to be accelerated by the SSL application optimization feature. For more information, see the “Using SSL Accelerated Services” section on page 13-45.
Preparing to Use SSL Acceleration
Before you configure SSL acceleration, you should know the following information:
• The services that you want to be accelerated on the SSL traffic
• The server IP address and port information
• The public key infrastructure (PKI) certificate and private key information, including the certificate common name and certificate authority signing information
• The cipher suites supported
• The SSL versions supported
Figure 13-14 shows how the WAAS software handles SSL application optimization.
Figure 13-14 SSL Acceleration Block Diagram
(Diagram labels: the Admin Browser reaches the Central Manager through the CM Administration Admin Service; the Central Manager reaches the Branch WAE and the Data Center WAE through the CM to WAE Management Service; the Branch WAE and Data Center WAE are joined by the WAE to WAE Peering Service; the Client to Server Accelerated Service is the SSL Service, a TCP connection carrying SSL traffic on a well known TCP port (e.g. 443), passing through the Branch WAN Router, WAN1 and the Data Center WAN Router; the diagram distinguishes the Client to Data Center SSL Session from the Core to Server SSL Session, with the server Common Name shown as hr.analog.com; legend: SSL Data, SSL Sessions, TCP Session.)
When you configure SSL acceleration, you must configure SSL accelerated service on the server-side
(Data Center) WAE devices. The client-side (Branch) WAE needs to have its secure store initialized and
unlocked/opened, but does not need to have the SSL accelerated service configured. However, the SSL
accelerator must be enabled on both Data Center and Branch WAEs for SSL acceleration services to
work. The WAAS Central Manager provides SSL management services and maintains the encryption
certificates and keys.
Enabling Secure Store, the Enterprise License, and SSL Acceleration
Before you can use SSL acceleration on your WAAS system, you must perform the following steps:
Step 1
Enable secure store encryption on the Central Manager.
To enable secure store encryption, see the “Configuring Secure Store Settings” section on page 10-10.
Step 2
Enable the Enterprise license.
To enable the Enterprise license, see the “Managing Software Licenses” section on page 10-3.
Step 3
Enable SSL acceleration on devices.
To enable the SSL acceleration feature, see the “Enabling and Disabling the Global Optimization
Features” section on page 13-3.
Note
If the SSL accelerator is already running, you must wait 2 datafeed poll cycles when registering a new
WAE with a Central Manager before making any configuration changes, otherwise the changes may not
take effect.
Configuring SSL Global Settings
To configure the basic SSL acceleration settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Global Settings.
The SSL Global Settings window appears (see Figure 13-15).
Figure 13-15 SSL Global Settings Window
Step 3
To configure a device to use the SSL settings from a particular device group, choose the device group
from Select a Device Group drop-down list located in SSL global settings toolbar. A device can either
use its own SSL settings, or SSL settings from a device group. However, it is not possible to configure
a device to use SSL settings from multiple device groups.
Step 4
In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3
protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to accept both
SSL3 and TLS1 SSL protocols.
Step 5
(Optional) Set the Online Certificate Status Protocol (OCSP) parameters for certificate revocation:
a. In the OCSP Revocation check drop-down list, select the OCSP revocation method. Choose ocsp-url to have the SSL accelerator use the OCSP responder specified in the OCSP Responder URL field to check the revocation status of certificates. Choose ocsp-cert-url to use the OCSP responder URL specified in the Certificate Authority certificate that signed the certificate.
b. If the Ignore OCSP failures check box is enabled, the SSL accelerator treats the OCSP revocation check as successful if it did not get a definite response from the OCSP responder.
Step 6
In the Cipher List field, choose a list of cipher suites to be used for SSL acceleration. For more
information, see the “Working with Cipher Lists” section on page 13-35.
Step 7
Choose a certificate/key pair method (see Figure 13-16).
Figure 13-16 Configuring Service Certificate and Private Key
• Click Generate Self-signed Certificate Key to have the WAAS devices use a self-signed certificate/key pair for SSL.
• Click Import Existing Certificate Key to upload or paste an existing certificate/key pair.
• Click Export Certificate Key to export the current certificate/key pair.
• Click Generate Certificate Signing Request to renew or replace the existing certificate/key pair. The certificate signing request (CSR) is used by the Certificate Authority to generate a new certificate.
The file that you import or export must be in either a PKCS12 format or a PEM format.
For service certificate and private key configuration steps, see the “Configuring a Service Certificate and
Private Key” section on page 13-32.
Step 8
Click Submit.
Configuring a Service Certificate and Private Key
To configure a service certificate and private key, follow these steps:
Step 1
To generate a self-signed certificate and private key (see Figure 13-17), follow these steps:
Figure 13-17 Self-Signed Certificate and Private Key
a. Check the Mark private key as exportable check box to export this certificate/key in the WAAS Central Manager and device CLI later.
b. Fill in the certificate and private key fields.
Step 2
To import an existing certificate or certificate chain and, optionally, private key (see Figure 13-18), follow these steps:
Note
The WAAS SSL feature only supports the RSA signing/encryption algorithm and keys.
Figure 13-18 Importing Existing Certificate or Certificate Chain
a. Check the Mark private key as exportable check box to export this certificate/key in the WAAS Central Manager and device CLI later.
b. To import an existing certificate or certificate chain and private key, perform one of the following:
• Upload the certificate and key in PKCS#12 format (also known as Microsoft PFX format)
• Upload the certificate and private key in PEM format
• Paste the certificate and private key PEM content
If the certificate and private key are already configured, you can update the certificate only. In this case, the Central Manager constructs the certificate and private key pair using the imported certificate and the current private key. This functionality can be used to update an existing self-signed certificate to one signed by the Certificate Authority, or to update an expiring certificate.
The Central Manager allows importing a certificate chain consisting of an end certificate, which must be specified first, followed by a chain of intermediate CA certificates (each signing the end certificate or the preceding intermediate CA certificate), and ending with a root CA certificate.
The Central Manager validates the chain and rejects it if a CA certificate in the chain has expired or if the certificates in the chain are not in signing order.
c. Enter a pass-phrase to decrypt the private key, or leave this field empty if the private key is not encrypted.
Step 3
To export a configured certificate and private key (see Figure 13-19), follow these steps:
Figure 13-19 Export Certificate and Key
a. Enter the encryption pass-phrase.
b. Export the current certificate and private key in either PKCS#12 or PEM format. In the case of PEM format, both the certificate and the private key are included in a single PEM file.
Note
The Central Manager will not allow exporting the certificate and private key if the certificate and key were marked as non-exportable when they were generated or imported.
Step 4
To generate a certificate signing request from a current certificate and private key (see Figure 13-20), follow these steps:
Figure 13-20 Generate Certificate Signing Request
To update the current certificate with one signed by the Certificate Authority:
a. Generate a PKCS#10 certificate signing request.
b. Send the generated certificate signing request to the Certificate Authority to generate and sign the certificate.
c. Import the certificate received from the Certificate Authority using the Importing existing certificate and optionally private key option.
Note
The size of the key for a generated certificate request is the same as the size of the key in the
current certificate.
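Two acceptance decisions in this section are worth checking before an import or a rollout: the chain ordering and CA expiry rules the Central Manager enforces on an imported certificate chain (Step 2 above), and the OCSP revocation outcome under the Ignore OCSP failures setting from the SSL Global Settings window. The following is an added example, not Cisco code: certificates are modelled as dicts with subject, issuer and expiry fields rather than parsed X.509 objects, and the CA names and dates are constructed (hr.analog.com is the common name shown in Figure 13-14).

```python
"""Pre-import checks modelled on the WAAS guide: an imported chain must
list the end certificate first, each certificate must be signed by the next,
the chain must end with a root CA, and no CA certificate may be expired;
plus the OCSP decision with the Ignore OCSP failures option.
Added example, not Cisco code; certificate records are constructed."""
from datetime import date


def validate_chain(chain, today):
    """Return a list of problems; an empty list means the chain would be
    accepted.  chain is a list of dicts with 'subject', 'issuer' and
    'not_after' (a datetime.date), in the order end cert, intermediates, root."""
    problems = []
    if not chain:
        return ["empty chain"]
    # Expiry is checked for CA certificates only: the guide says an
    # expiring end certificate may be replaced through this same import.
    for i, cert in enumerate(chain):
        if i > 0 and cert["not_after"] < today:
            problems.append("CA certificate expired: " + cert["subject"])
    # Signing order: certificate i must be issued by certificate i+1.
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            problems.append("signing order broken between %s and %s"
                            % (chain[i]["subject"], chain[i + 1]["subject"]))
    root = chain[-1]
    if root["subject"] != root["issuer"]:
        problems.append("chain does not end with a root CA (self-signed)")
    first = chain[0]
    if len(chain) > 1 and first["subject"] == first["issuer"]:
        problems.append("end certificate must be first, not a root CA")
    return problems


def ocsp_accept(status, ignore_failures):
    """status is 'good', 'revoked' or 'no-response' (no definite answer).
    Returns True when the revocation check counts as passed: a revoked
    certificate never passes, and an indefinite answer passes only when
    Ignore OCSP failures is enabled."""
    if status == "good":
        return True
    if status == "revoked":
        return False
    return bool(ignore_failures)


if __name__ == "__main__":
    end = {"subject": "hr.analog.com", "issuer": "Example Intermediate CA",
           "not_after": date(2013, 1, 1)}
    inter = {"subject": "Example Intermediate CA", "issuer": "Example Root CA",
             "not_after": date(2015, 1, 1)}
    root = {"subject": "Example Root CA", "issuer": "Example Root CA",
            "not_after": date(2020, 1, 1)}
    print(validate_chain([end, inter, root], date(2012, 6, 1)))   # []
    print(validate_chain([root, inter, end], date(2012, 6, 1)))   # root-first bundle
```

The reversed bundle (root first) is the common mistake when a CA hands back a chain in the opposite order; running the check locally gives a specific reason instead of a generic rejection. Enabling Ignore OCSP failures trades availability for the ability to detect a revoked server key while the responder is unreachable, so leave it off unless responder outages are a known problem.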
Working with Cipher Lists
Cipher lists are sets of cipher suites that you can assign to your SSL acceleration configuration. A cipher
suite is an SSL encryption method that includes the key exchange algorithm, the encryption algorithm,
and the secure hash algorithm.
To configure a cipher list, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Cipher Lists.
The SSL Cipher Lists window appears (see Figure 13-21).
Note
For a WAAS Express device, the SSL Cipher Lists window shows the same name and cipher
fields but in a slightly different format.
Figure 13-21 SSL Cipher Lists Window
Step 3
Click Create to add a new cipher list.
The Creating New SSL Cipher List window appears (see Figure 13-22).
Note
For a WAAS Express device, click Add Cipher List to add a new cipher list.
Figure 13-22
Creating New SSL Cipher List Window
Step 4
Type a name for your cipher list in the Cipher List Name field.
Step 5
Click Add Cipher to add cipher suites to your cipher list.
Note
For a WAAS Express device, select the ciphers you wish to add. Skip to Step 12.
Step 6
Choose the cipher suite that you want to add in the Ciphers field.
Note
If you are establishing an SSL connection to a Microsoft IIS server, do not select a DHE-based cipher suite.
Step 7
Choose the priority for the selected cipher suite in the Priority field.
Note
When SSL peering service is configured, the priority associated with a cipher list on a core
device takes precedence over the priority associated with a cipher list on an edge device.
Step 8
Click Add to include the selected cipher suite on your cipher list, or click Cancel to leave the list as it is.
Step 9
Repeat Step 5 through Step 8 to add more cipher suites to your list as desired.
Step 10
(Optional) To change the priority of a cipher suite, check the cipher suite check box and then use the up
or down arrow buttons located below the cipher list to prioritize.
Note
The client-specified order for ciphers overrides the cipher list priority assigned here if the cipher
list is applied to an accelerated service. The priorities assigned in this cipher list are only
applicable if the cipher list is applied to SSL peering and management services.
Step 11
(Optional) To remove a cipher suite from the list, check the cipher suite’s box and then click Delete.
Step 12
Click Submit when you are done configuring the cipher list.
Note
For a WAAS Express device, click OK to save the cipher list configuration.
SSL configuration changes will not be applied on the device until the security license has been
enabled on the device.
Working with Certificate Authorities
The WAAS SSL acceleration feature allows you to configure the Certificate Authority (CA) certificates
used by your system. You can use one of the many well-known CA certificates that is included with
WAAS or import your own CA certificate.
To manage your CA certificates, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Certificate Authorities.
The SSL CA Certificate List window appears (see Figure 13-23).
Note
For a WAAS Express device, the SSL CA Certificate List window shows the same Name, Issued
To, Issuer, Expiry Date fields but in a slightly different format.
There is also an Aggregate Settings field configurable as Yes or No. To finish the procedure for
WAAS Express, skip to Step 4.
Figure 13-23
SSL CA Certificate List Window
Step 3
Add one of the preloaded CA certificates that is included with WAAS as follows:
a.
Click Well-known CAs.
b.
Choose the pre-existing CA certificate you want to add and click Import. The CA certificate that
you selected is added to the list on the SSL CA Certificate List display.
Step 4
Add your own CA certificate as follows:
a.
Click Create. The Creating New CA Certificate window appears (see Figure 13-24).
Note
For a WAAS Express device, click Add CA to add your own CA certificate. Enter the name
and the URL, then click Get CA Certificate. Skip to Step 6.
Figure 13-24
Creating New CA Certificate Window
b.
Type a name for the certificate in the Certificate Name field.
c.
(Optional) Type a description of the CA certificate in the Description field.
d.
Choose disabled in the Revocation check drop-down list to disable OCSP revocation of certificates
signed by this CA. Check the Ignore OCSP failures check box to mark revocation check successful
if the OCSP revocation check failed.
e.
Add the certificate information by choosing one of the following methods:
– Upload PEM File
If you are uploading a file, it must be in a Privacy Enhanced Mail (PEM) format. Browse to the
file that you want to use and click Upload.
– Paste PEM Encoded Certificate
If you are pasting the CA certificate information, paste the text of the PEM format certificate
into the Paste PEM Encoded certificate field.
– Get CA Certificate using SCEP
This option automatically configures the certificate authority using the Simple Certificate
Enrollment Protocol (SCEP). If you are using the automated certificate enrollment procedure, enter
the CA URL and click Get Certificate. The contents of the certificate are displayed in text and PEM
formats.
To complete the automated certificate enrollment procedure, you must configure the SSL auto
enrollment settings in the “SSL Auto Enrollment” section on page 13-40.
f.
Click Submit to save your changes.
Step 5
(Optional) To remove a Certificate Authority from the list, select it and then click the Delete icon located
in the toolbar.
Step 6
Click Submit when you are done configuring the CA certificate list.
Note
For a WAAS Express device, click OK to save the CA certificate configuration.
SSL Auto Enrollment
The WAAS SSL acceleration feature allows you to enroll certificates automatically for a device (or
device group) using SCEP. Once the CA certificate has been obtained, the SSL auto enrollment settings
must be configured.
Note
You must configure the applicable certificate authority before configuring auto enrollment settings.
To configure SSL auto enrollment settings, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Security > SSL > Auto Enrollment.
The SSL Auto Enrollment Settings window appears (see Figure 13-25).
Figure 13-25
SSL Auto Enrollment Settings Window
Step 3
Configure the following CA settings:
• CA URL
• CA—Select the appropriate CA from the list
• Challenge Password
Note
CA, CA URL, and challenge password settings are mandatory for enabling SSL auto enrollment.
Step 4
Configure the following Certificate Signing Request settings:
• Common Name
• Organization and Organization Unit
• Location, State, and Country
• Email-Id
Step 5
Configure the key size: 512, 768, 1024, 1536, or 2048
Step 6
Check the Enable Enroll box.
Step 7
Click Submit.
You can then check the enrollment status in the Machine Certificate section on the SSL Global Settings
page and on the Alerts page.
Configuring SSL Management Services
SSL management services are the SSL configuration parameters that affect secure communications
between the Central Manager and the WAE devices (see Figure 13-14 on page 13-30). The
certificate/key pairs used are unique for each WAAS device, and so SSL management services can only
be configured for individual devices, not device groups.
To configure SSL management services, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Security > Management Service.
The Management Services window appears (see Figure 13-26).
Figure 13-26
SSL Management Services Window
Step 3
In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3
protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both
SSL3 and TLS1 SSL protocols.
Note
Management service SSL version and cipher settings configured for the WAAS Central Manager
are also applied to SSL connections between the WAAS Central Manager and the browser of the
user.
Primary and standby Central Managers must share a common management service version or
cipher list. Changing the management service version and cipher list settings may result in a loss
of connectivity between primary Central Manager and standby Central Manager and WAE
devices.
Table 13-3 shows the cipher lists supported with Internet Explorer and Mozilla Firefox:
Table 13-3
Cipher Lists Supported with Internet Explorer and Mozilla Firefox
Cipher                              Internet Explorer        Firefox
dhe-rsa-with-aes-256-cbc-sha        Supported in IE7/Vista   Supported
rsa-with-aes-256-cbc-sha            Supported in IE7/Vista   Supported
dhe-rsa-with-aes-128-cbc-sha        Supported in IE7/Vista   Supported
rsa-with-aes-128-cbc-sha            Supported in IE7/Vista   Supported
dhe-rsa-with-3des-ede-cbc-sha       Not enabled by default   Supported
rsa-with-3des-ede-cbc-sha           Not enabled by default   Supported
rsa-with-rc4-128-sha                Supported                Supported
rsa-with-rc4-128-md5                Supported                Supported
dhe-rsa-with-des-cbc-sha            Not Supported            Not enabled by default
rsa-export1024-with-rc4-56-sha      Supported                Not enabled by default
rsa-export1024-with-des-cbc-sha     Supported                Not enabled by default
dhe-rsa-export-with-des40-cbc-sha   Not Supported            Not Supported
rsa-export-with-des40-cbc-sha       Not Supported            Not Supported
rsa-export-with-rc4-40-md5          Supported                Supported
Note
Both Mozilla Firefox and Internet Explorer support the SSLv3 and TLSv1 protocols; however,
TLSv1 may not be enabled by default, so you need to enable it in your browser.
Configuring ciphers or protocols that are not supported in your browser will result in connection
loss between the browser and the Central Manager. If this occurs, configure the Central Manager
management service SSL settings to the default in the CLI to restore the connection.
Some browsers, such as Internet Explorer, do not correctly handle a change of SSL version and
cipher settings on the Central Manager, which can result in the browser showing an error page
after submitting changes. If this occurs, reload the page.
Step 4
In the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration. See the “Working
with Cipher Lists” section on page 13-35 for additional information.
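As an added example that is not part of the Cisco guide, the following Python script audits a cipher list written in the naming style of Table 13-3, together with the SSL version choice, before they are applied to a management or peering service. The sample list, the audit rules and the browser-support check are this example's own; the Firefox support set is taken from the "Supported" entries of Table 13-3.

```python
"""Audit a WAAS-style cipher list and SSL version choice before applying them.
Added example, not Cisco code: names follow the style of Table 13-3; the sample
list and the audit rules are this example's own."""
import re
from dataclasses import dataclass

# Constructed sample list, in the priority order an operator might have built it.
SAMPLE_CIPHER_LIST = [
    "dhe-rsa-with-aes-256-cbc-sha",
    "rsa-with-aes-128-cbc-sha",
    "rsa-with-3des-ede-cbc-sha",
    "rsa-with-rc4-128-md5",
    "rsa-export1024-with-rc4-56-sha",
    "dhe-rsa-export-with-des40-cbc-sha",
]

# Suites Table 13-3 marks "Supported" (not merely "not enabled by default") in Firefox.
FIREFOX_SUPPORTED = {
    "dhe-rsa-with-aes-256-cbc-sha", "rsa-with-aes-256-cbc-sha",
    "dhe-rsa-with-aes-128-cbc-sha", "rsa-with-aes-128-cbc-sha",
    "dhe-rsa-with-3des-ede-cbc-sha", "rsa-with-3des-ede-cbc-sha",
    "rsa-with-rc4-128-sha", "rsa-with-rc4-128-md5", "rsa-export-with-rc4-40-md5",
}

# <key exchange>-with-<bulk cipher>-<mac>, e.g. dhe-rsa-with-aes-128-cbc-sha
CIPHER_RE = re.compile(r"^(?P<kx>[a-z0-9-]+?)-with-(?P<bulk>[a-z0-9-]+)-(?P<mac>sha|md5)$")


@dataclass(frozen=True)
class Finding:
    cipher: str
    issues: tuple  # empty tuple means the suite passed the audit

    @property
    def weak(self) -> bool:
        return bool(self.issues)


def parse_cipher(name: str):
    """Split a suite name into (key exchange, bulk cipher, MAC)."""
    m = CIPHER_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    return m.group("kx"), m.group("bulk"), m.group("mac")


def audit_cipher(name: str) -> Finding:
    """Flag export-grade key exchange, DES/40-bit, RC4, 3DES and MD5 components."""
    kx, bulk, mac = parse_cipher(name)
    issues = []
    if "export" in kx:
        issues.append("export-grade key exchange")
    if bulk.startswith(("des40", "des-")):
        issues.append("single DES / 40-bit key")
    if bulk.startswith("rc4"):
        issues.append("RC4 stream cipher")
    if bulk.startswith("3des"):
        issues.append("3DES (64-bit block)")
    if mac == "md5":
        issues.append("MD5 MAC")
    return Finding(name, tuple(issues))


def audit_cipher_list(names):
    """Return (keep, drop): suites kept in original priority order, rejected suite -> reasons."""
    findings = [audit_cipher(n) for n in names]
    keep = [f.cipher for f in findings if not f.weak]
    drop = {f.cipher: f.issues for f in findings if f.weak}
    return keep, drop


def usable_in_browser(ciphers, supported):
    """Kept suites the admin browser can negotiate; empty means the lockout the guide warns of."""
    return [c for c in ciphers if c in supported]


def ssl_version_warning(version: str):
    """Page choices are SSL3, TLS1 and All; only TLS1 excludes SSLv3 (deprecated by RFC 7568)."""
    v = version.strip().upper()
    if v not in {"SSL3", "TLS1", "ALL"}:
        raise ValueError(f"unknown SSL version choice: {version!r}")
    return None if v == "TLS1" else f"{v} enables SSLv3; choose TLS1"
```

Running audit_cipher_list(SAMPLE_CIPHER_LIST) keeps the two AES suites and rejects the other four with their reasons; checking the kept list against FIREFOX_SUPPORTED before submitting avoids the browser lockout described in the note above.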
Configuring SSL Peering Service
SSL peering service configuration parameters control secure communications established by the SSL
accelerator between WAE devices while optimizing SSL connections (see Figure 13-14 on page 13-30).
The peering service certificate and private key are unique for each WAAS device and can only be
configured for individual devices, not device groups.
To configure SSL peering service, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name.
Step 2
Choose Configure > Security > Peering Service.
The Peering Service window appears (see Figure 13-27).
Note
For a WAAS Express device, the Peering Service window shows a subset of the fields in the
standard Peering Service window in a slightly different format.
Cipher list Priority setting and Disable revocation check of peer certificates option are not
applicable to WAAS Express.
Figure 13-27
SSL Peering Service Window
Step 3
In the SSL Version field, choose the type of SSL protocol to use, or choose Inherited to use the SSL
protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose TLS1
for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL
protocols.
Note
For a WAAS Express device, only SSL3 and TLS1 are supported for the SSL Version.
Step 4
To enable verification of peer certificates, check the Enable Certificate Verification check box. If
certificate verification is enabled, WAAS devices that use self-signed certificates will not be able to
establish peering connections to each other and, thus, will not be able to accelerate SSL traffic.
Step 5
Check the Disable revocation check for this service check box to disable OCSP certificate revocation
checking.
Note
For a WAAS Express device, this option is not applicable.
Step 6
In the Cipher List pane, choose a list of cipher suites to be used for SSL acceleration between the WAE
device peers, or choose Inherited to use the cipher list configured in SSL global settings.
Note
For a WAAS Express device, the list of cipher suites to be used for SSL acceleration is shown
in the Cipher List pane.
See the “Working with Cipher Lists” section on page 13-35 for additional information.
Step 7
Click Submit.
Note
For a WAAS Express device, SSL configuration changes will not be applied on the device until
the security license has been enabled on the device.
Using SSL Accelerated Services
After you have enabled and configured SSL acceleration on your WAAS system, you must define at least
one service to be accelerated on the SSL path. To configure SSL accelerated services, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > SSL Accelerated Services.
Step 3
To delete an accelerated service, select the service and click Delete.
Step 4
Click Create to define a new accelerated service. A maximum of 128 accelerated services are allowed.
The Basic SSL Accelerated Services Configuration window appears (see Figure 13-28).
Figure 13-28
SSL Accelerated Services—Basic Window
Step 5
Type a name for the service in the Service Name field.
Step 6
To enable this accelerated service, check the In service check box.
Step 7
To enable client version rollback check, check the Client version rollback check check box.
Enabling the client version rollback check does not allow connections with an incorrect client version to
be optimized.
Step 8
(Optional) Type a description of the service in the Description field.
Step 9
From the Server drop-down list, choose IP Address, Hostname, or Domain as the SSL service endpoint
type. Type the server IP address, hostname, or domain of the accelerated server. Use the keyword Any
to specify any server IP address. A maximum of 32 IP addresses, 32 hostnames, and 32 domains are
allowed.
Note
Hostname and domain server address types are supported only when using WAAS software
version 4.2.x or later. Server IP address keyword Any is supported only when using WAAS
Software version 4.2.x or later.
Step 10
Type the port associated with the service to be accelerated. Click Add to add each address. If you specify
a server hostname, the Central Manager resolves the hostname to the IP address and adds it to the Server
IP/Ports table.
Step 11
Click Delete to remove an IP address from the list.
Step 12
Choose a certificate and key pair method (see Figure 13-29).
Figure 13-29
Configuring Service Certificate and Private Key
• Click Generate Self-signed Certificate Key to have the WAAS devices use a self-signed
certificate/key pair for SSL.
• Click Import Existing Certificate Key to upload or paste an existing certificate/key pair.
• Click Export Certificate Key to export the current certificate/key pair.
• Click Generate Certificate Signing Request to renew or replace the existing certificate/key pair.
The certificate signing request (CSR) is used by the Certificate Authority to generate a new
certificate.
The file that you import or export must be in either a PKCS12 format or a PEM format.
For service certificate and private key configuration steps, see the “Configuring a Service Certificate and
Private Key” section on page 13-32.
Note
If you change the certificate or key for an existing SSL accelerated service, you must uncheck
the In service check box and click Submit to disable the service, then wait 5 minutes and check
the In service check box and click Submit to reenable the service. Alternatively, at the WAE,
you can use the no inservice SSL accelerated service configuration command, wait a few
seconds, and then use the inservice command. If you are changing the certificate or key for
multiple SSL accelerated services, you can restart all accelerated services by disabling and then
reenabling the SSL accelerator.
Step 13
Click the Advanced Settings tab to configure SSL parameters for the service. The Advanced SSL
Accelerated Services Configuration window appears (see Figure 13-30).
Figure 13-30
SSL Accelerated Services—Advanced Window
Step 14
(Optional) In the SSL version field, choose the type of SSL protocol to use, or choose Inherited to use
the SSL protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose
TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1
SSL protocols.
Step 15
(Optional) In the Cipher List field, choose a list of cipher suites to be used for SSL acceleration between
the WAE device peers, or choose Inherited to use the cipher list configured in SSL global settings. For
more information, see the “Working with Cipher Lists” section on page 13-35.
Step 16
(Optional) To set the Online Certificate Status Protocol (OCSP) parameters for certificate revocation,
follow these steps:
a.
To enable client certificate verification, check the Verify client certificate check box.
b.
Check the Disable revocation check for this service check box to disable OCSP client certificate
revocation checking.
c.
To enable server certificate verification, check the Verify server certificate check box.
d.
Check the Disable revocation check for this service check box to disable OCSP server certificate
revocation checking.
Note
If the server and client devices are using self-signed certificates and certificate verification is
enabled, WAAS devices will not be able to accelerate SSL traffic.
Step 17
Click Submit when you have finished configuring the SSL accelerated service.
Creating a New Traffic Optimization Policy
Table 13-4 provides an overview of the steps that you must complete to create a new traffic optimization
policy.
Table 13-4
Checklist for Creating a New Optimization Policy
Task: 1. Prepare for creating an optimization policy.
Additional Information and Instructions: Provides the tasks you need to complete before creating a new
optimization policy on your WAAS devices. For more information, see the “Preparing to Create an
Optimization Policy” section on page 13-49.
Task: 2. Create an application definition.
Additional Information and Instructions: Identifies general information about the application you want
to optimize, such as the application name and whether the WAAS Central Manager collects statistics
about this application. For more information, see the “Creating an Application Definition” section on
page 13-50.
Task: 3. Create an optimization policy.
Additional Information and Instructions: Determines the type of action your WAAS device or device
group performs on specific application traffic. This step requires you to do the following:
• Create application class maps that allow a WAAS device to identify specific types of traffic. For
example, you can create a condition that matches all traffic going to a specific IP address.
• Specify the type of action your WAAS device or device group performs on the defined traffic. For
example, you can specify that WAAS should apply TFO and LZ compression to all traffic for a
specific application.
For more information, see the “Creating an Optimization Policy” section on page 13-51.
Preparing to Create an Optimization Policy
Before you create a new optimization policy, complete the following preparation tasks:
• Review the list of optimization policies on your WAAS system and make sure that none of these
policies already cover the type of traffic you want to define. To view a list of the predefined policies
that come bundled with the WAAS system, see Appendix A, “Predefined Optimization Policy.”
• Identify a match condition for the new application traffic. For example, if the application uses a
specific destination or source port, you can use that port number to create a match condition. You
can also use a source or destination IP address for a match condition.
• Identify the device or device group that requires the new optimization policy. We recommend you
create optimization policies on device groups so the policy is consistent across multiple WAAS
devices.
Creating an Application Definition
The first step in creating an optimization policy is to set up an application definition that identifies
general information about the application, such as the application name and whether you want the WAAS
Central Manager to collect statistics about the application. You can create up to 255 application
definitions on your WAAS system.
To create an application definition, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Configure > Acceleration > Applications.
The Applications window appears, which displays a list of all applications on your WAAS system. It also
lists the device or device group from which it gets the settings. From this window, you can perform the
following tasks:
• Select an application and click the Edit icon in the task bar to modify it, or click the Delete icon in
the task bar to delete it.
• Determine if your WAAS system is collecting statistics on an application. The Enable Statistics
column displays Yes if statistics are being collected for the application.
• Create a new application as described in the steps that follow.
Click the Add Application icon in the taskbar. The Application window appears.
Step 2
Enter a name for this application.
The name cannot contain spaces and special characters.
Step 3
(Optional) Enter a comment in the Comments field.
The comment you enter appears in the Applications window.
Step 4
Check the Enable Statistics check box to allow the WAAS Central Manager to collect data for this
application. To disable data collection for this application, uncheck this box.
The WAAS Central Manager GUI can display statistics for up to 25 applications and 25 class maps. An
error message is displayed if you try to enable more than 25 statistics for either. However, you can use
the WAAS CLI to view statistics for all applications that have policies on a specific WAAS device. For
more information, refer to the Cisco Wide Area Application Services Command Reference.
If you are collecting statistics for an application and decide to disable statistics collection, then reenable
statistics collection at a later time, the historical data will be retained, but a gap in data will exist for the
time period when statistics collection was disabled. An application cannot be deleted if there is an
optimization policy using it. However, if you delete an application that you had collected statistics for,
then later recreate the application, the historical data for the application will be lost. Only data since the
recreation of the application will be displayed.
Note
The WAAS Central Manager does not start collecting data for this application until you finish
creating the entire optimization policy.
Step 5
Click OK.
The application definition is saved and is displayed in the application list.
Creating an Optimization Policy
After you create an application definition, you need to create an optimization policy that determines the
action a WAAS device takes on the specified traffic. For example, you can create an optimization policy
that makes a WAAS device apply TCP optimization and compression to all application traffic that travels
over a specific port or to a specific IP address. You can create up to 512 optimization policies on your
WAAS system.
The traffic matching rules are contained in the application class map. These rules, known as match
conditions, use Layer 2 and Layer 4 information in the TCP header to identify traffic.
To create an optimization policy, follow these steps:
Step 1
From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups >
device-group-name).
Step 2
Choose Configure > Acceleration > Optimization Policies.
The Optimization Policies window appears. (See Figure 13-31.)
Note
For a WAAS Express device, the Optimization Policies window shows a subset of the fields in
the standard Optimization Policies window.
Enable Service Policy option, DSCP option, and the Protocol column in the list of policy rules
are not applicable to WAAS Express.
Figure 13-31
Optimization Policies Window
This window displays information about all optimization policies that reside on the selected device or
device group and the position of each policy. The position determines the order in which WAAS refers
to that policy when determining how to handle application traffic. To change the position of a policy, see
the “Modifying the Position of an Optimization Policy” section on page 13-59. This window also
displays the class map, source and destination IP addresses, source and destination ports, protocol,
application, action, and accelerate assigned to each policy.
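As an added example that is not Cisco code, the following Python models the position-ordered evaluation described above: each policy carries a class map of match conditions (source/destination address and port) and an action, the lowest matching position decides, and a helper flags policies that an earlier position shadows so they can never fire. The field names, action labels and sample policies are assumptions of the example.

```python
"""First-match evaluation of WAAS-style optimization policies (added example, not
Cisco code). Each policy has a position, a class map of match conditions
(source/destination address, source/destination port) and an action; the lowest
matching position decides. Field names, action labels and policies are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClassMap:
    """Match conditions; None means 'any'. Networks are in CIDR notation."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bool:
        return (
            (self.src_net is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net))
            and (self.dst_net is None or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net))
            and (self.src_port is None or self.src_port == src_port)
            and (self.dst_port is None or self.dst_port == dst_port)
        )

    def covers(self, other: "ClassMap") -> bool:
        """True if every flow `other` matches is also matched by self (so `other` is shadowed)."""
        def net_covers(a, b):
            return a is None or (b is not None and ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a)))
        def port_covers(a, b):
            return a is None or a == b
        return (net_covers(self.src_net, other.src_net) and net_covers(self.dst_net, other.dst_net)
                and port_covers(self.src_port, other.src_port) and port_covers(self.dst_port, other.dst_port))


@dataclass(frozen=True)
class Policy:
    position: int
    application: str
    class_map: ClassMap
    action: str  # constructed labels, e.g. "tfo-lz" or "passthrough"


# Constructed sample: the Branch-Web policy sits behind a broader HTTP policy.
SAMPLE_POLICIES = [
    Policy(20, "Intranet-DB", ClassMap(dst_net="10.1.0.0/16"), "passthrough"),
    Policy(10, "HTTP", ClassMap(dst_port=80), "tfo-lz"),
    Policy(30, "Branch-Web", ClassMap(dst_net="10.1.2.0/24", dst_port=80), "tfo-dre-lz"),
]


def first_match(policies, src_ip, dst_ip, src_port, dst_port) -> Optional[Policy]:
    """Walk policies in position order; the first whose class map matches decides the action."""
    for policy in sorted(policies, key=lambda p: p.position):
        if policy.class_map.matches(src_ip, dst_ip, src_port, dst_port):
            return policy
    return None


def shadowed(policies):
    """Applications whose policy can never fire because an earlier position already covers it."""
    ordered = sorted(policies, key=lambda p: p.position)
    return [later.application for i, later in enumerate(ordered)
            if any(earlier.class_map.covers(later.class_map) for earlier in ordered[:i])]


if __name__ == "__main__":
    hit = first_match(SAMPLE_POLICIES, "192.168.1.5", "10.1.2.9", 51000, 80)
    print(hit.application, hit.action)            # HTTP tfo-lz: position 10 wins over Branch-Web
    print("shadowed:", shadowed(SAMPLE_POLICIES))  # ['Branch-Web']
```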