Cisco WAAS, My favorite Cisco Product




A guide on WCCP Interception

Hi Guys!

The Cisco WAAS is my favorite Cisco product, there I said it. No, it is true, I think it’s the best thing since sliced bread. It works INCREDIBLY well, as evidenced by a video (http://www.youtube.com/watch?v=wHOw1E8Npmo) I made a while ago showing just how good this product is.

I am so disappointed that this product is not part of CCIE DC, because it is just an incredible product that deserves more attention!

Anyway, I am getting quite a few deployments of it recently, and in order to enjoy the benefits of WAAS, it has to be able to intercept! In the article below I attempt to cover some of the common methods of interception.

The interception methods can basically be boiled down to three separate methods. I am not going to go through the full detail of every single one here, but hopefully a bit more than the actual Cisco documentation itself! For the most definitive guide on WAAS I have ever seen, go ahead and get yourself these books (please use my links below if you enjoy my blog, as this way I will get an Amazon gift card and can buy myself some more drum stuff :))






Interception Methods:

  • Inline Interception
  • WCCP Interception
  • Policy-based routing interception

In this article I am going to assume you know the basics of these interception methods; this is more of a “gotchas” article to help explain some of the more difficult aspects.

Inline Interception

This method of interception is the simplest to deploy and is recommended whenever possible. It involves inserting the WAAS in the path between your WAN and LAN at an office (so, for example, between the uplink of your switch and your router).

A few quick pointers that might help you with inline interception:

  • The link light for an inline interface (LAN or WAN) will NOT come up unless both the WAN and LAN links are plugged in.
  • The inline interface supports full offline passthrough, so you really don’t have to worry about the device being a single point of failure.
  • If you can’t see any inline interfaces, make sure you have set your interception method on your WAE with:

    interception-method inline

  • You can exclude particular VLANs from being intercepted with:

    interface InlineGroup 1/0
     no inline vlan 200

    (200 here is the ID of whichever VLAN you wish to exclude from interception.)

Inline itself is fairly straightforward. Make sure that, where possible, the interface is gigabit, and ensure that no duplex mismatches are occurring; otherwise you will actually get WORSE performance!

WCCP Interception

WCCP interception is by far the most potentially complicated. WCCP has a few restrictions that you should know about before continuing:

  • ASAs do NOT support WCCP for services 61 and 62, only for web-proxy. I found this out the hard way and it led to lots of heartache for me.

WCCP allows you to place the WAE in an off-path location from the traffic being intercepted and allows you to support complicated topologies; this very strength, however, makes it a little complicated to configure.
There are three separate WCCP settings that you should know about, as they will directly affect your use of WCCP: the redirect (forwarding) method, the return method and the assignment method.

Let’s quickly chat about what exactly WCCP is doing for us: WCCP is a method of telling a device that, as traffic arrives on a particular interface, we want it to forward that traffic to another host instead of forwarding the traffic as per its routing table.
So how exactly can the router perform that action? How can the router redirect the traffic?

This is called the redirection method or forwarding method, and there are two basic ways the router can perform it:

L2 and GRE.


The first method, L2, simply says that as the packet comes in, I will rewrite the destination MAC to equal the MAC of the target WAE (or whatever other device is subscribed via WCCP).
This is the method you must use with hardware-based switching platforms like the 3750/3560, and in fact is the only method they support.
The GRE method can be used for more complicated topologies: in the GRE method the original packet is actually encapsulated inside a GRE packet and sent to the WAE device. This allows the packet to traverse other hops and support more complicated topologies, as you can imagine. This is the only method you can use if your WAE is not directly attached to the router or switch having WCCP interception performed on it (but we will get to that later with a super handy table :))
The picture below (from cisco.com) illustrates this concept further:


http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/images/chalktalk06200802.gif
OK, so now my packet has arrived at my WAE, I have inspected it and it looks wonderful, I have performed some optimization magic on the packet and am now ready to send it on to its actual target.
The methods we can use are called the “return” methods.
The first method, L2 return, simply changes the destination MAC of the frame back to the WCCPv2 router that sent it the traffic; the interface that the traffic is returned on must not be the same as the interface where redirection is being performed. This is the simplest method and works quite effectively, but the device must be directly connected to the router.

The second method, IP forwarding, uses the IP default gateway of the WAE to forward the return traffic. The issue with this method is if your WAE is on the same subnet as the traffic being redirected, because as the traffic is returned, the router will look up the details in WCCP and re-forward the traffic back to the WAE again; therefore this method is only suitable if the WAE is on its own dedicated subnet.

The third and final method is Generic GRE, or WCCP GRE encapsulated traffic. (The only difference between WCCP GRE and Generic GRE is that Generic GRE needs a bit more setup on the router, but is also done in hardware on SOME platforms; the table below will help illustrate when to use Generic GRE over WCCP GRE.)

In this method, just like in the original forwarding GRE method, the traffic is encapsulated inside a GRE header. This method supports the most complicated topologies.

The final configuration item for WCCP is the assignment method. WCCP supports multiple devices attached to the same router in order to provide load balancing and redundancy, but this is beyond the scope of this document and will not be detailed here. All you need to know in simpler deployments for WAAS is that some platforms only support MASK assignment if you want the load balancing done in hardware (which obviously you do).

Please note the terminology and syntax used here apply to WAAS version 5.0 and above.

| Device and Topology | Interception Method | Assignment Method | Redirect Method | Return Method | Redirect Exclude In? | Service 61 and 62 Locations |
|---|---|---|---|---|---|---|
| WAE (any WAE, vWAAS, WAE module or appliance) is on its own dedicated subnet which is directly connected to the router, using an ISR software series router (ISR, ISR G2) | WCCP | Mask or hash | Generic GRE or L2 | IP forwarding or L2 | No (unless using WAE module) | 61 on LAN in, 62 on WAN in |
| WAE (any WAE, vWAAS, WAE module or appliance) is on the same subnet as the end users/servers/accelerated traffic subnet, using an ISR software series router (ISR, ISR G2) | WCCP | Mask or hash | Generic GRE | WCCP-GRE | No (unless using WAE module) | 61 on WAN out, 62 on WAN in |
| WAE (any WAE, vWAAS, WAE module or appliance) is on a dedicated subnet, more than a hop away from the clients being accelerated, and the actual router being configured for WCCP is more than a hop away, using a software series router (ISR, ISR G2) | WCCP | Mask or hash | Generic GRE | WCCP-GRE | No (unless using WAE module) | 62 on WAN in, 61 on LAN in |
| Any WAE on the same subnet as the traffic being accelerated, with a hardware-based router (ASR 1000 for example) or a Catalyst 3750/4500 switch | NOT SUPPORTED | N/A | N/A | N/A | N/A | |
| Any WAE on a dedicated subnet, directly connected to the same router that is performing WCCP redirection, with a hardware-based router (ASR 1000) | WCCP | Mask ONLY | L2 | IP forwarding | No | 61 on LAN in, 62 on WAN in |
| Any WAE on a dedicated subnet, directly connected to the same switch that is performing WCCP redirection, with a hardware-based switch (Catalyst 3750) | WCCP | Mask ONLY | L2 | IP forwarding | No | 61 on LAN in, 62 on WAN in |
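Two rows of the table carried through to working configuration, as an added example that is not part of the original post and not taken from Cisco's documentation. Case A is the first row (WAE on a dedicated subnet directly connected to an ISR: GRE redirect, IP-forwarding return, hash or mask assignment); case B is the last row (Catalyst 3750: L2 redirect with mask assignment, which is what the hardware requires). Interface names, addresses, the ACL name WAE-HOSTS and the service-group password are constructed placeholders. The WAE side uses the WAAS 5.x `wccp tcp-promiscuous service-pair` submode that the post's 5.0-and-above terminology refers to; the exact submode keywords are assumed from that release, so check them against your own WAE before pasting.

```cisco
! ===== Case A: ISR G2 (software router), WAE on its own dedicated subnet =====
! Router side (IOS). Constructed example addressing:
!   Gi0/0 = LAN (users, 10.1.10.0/24), Gi0/1 = WAN, Gi0/2 = dedicated WAE subnet 10.1.99.0/24
!
! Service groups 61/62 with a group-list ACL (only the listed WAEs may join the
! service group) and a service-group password (a WAE must present the same one
! to register). Without these, any host on the LAN could register itself with
! WCCP and receive redirected traffic.
ip wccp 61 group-list WAE-HOSTS password 0 WCCP-SECRET
ip wccp 62 group-list WAE-HOSTS password 0 WCCP-SECRET
!
ip access-list standard WAE-HOSTS
 permit 10.1.99.10
!
interface GigabitEthernet0/0
 description LAN LINK
 ip address 10.1.10.1 255.255.255.0
 ! service 61 catches client-to-server traffic arriving from the LAN
 ip wccp 61 redirect in
!
interface GigabitEthernet0/1
 description WAN LINK
 ip address 192.0.2.1 255.255.255.252
 ! service 62 catches server-to-client traffic arriving from the WAN
 ip wccp 62 redirect in
!
interface GigabitEthernet0/2
 description WAE SUBNET
 ip address 10.1.99.1 255.255.255.0
 ! no redirect is applied here, so no "ip wccp redirect exclude in" is needed
 ! (matches the "No" in the table row)
!
! WAE side (WAAS 5.x CLI, applied on the WAE at 10.1.99.10)
wccp router-list 1 10.1.99.1
wccp tcp-promiscuous service-pair 61 62
 router-list-num 1
 password WCCP-SECRET
 assignment-method hash
 redirect-method gre
 egress-method ip-forward
 enable
!
! ===== Case B: Catalyst 3750 (hardware switch), WAE on a dedicated VLAN =====
! Switch side: hardware redirection needs L2 forwarding and mask assignment,
! and the WAE must sit on this switch, one hop away, on its own VLAN (Vlan99).
! The WAE-HOSTS ACL is the same standard ACL as in case A.
ip wccp 61 group-list WAE-HOSTS password 0 WCCP-SECRET
ip wccp 62 group-list WAE-HOSTS password 0 WCCP-SECRET
!
interface Vlan10
 description LAN SVI (users)
 ip address 10.1.10.1 255.255.255.0
 ip wccp 61 redirect in
!
interface GigabitEthernet1/0/1
 description WAN LINK (routed port)
 no switchport
 ip address 192.0.2.1 255.255.255.252
 ip wccp 62 redirect in
!
interface Vlan99
 description WAE VLAN
 ip address 10.1.99.1 255.255.255.0
!
! WAE side for case B: only the redirect and assignment methods change
wccp router-list 1 10.1.99.1
wccp tcp-promiscuous service-pair 61 62
 router-list-num 1
 password WCCP-SECRET
 assignment-method mask
 redirect-method l2
 egress-method ip-forward
 enable
```

The `group-list` ACL and the service-group `password` are the two knobs that stop an arbitrary host from joining service groups 61/62 and having user traffic redirected to it, so treat them as mandatory rather than optional. On the router or switch, `show ip wccp 61 detail` shows which WAEs have registered and which forwarding and assignment methods were negotiated; if the WAE shows up with hash assignment on a 3750, the redirection is not happening in hardware, which is exactly the situation the table's "Mask ONLY" entries warn about.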

For more esoteric based configurations, see the helpful document from Cisco below:


Policy Based Routing

So let’s say for some reason you cannot do WCCP or inline; your only remaining option is policy-based routing. Policy-based routing has a few restrictions but will work as an absolute last resort.
You must ensure that your WAE is directly connected to the device you are performing the next-hop manipulation on. The WAE must be on a dedicated subnet; it cannot be on the same subnet as the users you are accelerating.
To configure policy-based routing, you would do something like the following (the next-hop address is the IP of your WAE, shown here as a placeholder):

    ip access-list extended redirect
     permit tcp any any
    !
    route-map redirect permit 50
     match ip address redirect
     set ip next-hop <WAE-IP-ADDRESS>
    !
    interface FastEthernet0/1
     description LAN LINK
     ip policy route-map redirect
    !
    interface FastEthernet0/0
     description WAN LINK
     ip policy route-map redirect
    !

The configuration above will get the traffic redirected to your WAE; the WAE will then return the traffic via its default gateway.

I hope these tables and configuration options help someone out there!


Again, I cannot recommend the WAAS book by Cisco Press enough!


2 comments:

  1. Great post. Never realized inline was an option. Thanks for the clarification on some of these other points. I'm not a WAAS expert but have to touch them every now and again.

