Configuring Cisco WAAS on a SRE
Overview
In an earlier blog post, I had installed Cisco UCS on a Services Ready Engine (SRE).
The SRE is just a server inside an Integrated Services Router (ISR); in our case, it is an SRE-900 in a 3945 Generation 2 ISR. One of the available software packages to install on the SRE is Cisco’s very own WAAS. WAAS stands for Wide Area Application Services and accelerates traffic through TCP flow optimization, data redundancy elimination, compression, SSL optimization, and application-level optimization for web, email, and file sharing. Check this page for Cisco’s diagrams and details on how WAAS does this. Now that you know what WAAS is and how it runs on an SRE, let’s get into the configuration.
Understanding the SRE Interfaces
The SRE has three interfaces — two are internal (on the router backplane) and one is external:

| Number in Diagram | SM-SRE Interface | Interface Numbering |
|---|---|---|
| 1 | Service-Module Interface to Router | SMx/0 |
| 2 | Service-Module Interface to MGF | SMx/1 |
| 3 | External Interface | Application Dependent |
The MGF interface is not supported in WAAS, so just forget he’s there. You can use the external interface for management; we tried, but the layer 3 link between our router and the switch to which the WAAS interface connected caused a loop preventing acceleration.
Installing the WAAS Software
This section assumes you have a new SRE with no WAAS software on it at all. If you are just upgrading WAAS, you can use the Central Manager or the WAAS CLI instead of these steps. First, verify that the router is running IOS 15.0(1)M1 or later. Cisco recommends 15.0(1)M3 as of this writing. To download the latest WAAS software, navigate to Cisco’s downloads section. You’ll see two versions of the software; the NPE version stands for Non-Payload Encryption and is for use in countries where disk encryption is not permitted. Once you’ve downloaded the zip file, copy it to an FTP server and extract it. Six files will be extracted:
- WAAS-4.2.1-K9.bin.srebootloader (Boot Loader)
- WAAS-4.2.1-K9.bin.install.sre.header (TCL file signature)
- WAAS-4.2.1-K9.bin.install.sre (TCL file)
- WAAS-4.2.1-K9.bin (WAAS package)
- WAAS-4.2.1-K9.key (WAAS application key)
- WAAS-4.2.1-K9.installer
Now, configure the networking on the router for the SRE:
interface SM1/0
description WAAS
ip unnumbered Vlan1
service-module ip address 192.168.13.15 255.255.255.0
service-module ip default-gateway 192.168.13.1
ip route 192.168.13.15 255.255.255.255 SM1/0
Note that if you’re using the external interface on the WAAS, instead of “service-module ip address x.x.x.x y.y.y.y” use “service-module external ip address x.x.x.x y.y.y.y”. With the configuration above you won’t be able to manage the SRE using the “service-module sm1/0 session” command as we didn’t configure the backplane to talk to the SRE. Instead, you’ll be able to access the service-module using telnet or SSH.
Next, install the software on the SRE:
Router# service-module sm1/0 install url ftp://username:passwd@ftpserver/directory/waas-accelerator-4.2.3.9-k9.bin
As the install progresses (about 10-15 minutes total), you can verify the status by executing “service-module sm1/0 status”.
Configuring the WAAS SRE
If you set up IP addresses to allow backplane communication, then execute “service-module sm1/0 session” to gain access to the WAAS SRE. Otherwise, telnet/SSH to the IP address you defined (in our case, 192.168.13.15). The first time you log in, the username is “admin” and the password is “default”. Once you’re in, execute these commands:
restore factory-default
device mode application-accelerator
!
hostname clt-waas
central-manager address 192.168.0.239
!
! Note: use Gi1/0 if using internal interface, otherwise use Gi2/0 if using external interface:
interface GigabitEthernet 1/0
ip address 192.168.13.15 255.255.255.0
!
primary-interface GigabitEthernet 1/0
ip default-gateway 192.168.13.1
!
ip name-server 192.168.10.2
ip domain-name varrow.com
ntp server 192.5.41.41
clock timezone EST -5 0
!
clear license Transport
license add Enterprise
!
cms enable
Now the SRE is configured. If it can’t reach the Central Manager, it’ll hang for a few minutes until it times out. Execute “show ip route” on the WAAS to make sure it has the correct default-gateway. Also run some pings and telnets to make sure you have connectivity between the WAAS and the Central Manager. You should be able to log in to your Central Manager now and see the WAAS SRE under My Devices.
Configuring WCCP
For our deployment, we configured the default method: WCCP GRE Redirect along with Hash assignment. We entered the following configuration on the WAAS SRE:
wccp router-list 1 192.168.13.1
wccp tcp-promiscuous router-list-num 1
wccp version 2
egress-method negotiated-return intercept-method wccp
Next, we needed to identify which traffic to accelerate. We entered these commands on the ISR:
! define the access-list for traffic to omit from acceleration and traffic to permit for acceleration
ip access-list extended WAAS-Traffic_RemotetoDC
remark WAAS WCCP Mgmt Redirect List - Bidirectional
remark Deny VoIP Control Traffic
deny tcp any any eq 1300
deny tcp any any eq 2428
deny tcp any any eq 2000
deny tcp any any eq 2001
deny tcp any any eq 2002
deny tcp any any eq 2443
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 5060
deny tcp any any range 11000 11999
remark Deny MGT Traffic
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq 8443
remark Deny Routing
deny tcp any any eq bgp
remark Deny Authentication Traffic
deny tcp any any eq tacacs
remark Accelerate All Traffic Over WAN
permit tcp any any
! note that we opted to accelerate all traffic going back to the DC (permit tcp any any)
Once we defined which traffic to accelerate, we enabled WCCP globally on the router:
ip wccp 61 redirect-list WAAS-Traffic_RemotetoDC
ip wccp 62 redirect-list WAAS-Traffic_RemotetoDC
Finally, we enabled WCCP on the relevant layer 3 interfaces where client-server traffic flow is expected. Note below that on the branch router, WCCP 61 is applied to the LAN interface. This will be swapped at the data center side where WCCP 61 will be applied to the WAN interface. Only complete this step once the aforementioned steps have been completed on the neighboring WAAS SRE.
interface GigabitEthernet0/1
description LAN
ip wccp 61 redirect in
!
interface Serial0/1/0
description T1 to Data Center
ip wccp 62 redirect in
!
interface Serial0/0/0.100 point-to-point
description MPLS to Data Center
ip wccp 62 redirect in
If you log in to the Central Manager, it should now show traffic that is being accelerated.
On the data center side, we created one access-list to define acceleration traffic and will add subnets to it as we add WAAS accelerators to remote sites:
ip access-list extended WAAS-Traffic_DCtoRemote
remark WAAS WCCP Mgmt Redirect List - Bidirectional
remark Deny VoIP Control Traffic
deny tcp any any eq 1300
deny tcp any any eq 2428
deny tcp any any eq 2000
deny tcp any any eq 2001
deny tcp any any eq 2002
deny tcp any any eq 2443
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 5060
deny tcp any any range 11000 11999
remark Deny MGT Traffic
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq 8443
remark Deny Routing
deny tcp any any eq bgp
remark Deny Authentication Traffic
deny tcp any any eq tacacs
remark Accelerate CLT Office to Data Center
permit tcp 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
permit tcp 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
permit tcp 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
permit tcp 192.168.13.0 0.0.0.255 192.168.0.0 0.0.0.255
remark Accelerate Data Center to CLT Office
permit tcp 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
permit tcp 192.168.0.0 0.0.0.255 192.168.11.0 0.0.0.255
permit tcp 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
permit tcp 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
!
ip wccp 61 redirect-list WAAS-Traffic_DCtoRemote
ip wccp 62 redirect-list WAAS-Traffic_DCtoRemote
!
interface GigabitEthernet0/1
description Data Center LAN
ip wccp 62 redirect in
!
interface Serial0/0/0
description T1 to CLT Office
ip wccp 61 redirect in
!
interface Serial0/1/0.100 point-to-point
description MPLS to CLT Office
ip wccp 61 redirect in
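An added example (not part of the original post and not Cisco code): a small Python evaluator for the subset of extended-ACL syntax used in the redirect-lists above, for checking which flows WCCP would hand to the WAAS before you apply the list. It assumes first-match evaluation with an implicit deny, and that a port operator written after the destination tests the destination port only, so the reply packets of an excluded session (source port 22, for instance) still match a later permit. The names `parse_acl`, `redirected` and `ACL_TEXT` are made up for this sketch.

```python
import ipaddress

NAMED_PORTS = {"telnet": 23, "bgp": 179, "tacacs": 49}  # IOS keywords used on this page

# Constructed excerpt of the WAAS-Traffic_DCtoRemote list shown above
ACL_TEXT = """
remark Deny MGT Traffic
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any range 11000 11999
remark Accelerate CLT Office to Data Center and back
permit tcp 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
permit tcp 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(toks):  # consume 'any' or 'network wildcard' from the token list
    first = toks.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return _ip(first), _ip(toks.pop(0))

def parse_acl(text):
    """Parse the 'permit|deny tcp src dst [eq p | range a b]' subset."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue  # remarks and blank lines
        action, _proto = toks.pop(0), toks.pop(0)
        src, dst = _addr(toks), _addr(toks)
        if toks and toks[0] not in ("eq", "range"):
            raise ValueError("unsupported port operator: " + toks[0])
        ports = [NAMED_PORTS.get(t) or int(t) for t in toks[1:]]
        lo, hi = (ports[0], ports[-1]) if ports else (0, 65535)
        rules.append((action, src, dst, lo, hi))
    return rules

def _match(addr, spec):  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def redirected(rules, src, sport, dst, dport):
    """First match wins, implicit deny last; sport is never tested by these entries."""
    for action, s, d, lo, hi in rules:
        if _match(src, s) and _match(dst, d) and lo <= dport <= hi:
            return action == "permit"
    return False
```

Calling `redirected(parse_acl(ACL_TEXT), "192.168.0.20", 22, "192.168.10.5", 50000)` shows the server-to-client half of an SSH session being matched by the permit, even though the client-to-server half is denied.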
Conclusion
And that’s all there is to it! Needless to say, we could have tweaked the configuration to accelerate only certain protocols or only traffic destined for certain subnets. My next post will detail how to deploy vWAAS, a VM acting as Central Manager.
– Andrew
About this entry
You’re currently reading “Configuring Cisco WAAS on a SRE,” an entry on Andrew Travis's Blog
- Published: March 30, 2011 / 9:14 am
- Category: Cisco
- Tags: Cisco, cisco waas, isr, sre, waas, wan acceleration
