Cisco Wide Area Application Services Configuration Guide OL-26579-01
Preface

This preface describes who should read the Cisco Wide Area Application Services Configuration Guide, how it is organized, and its document conventions.
Chapter | Title | Description
Chapter 4 | Configuring AppNav | Describes how to configure your WAAS network using the AppNav deployment model.
Chapter 5 | Configuring Traffic Interception | Describes the WAAS software support for intercepting all TCP traffic in an IP-based network.
Chapter 6 | Configuring Network Settings | Describes how to configure interfaces and basic network settings like DNS and CDP.
Chapter | Title | Description
Chapter 18 | Configuring SNMP Monitoring | Describes how to configure SNMP traps, recipients, community strings and group associations, user security model groups, and user access permissions.
Appendix A | Predefined Optimization Policy | Lists the predefined applications and classifiers that WAAS will either optimize or pass through based on the policies that are provided with the system.
Appendix B | Transaction Log Format | Describes the transaction log format.
Tip: Means the following information will help you solve a problem. Tips might not be troubleshooting or even an action, but could help you save time.
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
REVIEW DRAFT—CISCO CONFIDENTIAL

CHAPTER 1
Introduction to Cisco WAAS

This chapter provides an overview of the Cisco WAAS solution and describes the main features that enable WAAS to overcome the most common challenges in transporting data over a wide area network.

Note: Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network.
Cisco WAAS helps enterprises meet the following objectives:
• Provide branch office employees with LAN-like access to information and applications across a geographically distributed network.
• Migrate application and file servers from branch offices into centrally managed data centers.
• Minimize unnecessary WAN bandwidth consumption through the use of advanced compression algorithms.
Table 1-1 Cisco WAAS Solution (continued)

WAN Issue | WAAS Solution
Poor link utilization | TCP optimization features improve network throughput by reducing the number of TCP errors sent over the WAN and maximizing the TCP window size that determines the amount of data that a client can receive at one time.
• Establishes an optimized connection with the branch WAE. If the data center WAE has optimization disabled, then an optimized connection will not be established and the traffic passes over the network unoptimized. In an AppNav deployment, an AppNav Controller intercepts the traffic in the data center and distributes it to a WAAS node that establishes an optimized connection with the branch WAE.
• BIC TCP

Windows Scaling

Windows scaling allows the receiver of a TCP packet to advertise that its TCP receive window can exceed 64 KB. The receive window size determines the amount of space that the receiver has available for unacknowledged data. By default, TCP headers limit the receive window size to 64 KB, but Windows scaling allows the TCP header to specify receive windows of up to 1 GB.
BIC TCP

Binary Increase Congestion (BIC) TCP is a congestion management protocol that allows your network to recover more quickly from packet loss events. When your network experiences a packet loss event, BIC TCP reduces the receiver’s window size and sets that reduced size as the new value for the minimum window.
contains application proxies that can respond to messages locally so that the client does not have to wait for a response from the remote server. The application proxies use a variety of techniques including caching, command batching, prediction, and resource prefetch to decrease the response time of remote applications.
• Video—Accelerates Windows Media live video broadcasts that use RTSP over TCP. The video accelerator automatically splits one source video stream from the WAN into multiple streams to serve multiple clients on the LAN. The video accelerator automatically causes a client requesting a UDP stream to do a protocol rollover to use TCP (if both the client and server allow TCP).
• Prepositioning—Allows system administrators to proactively “push” frequently used files from the central file server into the cache of selected WAEs, which provides users with faster first-time file access, and makes more efficient use of available bandwidth. Prepositioning is supported only by the CIFS application accelerator.
These services eliminate the need for a separate hardware print server in the branch office. WAAS print services are available for Windows clients and work with any IP-based network printer.

Virtualization

The WAAS software allows you to configure a virtual blade, which allows you to add services running in their own operating environments to your WAAS system.
Note: You cannot enable optimization and application acceleration services on a WAE that has been configured as a WAAS Central Manager. The purpose of the WAAS Central Manager is to configure, monitor, and manage the WAEs in your network.
Note: A user must log off the Central Manager to end a session. If a user closes the browser or connection without logging off, the session is not closed until after it times out (in 10 minutes by default, up to a possible maximum of 120 minutes).
• Menu bar—The top level contains menus that allow you to choose the context. The lower level contains menus that group the WAAS Central Manager functions available within the chosen context. For more information, see the “WAAS Central Manager Menus” section on page 1-14.
• Taskbar—Contains labeled icons that perform various functions depending on the content shown in the dashboard.
• Entity name—The first menu in the lower level of the menu bar shows the name of the chosen device group, device, AppNav Cluster, or location.
• Context menus—The top level of the menu bar contains menus that allow you to switch easily to any entity in any context.
Table 1-2 Menu Descriptions

Menu | Description
Dashboard or Device, Device group, AppNav Cluster, or Location name | In the global context, allows you to go to the dashboard for your WAAS network.
Configure | Allows you to configure WAAS services and settings.
Monitor | Allows you to see network traffic and other charts and reports to monitor the health and performance of your WAAS network.
Table 1-3 Taskbar Icon Descriptions (continued)

Taskbar Icon | Function
Devices and Device Group Icons
(Activate All Inactive Devices) | Activates all the inactive WAAS and WAAS Express devices in your WAAS network. For more information, see the “Activating All Inactive WAAS Devices” section on page 1-34.
Table 1-3 Taskbar Icon Descriptions (continued)

Taskbar Icon | Function
(Delete All) | Deletes all WAAS elements of a particular type, such as IP ACL conditions.
(Display All Devices) | Displays all WAE devices or device groups.
(Configure Dashboard Display) | Allows you to choose which charts to display in the Device Dashboard window.
In some situations, you might need to use the WAE Device Manager GUI to perform certain tasks. For example, starting, stopping, and restarting the CIFS accelerator service can only be performed from the WAE Device Manager GUI and not from the WAAS Central Manager GUI. For more information about the tasks you can perform from the WAE Manager, see Chapter 1, “Using the WAE Device Manager GUI.
• EXEC mode—For setting, viewing, and testing system operations. This mode is divided into two access levels: user and privileged. To use the privileged access level, enter the enable command at the user access level prompt, then enter the privileged EXEC password when you see the password prompt.
Autodiscovery of WAAS Devices

Cisco WAAS includes an autodiscovery feature that enables WAEs to automatically locate peer WAEs on your network. After autodiscovering a peer device, the WAEs can terminate and separate the LAN-to-WAN TCP connections and add a buffering layer to resolve the differing speeds.
Optimized Read and Write Caching

The common file services feature in Cisco WAAS maintains files locally, close to the clients. Changes made to files are immediately stored in the local branch WAE, and then streamed to the central file server. Files stored centrally appear as local files to branch users, which improves access performance.
Inline Interception Support

Direct inline traffic interception is supported on WAEs with a Cisco WAE Inline Network Adapter or Interface Module installed. Inline interception of traffic simplifies deployment and avoids the complexity of configuring WCCP or PBR on the routers. An inline WAE transparently intercepts traffic flowing through it or bridges traffic that does not need to be optimized.
Because the software must perform each disk write operation against two disk drives, the filesystem write performance may be affected.
• Disk Hot-Swap Support—WAAS for RAID-1 allows you to hot-swap the disk hardware. RAID-5 also allows you to hot-swap the disk hardware after the RAID array is shut down. For the disk removal and replacement procedures for RAID systems, see Chapter 1, “Maintaining Your WAAS System.
CHAPTER 1
Planning Your WAAS Network

This chapter describes general guidelines, restrictions, and limitations that you should be aware of before you set up your Wide Area Application Services (WAAS) network.

Note: Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE and WAVE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS, and vWAAS instances.
• Mesh deployments—In a mesh deployment, any location may host both clients and servers and the clients may access any number of local or remote servers.
• Hierarchical deployments—In a hierarchical deployment, the servers are located in multiple regional, national data centers and are accessed by the different clients.
• For security purposes, plan to change the predefined password for the predefined superuser account immediately after you have completed the initial configuration of a WAE. For more information, see “WAAS Login Authentication and Authorization” section on page 1-26.
• Determine if you need to create any additional administrative accounts for a WAAS device.
• Determine the major applications for your WAAS network. Verify whether the predefined application definition policies cover these applications and whether you should add policies if your applications are not covered by these predefined policies. For a list of the predefined application definition policies, see Appendix 1, “Predefined Optimization Policy.
• Windows Network Integration
• UNIX Network Integration
• CIFS-Related Ports in a WAAS Environment
• Firewalls and Directed Mode
• Firewalls and Standby Central Managers
• Performance Tuning for High WAN Bandwidth Branch Offices

Windows Network Integration

To successfully integrate WAAS devices into the Windows environment, you might need to make certain preparations on b
UNIX Network Integration

Before the initial configuration of a WAAS device, you need to know the following parameters:
• DNS server and DNS domain.
• NIS server parameters (if applicable).
• On the data center WAE side, a browsing UID or GID with file-server directory traversal (read-only) privileges. This UID or GID, which is usually set up as a domain or service user, is required for browsing when defining coherency policies.
Some organizations close port 139 on their networks to minimize security risks associated with this port. If your organization has closed port 139 for security reasons, you can configure your WAAS network to bypass port 139.
About Autoregistration and WAEs

Autoregistration automatically configures network settings and registers WAEs with the WAAS Central Manager device. On startup, devices running WAAS software (with the exception of the WAAS Central Manager device itself) automatically discover the WAAS Central Manager device and register with it. You do not need to manually configure the device.
• Domain-name (option 15)
• Domain-name-servers (option 6)
• Host-name (option 12)

In contrast, interface-level DHCP requires only subnet-mask (option 1) and routers (option 3) for an offer to be considered valid; domain-name (option 15), domain-name-servers (option 6), and host-name (option 12) are optional.
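The following added example (not part of the Cisco guide) parses the options field of a DHCP offer and reports which of the options named above are missing for each mode. The sample offers are constructed, and treating options 1 and 3 as also required for autoregistration is an assumption, because the start of that list is not shown on this page.

```python
# Added example: audit a DHCP offer's options against the rules described above.
# Option layout (RFC 2132): code byte, length byte, data; 0 = pad, 255 = end.
import ipaddress

PAD, END = 0, 255

OPTION_NAMES = {
    1: "subnet-mask",
    3: "routers",
    6: "domain-name-servers",
    12: "host-name",
    15: "domain-name",
}

# Interface-level DHCP: only options 1 and 3 are required (stated on the page).
INTERFACE_REQUIRED = frozenset({1, 3})
# Autoregistration: options 15, 6 and 12 are listed on the page; including
# 1 and 3 here is an assumption (the beginning of the list is cut off).
AUTOREG_REQUIRED = frozenset({1, 3, 6, 12, 15})


def parse_options(raw):
    """Return {code: data} for a raw DHCP options field, rejecting truncation."""
    opts = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(raw):
            raise ValueError("option %d overruns the options field" % code)
        # A repeated code is concatenated (RFC 3396 long-option handling).
        opts[code] = opts.get(code, b"") + raw[start:end]
        i = end
    return opts


def _well_formed(code, data):
    """Minimal shape checks so an empty or mis-sized value counts as missing."""
    if code == 1:
        return len(data) == 4
    if code in (3, 6):
        return len(data) >= 4 and len(data) % 4 == 0
    return len(data) >= 1


def missing_options(opts, required):
    """Names of required options that are absent or malformed, ordered by code."""
    return [OPTION_NAMES[c] for c in sorted(required)
            if c not in opts or not _well_formed(c, opts[c])]


def evaluate_offer(raw):
    """Map each mode to its list of missing options (empty list = offer valid)."""
    opts = parse_options(raw)
    return {
        "interface-level": missing_options(opts, INTERFACE_REQUIRED),
        "autoregistration": missing_options(opts, AUTOREG_REQUIRED),
    }


def _opt(code, data):
    return bytes([code, len(data)]) + data


def _ip(text):
    return ipaddress.IPv4Address(text).packed


# Constructed sample offers (documentation addresses and names, not real data).
MINIMAL_OFFER = (_opt(53, b"\x02") + _opt(1, _ip("255.255.255.0"))
                 + _opt(3, _ip("192.0.2.1")) + bytes([END]))
FULL_OFFER = (_opt(53, b"\x02") + _opt(1, _ip("255.255.255.0"))
              + _opt(3, _ip("192.0.2.1")) + _opt(6, _ip("192.0.2.53"))
              + _opt(15, b"example.com") + _opt(12, b"wae-branch1")
              + bytes([END]))

if __name__ == "__main__":
    for label, offer in (("minimal", MINIMAL_OFFER), ("full", FULL_OFFER)):
        print(label, evaluate_offer(offer))
```

An offer that interface-level DHCP accepts can still leave a WAE unable to autoregister, so it is worth running this kind of check against a captured offer from each branch DHCP scope before deployment.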
If you do not have a DHCP server configured, or you have a DHCP server but do not want to use the autoregistration feature, then manually configure the following network settings with the interactive setup utility or CLI, then register the WAEs with the WAAS Central Manager device.
Unicode Support Limitations

The following are Unicode support limitations:
• Usernames cannot contain Unicode characters.
• When defining policies for coherency, and so on, you cannot use Unicode characters in the Description field.
• File server names cannot contain Unicode characters.
• DSCP/IP precedence (TOS)—Supported under WAAS because WAAS copies the settings of incoming packets on to the outgoing packets from WAAS back to the router. If the packets are not colored at connection establishment time (for TCP packets), there might be a delay in propagating the settings because WAAS does not poll these settings periodically. The packets are eventually colored properly.
periodically to identify flow changes. However, the WAAS system expects packets to appear in the sequence of packets belonging to class C1, followed by a sequence of C2, and so forth, so that a polling method is sufficient to track such dynamic changes.
WAAS Support of the Cisco IOS Provisioning, Monitoring, and Management

The Cisco IOS AutoQoS feature is supported by the WAAS software but requires additional configuration. This feature is closely connected with NBAR support because the AutoQoS feature uses NBAR to discover the various flows on the network.
• Network Address Translation (NAT) is supported. However, payload-based NAT is not supported.

WAAS and MPLS

MPLS is partially supported by the WAAS software. WCCP does not know how to operate with packets that are tagged with MPLS labels. Consequently, inside the cloud, WCCP redirection will not function (for example, WCCP redirection will not work for intermediate WAEs).
For example, after you use the WAAS CLI to specify the basic network parameters for the designated WAAS Central Manager (the WAAS device named waas-cm) and assign it a primary interface, you can use the device mode configuration command to specify its device mode as central-manager.
    wae(config)# exit
    wae# copy run start
    wae# reload
    Proceed with reload?[confirm]yes
    Proceed with clean WCCP shutdown?[confirm]yes
    WCCP clean shutdown initiated
    Waiting for shutdown ok (1 seconds) . Press ^C to skip waiting
    WCCP clean shutdown wait time expired
    Shutting down all services, will timeout in 15 minutes.
    reload in progress ..

Step 4 Log into the WAE after it has finished rebooting.
Calculating the Number of WAAS Devices Needed

When the threshold value of an operational system aspect is exceeded, Cisco WAAS may not meet its expected service level. This situation might result in degraded performance.
Supported Methods of Traffic Redirection

In a WAAS network, traffic between the clients in the branch offices and the servers in the data center can be redirected to WAEs for optimization, redundancy elimination, and compression. Traffic is intercepted and redirected to WAEs based on policies that have been configured on the routers.
You can serially cluster WAE devices (not AppNav Controllers) in inline mode to provide higher availability in the event of a device failure. If the current optimizing device fails, the second WAE device in the cluster provides the optimization services. Deploying WAE devices in a serial inline cluster for the purposes of scaling or load balancing is not supported.
router stops redirecting packets to the WAE. When you use WCCP Version 2, the branch WAE is not made a single point of failure for the WAAS services. The router or ANC can also load balance the traffic among a number of branch WAEs.
Configuring WCCP or PBR Routing for WAAS Traffic

The primary function of WAAS is to accelerate WAN traffic. In general, WAAS accelerates TCP traffic. WAAS uses a symmetric approach for application optimization. A WAE that has application-specific and network-specific intelligence is placed on each side of the WAN. These WAEs are deployed out of the data path in both the branch office and the data center.
Table 1-1 Router Interfaces for WCCP or PBR Traffic Redirection to WAEs

Router interface | Description
Edge-Router1
A | Edge LAN interface (ingress interface) that performs redirection on the outbound traffic.
B | Tertiary interface (separate physical interface) or a subinterface off of the LAN port on Edge-Router1. Used to attach Edge-WAE1 to Edge-Router1 in the branch office.
By default, the IP Protocol 6 is specified for the TCP promiscuous mode service. Consequently, the routers that have been configured to the TCP promiscuous mode service will intercept and redirect all TCP traffic destined for any TCP port to the local WAE.
Note: The WCCP GRE return and generic GRE egress methods allow you to place WAEs on the same VLAN or subnet as clients and servers. For information on configuring these egress methods, see the “Configuring Egress Methods for WCCP Intercepted Connections” section on page 1-29.
Note: IP ACLs that are applied on interfaces, and WCCP ACLs, always take precedence over any interception ACLs and WAAS application definitions that have been defined on the WAE.

Interception ACLs on WAEs

You can configure an interception ACL to control what incoming traffic across all interfaces is to be intercepted by a WAE device.
WAAS Administrator Accounts

In a centrally managed WAAS network, administrator accounts can be created for access to the WAAS Central Manager and, independently, for access to the WAEs that are registered with the WAAS Central Manager.
In smaller WAAS deployments where all WAEs can be configured with the same settings, you may only need to create one general device group. This practice allows you to configure settings for the group, then apply those settings consistently across all your WAEs.

Note: The AllWAASGroup and AllWAASExpressGroup are default device groups that automatically contain all WAAS and WAAS Express devices.
• The migration size must be less than the cache size of the branch WAE.
CHAPTER 1
Using Device Groups and Device Locations

This chapter describes the types of device groups supported by the WAAS software and how to create groups that make it easier to manage and configure multiple devices at the same time. This chapter also discusses how to use device locations.

Note: Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network.
(the default AllWAASGroup and the new device group you create). If you only want a device to belong to a device group that you create, make sure that you remove the device from the default AllWAASGroup. WAAS Express devices automatically join the default AllWAASExpressGroup device group when they are registered with the Central Manager. WAAS devices and WAAS Express devices cannot be mixed in the same device group.
Table 1-1 Checklist for Creating a Device Group (continued)

Task | Additional Information and Instructions
3. Assign devices to the device group. | Assigns devices to the group so they can inherit the group settings. For more information, see the “Assigning Devices to a Configuration Device Group” section on page 1-5.
Step 9 (Optional) Customize the menu options for this device group by completing the following steps. Use this feature to remove from view any configuration windows that you do not need for that particular device group:
a. Click the Select pages to hide from table of contents for this device group arrow. A list of windows in the WAAS Central Manager GUI appears.
b.
Step 10
Assigning Devices to a Configuration Device Group

After you create a configuration device group, you need to assign devices to the group. The WAAS Central Manager GUI provides two methods to assign devices to a configuration group. You can either select the device first, then assign a group to the device, or you can select the device group first, then assign devices to the group.
Deleting a Device Group

To delete a device group, follow these steps:

Step 1 From the WAAS Central Manager menu, choose Device Groups > device-group-name. The Modifying Device Group window appears.
Step 2 In the taskbar, click the Delete Device Group icon. You are prompted to confirm your decision to delete the device group.
Step 3 To confirm your decision, click OK.
This window displays the following information about each device group:
• Type of device group (WAAS Configuration Group or WAAS Express Configuration Group).
• Any comments that were entered when the device group was created.

From this window, you can perform the following tasks:
• Create a new device group. For more information, see the “Creating a New Device Group” section on page 1-3.
Step 2 Click the Force Group Settings icon in the taskbar. The WAAS Central Manager GUI displays the following message:
    The action will apply all settings configured for this device group to all the WAEs/WAAS Express assigned to it. Do you wish to continue?
Step 3 To force group settings across all devices in the device group, click OK.
Step 4 Click Submit.
Chapter 1 Using Device Groups and Device Locations Working with Device Locations
Note The Override Group Settings icon only appears on configuration windows that have been modified on the associated device group.
Step 4 Make the necessary changes to the configuration window, and click Submit. The device is now configured with settings that are different from the device group it belongs to.
You assign a device to a location when you activate the device as described in the “Modifying Device Properties” section on page 1-1.
Step 2 In the taskbar, click the Delete Location icon. You are asked to confirm your decision to delete the location.
Step 3 To confirm the action, click OK. The location is deleted.
Viewing the Location Tree
The location tree represents the network topology you configured when you assigned a parent to each location.
Cisco Wide Area Application Services Configuration Guide OL-26579-01
CHAPTER 1 Configuring AppNav
This chapter describes how to configure Cisco WAAS AppNav, which is a hardware and software solution that simplifies network integration of WAN optimization and overcomes challenges with provisioning, visibility, scalability, asymmetry, and high availability.
Chapter 1 Configuring AppNav Information About AppNav
• AppNav Controller Group (ANCG)—A group of AppNav Controllers within one service context that together provide the necessary intelligence for handling asymmetric flows and providing high availability. The ANCG is configured on the ANC. An ANCG can have up to eight ANCs.
• In-path—The ANC is physically placed between one or more network elements, enabling traffic to traverse a bridge group configured on the device in inline mode.
• Off-path—The ANC works with the network infrastructure to intercept traffic through the Web Cache Communication Protocol (WCCP).
The ANC provides the same features in both in-path and off-path deployments. In either case, only ANCs participate in interception from the switch or router.
Interfaces on the AppNav Controller Interface Module can have three functions:
• Interception—Used to receive traffic intercepted from the network and egress traffic to the network. The interception interface is implied based on the AppNav Controller placement and does not require explicit configuration for this function.
• Distribution—Used to distribute traffic to the WNs and receive egressed traffic from the WNs.
For example, you can use this kind of matching to classify all traffic from a peer device that serves one branch office.
• 3-tuple of source IP, and/or destination IP, and/or destination port (matches traffic from a specific application). For example, you can use this kind of matching to classify all HTTP traffic that uses port 80.
The AppNav policy is specific to each ANC, though typically all ANCs in a cluster have the same policy. Each ANC consults its AppNav policy to determine which WNG to use for a given flow. Different ANCs in a cluster can have different AppNav policies, which allows you to customize distribution in certain cases.
Figure 1-3 Flow Distribution Using Site and Application Affinity (diagram labels: Site A through Site F, WAN, AppNav Cluster, ANC-1, ANC-2, WNG-1 through WNG-4, WN-1 through WN-9; distribution labels: Site A, Site B, HTTP, SSL, Sites C, D, E, F, All other apps)
The following sections provide more details about these topics:
• Site Affinity
• Application Affinity
Site Affinity
Site affinity give
You can also identify sites using source IP addresses or subnets in the class map, if you know what IP addresses are used in the site and keep the policy configuration consistent with site IP addresses. However, we recommend that you use peer device IDs in configuring site affinity.
Note A peer ID-based class map works only for matching flows that carry the WAAS auto discovery TCP options.
Chapter 1 Configuring AppNav Prerequisites for AppNav Deployment
• epmap—Matches traffic for destination port 135
• HTTP—Matches traffic for destination ports 80, 3128, 8000, 8080, and 8088
• HTTPS—Matches traffic for destination port 443
• MAPI—Matches traffic for the MS RPC MAPI application (dynamic port assignment)
• NFS—Matches traffic for destination port 2049
• RTSP—Matches traffic for destination ports 554 and 8554
• class-default—Matches any TCP traffic (this class map cannot be edite
Chapter 1 Configuring AppNav Configuring an AppNav Cluster
– 32 WNGs
• All ANCs in an ANCG must have the same set of ANCs and WNGs in their configuration.
• All WNs in one WNG must have identical optimization policies configured on them.
• AppNav class maps and policies can be configured only at the cluster level, not at the device level, from the Central Manager. At the device level, class maps and policies may only be viewed.
3. (Optional) Configure AppNav class maps. This step is necessary only if you want to customize the default class map configuration. The system adds several default class maps that match traffic corresponding to most of the application accelerators and a class-default class map that matches all traffic. See the “Configuring AppNav Class Maps” section on page 1-19.
4. (Optional) Configure an AppNav policy.
– Configure the device mode as AppNav Controller.
– Configure the IP address and netmask of the built-in management port.
– Configure the built-in management port as the primary interface.
– Configure the other network and basic settings (default gateway, DNS, NTP server, and so forth).
– Register the device with the Central Manager by entering the Central Manager IP address.
– Configure the other network and basic settings (default gateway, DNS, NTP server, and so forth).
– Register the device with the Central Manager by entering the Central Manager IP address.
WAAS Node
Step 1 Connect a built-in Ethernet port to the switch/router port for the management interface.
Step 2 Use the device setup command to configure the following settings:
– Configure the device mode as Application Accelerator.
The following sections describe the interface configurations used by each of the four predefined deployment models.
Detailed Steps
To create a new AppNav Cluster by using the wizard, follow these steps:
Step 1 From the WAAS Central Manager menu, choose AppNav Clusters > All AppNav Clusters. The Manage AppNav Clusters window appears.
Step 2 Click the AppNav Cluster Wizard icon in the taskbar of the Manage AppNav Clusters area. The Cluster Wizard window appears.
Click Finish if you are using inline interception (and you are done) or click Next if you are using WCCP interception (and continue with the following steps for WCCP).
Step 8 (Optional) Configure the WCCP settings for the ANC. This screen does not appear if you are configuring an inline cluster. For details about configuring WCCP, see the “Configuring WCCP on WAEs” section on page 1-11.
a.
Configuring Interfaces with the Graphical Interface Wizard
You can easily configure interfaces on AppNav Controller Interface Modules that are installed in devices that are part of an AppNav Cluster by using the graphical interface wizard (see Figure 1-4).
Figure 1-4 Graphical Interface Wizard
The graphical interface wizard appears when you are editing the settings for a WN or ANC in the AppNav Cluster context.
• Create Standby—To create a new standby group with this interface. This choice displays a pane where you can configure the standby group number, description, IP address, netmask, and shutdown status.
• To PortChannel n—To add this interface to an existing port channel, where n is the port channel number.
• To Standby n—To add this interface to an existing standby group, where n is the standby group number.
– Delete Bridge n—To delete the bridge group.
Use the Cluster Interface drop-down list to select the interface to be used for intra-cluster traffic (between the ANCs and WNs). To enable swapping of client and WAAS device source IP address fields in intra-cluster traffic, check the Enable swapping of source IP address in intra-cluster traffic check box.
• Site—Matches traffic from particular WAAS peer devices, for site affinity. Continue with Step 8.
• Custom—Mixes application and site affinity. Matches traffic for a particular application from one specific peer WAAS device. Continue with Step 9.
• Any TCP—Matches any TCP traffic as a catch-all classifier. If you choose this type, there are no other fields to set. Click OK to finish and return to the class maps list.
Step 9 a. Use the filter settings in the Show drop-down list to filter the device list as needed. You can use a quick filter, show all devices, or show all assigned devices.
b. Check the box next to each device that you want to match traffic from. You can check the box next to the column titles to select all devices and uncheck it to deselect all devices. If any one of the selected devices is matched, the class is considered matched.
c.
d. Click OK to save the class map and return to the class maps configuration window.
Configuring Rules Within an AppNav Policy
To configure rules in an AppNav policy, follow these steps:
Step 1 From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2 Choose Configure > AppNav Cluster > AppNav Policies. The AppNav Policy window appears.
Step 5 From the AppNav Class-Map drop-down list, choose the class map to which this policy rule applies. If you want to edit the class map, click Edit, or if you want to create a new class map, click Create New. The workflow is the same as described in the “Configuring AppNav Class Maps” section on page 1-19.
Step 6 From the Distribute To drop-down list, choose the distribution action to apply to the class map.
b. Click the Add Policy Rule taskbar icon. A new row is added, showing fields for configuring the rule.
c. From the Class-Map drop-down list, choose the class map to which this rule applies.
d. From the Distribute To drop-down list, choose the distribution action to apply to the class map.
Step 11 Note
From the Manage AppNav Policies pane, you can perform the following tasks:
• Use the filter settings in the Show drop-down list to filter the policy list as needed. You can use a quick filter or show all policies.
• Edit a policy and configure the ANCs to which it applies by selecting it and clicking the Edit taskbar icon.
• Delete a policy by selecting it and clicking the Delete taskbar icon.
Step 9 Click OK to save the policy and return to the Manage AppNav Policies pane.
Step 10 Click Close to return to the policy configuration window.
Step 11 Add policy rules to the new policy as described in the “Configuring Rules Within an AppNav Policy” section on page 1-22.
Configuring WAAS Node Optimization Policy
The WAAS node optimization policy controls how traffic that is distributed to the WAAS nodes is optimized.
Step 4 In the Name field, enter a new name for the cluster if you want to rename it.
Step 5 (Optional) In the Description field, enter the cluster description. Use only letters and numbers, up to a maximum of 200 characters.
Step 6 (Optional) In the Authentication Key and Confirm Authentication Key fields, enter an authentication key that is used to authenticate communications between the WAAS devices in the cluster.
Step 11 d. To offload connections passed through due to an intermediate WN, check the Due to intermediate WAAS node check box. The default is checked.
e. If some of the WNs use different pass-through offload settings, you can synchronize the settings on all WNs to match the configuration shown here by checking the Synchronize settings on all devices check box. This check box is shown only if the settings on some WNs are different.
Step 8 In the graphical interface view, configure interfaces on the AppNav Controller Interface Module as needed. For details on how to use the wizard, see the “Configuring Interfaces with the Graphical Interface Wizard” section on page 1-17.
Step 9 From the Cluster Interface drop-down list, select the interface to be used for intra-cluster traffic.
Step 5 In the graphical interface view, configure interfaces on the AppNav Controller Interface Module as needed. For details on how to use the wizard, see the “Configuring Interfaces with the Graphical Interface Wizard” section on page 1-17.
Step 6 From the Cluster Interface drop-down list, select the interface to be used for intra-cluster traffic.
Adding an ANC to a Cluster
To add a new ANC to an AppNav Cluster, follow these steps:
Step 1 Configure basic device and network settings on the new ANC, and ensure that the device mode is set to appnav-controller.
Step 2 From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 3 Click the AppNav Controllers tab below the topology diagram.
Step 4 Click the Add AppNav Controller taskbar icon.
k. Click Next to save the settings and continue with the next ANC you are adding. If this is the last ANC being added, click Finish.
After a convergence waiting period of up to two minutes, the new ANCs are available in the cluster for traffic interception and distribution. Traffic interception on the new ANCs is prevented until the devices have fully joined the cluster.
Step 6 Configure the WNG and interfaces for each WN device you are adding.
a. From the WAAS Node Group drop-down list, choose the WNG to which you want to add the new WNs. The list shows defined WNGs.
b. Click Next.
c. Use the Cluster Interface Wizard graphical interface to configure the WN interfaces. For details on using this wizard, see the “Configuring Interfaces with the Graphical Interface Wizard” section on page 1-17.
d.
Chapter 1 Configuring AppNav Monitoring an AppNav Cluster
Step 5 (Optional) Power down the WN.
Adding a New WAAS Node Group to the Cluster
To add a new WNG to a cluster, follow these steps:
Step 1 From the WAAS Central Manager menu, choose AppNav Clusters > cluster-name.
Step 2 Click the WAAS Node Groups tab below the topology diagram.
Step 3 Click the Add WAAS Node Group taskbar icon. The Add WAAS Node Group pane appears.
Step 4 In the Name field, enter the name of the WNG.
Figure 1-5 AppNav Cluster Topology and Status
To zoom in or out on the topology diagram, click the + or – magnifying glass icons in the taskbar. You can also click on the diagram and drag it within the window to reposition it. To change the cluster settings, edit any of the fields below the topology diagram and click Submit. To see all ANCs, click the AppNav Controllers tab below the diagram.
• Yellow—Degraded (overloaded, joining cluster, or has other noncritical operational issues)
• Red—Critical (one or more processes is in a critical state)
• Gray—Disabled
• Black—Unknown status
The colored lines between each device show the status of the link between devices:
• Green—Operational with no error conditions
• Red—Link is down
• Black—Unknown status
An orange triangle warning indicator is shown on any device for which the
• (WN only) Optimization tab that lists the application accelerators and their status
• Alarms tab that lists pending alarms on the device
• Interfaces tab that lists the device interfaces and status. You can filter the list by choosing a filter type from the drop-down list above the interface list, entering filter criteria, and clicking the filter icon.
You can display flow distribution information from the CLI by using the show appnav-controller flow-distribution EXEC command. Another troubleshooting tool that you can use to trace connections is the WAAS Tcptraceroute tool. For details, see the “Using WAAS TCP Traceroute” section on page 1-61.
CHAPTER 1 Configuring Traffic Interception
This chapter describes how to configure interception of TCP traffic in an IP-based network, based on the IP and TCP header information and how to redirect the traffic to WAAS devices.
Chapter 1 Configuring Traffic Interception Information About Interception Methods to a local WAE can be a router using WCCP Version 2 or PBR to redirect traffic to the local WAE or a Layer 4 to Layer 7 switch (for example, the Catalyst 6500 series Content Switching Module [CSM] or Application Control Engine [ACE]). Alternately, you can intercept traffic directly by using the inline mode with a WAE that has a Cisco WAE Inline Network Adapter or Interface Module.
Chapter 1 Configuring Traffic Interception Information About WCCP Interception
If a WAE device is behind a firewall that prevents traffic optimization, you can use the directed mode of communicating between peer WAEs over the WAN. For details, see the “Configuring Directed Mode” section on page 1-27.
Information About WCCP Interception
The WAAS software uses the WCCP standard, Version 2, for redirection.
Additionally, limit the amount of bandwidth that can be received on the LAN-side interface of the router, to help the router keep its interface queues less congested and provide better performance and lower CPU utilization. Set the maximum interface bandwidth on the router to no more than 10 times the WAN bandwidth capacity.
• After enabling WCCP on the router, you must configure the TCP promiscuous mode service on the router and the WAE, as described in the Cisco Wide Area Application Services Quick Configuration Guide.
Chapter 1 Configuring Traffic Interception Configuring Advanced WCCP Features on Routers
– Each VRF instance has independent assignment, redirection, and return methods.
• In a WAAS AppNav deployment, enable WCCP only on the ANC devices that are intercepting traffic and distributing it to the optimizing WAAS nodes (WNs). Configure WNs that are part of the AppNav Cluster with the appnav-controller interception method.
Figure 1-1 Service Groups with WCCP Version 2 (diagram legend: 1 Clients requesting file services; 2 Cisco routers; 3 Branch WAEs; 4 WAE service group)
If you have a group of branch WAEs, the WAE that is seen by all the WCCP Version 2-enabled routers and that has the lowest IP address becomes the lead branch WAE.
All ports receiving redirected traffic that are configured as members of the same WCCP service group share the following characteristics:
• They have the same hash or mask parameters, as configured with the WAAS Central Manager (the “Configuring or Viewing the WCCP Settings on WAEs” section on page 1-17) or the WAAS CLI (the wccp service-number mask global configuration command).
Note When you add a new router to an existing WCCP router farm or WCCP service group, the new router will reset existing connections. Until WCCP reestablishes path redirections and assignments, packets are sent directly to the client (as expected).
The ip wccp global configuration command and the ip wccp redirect interface configuration command are the only commands required to start redirecting requests to the WAE using WCCP. To instruct an interface on the WCCP-enabled router to check for appropriate outgoing packets and redirect them to a WAE, use the ip wccp redirect interface configuration command.
Chapter 1 Configuring Traffic Interception Configuring WCCP on WAEs
The following example configures the loopback interface, exits configuration mode, and saves the running configuration to the startup configuration:
Router(config)# interface Loopback0
Router(config-if)# ip address 111.111.111.111 255.255.255.
Note In a WAAS AppNav deployment, only the ANCs are included in the service group and are load balanced by the routers. The routers do not send traffic to the optimizing WAEs (WNGs); instead, ANCs distribute traffic to the optimizing WNGs.
You can use load balancing to balance the traffic load across multiple WAEs.
Destination IP address hashing guarantees that a single WAE caches a given file server. This method, which allows a local coherency directive to be safely applied to the file server content (provided that no other collaboration on the content occurs), improves performance and WAN link and disk utilization. This method may distribute the load unevenly because of uneven activity on a file server.
(DRE) compression performance. Also, mask assignment on the Catalyst 6500 series switches uses the ACL TCAM. When combined with WCCP redirect lists, mask assignment can use a large portion of the TCAM. To minimize TCAM usage, use a mask with fewer care bits. Given these considerations, beginning with WAAS version 4.2.1, the default mask has been changed from src-ip-mask 0x1741 and dst-ip-mask 0x0 (in 4.
For example, WCCP filters the packets to determine which redirected packets have been returned from the branch WAE and which ones have not. WCCP does not redirect the ones that have been returned because the branch WAE has determined that the packets should not be processed. WCCP Version 2 returns packets that the branch WAE does not service to the same router from which they were transmitted.
a. If the WAE decides to accept the request, it sends a TCP SYN ACK packet to the client. In this response packet, the WAE uses the IP address of the original destination (origin server) that was specified as the source address so that the WAE can be invisible (transparent) to the client; it pretends to be the destination that the TCP SYN packet from the client was trying to reach.
b.
Configuring or Viewing the WCCP Settings on WAEs
This section describes how to configure or view WCCP settings on WAEs that are configured as application accelerators and are not part of an AppNav Cluster (WAEs that are part of an AppNav Cluster use only the appnav-controller interception method).
Figure 1-3 Interception Configuration Window for WAE
Step 3 Check the current settings for the chosen device:
• To keep the current settings and to close the window, click Cancel.
• To remove the current settings, click the Remove Settings taskbar icon.
• To modify the current settings, change the current setting as described in the rest of this procedure.
Step 4 From the Interception Method drop-down list, choose wccp to enable the WCCP interception method. If you change this setting from any setting other than None, you must click the Submit button to update the window with the proper fields for configuring WCCP. (The Interception Method drop-down list is not shown for devices using WAAS versions earlier than 5.0.
Step 9 (Optional) From the Assignment Method drop-down list, choose the type of WAE load-balancing assignment method to use (for more information, see the “Information About Load Balancing and WAEs” section on page 1-11):
• Choose Hash to use the hash method (the default for devices using WAAS versions earlier than 5.0). Follow Steps 10 and 11 to define how the hash works, and skip to Step 13 because the mask settings are not used.
(The Return Method drop-down list is shown only for devices using WAAS versions earlier than 5.0. For later WAAS versions, the return method is set the same as the redirect method.
By default, weights are not assigned and the traffic load is distributed evenly between the WAEs in a service group.
f. In the Password field, specify the password to be used for secure traffic between the WAEs within a cluster and the router for a specified service. Be sure to enable all other WAEs and routers within the cluster with the same password. Passwords must not exceed eight characters in length.
Figure 1-4 Interception Configuration Window for ANC
Step 3 Check the current settings for the chosen device:
• To keep the current settings and to close the window, click Cancel.
• To remove the current settings, click the Remove Settings taskbar icon.
• To modify the current settings, change the current setting as described in the rest of this procedure.
Note Ensure that the routers used in the WCCP environment are running a version of the Cisco IOS software that also supports the WCCP Version 2.
Note If you use the Central Manager to disable WCCP on a WAAS device, the Central Manager immediately shuts down WCCP and closes any existing connections, ignoring the setting configured by the wccp shutdown max-wait global configuration command.
If the WAE detects that its configured mask is not the same as advertised by one or more routers in the farm, it is not allowed to join the farm and a major alarm is raised (“Configured mask mismatch for WCCP”). This alarm can occur when a WAE is trying to join a farm that already has other WAEs and these other WAEs are configured with a different mask.
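The mask-mismatch alarm above and the guide's earlier advice to use a mask with fewer care bits can both be checked before a WAE is added to a farm. The following Python sketch is an added example, not part of the Cisco guide or of WAAS: it counts care bits, derives the bucket count, groups clients by bucket, and lists WAEs whose masks differ from the advertised pair. The function names, WAE names, client addresses and the 0xF mask are constructed for illustration; 0x1741 and 0x0 are the values quoted in this guide.

```python
"""WCCP mask assignment: care bits, bucket counts, and a farm mask check.

Added illustration. WAE names, client addresses and the 0xF mask are
constructed; 0x1741 / 0x0 are the mask values quoted in the guide.
"""
import ipaddress
from collections import defaultdict


def care_bits(mask: int) -> int:
    """Count the bits set in a 32-bit WCCP mask; each set bit is a care bit."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError(f"mask {mask:#x} does not fit in 32 bits")
    return bin(mask).count("1")


def bucket_count(src_mask: int, dst_mask: int = 0x0) -> int:
    """Every combination of care-bit values is one bucket: 2 ** (care bits)."""
    return 2 ** (care_bits(src_mask) + care_bits(dst_mask))


def bucket_of(src_ip: str, dst_ip: str, src_mask: int, dst_mask: int = 0x0):
    """Bucket key of a flow: the address bits that each mask selects."""
    src = int(ipaddress.IPv4Address(src_ip)) & src_mask
    dst = int(ipaddress.IPv4Address(dst_ip)) & dst_mask
    return (src, dst)


def group_by_bucket(clients, dst_ip, src_mask, dst_mask=0x0):
    """Group clients that share a bucket; one bucket is served by one WAE."""
    groups = defaultdict(list)
    for client in clients:
        groups[bucket_of(client, dst_ip, src_mask, dst_mask)].append(client)
    return dict(groups)


def find_mask_mismatches(advertised, configured):
    """Return the WAEs whose (src, dst) masks differ from the advertised pair.

    Per the guide, such a WAE is not allowed to join the farm and raises the
    major alarm "Configured mask mismatch for WCCP".
    """
    return sorted(name for name, masks in configured.items()
                  if masks != advertised)


# Constructed sample data.
CLIENTS = ["10.10.10.1", "10.10.10.2", "10.10.10.3", "10.10.10.65"]
SERVER = "10.10.11.5"
FARM = {"wae-a": (0x1741, 0x0), "wae-b": (0x1741, 0x0), "wae-c": (0xF, 0x0)}

if __name__ == "__main__":
    for src_mask in (0x1741, 0xF):
        print(f"src-ip-mask {src_mask:#06x}: {care_bits(src_mask)} care bits, "
              f"{bucket_count(src_mask)} buckets")
        for key, members in group_by_bucket(CLIENTS, SERVER, src_mask).items():
            print(f"  bucket src={key[0]:#06x} dst={key[1]:#x}: {members}")
    print("would be refused:", find_mask_mismatches((0x1741, 0x0), FARM))
```

Running the mismatch check against the planned configuration of every WAE catches a differing mask before the device tries to join the farm.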
Note For information about how to use the CLI to specify the service group password on a router, see the “Setting a Service Group Password on a Router” section on page 1-10.
Step 11 Click Submit to save the settings.
• The maximum wait time (specified through the Shutdown Delay field in the WCCP Configuration Settings window or with the wccp shutdown max-wait command [by default, 120 seconds]) has elapsed for WCCP Version 2.
During a clean shutdown of WCCP, the WAE continues to service the flows that it is handling, but it starts to bypass new flows.
Configuring Interception Access Control Lists
You can configure an interception ACL to control what incoming traffic across all interfaces is to be intercepted by an ANC or WAE device (on an ANC, the interception ACL is called an AppNav Controller interception ACL). Packets that are permitted by the ACL are intercepted by the device, and packets that are denied by the ACL are passed through without processing.
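To audit which flows an interception ACL leaves unprocessed, the permit and deny semantics described above can be modelled offline. The following Python sketch is an added example, not part of the Cisco guide or of WAAS: it parses a small subset of extended ACL syntax (permit or deny, tcp, any / host / address with wildcard, optional eq port) and returns the verdict for a flow. The ACL entries and the host 10.10.11.50 are constructed, the subnets are the branch and data center networks used elsewhere in this guide, and the implicit deny at the end of the list is an assumption based on usual IP ACL behavior.

```python
"""Model an interception ACL: permit -> intercept, deny -> pass-through.

Added illustration. The ACL below is constructed sample input, and the
trailing implicit deny is an assumption (usual IP ACL behavior).
"""
import ipaddress


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_ace(line: str) -> dict:
    """Parse one entry: permit|deny tcp <src> <dst> [eq <port>]."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in: {line!r}")
    if tokens.pop(0) != "tcp":
        raise ValueError(f"only tcp entries are modelled: {line!r}")
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport = None
    if tokens:
        if len(tokens) != 2 or tokens[0] != "eq":
            raise ValueError(f"unsupported trailing tokens in: {line!r}")
        dport = int(tokens[1])
    return {"action": action, "src": src, "dst": dst,
            "dport": dport, "text": line.strip()}


def parse_acl(text: str) -> list:
    """Parse a multi-line ACL, skipping blank lines and '!' comments."""
    return [parse_ace(line) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("!")]


def _matches(ip: str, spec) -> bool:
    """Wildcard match: bits set in the wildcard are ignored."""
    addr, wildcard = spec
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def decide(acl, src_ip: str, dst_ip: str, dport: int):
    """First matching entry wins; return (verdict, matching entry text)."""
    for ace in acl:
        if (_matches(src_ip, ace["src"]) and _matches(dst_ip, ace["dst"])
                and ace["dport"] in (None, dport)):
            verdict = "intercept" if ace["action"] == "permit" else "pass-through"
            return verdict, ace["text"]
    return "pass-through", "implicit deny"  # assumption, see module docstring


# Constructed sample ACL: keep one server's HTTPS out of interception,
# intercept the remaining branch-to-data-center TCP traffic.
SAMPLE_ACL = """
! constructed example
deny tcp any host 10.10.11.50 eq 443
permit tcp 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    flows = [("10.10.10.7", "10.10.11.50", 443),
             ("10.10.10.7", "10.10.11.50", 80),
             ("192.168.1.5", "10.10.11.20", 80)]
    for flow in flows:
        print(flow, "->", decide(acl, *flow))
```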
it after you submit this page. If you type in this field, the drop-down list of displayed ACLs is filtered to show only entries beginning with the entered text. This field is shown only on devices configured in appnav-controller mode. If you need to create or edit an ACL, click the Go to IP ACL link to take you to the IP ACL configuration window (this is the Configure > Network > TCP/IP Settings > IP ACL page).
The default egress method is L2. This egress method sends optimized data out through a Layer 2 connection to the router. This method is available only if the redirect method is also set to WCCP L2, and is not available on devices using WAAS versions earlier than 5.0. The router must also support Layer 2 redirect.
Note For devices with WAAS versions earlier than 5.0, WCCP Version 2 is capable of negotiating the redirect method and the return method for intercepted connections. The WAAS software supports WCCP GRE and WCCP Layer 2 as WCCP-negotiated return methods. If WCCP negotiates a WCCP Layer 2 return, the WAE defaults to using IP forwarding as the egress method.
If you have only one WAE in the farm, you can use a point-to-point tunnel; however, ensure that the router is configured with no other tunnel that has the same tunnel source as the WAE tunnel.
Note On the Catalyst 6500 series switch with the Supervisor Engine 32 or 720, do not configure more than one GRE tunnel (multipoint or point-to-point) with the same tunnel source interface; otherwise, high switch CPU load can result.
Chapter 1 Configuring Traffic Interception Using Policy-Based Routing Interception Note The tunnel interface is enabled for IP by provisioning an IP address, which allows it to process and forward transit packets. If you do not want to provision an IP address, the tunnel must be IP enabled by making it an IP unnumbered interface. This restricts the tunnel to be a point-to-point tunnel.
You can enable PBR to establish a route that goes through WAAS for some or all packets. WAAS proxy applications receive PBR-redirected traffic in the same manner as WCCP redirected traffic, as follows:
1. In the branch office, define traffic of interest on the branch office router (Edge-Router1) as follows:
a. Specify which traffic is of interest to the LAN interface (ingress interface) on Edge-Router1.
Example of Using PBR or WCCP Version 2 for Transparent Redirection of All TCP Traffic to WAEs (diagram labels: Data center (10.10.11.0/24), Branch office (10.10.10.0/24), Clients, Edge-Router1, WAN, Core-Router1, 1.1.1.100, Edge-WAE1, File servers and application servers, PBR or WCCP Version 2, points A through F, 2.2.2.
Note: The commands that are used to configure PBR on a router can vary based on the Cisco IOS release installed on the router. For information about the commands that are used to configure PBR for the Cisco IOS release that you are running on your routers, see the appropriate Cisco IOS configuration guide.
Core-Router1(config)# ip access-list extended 102
b. On Core-Router1, specify which traffic is of interest to its LAN interface:
• For example, mark any IP/TCP traffic sourced from any local device (for example, traffic sourced from any file server or application server in the data center) on any TCP port to any destination as interesting:
Core-Router1(config-ext-nacl)# permit tcp 10.10.11.0 0.0.0.
Note: The ip address command option matches the source or destination IP address that is permitted by one or more standard or extended access lists.
d. Specify how the matched traffic should be handled. In the following example, Edge-Router1 is configured to send the packets that match the specified criteria to the next hop, which is Edge-WAE1 that has an IP address of 1.1.1.
Edge-Router1(config)# interface FastEthernet0/0.10
b. Specify that the LAN router interface should use the WAAS-EDGE-LAN route map for PBR:
Edge-Router1(config-if)# ip policy route-map WAAS-EDGE-LAN
c. Enter interface configuration mode:
Edge-Router1(config-if)# interface Serial0
d.
To verify whether the WAE is CDP visible to a device that has been configured to use PBR, enter the show cdp neighbors command on the device. If the WAE is CDP visible to the device, the WAE will be listed in the output of the show cdp neighbors command.
Step 3 Configure the route map to use IP SLA tracking instance number 1 to verify the availability of the next-hop WAE (for example, the branch WAE named Edge-WAE1 that has an IP address of 1.1.1.100):
Edge-Router1(config-route-map)# set ip next-hop verify-availability 1.1.1.
Using Inline Mode Interception
Note Step 3 Enter the set ip next-hop verify-availability command for each route map that is configured on this branch office edge router and on the data center’s core router that has also been configured to use PBR to transparently redirect traffic to WAEs.
Note: When you install any inline WAE device, you must follow the cabling requirements described in the “Cabling” section of Installing the Cisco WAE Inline Network Adapter or the appropriate platform hardware guide. Any combination of traffic interception mechanisms on peer WAEs is supported. For example, you can use inline interception on the branch WAE and WCCP on the data center WAE.
Note
• WAE-674/7341/7371—Support up to two installed four-port Cisco WAE Inline Network Adapters, providing a total of eight inline ports.
• WAVE-294—Supports one installed Cisco Interface Module with 2, 4, or 8 ports.
• WAVE-594/694/7541/7571/8541—Support one installed Cisco Interface Module with 2, 4, or 8 ports or a Cisco AppNav Controller Interface Module with 4 or 12 ports.
On WAVE-294/594/694/7541/7571/8541 devices that use Cisco Interface Modules, the Interface Module ports are configured by default for normal standalone operation. If you want to use the device in inline mode, you must configure the ports for inline operation. Enabling inline mode configures all ports for inline operation and converts each pair of ports to an inline group.
Step 6 From the Failover Timeout drop-down list, choose the failover timeout (1, 5 or 25 seconds), which is the number of seconds that the interface should wait before going into bypass mode, after a device or power failure. The default is 1 second. This item appears only for WAVE devices that use Cisco Interface Modules but not for AppNav Controller Interface Modules.
Note: If you are configuring a device using a WAAS version earlier than 5.0, choose Configure > Interception > Inline > Inline Interfaces to configure inline interface settings. The configuration window looks different but has similar settings.
The Inline Interfaces window appears, listing the inline interface groups available on the device.
Step 3 Choose an inline group to configure and click the Edit taskbar icon.
Step 8 Check the Intercept all VLANs check box to enable inline interception on the interface group. Inline interception is enabled by default when the WAE contains a Cisco WAE Inline Network Adapter but must be explicitly enabled on devices with a Cisco Interface Module (see the “Enabling Inline Operation on WAEs” section on page 1-44).
Note: We strongly recommend that you do not use half-duplex connections on the WAE or on routers, switches, or other devices. Half duplex impedes performance and should not be used. Check each Cisco WAE interface and the port configuration on the adjacent device (router, switch, firewall, and WAE) to verify that full duplex is configured.
Step 1 From the WAAS Central Manager menu, choose Devices > device-name. (You cannot enable inline operation from device groups.)
Step 2 Choose Configure > Interception > Interception Configuration. The Interception Configuration window appears.
Step 3 From the Interception Method drop-down list, choose Inline to enable inline mode.
Step 4 Click Submit to enable inline mode and refresh the window with additional settings.
b. For each VLAN range that you want to include in interception, set the Select Operation Type drop-down list to Add/Include. In the Vlan Range field, enter a comma-separated list of one or more VLAN ranges to include. You can enter the word “native” to include the native VLAN.
c. For each VLAN range that you want to exclude from interception, set the Select Operation Type drop-down list to Except/Exclude.
The inline adapter supports only a single VLAN ID for each inline group interface. If you have configured a secondary address from a different subnet on an inline interface, you must have the same secondary address assigned on the router subinterface for the VLAN. Using IEEE 802.1Q tunneling increases the frame size by 4 bytes when the tag is added.
Step 5 Click Submit.
This facility for creating VLAN lists is provided so that you can configure VLAN lists globally. You do not need to use this facility to configure VLANs for an inline interface. You can configure VLANs directly in the inline interface settings window, as described in the “Configuring Inline Interface Settings on WAEs” section on page 1-46.
Disabling Peer Optimization Between Serial Inline WAEs
To disable peer optimization between WAEs in a serial cluster, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name. (You cannot configure peer settings from device groups.)
Step 2 Choose Configure > Peers > Peer Settings. The Peer Settings window appears. (See Figure 1-10.
Configuring VPATH Interception on a vWAAS Device
To disable serial peer optimization from the CLI, use the no peer device-id global configuration command. To reenable serial peer optimization, use the peer device-id global configuration command. To view the status of all serial cluster pairs registered with the Central Manager, from the WAAS Central Manager menu, choose Configure > Global > Peer Settings.
Configuring AppNav Interception
Step 4 On devices using WAAS versions earlier than 5.0, check the Enable VPATH check box to enable VPATH interception on the vWAAS device. This check box is not editable on devices using WAAS versions 5.0 or later.
Note: Only one type of interception can be enabled at a time.
Step 5 Click Submit.
To enable VPATH from the CLI, use the interception-method vn-service vpath global configuration command. The default is disabled.
CHAPTER 1
Configuring Network Settings
This chapter describes how to configure basic network settings such as configuring additional network interfaces to support network traffic, creating port channel and standby interfaces, creating bridge interfaces for virtual blades, configuring optimization on WAAS Express interfaces, specifying a default gateway and DNS servers, enabling the Cisco Discovery Protocol (CDP), and configuring the directed mode of operation where peer WAEs exchange traffic using UD
Configuring Network Interfaces
• Configuring Multiple IP Addresses on a Single Interface
• Modifying Ethernet Interface Settings
• Configuring the Default Gateway
• Configuring Port-Channel Settings
• Configuring Interfaces for DHCP
• Modifying Virtual Interface Settings for a vWAAS Device
• Configuring Optimization on WAAS Express Interfaces
• Bridging to a Virtual Blade Interfa
Configuring a Standby Interface
In this procedure, you configure a logical interface called a standby interface. After you configure this standby interface, you must associate physical or port-channel interfaces with the standby interface to create the standby group. In the WAAS Central Manager, you create the standby group by assigning two interfaces to the standby group and assigning one as primary.
Configuring a Standby Interface on a Device with Version 5.0 or Later
To configure a standby interface for devices with WAAS version 5.0 or later, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces window for the device appears. (See Figure 1-1.
Step 12 In the Assign Interfaces area, check the boxes next to the two interfaces that you want to assign to this standby group and click the Assign taskbar icon. To unassign any assigned interfaces, check each interface that you want to unassign and click the Unassign taskbar icon. If you want to have two port-channel interfaces as members of the standby group, do not assign any interfaces here.
Assigning Physical Interfaces to the Standby Group
After you have configured a logical standby interface for a device with a WAAS version earlier than 5.0, you configure the standby group by assigning physical interfaces to the standby group and setting one physical interface as the primary standby interface. The primary interface in the standby group uses the standby group IP address.
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces. The Network Interfaces listing window appears.
Step 3 Choose the physical interface that you want to modify and click the Edit taskbar icon. (For devices using WAAS versions earlier than 5.0, click the Edit icon next to the interface.) The Interface Settings window appears.
Step 5 (Optional) Check the Use CDP check box to enable the Cisco Discovery Protocol (CDP) on an interface. When enabled, CDP obtains protocol addresses of neighboring devices and discovers the platform of those devices. It also shows information about the interfaces used by your router. Configuring CDP from the CDP Settings window enables CDP globally on all the interfaces.
Step 11 (Optional) Check the Use DHCP check box to obtain an interface IP address through DHCP. Checking this box hides the IP address and Netmask fields. (For devices with WAAS versions earlier than 5.0, these fields are not hidden but become grayed out.) This configuration item is not supported on AppNav Controller Interface Module ports. Optionally supply a hostname in the Hostname field and a client ID in the Client Id field.
On WAAS devices with versions earlier than 5.0, the default gateway is configured within the interface settings for each interface.
Configuring Port-Channel Settings
The WAAS software supports the grouping of up to four (eight on AppNav Controller Interface Modules) physical network interfaces into one logical interface called a port channel.
Step 4 From the Logical Interface Type drop-down list, choose PortChannel and click OK. The window refreshes with fields for configuring the port-channel interface settings.
Step 5 From the Port Channel Number drop-down list, choose a number for the interface.
Step 6 (Optional) From the Bridge Group Number drop-down list, choose a bridge group number with which to associate this interface, or choose None.
Step 5 In the Port Channel Number drop-down list, choose the number of the port-channel interface. Up to four port channels are supported, depending on the WAAS device model and installed interface module.
Step 6 (Optional) In the Bridge Group Number drop-down list, choose the number of the bridge group to which you want to assign this port-channel interface, if you want to bridge to a virtual blade.
Step 4 Complete the following steps to assign the interface to a port channel:
a. In the Port Type To Assign drop-down list, choose PortChannel.
b. In the Port Channel Number drop-down list, choose the number of the port channel to which you want to add the physical interface.
Step 5 Click Submit.
A WAAS device sends its configured client identifier and hostname to the DHCP server when requesting network information. You can configure DHCP servers to identify the client identifier information and the hostname information that the WAAS device is sending and then to send back the specific network settings that are assigned to the WAAS device.
Note: Interface configurations for slot, port, and port type are set for virtual interfaces during initial startup or by using the WAAS CLI. Some of the fields in the window (port-channel number, autosense, speed, mode, and standby-related fields) are not available because they are not applicable.
Step 4 (Optional) In the Description field, enter a description for the interface.
Configuring Optimization on WAAS Express Interfaces
WAAS Express device interfaces are configured by using the router CLI, not through the WAAS Central Manager. However, you can enable or disable WAAS optimization on the available interfaces on the router.
Step 3 Check the Optimization check box for each interface on which you want to enable WAAS optimization. Remove check marks from interfaces on which you want to disable WAAS optimization. You can click Enable All to select all interfaces or click Disable All to deselect all interfaces. Enable WAAS optimization only on WAN interfaces, not LAN interfaces.
Step 6 From the Protocol drop-down list, choose the ieee protocol type to support a BVI.
Step 7 (Optional) In the Description field, enter a description for the interface.
Step 8 (Optional) From the Load Interval drop-down list, choose the interval in seconds at which to poll the interface for statistics and calculate throughput. The default is 30 seconds.
Step 6 Click Submit.
To create a bridge group from the CLI, you can use the bridge global configuration command. After you create the bridge group, you must create a bridge virtual interface associated with the bridge group. To create the bridge virtual interface, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Configure > Network > Network Interfaces.
Do not choose a primary interface because a primary interface cannot be assigned to a bridge group.
Step 4 (Optional) In the Description field, enter a description for the interface.
Step 5 Leave the Address and Netmask fields empty.
Step 6 If the interface is a physical interface, in the Port Type To Assign drop-down list, choose Bridge Group.
Configuring TCP Settings
Step 1 In the Management Interface Settings window, in the Management IP Routes area, click the Create Management IP Route taskbar button. The Management IP Routes window appears.
Step 2 In the Destination Network Address field, enter the destination network IP address.
Step 3 In the Netmask field, enter the destination host netmask.
Step 4 In the Gateway’s IP Address field, enter the IP address of the gateway interface.
Because of the complexities involved in TCP parameters, be careful when tuning these parameters. In nearly all environments, the default TCP settings are adequate. Fine-tuning TCP settings is for network administrators with adequate experience and full understanding of TCP operation details.
Table 1-1 TCP Settings (continued)
TCP Setting | Description
Keepalive Timeout | Length of time that the WAAS device keeps a connection open before disconnecting. The range is 1 to 120 seconds. The default is 90 seconds.
Enable Path MTU Discovery | Enables discovery of the largest IP packet size allowable between the various links along the forwarding path and automatically sets the correct value for the packet size.
sending rate. However, because the sender is not reducing its sending rate in response to network congestion, the sender is not able to make any valid assumptions about the current state of the network. Therefore, in order to avoid congesting the network with an inappropriately large burst of data, the sender implements the slow start algorithm, which reduces the sending rate to one segment per transmission.
Configuring Static IP Routes
IP Path MTU Discovery is useful when a link in a network goes down, which forces the use of another, different MTU-sized link. IP Path MTU Discovery is also useful when a connection is first being established, and the sender has no information about the intervening links.
Note: IP Path MTU Discovery is a process initiated by the sending device.
When you change the setting, you get the following confirmation message: “This option will take effect immediately and will affect the device configuration. Do you wish to continue?” Click OK to continue.
Configuring CDP Settings
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco-manufactured devices. With CDP, each device in a network sends periodic messages to all other devices in the network.
Configuring Windows Name Services
Step 2 Choose Configure > Network > DNS. The DNS Settings window appears.
Step 3 In the Local Domain Name field, enter the name of the local domain. You can configure up to three local domain names. Separate items in the list with a space.
Step 4 In the List of DNS Servers field, enter a list of DNS servers used by the network to resolve hostnames to IP addresses. You can configure up to three DNS servers.
Configuring Directed Mode
By default, WAAS transparently sets up new TCP connections to peer WAEs, which can cause firewall traversal issues when a WAAS device tries to optimize the traffic. If a WAE device is behind a firewall that prevents traffic optimization, you can use the directed mode of communicating to a peer WAE.
CHAPTER 1
Configuring Administrative Login Authentication, Authorization, and Accounting
This chapter describes how to configure administrative login authentication, authorization, and accounting for Wide Area Application Services (WAAS) devices.
About Administrative Login Authentication and Authorization
The WAAS software provides the following authentication, authorization, and accounting (AAA) support for users who have external access servers (for example, RADIUS or TACACS+ servers), and for users who need a local access database with AAA features:
• Authentication (or login authentication) is the action of determining who the user is.
Figure 1-1 Authentication Databases and a WAE
1 FTP/SFTP client
2 WAAS Central Manager GUI or WAE Device Manager GUI
3 Third-party AAA servers
4 RADIUS server
6 Windows domain server
7 Console or Telnet clients
8 SSH client
9 WAE that contains a local database and the default primary authenticat
For more information on the default AAA configuration, see the “Default Administrative Login Authentication and Authorization Configuration” section on page 1-4. For more information on configuring AAA, see the “Configuring Administrative Login Authentication and Authorization” section on page 1-5.
Configuring Administrative Login Authentication and Authorization
Table 1-1 Default Configuration for Administrative Login Authentication and Authorization (continued)
Feature | Default Value
Windows domain administrative group | There are no predefined administrative groups.
• Configuring Windows Domain Server Authentication Settings, page 1-17
Step 4 Specify one or all of the following login authentication configuration schemes that the WAAS device should use to process administrative login requests:
• Specify the administrative login authentication scheme.
• Specify the administrative login authorization scheme.
We strongly recommend that you specify the local method as the last method in your prioritized list of login authentication and authorization methods.
Figure 1-2 SSH Configuration Window
Step 3 Check the Enable check box to enable the SSH feature. SSH enables login access to the chosen WAAS device (or the device group) through a secure and encrypted channel.
• To specify Version 1, check the Enable SSHv1 check box.
• To specify Version 2, check the Enable SSHv2 check box.
Note Step 9 You can enable both SSH Version 1 and Version 2, or you can enable one version and not the other. You cannot disable both versions of SSH unless you disable the SSH feature by unchecking the Enable check box. (See Step 3.
If you try to exit this window without saving the modified settings, a warning dialog box prompts you to submit the changes. This dialog box only appears if you are using the Internet Explorer browser.
Configuring Exec Timeout Settings for WAAS Devices
To centrally configure the length of time that an inactive Telnet session remains open on a WAAS device or device group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
A message appears that explains that if a null-modem cable that has no carrier detect pin wired is being used, the WAE may appear unresponsive on the console until the carrier detect signal is asserted. To recover from a misconfiguration, the WAE should be rebooted and the 0x2000 bootflag should be set to ignore the carrier detect setting.
RADIUS authentication usually occurs when an administrator first logs in to the WAAS device to configure the device for monitoring, configuration, or troubleshooting purposes. RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time.
Note: If you configure a RADIUS key on the WAAS device (the RADIUS client), make sure that you configure an identical key on the external RADIUS server. Do not use the following characters: space, backwards single quote (`), double quote ("), pipe (|), or question mark (?).
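The recommendation to keep the local method last and the RADIUS key character restriction above can both be checked mechanically. The following is an added example, not part of the Cisco guide: it assumes configuration lines of the form authentication {login|configuration} <method> enable <priority>, modeled on the authentication login windows-domain enable primary command that appears in this guide; the other method and priority keywords and the sample configuration are constructed assumptions.

```python
import re

# Characters the guide says must not appear in a RADIUS key:
# space, backwards single quote, double quote, pipe, question mark.
FORBIDDEN_KEY_CHARS = ' `"|?'

# "primary" appears in the guide's CLI example; the remaining keywords are
# assumed to mirror the GUI's primary/secondary/tertiary method lists.
PRIORITY_ORDER = ["primary", "secondary", "tertiary", "quaternary"]

# Assumed line format, modeled on the guide's
# "authentication login windows-domain enable primary".
LINE_RE = re.compile(
    r"^authentication\s+(login|configuration)\s+(\S+)\s+enable\s+(\S+)$"
)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
authentication login tacacs enable primary
authentication login local enable secondary
authentication login radius enable tertiary
authentication configuration tacacs enable primary
authentication configuration local enable secondary
"""


def parse_methods(config_text):
    """Return {scheme: [methods in priority order]} for both schemes."""
    by_priority = {"login": {}, "configuration": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("no "):
            continue  # blank line or negated command: it enables nothing
        match = LINE_RE.match(line)
        if not match:
            continue  # unrelated configuration line
        scheme, method, priority = match.groups()
        if priority not in PRIORITY_ORDER:
            raise ValueError(f"unknown priority in: {line!r}")
        if priority in by_priority[scheme]:
            raise ValueError(f"duplicate {priority} {scheme} method: {line!r}")
        by_priority[scheme][priority] = method
    return {
        scheme: [slots[p] for p in PRIORITY_ORDER if p in slots]
        for scheme, slots in by_priority.items()
    }


def audit_method_order(config_text):
    """Flag schemes whose prioritized list does not end with local."""
    findings = []
    for scheme, methods in parse_methods(config_text).items():
        if not methods:
            continue  # nothing configured explicitly; device defaults apply
        if "local" not in methods:
            findings.append((scheme, "local is not in the method list"))
        elif methods[-1] != "local":
            findings.append(
                (scheme, "local is not the last method: " + " > ".join(methods))
            )
    return findings


def forbidden_chars_in_key(key):
    """Return the sorted forbidden characters present in a RADIUS key."""
    return sorted({ch for ch in key if ch in FORBIDDEN_KEY_CHARS})


if __name__ == "__main__":
    for scheme, problem in audit_method_order(SAMPLE_CONFIG):
        print(f"{scheme}: {problem}")
    print(forbidden_chars_in_key("s3cret key?"))
```
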
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time. You can configure one primary and two backup TACACS+ servers; authentication is attempted on the primary server first.
Note: This caveat applies even if the WAAS users are using TACACS+ for login authentication.
To centrally configure TACACS+ server settings on a WAAS device or device group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Configuring Windows Domain Server Authentication Settings
A Windows domain controller can be configured to control access to the WAAS software services using either a challenge/response or shared secret authentication method.
Note: Workgroup settings are only required for Windows domain authentication, not for a domain join. You may skip to workgroup settings if you are only performing a domain join.
Figure 1-5 Windows Domain Tab
Note: If the related WINS server and the workgroup or domain name have not been defined for the chosen device (or device group), an informational message is displayed at the top of this window to inform you that these related settings are currently not defined, as shown in Figure 1-5.
If the auto detection fails, you will need to check the configured domain/DNS configuration and enter them manually. The values can then be submitted. Kerberos version 5 is used for Windows systems running Windows 2000 or higher with users logging in to domain accounts.
Note: For Kerberos, skip the next step.
Step 13 Register the chosen device (or device group) with the Windows Domain Controller as follows:
a. Click the Domain Join tab. (See Figure 1-6.)
Figure 1-6 Domain Join Tab
b. In the User Name field, enter a username (the domain\username or the domain name plus the username) for the specified Windows Domain Controller.
g. To check the status of the registration request, click the Show Join Status button. The status of domain join for the device (or all of the devices in the device group) is shown. It may take a few moments for the results to be updated.
h. If the join request fails, the result is shown in the join status window.
Step 6 (Optional) Enter the administrative username and password in the Administrator Username, Password, and Confirm Password fields. It is not mandatory to enter the username and password, but in some cases, the domain controller requires them to perform the unregistration.
Step 7 Click the Leave button.
scripts might fail. Install the Certification Authority service on the Microsoft server with the server’s certificate (Programs > Administrative Tools > Certification Authority). Enable the LDAP server signing requirements property on the Microsoft server (Start > Programs > Administrative Tools > Domain Controller Security Policy).
Windows domain                   enabled (primary)
Radius                           disabled
Tacacs+                          disabled

Configuration Authentication:    Console/Telnet/Ftp/SSH Session
-----------------------------    -----------------------------
local                            enabled (primary)
Windows domain                   enabled (primary)
Radius                           disabled
Tacacs+                          disabled

The WAE is now configured to authenticate Active Directory users.
WAE# configure
WAE(config)# no authentication login windows-domain enable primary
Step 3 Disable LDAP signing on the WAE:
WAE(config)# no smb-conf section "global" name "ldap ssl" value "yes"
Enabling Administrative Login Authentication and Authorization Schemes for WAAS Devices
This section describes how to centrally enable the various administrativ
You can configure multiple TACACS+ or RADIUS servers; authentication is attempted on the primary server first. If the primary server is unreachable, then authentication is attempted on the other servers in the TACACS+ or RADIUS farm, in order.
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Security > AAA > Authentication Methods. The Authentication and Authorization Methods window appears. (See Figure 1-7.
c. From the Tertiary Login Method drop-down list, choose local, TACACS+, RADIUS, or WINDOWS. This option specifies the method that the chosen device (or the device group) should use for administrative login authentication if both the primary and the secondary methods fail.
d.
Step 8
c. From the Tertiary Configuration Method drop-down list, choose local, TACACS+, RADIUS, or WINDOWS. This option specifies the method that the chosen device (or the device group) should use to determine authorization privileges if both the primary and secondary methods fail.
d.
Configuring AAA Command Authorization
Command authorization enforces authorization through an external AAA server for each command executed by the CLI user. All commands executed by a CLI user are authorized before they are executed. RADIUS, Windows domain, and local users are not affected.
Configuring AAA Accounting for WAAS Devices
Note If you enable AAA accounting for a device, we strongly recommend that you create an IP ACL condition in the first entry position permitting access to the TACACS+ servers to avoid delay while processing the commands. For information on IP ACLs, see Chapter 1, “Creating and Managing IP Access Control Lists for WAAS Devices.
Viewing Audit Trail Logs
Table 1-2 Event Types for AAA Accounting (continued)
GUI Parameter | Function
wait-start | The WAAS device sends both a start and a stop accounting record to the TACACS+ accounting server. However, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
Do Not Set | Accounting is disabled for the specified event.
Chapter 1 Configuring Administrative Login Authentication, Authorization, and Accounting Viewing Audit Trail Logs Cisco Wide Area Application Services Configuration Guide 1-34 OL-26579-01
CHAPTER 1 Creating and Managing Administrator User Accounts and Groups
This chapter describes how to create user accounts and groups from the WAAS Central Manager GUI.
Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.
Creating and Managing User Accounts
Table 1-1 Account Type Descriptions
Account Type | Description
Roles-based account | Allows you to create accounts that manage and configure specific WAAS services. For example, you may want to delegate the configuration of application acceleration to a specific administrator.
Table 1-2 Checklist for Creating a Roles-based Administrator Account (continued)
Task | Additional Information and Instructions
3. Assign the role to the new account. | Assigns the new role to the new account. For more information, see the “Assigning a Role to a User Account” section on page 1-12.
• Viewing User Accounts, page 1-8
• Unlocking User Accounts, page 1-8
Creating a New Account
The first step in setting up an account is to create the account by specifying a username and selecting whether a local CLI account is created at the same time.
Note This window can be accessed only by users with administrator-level privileges.
Step 3 In the Username field, enter the user account name. Usernames are case sensitive and cannot contain characters other than letters, numbers, period, hyphen, and underscore.
Step 4 Complete the following steps to allow the user to access the WAE Device Manager GUI:
a.
Step 9 Assign roles to this new account as described in the “Working with Roles” section on page 1-9 and assign domains as described in the “Working with Domains” section on page 1-14.
Modifying and Deleting User Accounts
Note Modifying a user account from the CLI does not update the Centralized Management System (CMS) database and the change will not be reflected in the Central Manager GUI.
Note The advantage of initially setting passwords from the WAAS Central Manager GUI is that both the primary and the standby WAAS Central Managers will be synchronized, and GUI users will not have to access the CLI to change their password.
To change the password for your own account, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Admin > Security > Password.
Viewing User Accounts
To view all user accounts, choose Admin > AAA > Users from the WAAS Central Manager GUI. The User Accounts window displays all the user accounts in the management database. From this window, you can also create new accounts as described in the “Creating a New Account” section on page 1-4.
Step 4 In the Maximum login retries field, enter the maximum number of login attempts to be allowed before the user is locked out. The user remains locked out until cleared by the administrator. To clear a locked-out account, see the “Unlocking User Accounts” section on page 1-8.
Step 5 Click Submit to save your changes.
Note Assigning the admin role to a user does not change the user privilege level to 15. The user must also have privilege level 15 in order to perform administrative tasks. Assigning the admin role to a user grants read and write permission to all Device Manager GUI pages.
Table 1-4 lists the services that you can enable for a role.
Table 1-4 Description of the WAAS Services
Service | Description
Home | Allows this role to view, configure, and manage the system dashboard and settings in the Configure, Monitor, and Admin menus of the WAAS Central Manager GUI in the Home (global) context.
Device Groups
Devices
AppNav Clusters
Locations
All Devices
Table 1-4 Description of the WAAS Services (continued)
Service | Description
Monitoring API | Allows this role to access monitoring APIs through HTTPS requests. For more information, see the Cisco Wide Area Application Services API Reference.
System Status | Allows this role to access the device Alarms panel.
A green tick mark appears next to the assigned roles and a blue cross mark appears next to the unassigned roles. The roles assigned to this user account or group will be listed in the Roles section in the Modifying User Account (or Modifying User Group) window.
Modifying and Deleting Roles
Note The admin user account, by default, is allowed access to all services and cannot be modified.
Working with Domains
A WAAS domain is a collection of device groups or WAEs that make up the WAAS network. A role defines which services a user can manage in the WAAS network, but a domain defines the device groups, WAEs, or file server dynamic shares that are accessible and configurable by the user.
Note A WAAS domain is not the same as a DNS domain or Windows domain.
Step 7 Assign an entity to this domain as described in the section that follows, “Adding an Entity to a Domain”. If you chose None for the Entity Type, do not assign an entity to the domain; instead, the entity is used in a dynamic share configuration, as described in the “Creating Dynamic Shares for the CIFS Accelerator” section on page 1-9.
Note If the role that you assigned to an account or group has the All Devices or All Device Groups service enabled, you do not need to assign a domain to the account or group. The account or group can automatically access all the devices and/or device groups in the WAAS system. For more information, see Table 1-4 on page 1-11.
Viewing Domains
To view the domain configuration for a particular user account or group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Admin > AAA > Users (or Admin > AAA > User Groups). The User Accounts (or User Groups) window appears with all configured user accounts or groups listed.
Creating a New User Group
To create a new user group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Admin > AAA > User Groups. The User Groups listing window appears.
Step 2 Click the Create New User Groups icon in the taskbar. The Creating New User Group window appears.
Step 3 In the Name field, enter the name of the user group.
Step 6 Click Submit.
A green tick mark appears next to the assigned roles and a blue cross mark appears next to the unassigned roles. The roles assigned to this user group will be listed in the Roles section in the Modifying User Group window.
Modifying and Deleting a User Group
To modify an existing user group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Admin > AAA > User Groups. The User Groups window appears.
Step 2 Click the Edit icon next to the user group that you want to modify. The Modifying User Group window appears.
CHAPTER 1 Creating and Managing IP Access Control Lists for WAAS Devices
This chapter describes how to use the Wide Area Application Services (WAAS) Central Manager GUI to centrally create and manage Internet Protocol (IP) access control lists (ACLs) for your WAAS devices.
Creating and Managing IP ACLs for WAAS Devices
• Interception ACL—Applied globally to the WAAS device. This type of ACL defines what traffic is to be intercepted. Traffic that is permitted by the ACL is intercepted and traffic that is denied by the ACL is passed through the WAE. Use the interception access-list global configuration command to apply an interception ACL.
• Each WAAS Central Manager device can manage up to 50 IP ACLs and a total of 500 conditions per device.
• When the IP ACL name is numeric, numbers 1 through 99 denote standard IP ACLs and numbers 100 through 199 denote extended IP ACLs. IP ACL names that begin with a number cannot contain nonnumeric characters.
Figure 1-1 Creating a New Condition for an Extended IP ACL Window
b. Enter values for the properties that are enabled for the type of IP ACL that you are creating, as follows:
– To set up conditions for a standard IP ACL, go to Step 6.
– To set up conditions for an extended IP ACL, go to Step 7.
Step 6 Set up conditions for a standard IP ACL:
a.
Table 1-1 Standard IP ACL Conditions
Field | Default Value | Description
Purpose¹ | Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Source IP¹ | 0.0.0.0 | Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Source IP Wildcard¹ | 255.255.255.255
A green “Change submitted” indicator appears in the lower right corner of the Modifying IP ACL window to indicate that the IP ACL is being submitted to the device database.
Step 8 Step 9 Modify or delete an individual condition from an IP ACL:
a. Click the Edit icon next to the name of the IP ACL that you want to modify.
List of Extended IP ACL Conditions
The only network interface properties that can be altered from the WAAS Central Manager GUI are the inbound and outbound IP ACLs. All other property values are populated from the device database and are read-only in the WAAS Central Manager GUI.
Step 11 Click Submit to save the settings.
Table 1-4 Extended IP ACL Generic Condition
Field | Default Value | Description
Permit | Specifies whether a packet is to be passed (Permit) or dropped (Deny).
Extended Type¹ | Generic | Matches any Internet protocol.
Protocol | ip | Internet protocol (gre, icmp, ip, tcp, or udp). To match any Internet protocol, use the keyword ip.
Source IP¹ | 0.0.0.
Table 1-5 Extended IP ACL TCP Condition (continued)
Field | Default Value | Description
Source Operator | range | Specifies how to compare the source ports against incoming packets. Choices are <, >, ==, !=, or range.
Source Port 2 | 65535 | Decimal number or name of a TCP port. See Source Port 1.
Destination IP | 0.0.0.
Table 1-6 Extended IP ACL UDP Condition (continued)
Field | Default Value | Description
Source Port 2 | 65535 | Decimal number or name of a UDP port. See Source Port 1.
Destination IP | 0.0.0.0 | Number of the network or host to which the packet is being sent, specified as a 32-bit quantity in 4-part dotted decimal format.
Destination IP Wildcard | 255.255.255.
Table 1-7 Extended IP ACL ICMP Condition (continued)
Field | Default Value | Description
ICMP Param Type 1 | None | Choices are None, Type/Code, or Msg.
None—Disables the ICMP Type, Code, and Message fields.
Type/Code—Allows ICMP messages to be filtered by ICMP message type and code. Also enables the ability to set an ICMP message code number.
CHAPTER 1 Configuring Other System Settings
This chapter describes how to perform other system tasks such as setting the system clock, modifying the default system configuration settings, and enabling alarm overload detection, after you have done a basic configuration of your WAAS device. This chapter also describes how to register and manage WAAS Express devices.
Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network.
Modifying Device Properties
• Deactivate or activate the device
You can also use the WAAS Central Manager GUI to check the status of a device to determine if it is online, pending, or inactive. You can only rename a WAAS Central Manager device from the GUI.
To modify a device’s properties, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose device-name > Activation.
Managing Software Licenses
• In the Port field, enter the port number for the management IP address. If the HTTPS server configured on a WAAS Express device is using a different port than the default of 443, configure the same port here.
Note If the WAAS Central Manager cannot contact a device using the primary IP address, it attempts to communicate using the Management IP address.
Enabling the Inetd RCP and FTP Services
Step 3 Check the check box next to each license that you want to add.
Step 4 Click Submit.
To add licenses from the CLI, you can use the license add EXEC command. To remove licenses from the CLI, you can use the clear license EXEC command. To display the status of all licenses from the CLI, you can use the show license EXEC command. The setup utility also configures licenses when you first set up a new WAAS device.
Configuring Date and Time Settings
This section explains how to configure date and time settings for your WAAS network devices and contains the following topics:
• Configuring NTP Settings, page 1-5
• Configuring Time Zone Settings, page 1-5
Configuring NTP Settings
The WAAS Central Manager GUI allows you to configure the time and date settings using a Network Time Protocol (NTP) host on your network.
Step 3 To configure a standard time zone, follow these steps:
a. Under the Time Zone Settings section, click the Standard Time Zone radio button. The default is UTC (offset = 0) with no summer time configured. When you configure a standard time zone, the system is automatically adjusted for the UTC offset, and the UTC offset need not be specified.
Step 6
e. From the Start Week drop-down list, choose an option (first, 2nd, 3rd, or last) to set the starting week. For example, choose first to configure summer time to recur beginning the first week of the month or last to configure summer time to recur beginning the last week of the month.
f. From the Start Month drop-down list, choose a month (January–December) to start.
g.
Table 1-2 Timezone Location Abbreviations (continued)
Time Zone | Expansion
PRC | People’s Republic of China
PST8PDT | Pacific Standard/Daylight Time
ROC | Republic of China
ROK | Republic of Korea
UCT | Coordinated Universal Time
UTC | Coordinated Universal Time
WET | Western European Time
W-SU | Middle European Time
Table 1-3 Timezone—Offset from UTC
Time Zone Africa/Algiers Africa/Cairo Africa/Casablanca Africa/Harare Africa/Johannesbu
Table 1-3 Timezone—Offset from UTC (continued)
Time Zone Asia/New Delhi Asia/Rangoon Asia/Riyadh Asia/Seoul Asia/Singapore Asia/Taipei Asia/Tehran Asia/Vladivostok Asia/Yekaterinburg Asia/Yakutsk Australia/Adelaide Australia/Brisbane Australia/Darwin Australia/Hobart Australia/Perth Australia/Sydney Canada/Atlantic Canada/Newfoundland Canada/Saskatchewan Europe/Athens Europe/Berlin Europe/Bucharest Europe/Helsinki Europe/Lond
Configuring Secure Store Settings
Table 1-3 Timezone—Offset from UTC (continued)
Time Zone | Offset from UTC (in hours)
US/Mountain | –7
US/Pacific | –8
UTC was formerly known as Greenwich Mean Time (GMT). The offset time (number of hours ahead or behind UTC) as displayed in the table is in effect during winter time.
Secure store encryption on a Central Manager uses one of the following modes:
• Auto-generated passphrase mode—The passphrase is automatically generated by the Central Manager and used to open the secure store after each system reboot. This is the default mode for new Central Manager devices or after the system has been reinstalled.
• If you have a backup made when the secure store was in user-provided passphrase mode and you restore it to a system where the secure store is in auto-generated passphrase mode, you must enter the user passphrase to proceed with the restore. After the restore, the system is in user-provided passphrase mode.
Note When you enable secure store on the primary Central Manager in user-provided passphrase mode, you should enable secure store on the standby Central Manager as well. See Enabling Secure Store Encryption on a Standby Central Manager, page 1-13.
You can check the status of secure store encryption by entering the show cms secure-store command.
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Note The secure store status must be the same for all WAE devices in a device group. Either all WAE devices in the group must have secure store enabled, or all must have secure store disabled. Before you add a WAE device to a device group, set its secure store status to match the others.
Step 1 From the WAAS Central Manager menu, choose Admin > Secure Store.
Step 2 In the Switch to User-provided passphrase mode area, enter a password in the New passphrase field and reenter the password in the Confirm passphrase field.
The WAAS device reencrypts the stored data using a new encryption key derived from the new password. To change the password and generate a new encryption key on the Central Manager from the CLI, use the cms secure-store change EXEC command.
Modifying the Default System Configuration Properties
b. From the Central Manager, initialize secure store (see the “Enabling Secure Store Encryption on a WAE Device” section on page 1-13) or from the CLI, enter the cms secure-store init EXEC command. (This step is needed only if you performed step 5a.)
c. Enter the crypto pki managed-store initialize command and restart the SSL accelerator.
d.
Table 1-4 Descriptions for System Configuration Properties
System Property | Description
cdm.remoteuser.deletionDaysLimit | Maximum number of days since their last login after which external users will be deleted from the WAAS Central Manager database. For example, if cdm.remoteuser.
Table 1-4 Descriptions for System Configuration Properties (continued)
System Property | Description
System.monitoring.maxReports | Maximum number of completed or failed report instances to store for each custom report. The default is 10 report instances.
System.monitoring.monthlyConsolidationFrequency | How often (in days) the WAAS Central Manager consolidates daily monitoring records into monthly records.
Configuring the Web Application Filter
Table 1-4 Descriptions for System Configuration Properties (continued)
System Property | Description
System.standby.replication.maxCount | Maximum number of statistics data records (in thousands) that will be replicated to a standby Central Manager. The range is 10 to 300. The default is 200 (200,000 records). We do not recommend increasing this number.
System.standby.
Configuring Faster Detection of Offline WAAS Devices
Step 2 Click the Edit icon next to the system.security.webApplicationFilter entry. The Modifying Config Property window appears.
Step 3 Choose true from the Value drop-down list to enable this feature. A confirmation message appears to advise Central Manager and Device Manager users to log out and then back in after enabling this feature.
Step 4 Click OK and then Submit.
To configure fast detection of offline WAAS devices, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Configure > Global > Fast Device Offline Detection. The Configure Fast Offline Detection window appears.
Note The fast detection of offline devices feature is in effect only when the WAAS Central Manager receives the first UDP heartbeat packet and a getUpdate request from a device.
Configuring Alarm Overload Detection
the status of the nonresponsive devices as offline. Because UDP heartbeats require less processing than a getUpdate request, they can be transmitted more frequently, and the WAAS Central Manager can detect offline devices much faster.
You can enable or disable this feature, specify the interval between two UDP packets, and configure the failed heartbeat count.
Configuring the E-mail Notification Server
The low-water mark is the level up to which the number of alarms must drop before alarms can be restarted. The default value is 1. The low-water mark value should be less than the high-water mark value.
Step 5 In the Alarm Overload High Water Mark (Raise) field, enter the number of incoming alarms per second above which the WAAS device enters the alarm overload state. The default value is 10.
Using IPMI over LAN
is set up and enabled on WAAS, authorized users can access BMC remotely even when WAAS becomes unresponsive or the device is powered down but connected to a power source. You can use an IPMI v2 compliant management utility, such as ipmitool or OSA SMbridge, to connect to the BMC remotely to perform IPMI operations.
Sensor Device
SDR Repository Device
SEL Device
FRU Inventory Device
Aux Firmware Rev Info :
0x0b
0x0c
0x08
0x0a
. . . <<<<< a
If a BMC firmware update is needed, you can download it from cisco.com at the Wide Area Application Service (WAAS) Firmware download page (registered customers only). The firmware binary image is named waas-bmc-installer-48a-48a-26a-k9.bin.
Managing WAAS Express Devices
Enabling IPMI SoL
To enable IPMI SoL, perform the following steps:
Step 1 On the WAAS device, configure and enable IPMI over LAN (IoL).
Step 2 On the remote client, make sure that the BMC user can do IoL operations successfully over IPMI session v2.0.
Step 3 On the remote client, change the baud-rate of the terminal to match the WAAS console baud rate of 9600 bps.
Step 4 On the WAAS device, enable IPMI SoL.
Registering a WAAS Express Device Using the GUI
To register a WAAS Express device, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Admin > Security > WAAS Express > Registration. The WAAS Express Registration window appears. (See Figure 1-1.)
Note To register a WAAS Express device using the Central Manager GUI, SSH must be enabled on the WAAS Express device.
Step 7 The final step is to install a permanent WAAS software license. This function is not supported using the Central Manager GUI. You must obtain and copy the WAAS license to a location accessible to the license command on the WAAS Express device.
The following sections describe these steps in detail.
Configuring a User
The first step in setting up your WAAS Express device and Central Manager to communicate is to configure the same user on the WAAS Express device and the Central Manager.
To configure a user, follow these steps:
Step 1 Log in to the WAAS Express device CLI.
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(ca-trustpoint)#enrollment terminal pem
waas-express(ca-trustpoint)#exit
waas-express(config)#crypto pki authenticate wcm
Enter the base 64 encoded CA certificate.
End with a blank line or the word “quit” on a line by itself
Step 6 Paste in the certificate that you copied from the Central Manager in Step 3.
Step 1 On the WAAS Express device, enable the HTTP secure server:
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express#config t
Enter configuration commands, one per line. End with CNTL/Z.
waas-express(config)#ntp server 10.10.10.55
Registering the WAAS Express Device
The final step in setting up a WAAS Express device with the Central Manager is to register the device. You will need to know the IP address of the Central Manager.
Figure 1-2 Modifying WAAS Express Device Certificate Window
Step 3 Import this certificate into the Central Manager by selecting one of the following radio buttons that are shown in both tabs:
• Upload PEM file—Click Browse and locate the PEM file containing the certificate.
• Paste PEM-encoded certificate—Paste the PEM encoded certificate in the text field that appears.
Step 4 Click Submit.
Cisco Wide Area Application Services Configuration Guide OL-26579-01
CHAPTER 1 Using the WAE Device Manager GUI

This chapter describes how to use the WAE Device Manager GUI, which is a separate interface from the WAAS Central Manager GUI. The WAE Device Manager is a web-based management interface that allows you to control and monitor an individual WAE device in your network. The WAAS Central Manager device does not have a WAE Device Manager interface. In many cases, the same device settings are found in both the WAE Device Manager and the WAAS Central Manager GUI.
The Login window of the WAE Device Manager appears.

Enter your username and password in the fields provided and click Login. The default username is admin and the default password is default.

The WAE Device Manager interface appears. (See Figure 1-1.)

Figure 1-1 WAE Device Manager Interface

A Quick Tour of the WAE Device Manager

The WAE Device Manager is divided into two sections.
Chapter 1 Using the WAE Device Manager GUI WAE Management Workflow

As you navigate in the WAE Device Manager, your current location is always displayed across the top of the display area.

To log out of the WAE Device Manager, click the icon on the upper-right side of the display area.

Note JavaScripts, cookies, and popup windows must be enabled in the web browser to use the WAE Device Manager.
Chapter 1 Using the WAE Device Manager GUI Managing a Cisco WAE

Figure 1-2 Cisco WAE Control Window

The Cisco WAE menu item includes the following options:
• Control—Enables you to control the WAE and its components as described in the “Control Option” section on page 1-4.
• Configuration—Enables you to perform basic configuration tasks as described in the “Configuration Option” section on page 1-8.
Starting and Stopping Components

The Components tab enables you to view which components are running and which components are not, and allows you to start, stop, and restart components. From this tab you can click Refresh to update the status of each component and update the WAE Device Manager interface to reflect recent changes made to the device from the WAAS Central Manager GUI.
• To display the current status of the WAE components, click Refresh.

Registering and Unregistering a WAE

The Registration tab enables you to register the WAE with the specified WAAS Central Manager or unregister the WAE. After the WAE is registered, you can view and manage it from the WAAS Central Manager GUI.

To register the WAE, follow these steps:

Step 1 In the Cisco WAE Control window, click the Registration tab. (See Figure 1-4.
To back up the WAE configuration, follow these steps:

Step 1 In the Cisco WAE Control window, click the Backup tab. (See Figure 1-5.)

Figure 1-5 Cisco WAE Control—Backup Tab

Step 2 In the Download configuration backup area, click Download.
Step 3 In the File Download window, click Save.
Step 4 In the Save As window, browse to where you want to save the file. You can also change the filename.
Step 5 Click Save.
Note After the upload is completed, the WAE will be reloaded.

Configuration Option

The Configuration option for the Cisco WAE menu item displays the following tabs:
• SNMP—Allows you to enable event MIB and logging traps on the WAE. For more information, see the “Configuring SNMP Settings” section on page 1-8.
• Enable event MIB traps—Allows the WAE to send event MIB traps to the SNMP host specified in the SNMP notification host field.
• Enable logging traps—Enables logging traps on the device.
• SNMP notification host—Enter the IP address or hostname of your SNMP host so that the WAE can send MIB and logging traps to the host.
• Time Zone

Configuring Windows Authentication

The WAAS Central Manager GUI and the WAE Device Manager use Pluggable Authentication Modules (PAM) for user login authentication. Administrative users defined in the WAAS Central Manager GUI are distributed to the WAE Device Managers. Administrative user authentication is performed only upon login to the WAAS Central Manager GUI or the WAE Device Manager.
Note Windows domain authentication is not performed unless a Windows domain server is configured on the WAAS device. If the device is not successfully registered, authentication and authorization do not occur. WAAS supports authentication by a Windows domain controller running only on Windows Server 2000 or Windows Server 2003.
Figure 1-8 Cisco WAE Configuration—Windows Authentication Tab

Step 3 Enter the NetBIOS name. The NetBIOS name cannot exceed 15 characters nor contain special characters.

Note By default, the NetBIOS name field is automatically populated with the hostname of the file engine. If this hostname changes, the NetBIOS field is not automatically updated with the new name.

Step 4
Step 7 Check the Windows authentication for WAFS Management login check box to use Windows Domain to authenticate Telnet, FTP, console, SSH, and user interface (WAAS Central Manager GUI and WAE Device Manager) logins to CIFS (WAFS).

When you add users through the WAAS Central Manager GUI, you are given the option to configure users as local users who have their login password stored on the WAE.
A Windows Authentication problem can occur if you incorrectly configure the settings described in the “Setting Up Windows Authentication” section on page 1-11. Problems can also occur if the configuration of your domain controller changes.
Table 1-1 Authentication Test Descriptions

Test        Description
wbinfo -t   Verifies that the workstation trust account created when the Samba server is added to the Windows domain is working.
wbinfo -a   Tests the domain credentials based on the specified username and password. To run this test, enter the appropriate username and password, and then click Refresh. Wait for the test results to be displayed.
To define notification settings, follow these steps:

Step 1 In the Configuration window, click the Notifier tab. (See Figure 1-10.)

Figure 1-10 Notifier Tab

Step 2 In the Email address field, enter the address to which notifications about this WAE are sent.
Step 3 In the Mail server host name field, enter the name of the mail server host.
Utilities Option

The Utilities option displays the following tabs:
• Support—Allows you to dump WAE data to an external location for support purposes. For more information, see the “Running Support Utilities” section on page 1-17.
• WAFS Cache Cleanup—Allows you to remove all files from the CIFS (WAFS) cache. For more information, see the “Running the Cache Cleanup Utility” section on page 1-18.
Figure 1-11 Utilities—Support Tab

Step 2 In the System Report area, choose one of the following radio buttons:
• Full to download a full system report.
• Specify Date: to download a report for the time range that you specify (default is the past 7 days).

Step 3 Click Estimate size to view the size of the report. The actual size of the report may vary from the estimate.
Chapter 1 Using the WAE Device Manager GUI Managing a CIFS Accelerator Device

Figure 1-12 Utilities—WAFS Cache Cleanup Tab

Step 2 Click Run to erase the contents of the cache.

Running the File Server Rename Utility

The File Server Rename tab enables you to change the resource location for all resources of a given file server name on the WAAS device. This function changes the file server name for the files in the CIFS cache.
• Monitoring—Allows you to view CIFS (WAFS) device statistics in tables and graphs as described in the “Monitoring the Cisco WAE Component” section on page 1-24.
• Logs—Allows you to view the event log related to the CIFS accelerator. For more information, see the “Viewing Cisco WAE Logs” section on page 1-28.
Step 2 Choose a policy in the table and click View to view a detailed task history (iterations of a selected policy). The Preposition Task Details window appears. (See Figure 1-14.)

Figure 1-14 Preposition Task Details Window

The top half of the Preposition Policy window displays the following details about the selected policy:
• Create Date—When the policy was created.
• Last Modified—When the policy was last modified.
Chapter 1 Using the WAE Device Manager GUI Monitoring the WAE

Step 3 Click Close to return to the Policies window.

Note To update the information displayed in the Policies window, click Refresh.

Terminating a Preposition Task

You can terminate a preposition task that is in progress at any time. This action does not delete the preposition policy that generated the task; the system will still perform the task described by the policy when the next scheduled time arrives.
• Monitoring a Transparent CIFS Accelerator

Monitoring Graphs

The WAAS software generates four historical graphs for each monitored statistic. Each graph presents a different range of time for the selected data as follows:
• Daily—Displays data for the past 24 hours. Each data point represents a 5-minute average.
• Weekly—Displays data for the past seven days. Each data point represents a 30-minute average.
Tip Each graph in an index window acts as a link. Clicking on the graph displays all four historical graphs for the selected statistic. For example, clicking the Request Optimization graph in the index graphs window displays the daily, weekly, monthly and yearly Request Optimization historical graphs. Clicking the Back button in the browser returns you to the index graphs.
To monitor the WAE component, follow these steps:

Step 1 In the navigation area, click Monitoring under the Cisco WAE menu item. The Cisco WAE Monitoring window appears. (See Figure 1-17.)

Figure 1-17 Cisco WAE Monitoring Window

Step 2 Do one of the following:
• Choose the statistic that you want to view (by clicking in its row), and then click View to display a popup window that contains the historical graphs for that statistic.
• Remote requests count—Total number of client CIFS requests that were forwarded remotely over the WAN. The name of this statistic is a link that you can use to display its historical graphs (without first going to the Graphs tab). Local requests are also shown on these graphs.
• Local requests count—Total number of client CIFS requests handled locally by this device.
• Last evicted resource age—Amount of time that the last-evicted resource spent in the CIFS device cache.
• Last evicted resource access time—Last time that the last-evicted resource was accessed.

Viewing WAE Logs

You can view event information logged by the Cisco WAE and the CifsAO components. The event information available varies based on the component that you are viewing.
Step 6 Click Update.

Viewing Log Entries

Each log entry contains the date and time that the event occurred, the severity level of the event, and a description containing the log message. The log message format varies based on the type of event.

The severity level of an event indicates the seriousness of the event. Six choices are defined and provide the following information:
• All—Displays events of all severity levels.
• Manager log—Displays events related to the WAE Device Manager and WAAS Central Manager GUI components, such as configuration changes and WAE registrations and notifications that other WAE components were started or stopped.
• WAFS Watchdog log—Displays events related to the watchdog utility, which monitors the other application files inside the WAE and restarts them, if necessary.
CHAPTER 1 Configuring File Services

This chapter describes how to configure file services, which allows branch office users to more efficiently access data stored at centralized data centers. The file services feature overcomes the WAN latency and bandwidth limitations by caching data on Edge WAEs near branch office users. WAAS file services uses either the CIFS or SMB application accelerators.
Chapter 1 Configuring File Services About File Services

One obstacle is created by the file server protocols that operate over the WAN. Common Internet File System (CIFS), which is the file server protocol for Windows, was designed to operate over a LAN. Every file operation generates several exchanges of protocol messages between the client and the file server. This situation is usually not noticeable on the LAN, but quickly causes high latency over the WAN.
Overview of File Services Features

This section provides an overview of the WAAS file services features and contains the following topics:
• Automatic Discovery
• Data Coherency
• Data Concurrency
• Prepositioning
• Microsoft Interoperability

To accelerate CIFS traffic, you can use one of the following two accelerators:
• CIFS—The CIFS accelerator was introduced in WAAS versi
• Strict CIFS behavior for intra-site—Users of the same cache are always guaranteed standard, strict CIFS coherency semantics.
• Cache validation on CIFS open—In CIFS, the File Open operation is passed through to the file server. For coherency purposes, WAAS software validates the freshness of the file on every file open, and invalidates the cached file if a new version exists on the file server.
Data Concurrency

Concurrency control is important when multiple users access the same cached data to read, or write, or both. Concurrency control synchronizes this access by establishing and removing file system locks. This file-locking feature ensures data integrity and provides the following benefits:
• Enables a client to aggressively cache file data so it does not have to rely on retrieving data from the remote file server.
users to benefit from cache-level performance even during first-time access of these files. Prepositioning improves WAN bandwidth utilization by transferring heavy content when the network is otherwise idle (for example, at night), which frees up bandwidth for other applications during the day.
Chapter 1 Configuring File Services Preparing for File Services

• NetApp Data ONTap versions 6.5.2, 6.5.4, 7.0, and 7.3.3
• EMC Celerra versions 5.3, 5.4, and 5.6

WAAS supports Shadow Copy for Shared Folders for the following clients:
• Windows 7
• Windows Vista
• Windows XP Professional
• Windows 2000 (with SP3 or later)
• Windows 2003

Note Windows 2000 and Windows XP (without SP2) clients require the Previous Versions Client to be installed to support Shadow Copy for Shared Folders.
Chapter 1 Configuring File Services Configuring File Services

Table 1-1 Tested File Servers

Vendor      Product                   Version
Dell        PowerVault                715N
Microsoft   Windows NT 4.0
            Windows Server 2000       No service pack, SP1, SP3, and SP4
            Windows Server 2003       No service pack, SP1, SP2, and R2
            Windows Server 2008 (1)   SP1 and R2
Novell (2)                            6.5 SP-3
RedHat      Samba                     3.0.1.4a

1. With Windows 7 and Vista clients, the CIFS accelerator transparently uses the SMB1 protocol.
2. WAAS supports Novell 6.
Table 1-2 provides an overview of the steps that you must complete to configure the CIFS accelerator.

Table 1-2 Checklist for Configuring CIFS Accelerator

Task                                     Additional Information and Instructions
1. Prepare for file services.            Provides the tasks that you need to complete before enabling and configuring file services on your WAAS devices.
2. Enable CIFS acceleration.
3. (Optional) Identify dynamic shares.
A list of dynamic shares appears.

The Dynamic Shares window shows all the dynamic shares configured. From this window, you can perform the following tasks:
• Edit the configuration of an existing dynamic share by clicking the Edit icon next to the share. You can delete the dynamic share, or modify any of the dynamic share settings.
• Add a new dynamic share definition, as described in the next steps.
About Preposition Directives

A preposition directive allows you to determine which files should be proactively copied from CIFS file servers to the cache of selected Edge WAEs. Prepositioning enables you to take advantage of idle time on the WAN to transfer frequently accessed files to selected WAEs, where users can benefit from cache-level performance even during first-time access of these files.
• Assigning Edge Devices to a Preposition Directive
• Creating a New Preposition Schedule
• Checking the Preposition Status
• Starting and Stopping Preposition Tasks

Creating a New Preposition Directive

To create a preposition directive, follow these steps:

Step 1 From the WAAS Central Manager menu, choose Configure > CIFS File Services > Preposition.
Figure 1-2 Creating a New Preposition Directive Window

Step 3 Enter a name for the directive. The double quote (") character is not allowed in the name.
Step 4 From the Status drop-down list, choose either enabled or disabled. Disabled directives are not put into effect.
Step 5 (Optional) Define the time and size limitations using the provided fields. Table 1-3 describes the time and size limitation fields.
Table 1-3 Preposition Time and Size Limitations

Field: Total Size as % of Cache Volume
Description: Percentage of the overall Edge WAE cache that prepositioned files can consume. For example, if you do not want this prepositioning directive to consume more than 30 percent of a WAE’s cache, enter 30 in this field. The default value is 5 percent.
Note If one of these limits is exceeded during a prepositioning task, the task is terminated and a message is sent to the Administrator log. Any remaining files are exported the next time the task is run. If a user requests one of the missing files before this happens, it is fetched over the WAN through WAAS software as usual.
• Narrow the policy definition to a particular type of file by choosing a pattern operator from the File Name drop-down list and entering the text that describes the pattern in the adjacent text box. For example, enter ends with .doc. Do not use a space or the following special characters: |:><"?*/\

Step 12 Click Submit. The directive is saved and additional tabs appear at the top of the window.
The icon next to each edge device or device group you selected changes.

Note If the CIFS accelerator is disabled on a WAE, the WAE is removed from any preposition directives to which it is assigned. Also, the preposition directive is removed from the device’s running configuration.
Note You cannot schedule a start time for the Now option.

Step 6 Click Submit. The message Changes Submitted appears at the bottom of the window confirming that your schedule was saved.
Step 7 Verify that the preposition directive completed successfully by checking the preposition status. For more information, see the “Checking the Preposition Status” section on page 1-18.
Configuring the SMB Accelerator

Table 1-2 provides an overview of the steps that you must complete to configure the SMB accelerator.

Table 1-4 Checklist for Configuring SMB Accelerator

Task                                     Additional Information and Instructions
1. Prepare for file services.            Provides the tasks that you need to complete before enabling and configuring file services on your WAAS devices.
2. Enable SMB acceleration.
3. (Optional) Identify dynamic shares.
A list of dynamic shares appears.

The Dynamic Shares window shows all the dynamic shares configured. From this window, you can perform the following tasks:
• Edit the configuration of an existing dynamic share by selecting it and clicking the Edit taskbar icon.
• Delete the dynamic share by selecting it and clicking the Delete taskbar icon.
• Add a new dynamic share definition, as described in the next steps.
CHAPTER 1 Configuring Application Acceleration

This chapter describes how to configure the optimization policies on your WAAS system that determine the types of application traffic that is accelerated over your WAN.

Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.
Chapter 1 Configuring Application Acceleration About Application Acceleration

You can use the WAAS Central Manager GUI to modify the predefined policies and to create additional policies for other applications. For more information on creating optimization policies, see the “Creating a New Traffic Optimization Policy” section on page 1-49.
Enabling and Disabling the Global Optimization Features

The global optimization features determine if TFO Optimization, Data Redundancy Elimination (DRE), and Persistent Compression are enabled on a device or device group. By default, all of these features are enabled.
Figure 1-1 Enabled Features Window

Figure 1-2 shows the subset of standard features that are available for a WAAS Express device.
• CIFS accelerator express (See the “Configuring CIFS Accelerator Express” section on page 1-26)
• HTTP accelerator express (See the “Configuring HTTP Acceleration” section on page 1-7)
• SSL accelerator express (See the “Configuring SSL Acceleration” section on page 1-28)

Not all of the properties in the standard WAAS device are available in the WAAS Express version of the application accelerators
Step 11 If you check the ICA Accelerator check box, you can click the Advanced Settings link as a shortcut to the ICA Acceleration Configuration window. For more information, see the “Configuring ICA Acceleration” section on page 1-27.
Step 12 In the Advanced Settings area, uncheck the Blacklist Operation feature if you want to disable it.
• Configuring MAPI Acceleration
• Configuring Encrypted MAPI Acceleration
• Configuring Video Acceleration
• Configuring CIFS Accelerator Express
• Configuring SMB Acceleration
• Configuring ICA Acceleration
• Configuring SSL Acceleration
• For CIFS: Chapter 1, “Configuring File Services”

Configuring DRE Settings
To configure the HTTP acceleration settings, follow these steps:

Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Acceleration > HTTP/HTTPS Settings. The HTTP Acceleration Settings window appears. (See Figure 1-3.
Step 6 In the Minimum age of a cache entry field, enter the minimum number of seconds to retain HTTP header information in the cache. The default is 60 seconds. Valid time periods range from 5 to 86400 seconds (24 hours).
Step 7 Check the Enable local HTTP 301 redirect messages check box to enable the WAE to cache and locally serve HTTP 301 messages. The default setting is checked.
• HTTP 401 authentication required

Metadata caching is not applied in the following cases:
• Requests and responses that are not compliant with RFC standards
• URLs over 255 characters
• 301 and 401 responses with cookie headers
• HEAD method is used
• Pipelined transactions

Note The metadata caching feature is introduced in WAAS version 4.2.1, but version 4.2.
For the features (DRE hints and HTTPS metadata cache in this example) that do not have an ACL associated with them, the global configuration is used and they are applicable to all the connections.

Configuring MAPI Acceleration

The MAPI application accelerator accelerates Microsoft Outlook Exchange traffic that uses the Messaging Application Programming Interface (MAPI) protocol.
Figure 1-4 MAPI Acceleration Settings Window

Step 3 In the Reserved Pool Size Maximum Percent field, enter the maximum percent of connections to restrict the maximum number of connections reserved for MAPI optimization during TFO overload. It is specified as a percent of the TFO connection limit of the platform. Valid percent ranges from 5%-50%.
Task Flow for Configuring Encrypted MAPI

To configure Encrypted MAPI traffic acceleration, complete the tasks listed in Table 1-1. These tasks must be performed on both data center and branch WAEs unless specifically noted as not required (or optional).

Table 1-1 Tasks for Configuring Encrypted MAPI

Task
1. Configure DNS Settings.
2. Configure NTP Settings.
3.
The WAAS DNS server must be part of the DNS system of Windows Active Directory domains to resolve DNS queries for traffic encryption. To configure DNS settings, see the “Configuring the DNS Server” section on page 1-26.

Step 2 Configure NTP Settings to synchronize the time with Active Directory. The WAAS device has to be in synchronization with Active Directory for Encrypted MAPI acceleration.
You must have at least one account configured, either user or machine, that is configured with a domain identity. Each device can support up to 5 domain identities: 1 machine account identity and 4 user account identities. This allows a WAAS device to accelerate up to 5 domain trees. You must configure a domain identity for each domain with an exchange server that has clients to be accelerated.

a.
Step 2 From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The Encrypted Services window appears.
Step 3 Click the Add Domain Identity button to add a machine account domain identity. (See Figure 1-6.) Every WAAS device to be accelerated must have a domain identity.

Figure 1-5

a. Select Machine Account from the Account Type drop-down list.

Note

b.
Figure 1-6 Encrypted Services—Domain Identity

To configure and verify Encrypted Services Domain Identities from the CLI, use the windows-domain encrypted-service global configuration command and the show windows-domain encrypted-service EXEC command.
Figure 1-8

a. Select user account from the Account Type drop-down list.
b. Enter the identity name in the Identity Name field. Alphanumeric characters only (cannot contain space, ?, |), not exceeding 32 characters.
c. Enter username and password information.
d. Enter the domain name.
e. Enter the Kerberos realm.
Figure 1-9 Active Directory—Add Group

b. Enter a name in the Group name fields and select the following attributes:
– Group scope: Universal
– Group type: Security
c. Click OK.

Step 3 Configure the permissions required by WAAS.
a. In the Active Directory Users and Computers application window, select View > Advanced Features from the menu bar.
b.
Figure 1-10 Active Directory—Security Tab

d. Click Add in the Group or User Names section.
e. Enter the name of the new group that you created in this procedure in the Enter the object names to select field and click OK to add the new group to the list.
f.
• Deleting an Existing Domain Identity
• Disabling Encrypted MAPI
• Encrypted MAPI Acceleration Statistics

Editing an Existing Domain Identity

You can modify the attributes of an existing domain identity on a WAAS device, if needed.
Disabling Encrypted MAPI

To disable Encrypted MAPI, follow these steps:

Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Disable Encrypted Service.
a. From the menu, choose Configure > Security > Windows Domain > Encrypted Services. The Encrypted Services window appears.
b. Uncheck the Enable Encrypted Service check box.
Step 3
The Video Acceleration Configuration window appears. (See Figure 1-11.)

Figure 1-11 Video Acceleration Configuration Window

Step 3 In the Client First Message Reception Timeout field, enter the number of seconds to wait for the first message from the client and the first response from the server, after the connection is accepted by the video accelerator, before timing out the connection.
The changes are saved to the device or device group.
To configure video acceleration from the CLI, use the accelerator video global configuration command.
Configuring SMB Acceleration
The SMB application accelerator handles optimizations of file server operations.
• Invalid FID optimization—The SMB accelerator optimizes SMB2 clients by locally denying attempts to access files with invalid file handle values instead of sending such requests to the file servers.
• Batch Close optimization—The SMB accelerator performs asynchronous file close optimizations on SMB2 traffic.
• Handoff—If the negotiated dialect is higher than the chosen highest dialect to optimize, the connection is handed off to the generic accelerator.
• Mute—The dialects higher than the one chosen as the highest dialect to optimize are removed from the negotiation list.
• ADS Negative Cache—Applications sometimes send requests for directories and files that do not exist on file servers. For example, Windows Explorer accesses the Alternate Data Streams (ADS) of the file it finds.
Figure 1-13 ICA Acceleration Configuration Window
Step 3 In the WAN Secure Mode drop-down list, choose the mode, as follows:
• None—Disables WAN Secure mode for ICA.
• Always—Enables WAN Secure mode for ICA. This is the default.
Note The state of WAN Secure mode in both Branch WAE and Data Center WAE must match for connections to get optimized with the ICA accelerator.
Step 4 Click Submit.
Table 1-2 Checklist for Configuring SSL Acceleration
Task | Additional Information and Instructions
1. Prepare for configuring SSL acceleration. | Identifies the information that you need to gather before configuring SSL acceleration on your WAAS devices. For more information, see the “Preparing to Use SSL Acceleration” section on page 1-29.
2.
Figure 1-14 SSL Acceleration Block Diagram
[Figure labels: Admin Browser; CM Administration; Admin Service; Central Manager; CM to Branch WAE Management Service; Branch WAE; SSL Service (TCP connection carrying SSL traffic on a well-known TCP port, e.g. 443); CM to Data Center WAE Management Service; WAE to WAE Peering Service; Data Center WAE; Common Name = hr.analog.]
Note If the SSL accelerator is already running, you must wait 2 datafeed poll cycles when registering a new WAE with a Central Manager before making any configuration changes; otherwise, the changes may not take effect.
Step 4 In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to accept both SSL3 and TLS1 SSL protocols.
Step 5 (Optional) Set the Online Certificate Status Protocol (OCSP) parameters for certificate revocation:
a.
Figure 1-17 Self-Signed Certificate and Private Key
Step 2
a. Check the Mark private key as exportable check box to export this certificate/key in the WAAS Central Manager and device CLI later.
b. Fill in the certificate and private key fields.
b. To import an existing certificate or certificate chain and private key, perform one of the following:
• Upload certificate and key in PKCS#12 format (also known as Microsoft PFX format)
• Upload certificate and private key in PEM format
• Paste certificate and private key PEM content
If the certificate and private key are already configured, you can update the certificate only.
Figure 1-20 Generate Certificate Signing Request
To update the current certificate with one signed by the Certificate Authority:
a. Generate PKCS#10 certificate signing request.
b. Send generated certificate signing request to Certificate Authority to generate and sign certificate.
c.
Figure 1-21 SSL Cipher Lists Window
Step 3 Click Create to add a new cipher list. The Creating New SSL Cipher List window appears (see Figure 1-22).
Note For a WAAS Express device, click Add Cipher List to add a new cipher list.
Figure 1-22 Creating New SSL Cipher List Window
Step 4 Type a name for your cipher list in the Cipher List Name field.
Step 6 Choose the cipher suite that you want to add in the Ciphers field.
Note If you are establishing an SSL connection to a Microsoft IIS server, do not select a DHE-based cipher suite.
Step 7 Choose the priority for the selected cipher suite in the Priority field.
Note For a WAAS Express device, the SSL CA Certificate List window shows the same Name, Issued To, Issuer, Expiry Date fields but in a slightly different format. There is also an Aggregate Settings field configurable as Yes or No. To finish the procedure for WAAS Express, skip to Step 4.
Figure 1-24 Creating New CA Certificate Window
b. Type a name for the certificate in the Certificate Name field.
c. (Optional) Type a description of the CA certificate in the Description field.
d. Choose disabled in the Revocation check drop-down list to disable OCSP revocation of certificates signed by this CA.
Note For a WAAS Express device, click OK to save the CA certificate configuration.
SSL Auto Enrollment
The WAAS SSL acceleration feature allows you to enroll certificates automatically for a device (or device group) using SCEP. Once the CA certificate has been obtained, SSL auto enrollment settings must be configured.
Note CA, CA URL, and challenge password settings are mandatory for enabling SSL auto enrollment.
Step 4 Configure the following Certificate Signing Request settings:
• Common Name
• Organization and Organization Unit
• Location, State, and Country
• Email-Id
Step 5 Configure the key size: 512, 768, 1024, 1536, or 2048
Step 6 Check the Enable Enroll box.
Step 7 Click Submit.
Figure 1-26 SSL Management Services Window
Step 3 In the SSL version field, choose the type of SSL protocol to use. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL protocols.
Table 1-3 Cipher Lists Supported with Internet Explorer and Mozilla Firefox
Cipher | Internet Explorer | Firefox
rsa-with-rc4-128-md5 | Supported | Supported
dhe-rsa-with-des-cbc-sha | Not Supported | Not enabled by default
rsa-export1024-with-rc4-56-sha | Supported | Not enabled by default
rsa-export1024-with-des-cbc-sha | Supported | Not enabled by default
dhe-rsa-export-with-des40-cbc-sha | Not Supported |
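The following Python check is an added example, not part of the Cisco guide or the WAAS software: it audits a service's SSL version, cipher list, key size, and revocation setting using the option names and cipher names that appear in this guide. The SslService record, its field names, the severity labels, the sample services, and the aes cipher name are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Choices named in the guide's SSL version fields and auto enrollment key size step.
SSL_VERSIONS = ("SSL3", "TLS1", "All", "Inherited")
KEY_SIZES = (512, 768, 1024, 1536, 2048)

# (severity, pattern, reason) applied to hyphen-separated names as in Table 1-3.
CIPHER_RULES = [
    ("high", re.compile(r"(^|-)export"), "export-grade suite (40/56-bit strength)"),
    ("high", re.compile(r"(^|-)des(40)?-cbc"), "single DES (56-bit key or less)"),
    ("medium", re.compile(r"(^|-)rc4-"), "RC4 (prohibited in TLS by RFC 7465)"),
    ("medium", re.compile(r"-md5$"), "MD5-based MAC"),
]
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class SslService:
    """Hypothetical record of one service's SSL settings (not a WAAS format)."""
    name: str
    ssl_version: str = "Inherited"
    ciphers: list = field(default_factory=list)
    key_size: int = 2048
    ocsp_revocation_disabled: bool = False


def effective_version(service, global_version):
    """Resolve 'Inherited' against the global SSL setting."""
    if service.ssl_version not in SSL_VERSIONS:
        raise ValueError(f"unknown SSL version {service.ssl_version!r}")
    if service.ssl_version != "Inherited":
        return service.ssl_version
    if global_version not in ("SSL3", "TLS1", "All"):
        raise ValueError("global SSL version must be SSL3, TLS1 or All")
    return global_version


def audit(service, global_version):
    """Return (severity, item, reason) findings, most severe first."""
    if service.key_size not in KEY_SIZES:
        raise ValueError(f"key size {service.key_size} is not one of {KEY_SIZES}")
    findings = []
    version = effective_version(service, global_version)
    if version in ("SSL3", "All"):
        findings.append(("high", "ssl_version",
                         f"{version} accepts SSL3, deprecated by RFC 7568"))
    else:
        findings.append(("low", "ssl_version",
                         "TLS 1.0 is deprecated by RFC 8996; strongest choice listed"))
    for cipher in service.ciphers:
        name = cipher.lower()
        for severity, pattern, reason in CIPHER_RULES:
            if pattern.search(name):
                findings.append((severity, f"cipher:{name}", reason))
    if service.key_size < 1024:
        findings.append(("high", "key_size", f"{service.key_size}-bit RSA key"))
    elif service.key_size < 2048:
        findings.append(("medium", "key_size",
                         f"{service.key_size}-bit RSA key is below 2048 bits"))
    if service.ocsp_revocation_disabled:
        findings.append(("low", "revocation", "OCSP revocation check disabled"))
    # sorted() is stable, so findings of equal severity keep discovery order.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample services; names and settings are illustrative only.
LEGACY = SslService(
    name="constructed-legacy",
    ssl_version="Inherited",
    ciphers=["rsa-with-rc4-128-md5", "dhe-rsa-export-with-des40-cbc-sha"],
    key_size=1024,
    ocsp_revocation_disabled=True,
)
HARDENED = SslService(
    name="constructed-hardened",
    ssl_version="TLS1",
    ciphers=["rsa-with-aes-256-cbc-sha"],  # constructed name in the table's style
    key_size=2048,
)

if __name__ == "__main__":
    for svc in (LEGACY, HARDENED):
        print(svc.name)
        for severity, item, reason in audit(svc, global_version="All"):
            print(f"  [{severity}] {item}: {reason}")
```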
Figure 1-27 SSL Peering Service Window
Step 3 In the SSL Version field, choose the type of SSL protocol to use, or choose Inherited to use the SSL protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL protocols.
Note For a WAAS Express device, SSL configuration changes will not be applied on the device until the security license has been enabled on the device.
Using SSL Accelerated Services
After you have enabled and configured SSL acceleration on your WAAS system, you must define at least one service to be accelerated on the SSL path.
Figure 1-28 SSL Accelerated Services—Basic Window
Step 5 Type a name for the service in the Service Name field.
Step 6 To enable this accelerated service, check the In service check box.
Step 7 To enable client version rollback check, check the Client version rollback check check box.
Step 10 Type the port associated with the service to be accelerated. Click Add to add each address. If you specify a server hostname, the Central Manager resolves the hostname to the IP address and adds it to the Server IP/Ports table.
Step 11 Click Delete to remove an IP address from the list.
Step 12 Choose a certificate and key pair method (see Figure 1-29).
Figure 1-30 SSL Accelerated Services—Advanced Window
Step 14 (Optional) In the SSL version field, choose the type of SSL protocol to use, or choose Inherited to use the SSL protocol configured in global SSL settings. Choose SSL3 for the SSL version 3 protocol, choose TLS1 for the Transport Layer Security version 1 protocol, or choose All to use both SSL3 and TLS1 SSL protocols.
Step 17 Click Submit when you have finished configuring the SSL accelerated service.
Creating a New Traffic Optimization Policy
Table 1-4 provides an overview of the steps that you must complete to create a new traffic optimization policy.
Table 1-4 Checklist for Creating a New Optimization Policy
Task
1. Prepare for creating an optimization policy.
2. Create an application definition.
3.
Creating an Application Definition
The first step in creating an optimization policy is to set up an application definition that identifies general information about the application, such as the application name and whether you want the WAAS Central Manager to collect statistics about the application. You can create up to 255 application definitions on your WAAS system.
Creating an Optimization Policy
After you create an application definition, you need to create an optimization policy that determines the action a WAAS device takes on the specified traffic. For example, you can create an optimization policy that makes a WAAS device apply TCP optimization and compression to all application traffic that travels over a specific port or to a specific IP address.
Note If there are version 4.x devices, you can click the Legacy View taskbar icon to view the policies as they appear in a 4.x device.
From the Optimization Policies window, you can perform the following tasks:
• Configure a description, configure the Enable Service Policy setting, and configure the DSCP setting. This DSCP setting field configures DSCP settings at the device (or device group) level.
d. Click the Add Match Condition icon to enter the conditions. (See Figure 1-33.)
Note For a WAAS Express device, Protocol and EPM Custom UUID settings are not applicable.
Figure 1-33 Adding a New Match Condition Window
e. Enter a value in one of the destination or source condition fields to create a condition for a specific type of traffic. For example, to match all traffic going to IP address 10.10.10.
Table 1-5 Action Descriptions
Action | Description
Passthrough | Prevents the WAAS device from optimizing the application traffic defined in this policy by using TFO, DRE, or compression. Traffic that matches this policy can still be accelerated if an accelerator is chosen from the Accelerate drop-down list.
TFO Only | Applies a variety of transport flow optimization (TFO) techniques to matching traffic.
Chapter 1 Configuring Application Acceleration Managing Application Acceleration
• HTTP Adaptor—Accelerate using the HTTP Accelerator.
• MAPI Adaptor—Accelerate using the MAPI Accelerator.
• NFS Adaptor—Accelerate using the NFS Accelerator.
• Video Adaptor—Accelerate using the Video Accelerator.
• ICA Adaptor—Accelerate using the ICA Accelerator.
Note For a WAAS Express device, the available accelerators are CIFS Express and HTTP Express.
Step 8
Step 9
• Restoring Optimization Policies and Class Maps, page 1-58
• Monitoring Applications and Class Maps, page 1-58
• Defining Default DSCP Marking Values, page 1-58
• Modifying the Position of an Optimization Policy, page 1-59
• Modifying the Acceleration TCP Settings, page 1-61
Modifying the Accelerator Load Indicator Threshold
To modify the accelerator load indicator threshold for a WAE device or device group, follo
Viewing a Policy Report
To view a report of the policies that reside on each WAE device or device group, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Configure > Acceleration > Optimization Policy Report. (See Figure 1-34.) The Policy Report for Devices tab appears.
Restoring Optimization Policies and Class Maps
The WAAS system allows you to restore the predefined policies and class maps that shipped with the WAAS system. For a list of the predefined policies, see Appendix 1, “Predefined Optimization Policy.
This attribute can be defined at the following levels:
• Global—You can define global defaults for the DSCP value for each device (or device group) in the Optimization Policies page for that device (or device group). This value applies to the traffic if a lower level value is not defined.
• Policy—You can define the DSCP value in an optimization policy.
Note For a WAAS Express device, all policies are grouped under the waas_global category.
For a list of predefined policies, see Appendix 1, “Predefined Optimization Policy.
Note A default policy which maps to a default class map matching any traffic cannot be deleted.
Step 6 If you determine that a new policy is needed, click the Add Policy taskbar icon to create the policy (see the “Creating an Optimization Policy” section on page 1-51).
Table 1-6 TCP Settings
TCP Setting | Description
Optimized Side
Maximum Segment Size | Maximum packet size allowed between this WAAS device and other WAAS devices participating in the optimized connection. The default is 1432 bytes.
Send Buffer Size | Allowed TCP sending buffer size (in kilobytes) for TCP packets sent from this WAAS device to other WAAS devices participating in the optimized connection.
Receive Buffer Size |
• WAE-512—Default BDP is 32 KB
• WAE-612—Default BDP is 512 KB
• WAE-674—Default BDP is 2048 KB
• WAE-7341—Default BDP is 2048 KB
• WAE-7371—Default BDP is 2048 KB
• All WAVE platforms—Default BDP is 2048 KB
If your network provides higher bandwidth or higher latencies are involved, use the following formula to calculate the actual link BDP:
BDP [Kbytes] = (link BW [Kbytes/sec] * Round-trip latency [Sec])
When
To configure the TCP adaptive buffer settings from the CLI, use the tfo tcp adaptive-buffer-sizing global configuration command:
WAE(config)# tfo tcp adaptive-buffer-sizing receive-buffer-max 8192
To disable TCP adaptive buffering from the CLI, use the no tfo tcp adaptive-buffer-sizing enable global configuration command.
To show the default and configured adaptive buffer sizes, use the show tfo tcp EXEC command.
CHAPTER 1 Configuring Virtual Blades
This chapter describes how to configure virtual blades, which are computer emulators that reside in a WAE or WAVE device. A virtual blade allows you to allocate WAE system resources for use by additional operating systems that you install on the WAE hardware. You can host third-party applications in the isolated environment provided by a virtual blade.
Chapter 1 Configuring Virtual Blades About Virtual Blades
Each virtual blade has its own virtualized CPUs, memory, firmware, disk drives, CD drives, and network interface cards. A virtual host bridge controls communications between the virtual blade, your WAAS device, and the rest of your WAAS network.
Note When you configure a virtual blade on your WAAS device, system resources are reserved for the virtual blade.
Preparing to Use Virtual Blades
Note This procedure applies only to WAE-674 devices. Virtual blades are always enabled on WAVE platforms. You cannot disable a virtual blade on a WAVE device.
Before you configure and enable a virtual blade on your WAE-674 device, follow these steps:
Step 1 Ensure that the Virtual-Blade license is installed on the device. For more information, see the “Managing Software Licenses” section on page 1-3.
Configuring Virtual Blades
This section describes how to configure a new virtual blade or edit an existing blade. You can configure resources such as the virtual blade number, description, boot method, disk allocation, CPU list, and other parameters. Note that after a virtual blade is initially configured, the only resource parameters that can be changed are memory and the bridged interface.
Figure 1-2 Virtual Blade Configuration Window
Step 4 Configure the virtual blade system parameters as needed to run your operating system and applications:
a. If you are creating a new virtual blade, type the number of the virtual blade that you want to create in the Blade Number field.
– Choose disk to read the CD image from an ISO file on the WAAS device hard drive. If you choose disk, click the Browse button and select the ISO file from the /local1/vbs directory. The Browse button is shown only if there are files in the /local1/vbs directory. If you need to copy an ISO file to the /local1/vbs directory, see the “Copying a Disk Image to a Virtual Blade” section on page 1-10.
l. In the Virtual CPU Allocation field, choose each CPU to assign to the virtual blade. If you choose multiple CPUs, the CPUs are used in SMP mode. If two CPUs are available, by default odd numbered virtual blades use CPU 1, and even numbered virtual blades use CPU 2.
Chapter 1 Configuring Virtual Blades Enabling and Disabling Virtual Blades
• (config-vb) disk to allocate disk space for the virtual blade
• (config-vb) interface to bridge a virtual blade interface to a bridge group
• (config-vb) memory to allocate system memory for the virtual blade
• (config-vb) vnc to disable the VNC server on the virtual blade (it is enabled by default)
Installing Paravirtualization Drivers
To install paravirtualization drivers, perform the following steps:
Step 1 Download
Step 2 Choose Admin > Virtualization > Actions. The Virtual Blade Actions window appears (see Figure 1-3).
Figure 1-3 Virtual Blade Actions Window
Step 3 In the Virtual Blade list, choose the virtual blade that you want to enable or disable. The status of the virtual blade is displayed in the Status field. The default selection for the Virtual Blade list is All.
Chapter 1 Configuring Virtual Blades Copying a Disk Image to a Virtual Blade
Note The operating system on your virtual blade does not shut down and restart when you reboot a WAAS device. When you reboot a WAE or WAVE device, the WAAS software saves the virtual blade in its current state and then restores that state when the reboot is complete.
To enable a virtual blade with the WAAS CLI, use the virtual-blade n start EXEC command. To disable a virtual blade, use the virtual-blade n stop EXEC command.
Chapter 1 Configuring Virtual Blades Backing Up and Restoring a Virtual Blade
Step 7 In the Username and Password fields, enter a valid username and password for the FTP server.
Step 8 In the Local Filename field, enter the full path and filename where the disk image is to be stored on the WAE device. The directory path must be /local1/vbs/.
Step 9 Click Start File Transfer to start the file transfer. File transfer status information is shown in the Status field.
Step 9 In the Virtual Blade No. field, enter the number of the virtual blade that you want to back up.
Step 10 In the Disk No. field, enter the number of the virtual blade disk that you want to back up. For backing up a virtual blade running Microsoft Windows Server, always enter 1.
Step 11 Click Start File Transfer to start the file transfer.
CHAPTER 1 Configuring the Network Analysis Module
This chapter provides information about the integration of the Cisco Network Analysis Module (NAM) in the WAAS Central Manager and describes how to configure and use the NAM.
Chapter 1 Configuring the Network Analysis Module Guidelines and Limitations
• The following configurations are performed:
– Enable HTTP or HTTPS.
– Create an admin web user account.
– Create a MonitorView web user account.
• Both the WAAS Central Manager and the client computer from which you connect to the Central Manager must be able to access the configured NAM server on the network.
For more information, see the Cisco Network Analysis Module Installation and Configuration Guide.
Chapter 1 Configuring the Network Analysis Module Configuring the NAM
Task Flow for Configuring the NAM
This section includes the following topics:
• Basic Configuration, page 1-3
• Advanced Configuration, page 1-3
Basic Configuration
The basic NAM configuration includes the following tasks:
• Configuring the setup (see Configuring the Basic Setup, page 1-3).
– Connect to a NAM server by providing the server’s IP address, protocol, and port.
– Establish account credentials.
The Setup window appears. This window allows you to configure the NAM IP address and accounts.
Figure 1-1 Setup Window
Step 2 In the NAM Server area, provide the following information:
– Choose either HTTP or HTTPS depending on the access that was configured during the installation of NAM.
– Enter the hostname of the NAM server.
– Enter the IP address of the NAM server.
Step 6 In the NAM MonitorView User field, enter the username of an existing collection-view user configured on the NAM server.
Step 7 In the NAM MonitorView Password field, enter the password of an existing collection-view user that you specified in Step 3.
Step 8 Click the Test Connectivity/Credentials button to test whether the NAM server is accessible and to check whether the user credentials that you specified are valid.
Note Classification of received data from data sources to sites is done only after the sites are configured. Any old data from these data sources from before the sites were configured is counted under the default 'Unassigned' site.
The site definition is very flexible and can accommodate various scenarios. The site definition is used not only for viewing of data but for data export and data retention as well.
• Specifying a Site Using Multiple Rules, page 1-7
• Resolving Ambiguity (Overlapping Site Definitions), page 1-7
Specifying a Site Using WAE devices (WAAS Data Sources)
For WAAS traffic, you can define a site associated with a WAE device without specifying the site's subnets. Simply select all of the WAAS data sources coming from the WAE device(s) serving that site.
The following details for the sites display:
• Name—Lists the name of the site.
• Description—Describes what the site includes.
• Rule—Lists the first rule that is assigned to the selected site. If you see periods (...) next to the site rule, multiple rules were created for that site. To see the list of all rules, click the quick view icon (after highlighting the site, click the small arrow on the right).
Step 1 When you click the Detect button at Configure > Network Analysis Module > Basics > Sites > Sites Configuration, the NAM looks for subnets detected within the past hour. The Subnet Configuration window displays. This window allows you to specify the details of the sources in which you would like the NAM to detect subnets.
Step 2 In the Subnet Mask field, enter the subnet mask.
Configuring a WAAS Monitored Server
WAAS monitored servers specify the servers from which WAAS devices export traffic flow data to the NAM monitors. To enable WAAS monitoring, you must list the servers to be monitored by the NAM using the WAAS device's flow monitoring.
Note The NAM is unable to monitor WAAS traffic until you set up WAAS monitored servers.
Step 1 Choose Configure > Network Analysis Module > Advanced > Classifier/App Sync. The Classifier/App Sync Preferences window appears. The results are displayed under the following categories:
• Conflicting classifiers/applications—You can choose one or all the WAAS classifiers/applications for synchronization with the NAM. By default, all the classifier/applications are selected.
• WAAS
The NAM Data Sources window lists the data sources that are configured for that NAM module. The fields are as follows:
• Device—DATA PORT if it is a local physical port or the IP address of the learned device.
• Type—The source of traffic for the NAM.
– DATA PORT if it is a local physical port.
– WAAS, ERSPAN, or NETFLOW if a data stream is exported from the router, switch, or WAE device.
• Server WAN—Configures the WAE device to export the optimized (WAN side) TCP flows from its servers to the NAM for monitoring.
• Server—Configures the WAE device to export the original (LAN side) TCP flows from its servers to the NAM for monitoring.
• Passthrough—This setting configures the WAE device to export the TCP flows that are passed through unoptimized.
Step 6
Chapter 1 Configuring the Network Analysis Module Monitoring and Analyzing Traffic
Step 1 Choose Configure > Network Analysis Module > Advanced > Data Sources. The data sources appear.
Step 2 Choose the WAAS custom data source that you want to delete, and click the Delete button. A confirmation dialog box appears to ensure that you want to delete the selected WAAS monitored server.
Step 3 Click OK to delete the WAAS custom data source.
This section provides information about monitoring your network traffic and analyzing the information presented.
This filter is now saved and displayed underneath the Interactive Report. You can save up to five filters.
Setting up Scheduled Exports
You can create a Scheduled Export to have the dashboards extracted regularly and sent to you in CSV or HTML format. You can set up scheduled jobs that will generate a daily report at a specified time, in the specified interval, and then e-mail it to a specified e-mail address.
Traffic Summary
The Top Talkers Summary dashboard allows you to view the Top N Applications, Top N Application Groups, Top N Hosts (In and Out), IP Distribution by Bytes, Top N DSCP, and Top N VLAN that are being monitored on your network. It provides auto-monitoring of traffic from all WAAS devices. You can view the Traffic Summary Dashboard by choosing Monitor > Network Analysis Module > Overview.
When you choose Monitor > Network Analysis Module > Top Talkers Details, you will see the window that assists you in the predeployment process. Use the Interactive Report window to select the traffic you want to analyze for optimization. The window displays the Top Applications, Top Network Links, Top Clients, and Top Servers. Based on the results, you can then configure the WAAS products to optimize your network.
Application
In the Application window, you can see the traffic level for a given application over a selected period of time. It is available under Monitor > Network Analysis Module > Throughput > Application. This window shows you the following:
• A graph of application traffic over time.
• Top hosts that transmit and receive traffic on that application for the selected time period.
Cisco Wide Area Application Services Configuration Guide OL-26579-01
CHAPTER 1 Maintaining Your WAAS System
This chapter describes the tasks that you may need to perform to maintain your WAAS system.
Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.
Chapter 1 Maintaining Your WAAS System Upgrading the WAAS Software
WAAS Central Manager version 5.0.1 can manage WAE devices that are running version 4.2.1 and later releases. Some WAAS Central Manager windows (with new features) are not applicable to WAAS devices that are running a version lower than 5.0.1. If you modify the configuration in such windows, the configuration is saved, but it has no effect on the device until the device is upgraded to version 5.0.1.
Note WAAS version 5.
If you need to downgrade or roll back the WAAS software to a lower version, first downgrade or roll back the WAE devices, then the standby Central Manager (if applicable), and finally the primary Central Manager. For more information about downgrading, see the Release Note for Cisco Wide Area Application Services for your software version.
Manager, you must install the Universal software file, reload the device, change the device mode to central-manager, and then reload the device again. Additionally, kdump analysis functionality is not included in the Accelerator only image.
To configure the software file settings form, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Admin > Version Management > Software Update.
Note During a device reload, any virtual blades running on the device are shut down and may be adversely affected due to a potential incompatibility with the virtualization software. Therefore, you should stop the running images gracefully before reloading.
Step 6 (Optional) Enter comments in the field provided.
Step 7 Click Submit.
The Device Dashboard window appears.
Step 2 Verify that the device is not already running the version to which you plan to upgrade.
Step 3 Click the Update link. The Software Update window appears.
Step 4 Choose the software file URL from the Software Files list by clicking the radio button next to the filename. The list displays only software files with an image type of Universal, because you are upgrading a Central Manager device.
Table 1-2 Upgrade Status Messages (continued)
Upgrade Status Message | Condition
Flash Write in Progress (Completed …) | The write of the device flash memory is being processed. “Completed” indicates the number of megabytes processed.
Flash Write Successful | The flash write of the software file has been successful.
Reloading |
Reload Needed |
Cancelled |
Update Failed |
Chapter 1 Maintaining Your WAAS System Backing Up and Restoring your WAAS System To view the progress of an upgrade, go to the All Devices window (Devices > All Devices) and view the software upgrade status message in the Software Version column. These intermediate messages are also written to the system log on WAAS devices. See Table 1-2 for a description of the upgrade status messages.
Backing Up and Restoring the WAAS Central Manager Database
The WAAS Central Manager device stores WAAS network-wide device configuration information in its Centralized Management System (CMS) database. You can manually back up the CMS database contents for greater system reliability.
Type set to I.
Sending:PASV
Entering Passive Mode (10,86,32,82,112,221)
Sending:CWD /incoming
CWD command successful.
Sending PASV
Entering Passive Mode (10,86,32,82,203,135)
Sending:STOR cms-db-7-22-2008-17-36_4.1.3.0.1.dump
Opening BINARY mode data connection for cms-db-7-22-2008-17-36_4.1.3.0.1.dump.
Transfer complete.
Sent 18155 bytes
Step 3 Restore the CMS database as follows: a.
Note The backup and restore methods described in this section apply only to a WAE device that is not configured as a WAAS Central Manager. For information on backing up the WAAS Central Manager device, see the “Backing Up and Restoring the WAAS Central Manager Database” section on page 1-9.
An installation that contains only the WAAS flash memory-based software, without the corresponding disk-based software, boots and operates in a limited mode, allowing for further disk configuration before completing a full installation. The .sysimg component is provided for recovery purposes and allows for repair of flash memory only without modifying the disk contents. Note The system image used depends on your device.
Caution Option 8 erases the content from all disk drives in your device.
This option performs the following steps:
a. Checks that flash memory is formatted to Cisco specifications. If yes, the system continues to step b. If no, the system reformats the flash memory, which installs the Cisco file system, and generates and installs a platform-specific cookie for the hardware.
b. Erases data from all drives.
c.
The steps for preparing the USB flash drive differ if you are using a Windows or Mac computer.
Step 7 Enter the command sudo dd if=/path/waas-rescue-cdrom-x.x.x.x-k9.iso of=/dev/diskN bs=1m to install the bootable image on the USB flash drive. (path denotes the folder path to the WAAS ISO file, x.x.x.x denotes the WAAS software version number, and N denotes the number of the USB flash drive node.)
Step 8 You may receive a warning message about the sudo command and a prompt to enter your password to proceed.
Step 4 Choose option 2 to prepare the flash memory. This step prepares a cookie for the device and also retrieves the network configuration that was being used by the WAAS software. This network configuration is stored in the flash memory and is used to configure the network when the WAAS software boots up after installation.
Step 5 Choose option 3 to install the flash cookie that you prepared in the previous step.
1: GigabitEthernet 2/0
enter choice: 0
Using interface GigabitEthernet 1/0
Please enter the local IP address to use for this interface:
[Enter IP Address]: 10.1.13.2
Please enter the netmask for this interface:
[Enter Netmask]: 255.255.255.240
Please enter the IP address for the default gateway:
[Enter Gateway IP Address]: 10.1.13.
After the module reboots, it is running the newly installed WAAS software.
Ensuring RAID Pairs Rebuild Successfully
You must ensure that all RAID pairs are done rebuilding before you reboot your WAE device. If you reboot while the device is rebuilding, you risk corrupting the file system.
After a few seconds, the bootloader pauses and prompts you to enter 1 to boot WAAS, r to boot the rescue image, x to reboot, or 9 to escape to the loader prompt. You have 10 seconds to respond before the normal boot process continues.
Step 4 Enter r to boot the rescue image. The rescue image dialog appears and differs depending on whether your WAAS device was initially manufactured with version 4.x or 5.x.
Please enter an interface from the following list:
0: GigabitEthernet 0/0
1: GigabitEthernet 0/1
enter choice: 0
Using interface GigabitEthernet 0/0
Please enter the local IP address to use for this interface:
[Enter IP Address]: 172.16.22.22
Please enter the netmask for this interface:
[Enter Netmask]: 255.255.255.224
Please enter the IP address for the default gateway:
[Enter Gateway IP Address]: 172.16.22.
Copyright (c) 1999-2012 by Cisco Systems, Inc.
Cisco Wide Area Application Services (universal-k9) Software Release 5.0.1 (build b12 May 28 2012)
Version: oe294-5.0.1.12
Compiled 23:23:45 May 28 2012 by damaster
Device Id: 50:3d:e5:9c:8f:a5
System was restarted on Tue May 29 16:35:50 2012.
System restart reason: called via cli.
The system has been up for 8 hours, 10 minutes, 19 seconds.
This command invokes interactive password configuration. Follow the CLI prompts.
Step 6 Save the configuration change:
WAE(config)# exit
WAE# write memory
Step 7 (Optional) Reboot your device:
WAE# reload
Rebooting is optional; however, you might want to reboot to ensure that the boot flags are reset, and to ensure that subsequent console administrator logins do not bypass the password check.
Recovering WAAS Device Registration Information
Device registration information is stored both on the device itself and on the WAAS Central Manager. If a device loses its registration identity or needs to be replaced because of a hardware failure, the WAAS network administrator can issue a CLI command to recover the lost information, or in the case of adding a new device, assume the identity of the failed device.
Chapter 1 Maintaining Your WAAS System Performing Disk Maintenance for RAID-1 Systems If the recovery request matches the device record, then the WAAS Central Manager updates the existing record and sends the requesting device a registration response. The replaceable state is cleared so that no other device can assume the same identity. When the WAAS device receives its recovered registration information, it writes it to file, initializes its database tables, and starts.
Chapter 1 Maintaining Your WAAS System Replacing Disks in RAID-5 Systems • If the replacement disk is for disk00, disk02, or disk04 of a RAID pair, the replacement disk must be the same size as the running disk in the array. • If the replacement disk is for disk01, disk03, or disk05 of a RAID pair, then the replacement disk must have the same or greater RAID capacity as the running disk in the array. Compatibility checks, which are part of the hot-swap process, check for capacity compatibility.
Chapter 1 Maintaining Your WAAS System Configuring the Central Manager Role Note Step 9 The ServeRAID controller automatically starts the rebuild operation when it detects the removal and reinsertion of a drive that is part of the logical RAID drive. Wait until the rebuild operation is complete. You can check if the rebuild operation is complete by using the show disks details command in EXEC mode.
For interoperability, when a standby WAAS Central Manager is used, it must be at the same software version as the primary WAAS Central Manager to maintain the full WAAS Central Manager configuration. Otherwise, the standby WAAS Central Manager detects this status and does not process any configuration updates that it receives from the primary WAAS Central Manager until the problem is corrected.
WAE(config)# central-manager role standby
Step 4 Configure the address of primary Central Manager using the central-manager command:
WAE(config)# central-manager address cm-primary-address
Step 5 Enable the CMS service using the cms command:
WAE(config)# cms enable
Converting a Primary Central Manager to a Standby Central Manager
To convert a primary Central Manager to a standby Central Manager, follow these steps:
Step 1 D
To return halted WAAS Central Managers to an online status, decide which Central Manager should be the primary device and which should be the standby device.
Chapter 1 Maintaining Your WAAS System Enabling Disk Encryption
WAE2# configure
WAE2(config)# central-manager role primary
WAE(config)# cms enable
The CMS service is restarted automatically when you configure a role change.
After you reboot your WAE, the encryption partitions are created using the new key, and any previously existing data is removed from the partition. Any change to the disk encryption configuration, whether to enable or disable encryption, causes the disk to clear its cache. This feature protects sensitive customer data from being decrypted and accessed should the WAE ever be stolen.
Chapter 1 Maintaining Your WAAS System Configuring a Disk Error-Handling Method Configuring a Disk Error-Handling Method Note Configuring and enabling disk error handling is no longer necessary for devices that support disk hot-swap. In WAAS 4.0.13 and later, the software automatically removes from service any disk with a critical error.
Chapter 1 Maintaining Your WAAS System Enabling Extended Object Cache Note If extended object cache is enabled and the device is downgraded to a version prior to 4.2.1, all CIFS cache data, DRE cache data, and virtual blade data is lost. To enable extended object cache using the WAAS Central Manager GUI, follow these steps: Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name). Step 2 Choose Configure > Storage > Extended Object Cache.
Chapter 1 Maintaining Your WAAS System Activating All Inactive WAAS Devices
Table 1-4 WAE-674-8G Platform Disk Cache Sizes
Disk Partition | Extended Object Cache Disabled, Virtual Blade Disabled | Extended Object Cache Disabled, Virtual Blade Enabled | Extended Object Cache Enabled, Virtual Blade Disabled | Extended Object Cache Enabled, Virtual Blade Enabled
DRE Cache | 304 GB | 143 GB | 143 GB | 143 GB
CIFS Object Cache | 96 GB | 96 GB | 310 GB | 275 GB
Virtual Blade | -- | 210 GB | -- | 27 GB
Table 1-5 shows the usable disk cache sizes for the WAVE-694-16G platform.
Chapter 1 Maintaining Your WAAS System Rebooting a Device or Device Group Step 4 Click Submit. The inactive WAEs are reactivated and placed in the specified location. Rebooting a Device or Device Group Using the WAAS Central Manager GUI, you can reboot a device or device group remotely. To reboot an individual device, follow these steps: Step 1 From the WAAS Central Manager menu, choose Devices > device-name. The device Dashboard appears. Step 2 Click the Reload icon in the Device Info pane.
Chapter 1 Maintaining Your WAAS System Performing a Controlled Shutdown If you are running WAAS on a network module that is installed in a Cisco access router, perform a controlled shutdown from the router CLI by using the service-module integrated-service-engine slot/unit shutdown EXEC command. For more details, see the document Configuring Cisco WAAS Network Modules for Cisco Access Routers.
CHAPTER 1 Monitoring and Troubleshooting Your WAAS Network
This chapter describes the monitoring and troubleshooting tools available in the WAAS Central Manager GUI that can help you identify and resolve issues with your WAAS system. For additional advanced WAAS troubleshooting information, see the Cisco WAAS Troubleshooting Guide for Release 4.1.3 and Later on Cisco DocWiki.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Viewing System Information from the System Dashboard Window • Alarm Panel, page 1-3 • Device Alarms, page 1-4 Figure 1-1 shows the System Dashboard window. Figure 1-1 System Dashboard Window The information displayed in the charts in the System Dashboard window is based on a snapshot of your WAAS network that represents the state of your WAE devices at the end of every two polling periods.
• Compression Summary chart—Displays the ten applications with the highest percentage of traffic reduction for the WAAS network for the last hour. The percent calculation excludes pass-through traffic. Numbers shown in charts and graphs are rounded to whole units (KB, MB, or GB), while those displayed in tables are rounded to three decimal places.
To acknowledge an active alarm, follow these steps:
Step 1 In the alarm panel, check the check box next to the name of the alarm that you want to acknowledge.
Step 2 Click the Acknowledge taskbar icon. A dialog box pops up that allows you to enter comments about the alarm.
Step 3 Enter a comment and click OK.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Troubleshooting Devices Using Alerts
Table 1-1 Device Alarms for Reporting Problems
Alarm | Alarm Severity | Device Status | Description
Device is offline | Critical | Offline | The device has failed to communicate with the WAAS Central Manager.
Device is pending | Major | Pending | The device status cannot be determined. This status can appear after a new device is registered but before the first configuration synchronization has been done.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Viewing Device Information Step 3 Choose the troubleshooting tool that you want to use, and click the link. The link takes you to the appropriate window in the WAAS Central Manager GUI. Table 1-2 describes the tools available for device alarms. You can view the Troubleshooting Devices window for all devices by choosing Monitor > Troubleshoot > Alerts from the global context.
Figure 1-4 Devices Window
This window displays the following information about each device:
• Services enabled on the device. See Table 1-3 for a description of these services.
• IP address of the device.
• Management Status (Online, Offline, Pending, or Inactive). For more information about the status, see the “Device Alarms” section on page 1-4.
• Device Status.
Table 1-3 Service Descriptions
Service | Description
CM (Primary) | The device has been enabled as the primary WAAS Central Manager. For information on primary and standby Central Manager devices, see the “Converting a Standby Central Manager to a Primary Central Manager” section on page 1-28.
CM (Standby) | The device has been enabled as a standby WAAS Central Manager.
Figure 1-5 Device Dashboard Window
The Device Dashboard window for a WAAS Express device looks slightly different. It lacks some WAE-specific information and controls. From the Device Dashboard window, you can perform the following tasks:
• View charts and graphs about the application traffic processed by the selected WAE device. (No charts or graphs are displayed if a WAAS Central Manager device is selected.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Customizing a Dashboard or Report • Click the Full Update icon to reapply the device configuration from the Central Manager to the device. (Not available on WAAS Express devices.) • Click the Reload icon to reboot the device. (Not available on WAAS Express devices.) • Click the Restore Default Policies icon to restore the default predefined policies on the device.
Figure 1-6 Report Pane
Taskbar icons and controls across the top of the dashboard or report allow you to do the following:
• Time Frame—Allows you to choose one of the several common time frames from the drop-down list:
  – Last Hour—Displays data for the past hour, in five-minute intervals (default). You can change the interval using the System.monitoring.
When you change the time zone, the change applies globally to all reports. The time zone setting is stored individually for each Central Manager user.
• Save—Saves the dashboard or report with its current settings. The next time you view it, it is displayed with these settings.
• Save As—Saves the report with its current settings under a new name.
Chart-type icons at the bottom of individual charts allow you to choose the chart type as follows (not all controls are available in every chart): column chart, line chart, area chart, stacked line chart, stacked area chart.
Adding a Chart or Table
To add a chart or table to a dashboard or report, follow these steps:
Step 1 From the dashboard or report chart panel, click the Customize icon in the taskbar.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Chart and Table Descriptions Configuring Chart Settings To configure the data presented in a chart, follow these steps: Step 1 Click the Edit icon in the upper right corner of a chart. The Settings window is displayed. Note Step 2 Step 3 Not all settings are available for all chart types.
Note At the device level for WAAS Express devices, only charts for supported accelerators are available. In all charts, pass-through traffic for WAAS Express devices is considered as zero.
Throughput Summary
The Throughput Summary chart displays the amount of average and peak throughput for the LAN-to-WAN (outbound) or WAN-to-LAN (inbound) directions depending on the selected tab. The throughput units (kbps, mbps, or gbps) at the left side vary depending on the range. The Peak Throughput series is not applicable for Last Hour graphs. This chart is available only at the device and location levels.
• HTTP Acceleration Charts, page 1-17
• HTTPS Acceleration Charts, page 1-18
• Video Acceleration Charts, page 1-19
• SSL Acceleration Charts, page 1-20
• MAPI Acceleration Charts, page 1-20
• NFS Acceleration Charts, page 1-22
• SMB Acceleration Charts, page 1-23
• ICA Acceleration Charts, page 1-24
• CIFS Acceleration Charts for WAAS Express, page 1-25
HTTP Acceleration Charts
This section describes
HTTP: Optimization Count
The HTTP Optimization Count chart displays a graph of the number of different kinds of optimizations performed by the HTTP accelerator, which are displayed in different colors. The optimizations included in this chart are fast connection reuse and metadata caching.
HTTPS: Optimization Count
The HTTPS Optimization Count chart displays a graph of the number of different kinds of metadata caching optimizations performed by the HTTPS accelerator, which are displayed in different colors.
HTTPS: Optimization Techniques
The HTTPS Optimization Techniques pie chart displays the different kinds of optimizations performed by the HTTPS accelerator.
Video: Stream Optimization
The Video Stream Optimization chart compares the amounts of traffic incoming from the WAN and outgoing to the LAN. The traffic units (bytes, KB, MB, or GB) at the left side depend on the range.
MAPI: Acceleration Bypass Reason
The MAPI Acceleration Bypass Reason pie chart displays the reasons that encrypted MAPI traffic is not accelerated: acceleration disabled, secret retriever disabled, unsupported cipher, unsupported authentication mechanism, misconfigured domain identity, failure in secret retrieval, general security failure, insufficient system resources, and recovery mode connections.
MAPI: Current Accelerated Client Sessions
The MAPI Current Accelerated Client Sessions pie chart displays the number of encrypted sessions currently being accelerated from different versions (2000, 2003, 2007, and 2010) of the Microsoft Outlook client. Click the Non-Encrypted tab to display the unencrypted session counts.
NFS: Response Time Optimization
The NFS Response Time Optimization chart compares the average time used for local and remote NFS responses. The time units (milliseconds, seconds, or minutes) at the left side depend upon the range.
NFS: Versions Detected
The NFS Versions Detected pie chart displays the number of NFS messages detected for each NFS version (2, 3, and 4).
SMB: Request Optimization
The SMB Request Optimization chart displays the percentage of SMB command responses that use the following optimizations: read ahead, metadata, write, and other.
ICA: Unaccelerated Reasons
The ICA Unaccelerated Reasons chart displays the reasons that ICA traffic is bypassed: unrecognized protocol, unsupported client version, CGP session ID unknown, client on denied list, no resource, and other. Click the Dropped tab to display the reasons that ICA traffic is dropped: unsupported client version, I/O error, no resource, AO parsing error, maximum sessions reached, and other.
Optimized Connections Over Time
The Optimized Connections Over Time chart displays the number of optimized connections over the selected time period. You can show the number of MAPI reserved connections by checking the MAPI Reserved Connections check box. You can customize the chart by choosing specific applications to include; the default is all traffic.
Top 10 AppNav Policies
The Top 10 AppNav Policies pie chart displays the amount of intercepted, distributed, or pass-through traffic processed by the AppNav Cluster or ANC device for the top nine policy rules with the most traffic, depending on which tab you select. Traffic for all other policy rules is grouped together into a tenth category named Other Traffic (shown only if it totals at least 0.
CPU Utilization
The CPU Utilization chart displays the percentage of CPU utilization for the device. This chart is available only when a specific WAAS device is selected. This chart can be added only to the Monitor > Reports > Reports Central > Resource Utilization report page.
Disk Utilization
The Disk Utilization chart displays the percentage of disk utilization for the device.
To get the statistics at the system, location, and device group levels, the Original Inbound, Original Outbound, Optimized Inbound, Optimized Outbound, Pass-through Client, and Pass-through Server bytes of all devices are added together. The Reduction % and Effective Capacity values are calculated using these added values of all devices.
1. The number in the Pass-Through Traffic column represents the amount of traffic that is passed through that particular WAE (or for a location report, all the devices in the location).
Table 1-7 HTTPS Acceleration Statistics Table
Table Column | Description and Formulas Used to Calculate Value
Device | The device name. (Appears only at the system level.)
Start Time and End Time | Start and end times for the time period. (Appears only at the device level.)
New Connections Handled | Reports the number of HTTPS connections handled for the time period.
Table 1-9 MAPI Acceleration Statistics Table
Table Column | Description and Formulas Used to Calculate Value
Device | The device name. (Appears only at the system level. WAAS Express devices are not included.)
Start Time and End Time | Start and end times for the time period. (Appears only at the device level.)
New Connections Handled | Reports the number of MAPI connections handled for the time period.
Table 1-10 NFS Acceleration Statistics Table
Table Column | Description and Formulas Used to Calculate Value
Avg. Remote Response Time | Reports the average time used for remote responses, in milliseconds.
% Time Saved | Reports the percentage of connection time saved for all aggregated samples. (Down – Up) * 100 / (Down) If(Down != 0) where: Down = (New local request count + New remote request count) * Avg.
Table 1-12 SSL Acceleration Statistics Table
Table Column | Description
Device | The device name. (Appears only at the system level.)
Start Time and End Time | Start and end times for the time period. (Appears only at the device level.)
New Connections Handled | Reports the number of SSL connections handled for the time period.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Using Predefined Reports to Monitor WAAS
Table 1-14 CIFS Acceleration Statistics Table
Table Column | Description and Formulas Used to Calculate Value
Bypassed Connections | Reports the number of connections initially received by the CIFS accelerator and then pushed down to the generic accelerator.
Total Time Saved | Reports the amount of time saved due to CIFS optimization.
The following predefined reports are available only at the device level:
• Optimization
  – Connections Statistics Report, page 1-40
• Acceleration
  – CIFS Acceleration Report, page 1-41 (not available for a WAAS Express device)
  – CIFS Acceleration Report for WAAS Express, page 1-42 (available only for a WAAS Express device)
• Platform (not available at the WAAS Express device level)
  – Resource Utilizati
• Compression Summary, page 1-15
• Traffic Summary Over Time, page 1-16
• Compression Summary Over Time, page 1-15
• Throughput Summary, page 1-16 (included only at the device and location levels)
• Traffic Summary Table, page 1-29
HTTP Acceleration Report
The HTTP Acceleration report displays the HTTP acceleration statistics.
SSL Acceleration Report
The SSL Acceleration report displays the SSL acceleration statistics.
• SMB: Effective WAN Capacity, page 1-23
• SMB: Connection Details, page 1-23
• SMB: Request Optimization, page 1-24
• SMB: Response Time Savings, page 1-24
• SMB: Client Average Throughput, page 1-23
• SMB: Versions Detected, page 1-24
• SMB Acceleration Statistics Table, page 1-33
ICA Acceleration Report
The ICA Acceleration report displays the ICA acceleration statistics.
The Summary Report can be customized to display the charts that you require. Use the Customize taskbar icon to select the charts that you want to be displayed on this report. Only 12 charts can be displayed in the report.
Topology Report
The Topology report at the system level displays a topology map that shows a graphical representation of all the connections between the WAAS devices.
Note
• Applied Policy/Bypass Reason—Displays icons representing the applied optimization policies, including TFO, DRE, LZ, and an application accelerator, respectively (hover your mouse over the icon to see its meaning). If the connection was not optimized, the bypass reason is shown.
• Connection Start Time—Date and time when the connection was started.
Chapter 1 Monitoring and Troubleshooting Your WAAS Network Using Predefined Reports to Monitor WAAS Note • CIFS: Cache Utilization—Displays the utilization percentage of the CIFS cache. • CIFS: Cached Objects—Displays the number of objects in the CIFS cache. • CIFS: Client Average Throughput—Displays the average throughput (in KB/second) between the WAAS device and its clients.
From this window, you may save all disk information details to an Excel spreadsheet by clicking the Export Table icon in the taskbar.

AppNav Report
The AppNav report displays AppNav flow distribution information. This report is available at the AppNav Cluster level, where it shows statistics for the whole AppNav Cluster, and at the device level for AppNav Controllers (ANCs), where it shows statistics for a single ANC.

Creating Custom Reports
A report consists of up to eight charts and tables. The system and device dashboard displays are examples of predefined reports, along with the other reports available in the Monitor menu. Reports can be created only at the system level, not at the device level.
To create a custom report, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Monitor > Reports > Reports Central.

b. You can customize report settings such as the time frame and the time zone as described in the “Customizing a Dashboard or Report” section on page 1-10.
c. Click the Edit icon in the upper left of a chart to customize the chart settings. For more information, see the “Configuring Chart Settings” section on page 1-14.
d. Click OK.
Repeat the steps for each chart you want to customize.
Scheduling Reports
You can schedule reports to be generated once or periodically such as daily, weekly, or monthly. When a scheduled report is generated, a copy of the report can be e-mailed.
To schedule a report, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Monitor > Reports > Reports Central.
Step 2 Check the box next to the report that you want to schedule.

Step 11 In the Select drop-down list, choose Device(s), DeviceGroup, Cluster, or Location to display a list of the chosen entities.
Step 12 In the Select entity area, choose the devices that are to be included in the statistics for the report. Place a check in the box next to each device, device group, cluster, or location that you want to include.

Any reports scheduled by an external user are deleted if the maximum limit of days without a login passes and the user is deleted. For more information, see the cdm.remoteuser.deletionDaysLimit system configuration property in Table 1-4 on page 1-18.
Step 4 Check the Enable check box.
Step 5 In the tcpstat-v1 Host field, enter the IP address of the monitoring agent console. This configuration allows the WAE to establish a temporary connection (a control connection) to the console for the purpose of obtaining the IP address of the collector device. You must configure the collector IP address information from the console device.

Example Using NetQoS for Flow Monitoring
NetQoS integrates with the WAAS software by running the NetQoS FlowAgent on WAE devices. FlowAgent is a software module developed by NetQoS that resides on the WAE appliance. The FlowAgent collects metrics about the packet flows, which are then sent across the network to a NetQoS SuperAgent.
To enable system logging, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Monitoring > Log Settings > System Log. The System Log Settings window appears. (See Figure 1-10.

d. In the Recycle field, specify the size of the syslog file (in bytes) that can be recycled when it is stored on a disk. The default value of the file size is 10000000. Whenever the current log file size surpasses the recycle size, the log file is rotated. (The default recycle size for the log file is 10,000,000 bytes.) The log file cycles through at most five rotations, and each rotation is saved as log_file_name.

Table 1-16 System Logging Priority Levels and Descriptions (continued)

Priority Code | Condition | Description
5 | Notice | Normal but significant conditions.
6 | Information | Informational messages.
7 | Debug | Debugging messages.

Multiple Hosts for System Logging
Each syslog host can receive different priority levels of syslog messages.
Figure 1-11 Transaction Log Settings Window

Step 3 Under the General Settings heading, check the TFO Transaction Log Enable check box to enable transaction logging. This check box does not appear for video transaction logging. The fields on the window become active.
Step 4 In the Access Control List Name field, optionally enter the name of an access control list that you want to use to limit transaction logging.

Table 1-17 Export Settings

Field | Function
Enable Export | Enables transaction logging to be exported to an FTP server.
Compress Files before Export | Enables compression of archived log files into gzip format before exporting them to external FTP servers.
Export occurs every (interval) | Interval at which the working log should be cleared by moving data to the FTP server.

Because multiple archive files are saved, the filename includes the time stamp when the file was archived. Because the files can be exported to an FTP/SFTP server, the filename also contains the IP address of this WAAS device. The archive filenames for TFO transactions use this format: tfo_IPADDRESS_YYYYMMDD_HHMMSS.txt.
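The archive naming scheme above lets the server that receives the exports confirm that every WAAS device keeps delivering transaction logs. The following Python code is an added example, not part of the Cisco guide: it strictly validates names of the form tfo_IPADDRESS_YYYYMMDD_HHMMSS.txt, rejects everything else, and reports per-device delivery gaps. The optional .gz suffix for compressed exports, the function names, the constructed sample listing and the one-hour expected interval are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Documented archive name: tfo_IPADDRESS_YYYYMMDD_HHMMSS.txt
# Assumption: a trailing ".gz" when "Compress Files before Export" is enabled.
ARCHIVE_RE = re.compile(r"tfo_([0-9.]+)_(\d{8})_(\d{6})\.txt(\.gz)?")


def parse_archive_name(name):
    """Return (device_ip, archived_at, compressed), or None when the name is
    not a well-formed TFO archive name.

    fullmatch() anchors both ends, so directory components and extra
    suffixes are rejected rather than silently ignored.
    """
    m = ARCHIVE_RE.fullmatch(name)
    if m is None:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
        stamp = datetime.strptime(m.group(2) + m.group(3), "%Y%m%d%H%M%S")
    except ValueError:
        # Out-of-range octet, month 13, hour 25 and similar.
        return None
    return str(ip), stamp, m.group(4) is not None


def index_archives(names, max_gap):
    """Group archive names by device and flag delivery gaps.

    Returns (report, rejected). report maps device IP to the archive count,
    the latest archive time, and every pair of consecutive archives that lie
    more than max_gap apart. rejected lists the names that failed validation.
    """
    per_device = defaultdict(list)
    rejected = []
    for name in names:
        parsed = parse_archive_name(name)
        if parsed is None:
            rejected.append(name)
        else:
            per_device[parsed[0]].append(parsed[1])

    report = {}
    for ip, stamps in per_device.items():
        stamps.sort()
        gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
        report[ip] = {"count": len(stamps), "latest": stamps[-1], "gaps": gaps}
    return report, rejected


# Constructed sample directory listing (not taken from a real device).
SAMPLE_LISTING = [
    "tfo_192.0.2.10_20240301_000000.txt",
    "tfo_192.0.2.10_20240301_010000.txt",
    "tfo_192.0.2.10_20240301_040000.txt",      # three hours after the previous one
    "tfo_192.0.2.20_20240301_003000.txt.gz",
    "tfo_192.0.2.999_20240301_000000.txt",     # invalid octet
    "tfo_192.0.2.10_20241301_000000.txt",      # month 13
    "../tfo_192.0.2.10_20240301_000000.txt",   # directory component
    "tfo_192.0.2.10_20240301_000000.txt.exe",  # unexpected suffix
]

if __name__ == "__main__":
    report, rejected = index_archives(SAMPLE_LISTING, timedelta(hours=1))
    for ip, info in sorted(report.items()):
        print(ip, info["count"], "archives, latest", info["latest"])
        for start, end in info["gaps"]:
            print("  gap:", start, "->", end)
    print("rejected:", rejected)
```

Set max_gap to the export interval configured on the device plus some slack; a device whose latest archive is older than that, or whose name never appears, is the case to investigate.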
– Size Truncation—Limits the messages in the log to the number you specify. The log uses a first in, first out process to remove old messages once the log reaches the specified number.
– Date Truncation—Limits the messages in the log to the number of days you specify.
– Message Truncation—Removes messages from the log that match the specified pattern.
c.

To view events that have occurred on your entire WAAS network, see the “Viewing the System Message Log” section on page 1-56.
To view the logged information for a WAAS device, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Admin > History > Logs. The System Message Log for Device window appears.

Step 3 Check the Enable check box to enable the kernel debugger, and click Submit. By default, this option is disabled.
For tests that fail, error messages describe the problem and provide recommended solutions. You can run the same diagnostic tests again and refresh the results by clicking the Refresh icon in the taskbar. To print the results, click the Print icon in the taskbar.

Diagnostic Testing Using the CLI
You can use the test EXEC command to perform diagnostic and connectivity tests.

Using the show and clear Commands from the WAAS Central Manager GUI
To use the WAAS Central Manager GUI show and clear command tool, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name.
Step 2 Choose Monitor > CLI Commands > Show Commands or Clear Commands.
Step 3 From the drop-down list, choose a show or clear command.
Step 4 Enter arguments for the command, if any.
Cisco Wide Area Application Services Configuration Guide, OL-26579-01
CHAPTER 1 Configuring SNMP Monitoring

This chapter describes how to configure SNMP traps, recipients, community strings and group associations, user security model groups, and user access permissions.

Note Throughout this chapter, the term WAAS device is used to refer collectively to the WAAS Central Managers and WAEs in your network. The term WAE refers to WAE appliances, WAE Network Modules (the NME-WAE family of devices), and SM-SRE modules running WAAS.

• SNMP agent—A software module that resides on a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. The SNMP agent gathers data from the Management Information Base (MIB), which is the repository for information about device parameters and network data. The agent can also send traps, or notification of certain events, to the management system.
Figure 1-1 SNMP Components in a WAAS Network (diagram labels: SNMP management station (SNMP trap host), SNMP requests, WAAS Central Manager GUI, SNMP traps and statistics, WAE, WAAS CLI, Local management database, SNMP agent)

Supported SNMP Versions
The WAAS software supports the following versions of SNMP:
• Version 1 (SNMPv1)—This is the initial implementation of SNMP. See RFC 1157 for a full description of its functionality.
SNMPv3 provides security models as well as security levels. A security model is an authentication process that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security process is used when an SNMP packet is handled. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3.

• EVENT-MIB
• HOST-RESOURCES-MIB
• IF-MIB
• MIB-II
• SNMP-COMMUNITY-MIB
• SNMP-FRAMEWORK-MIB
• SNMP-NOTIFICATION-MIB
• SNMP-TARGET-MIB
• SNMP-USM-MIB
• SNMPv2-MIB
• SNMP-VACM-MIB

CISCO-APPNAV-MIB
This MIB provides information about AppNav objects.

• cAppNavSNIpAddrType
• cAppNavSNIpAddr
• cAppNavSNServContextName
• cAppNavSNSNGName
• cAppNavSNCurrentCMState

CISCO-CDP-MIB
This MIB displays the ifIndex value of the local interface. For 802.3 repeaters on which the repeater ports do not have ifIndex values assigned, this value is a unique value for the port and is greater than any ifIndex value supported by the repeater.

CISCO-SMI
This is the MIB module for Cisco Enterprise Structure of Management Information. There is nothing to query in this MIB; it describes the structure of Cisco MIBs.

CISCO-WAN-OPTIMIZATION-MIB
This MIB provides information about the status and statistics associated with optimization and the application accelerators.
The following SMB application accelerator statistics objects are supported:
• cwoAoSmbxStatsBytesReadCache
• cwoAoSmbxStatsBytesWriteCache
• cwoAoSmbxStatsBytesReadServer
• cwoAoSmbxStatsBytesWriteServer
• cwoAoSmbxStatsBytesReadClient
• cwoAoSmbxStatsBytesWriteClient
• cwoAoSmbxStatsProcessedReqs
• cwoAoSmbxStatsActiveReqs
• cwoAoSmbxStatsTotalTimedOutReqs
• cwoAoSmbxStatsTotalRemoteReqs
• cwoAoSmbxStatsTotalLocalReqs
• cwoAoSmbxSta

• cwoAoMapixStatsEncrARRT
• cwoAoMapixStatsTotalEncrLRs
• cwoAoMapixStatsTotalEncrRRs
• cwoAoMapixStatsEncrAvgRedTime

The following NFS application accelerator statistics objects are supported:
• cwoAoNfsxStatsALRT
• cwoAoNfsxStatsARRT
• cwoAoNfsxStatsTotalLRs
• cwoAoNfsxStatsTotalRRs
• cwoAoNfsxStatsEstTimeSaved

The following video application accelerator statistics objects are supported:
• cwoAoVideoxStatsTotalInBytes
• cwoAoVideoxSta
• entityPhysicalGroup
• entityLogicalGroup
The entConfigChange notification is supported.

EVENT-MIB
This MIB defines event triggers and actions for network management purposes. The MIB is published as RFC 2981.

HOST-RESOURCES-MIB
This MIB manages host systems. The term “host” implies any computer that communicates with other similar computers connected to the Internet.

SNMP-COMMUNITY-MIB
This MIB is documented in RFC 2576.

SNMP-FRAMEWORK-MIB
This MIB is documented in RFC 2571.

SNMP-NOTIFICATION-MIB
This MIB is documented in RFC 3413.

SNMP-TARGET-MIB
This MIB is documented in RFC 3413.

SNMP-USM-MIB
This MIB is documented in RFC 2574.

SNMPv2-MIB
This MIB is documented in RFC 1907.
The SNMP agent on a WAAS device is enabled when you define the SNMP community string on the device. The WAAS Central Manager GUI allows you to define the SNMP community string on a device or device group.
If the SNMPv3 protocol is going to be used for SNMP requests, the next step is to define an SNMP user account that can be used to access a WAAS device through SNMP.

Preparing for SNMP Monitoring
Before you configure your WAAS network for SNMP monitoring, complete the following preparation tasks:
• Set up the SNMP host (management station) that the WAAS devices will use to send SNMP traps.
• Determine if all your WAAS devices will be sending traps to the same host, or to different hosts. Write down the IP address or hostname of each SNMP host.
Figure 1-2 SNMP General Settings Window

Table 1-3 SNMP General Settings

GUI Parameter | Function
Traps |
Enable Snmp Settings | Enables SNMP traps.
WAE | Enables SNMP WAE traps:
  • Disk Read—Enables disk read error trap.
  • Disk Write—Enables disk write error trap.
  • Disk Fail—Enables disk failure error trap.
  • Overload Bypass—Enables WCCP overload bypass error trap.
  • Transaction Logging—Enables transaction log write error trap.

Table 1-3 SNMP General Settings (continued)

GUI Parameter | Function
WAE Alarm | Enables WAE alarm traps:
  • Raise Critical—Enables raise-critical alarm trap
  • Clear Critical—Enables clear-critical alarm trap
  • Raise Major—Enables raise-major alarm trap
  • Clear Major—Enables clear-major alarm trap
  • Raise Minor—Enables raise-minor alarm trap
  • Clear Minor—Enables clear-minor alarm trap
Enables SNMP entity traps.
Enables the Event MIB.

Note If you override the device group settings from the SNMP General Settings window, the Central Manager deletes the SNMP community, SNMP group, SNMP user, SNMP view, and SNMP host settings. You are asked to confirm this behavior.

To define additional SNMP traps for other MIB objects of interest to your particular configuration, see the “Defining SNMP Traps” section on page 1-16.
Table 1-4 Creating New SNMP Trigger Settings (continued)

GUI Parameter | Function
Test | Test used to trigger the SNMP trap. Choose one of the following tests:
  • absent—A specified MIB object that was present at the last sampling is no longer present as of the current sampling.
  • equal—The value of the specified MIB object is equal to the specified threshold.
Sample Type |

Step 4

Step 5 Click Submit. The new SNMP trigger is listed in the SNMP Trigger List window.

You can edit an SNMP trigger by clicking the Edit icon next to the MIB name in the SNMP Trigger List Entries window.
You can delete an SNMP trigger by clicking the Edit icon next to the MIB name and then clicking the Delete taskbar icon.

Note If you delete any of the default SNMP triggers, they will be restored after a reload.
Table 1-5 SNMP Host Settings

GUI Parameter | Function
Trap Host | Hostname or IP address of the SNMP trap host that is sent in SNMP trap messages from the WAE. This is a required field.
Community/User | Name of the SNMP community or user (64 characters maximum) that is sent in SNMP trap messages from the WAE. This is a required field.
Authentication |

Step 3 In the taskbar, click the Create New SNMP Community String icon. The Creating New SNMP Community String window appears. Table 1-6 describes the fields in this window.

Table 1-6 SNMP Community Settings

GUI Parameter | Function
Community | Community string used as a password for authentication when you access the SNMP agent of the WAE.
Group name/rw |
Group Name |
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Monitoring > SNMP > View. The SNMP Views window appears.
Step 3 In the taskbar, click the Create New View icon. The Creating New SNMP View window appears. Table 1-7 describes the fields in this window.

Table 1-8 SNMP Group Settings

GUI Parameter | Function
Name | Name of the SNMP group. You can enter a maximum of 64 characters. This is a required field.
Sec Model | Security model for the group. Choose one of the following options from the drop-down list:
  • v1—Version 1 security model (SNMP Version 1 [noAuthNoPriv]).
  • v2c—Version 2c security model (SNMP Version 2 [noAuthNoPriv]).
  • v3-auth—User security level SNMP Version 3 AuthNoPriv.
To define a user who can access the SNMP engine, follow these steps:
Step 1 From the WAAS Central Manager menu, choose Devices > device-name (or Device Groups > device-group-name).
Step 2 Choose Configure > Monitoring > SNMP > User. A list of SNMP users for the device or device group appears.
Step 3 In the taskbar, click the Create New SNMP User icon. The Creating New SNMP User window appears. Table 1-9 describes the fields in this window.

Step 4 In the appropriate fields, enter the username, the group to which the user belongs, the engine identity of the remote entity to which the user belongs, the authentication algorithm used to protect SNMP traffic from tampering, the user authentication parameters, and the authentication parameters for the packet.
Step 5 Click Submit.

Step 1 From the WAAS Central Manager menu, choose Devices > device-name. (This setting is not supported from device groups.)
Step 2 Choose Configure > Monitoring > SNMP > Trap Source. The SNMP Trap Source Settings window appears.
Step 3 From the Trap Source drop-down list, choose the interface to be used as the trap source.
APPENDIX 1 Predefined Optimization Policy

The WAAS software includes over 200 predefined optimization policy rules that help your WAAS system classify and optimize some of the most common traffic on your network. Table 1-1 lists the predefined applications and class maps that WAAS will either optimize or pass through based on the policy rules that are provided with the system.

• Application accelerator—A collection of individual application accelerators for the following traffic types: CIFS, EPM, HTTP, ICA, MAPI, NFS, SSL, and streaming video. (Some application accelerators are not available on WAAS Express devices.)
Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
sip-tls | Passthrough | 5061
VoIP-Control | Passthrough | 1718, 1719, 11000–11999
 | LZ+TFO+DRE+ CIFS accelerator | 139, 445
Citrix-ICA (monitored) | TFO+ ICA accelerator | 1494
Citrix-CGP (monitored) | TFO+ ICA accelerator | 2598
cuseeme | Passthrough | 7640, 7642, 7648, 7649
ezMeeting | Passthrough | 10101–10103, 26260, 26261
MS-NetMeeting (monitored) | Passthrou

Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
imap | LZ+TFO+DRE | 143
imap3 | LZ+TFO+DRE | 220
imaps | TFO | 993
iso-tsap | LZ+TFO+DRE | 102
lotusnote | LZ+TFO+DRE | 1352
 | LZ+TFO+DRE+ MAPI accelerator | UUID:a4f1db00-ca47-1067-b31f-00dd010662da
 | LZ+TFO+DRE | 3000, 3001
 | Passthrough | UUID:f5cc5a18-4264-101a-8c59-08002b2f8426
MS-Exchange-Directory-RFR1 | Passthrough | UUID:1544f5e0-613c-11d1-93df-00c04fd7 bd0

Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
ftp (monitored) | Passthrough | 21
 | LZ+TFO+DRE | 20 (source port)
 | TFO | 990
 | Passthrough | 989 (source port)
sftp | LZ+TFO+DRE | 115
TFTP | LZ+TFO+DRE | 69
TFTPS | TFO | 3713
AOL | Passthrough | 5190–5193
Apple-iChat | Passthrough | 5297, 5298
ircs | Passthrough | 994
ircu | Passthrough | 531, 6660–6665, 6667–6669
msnp | Passthrough | 1863, 6891–6900
sametime | Passt
Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
Other-Secure | Passthrough | 261, 448, 695, 994, 2252, 2478, 2479, 2482, 2484, 2679, 2762, 2998, 3077, 3078, 3183, 3191, 3220, 3410, 3424, 3471, 3496, 3509, 3529, 3539, 3660, 3661, 3747, 3864, 3885, 3896, 3897, 3995, 4031, 5007, 7674, 9802, 12109
ssc-agent | LZ+TFO+DRE | 2847, 2848, 2967, 2968, 38037, 38292
Unclassified | LZ+TFO+DRE |
P2P (monitored) BitTorre

Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
laplink | LZ+TFO+DRE-unidirectional | 1547
Laplink-surfup-HTTPS | TFO | 1184
ms-wbt-server (monitored) | TFO | 3389
net-assistant | Passthrough | 3283
netrjs-3 | TFO | 73
pcanywheredata | TFO | 5631, 5632, 65301
radmin-port | TFO | 4899
Remote-Anything (monitored) | TFO | 3999, 4000
timbuktu | TFO | 407
timbuktu-srv | TFO | 1417–1420
Vmware-VMConsole | TFO | 902
VNC

Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
 | LZ+TFO+DRE | UUID:3f99b900-4d87-101b-99b7-aa0004007f07
ms-sql-s (monitored) | LZ+TFO+DRE | 1433
MySQL | LZ+TFO+DRE | 3306
Oracle | LZ+TFO+DRE | 66
orasrv | LZ+TFO+DRE | 1521, 1525
Pervasive-SQL | LZ+TFO+DRE | 1583
PostgreSQL | LZ+TFO+DRE | 5432
sqlexec | LZ+TFO+DRE | 9088, 9089
sql-net | LZ+TFO+DRE | 150
sqlserv | LZ+TFO+DRE | 118
sqlsrv | LZ+TFO+DRE | 156
ssql | L

Table 1-1 Predefined Traffic Policy Rules (continued)

Application/Class Map | WAAS Action | Destination Ports
LANDesk | LZ+TFO+DRE | 9535, 9593–9595
NetIQ | Passthrough | 2220, 2735, 10113–10116
Netopia-netOctopus | Passthrough | 1917, 1921
netviewdm | Passthrough | 729–731
novadigm | LZ+TFO+DRE | 3460, 3461, 3464
novell-zen | LZ+TFO+DRE | 1761–1763, 2037, 2544, 8039
objcall | LZ+TFO+DRE | 94, 627, 1965, 1580, 1581
WBEM | Passthrough | 5987–5990
Clearcase | LZ+TFO+DRE | 37
APPENDIX 1 Transaction Log Format

You can use the transaction logging feature to log individual TCP transactions for a WAAS device. For information on configuring transaction logging, see the “Configuring Transaction Logging” section on page 1-53.
TFO transaction logs are kept on the local disk in the directory /local1/logs/tfo.

Table 1-1 Transaction Log Field Descriptions (continued)

Field | Description
Dst_IP, Dst_Port | Destination IP address and port number for connection.
OT | Indicates an optimized connection.
BP | Indicates a pass-through connection.
SODRE | Indicates a log message generated by TFO.
Log_type | START or END indicates the start or end of the flow.

Table 1-1 Transaction Log Field Descriptions (continued)

Field | Description
Original_bytes_written | Bytes written on the original side of the connection.
Optimized_bytes_read | Bytes read on the optimized side of the connection.
Optimized_bytes_written | Bytes written on the optimized side of the connection.
RESTART | Indicates that the WAE was reloaded and the transaction log process was started.
Mon Feb :246 2 14:49:41 2009 :28 :2.75.52.131 :4390 :2.75.52.2 :80 :OT :END :EXTERNAL CLIENT :(HTTP) :0 :0 :468

Pass-Through Connection
Thu Jul 24 03:09:34 2008 :2.75.52.130 :40027 :2.75.52.