WAAS Branch Design Assistance

chuckholley
Level 1

Hi,


I have a drawing attached of the branch office current setup.

Issue: At my data center I have a WAE set up using the Aggregation Layer design model with WCCP. The WCCP statements are on the specific VLANs and on the inside interface of my WAN router.

At the branch, I have an ACL which specifies permits for the user subnet at the branch and the VLAN subnets at the data center in both directions. One ACL specifying subnets in both directions. I have this ACL assigned to the WCCP 61 and 62 services. When I place the WCCP statements on the interfaces shown, basically it cannot access the subnets specified in the ACL.

I see traffic being redirected, but it seems to be a black hole. The 4506 I have at the office does not support WCCP.

When i look at documentation on this, I get different answers it seems. Some assistance would be greatly appreciated. 

Thanks

Chuck


12 Replies

Natalie Ramirez
Level 1

Hey Chuck,

Can we see the pertinent parts of the IOS config (specifically the ACL and how it is applied) and the WAAS WCCP config? Also the output of "show ip wccp" from the router? And "sh wccp routers" from the WAE674?

This is probably not relevant, but why does the router show an address of 10.8.0.129? If that is with a /25, then it would overlap with 10.8.0.254/30.

Thanks for the reply! The address is a loopback, so it is a /32. It is also the Router ID for WCCP. I do not have the WCCP statements on the interfaces at the moment because of the issue I stated earlier.

sh run | s wccp
ip wccp 61 redirect-list 100
ip wccp 62 redirect-list 100

Extended IP access list 100
    10 permit ip 10.8.2.0 0.0.1.255 10.12.12.0 0.0.0.255 (931480 matches)
    20 permit ip 10.8.2.0 0.0.1.255 10.12.72.0 0.0.0.255 (38428275 matches)
    30 permit ip 10.12.12.0 0.0.0.255 10.8.2.0 0.0.1.255 (1274186 matches)
    40 permit ip 10.12.72.0 0.0.0.255 10.8.2.0 0.0.1.255 (36234914 matches)

sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   10.8.0.129
        Protocol Version:                    2.0

    Service Identifier: 61
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        39357428
          Process:                           0
          CEF:                               39357428
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                100
        Total Packets Denied Redirect:       3768303850
        Total Packets Unassigned:            50
        Group Access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 35521114

    Service Identifier: 62
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        37511294
          Process:                           0
          CEF:                               37511294
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect Access-list:                100
        Total Packets Denied Redirect:       2328347504
        Total Packets Unassigned:            83
        Group Access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 43113137

sh wccp routers
Router Information for Service Id: 61
        Routers Seeing this Wide Area Engine(1)
        Router Id       Sent To
        10.8.0.129      10.8.0.129
        Routers not Seeing this Wide Area Engine
                -NONE-
        Routers Notified of from other WAE's
                -NONE-

Router Information for Service Id: 62
        Routers Seeing this Wide Area Engine(1)
        Router Id       Sent To
        10.8.0.129      10.8.0.129
        Routers not Seeing this Wide Area Engine
                -NONE-
        Routers Notified of from other WAE's

I figured it was going to be your access list, but there is nothing wrong with your access list. Your configuration looks good on the router there.

The router appears to be sending/receiving and processing data received from the WAE.

Unfortunately, I do not have a solution for you, so I will tell you what I am doing differently from you that is working:

My WAE is on the same subnet as my router, and the WCCP is connected via L2 as opposed to GRE. Moving the WAE to the same subnet as the router may be a quick fix to the problem; to reduce the number of changes to be made, maybe just plug it directly into one of the extra Ethernet ports on the 3925.

Beau,

My router is connected via L3 to the switch using a /30, so I cannot put it in the same subnet, unfortunately. However, I do have an open port; my question is how that design would work. I do not want to use PBR, I would rather use WCCP as that would be consistent with the others out there.

So how would that look?

Thanks

It is not configured any differently than you already have it configured. It will just negotiate L2 as opposed to GRE when it sees it is on the same subnet.

If I were doing this remotely, I would change the IP address on the WAE to a /30, then have a local user move the cable to the open port on the router. Set the /30 address on that interface on the router, telnet from the router to the WAE and change the default gateway.

When WCCP negotiates between the router and the WAE, it will negotiate L2 as opposed to GRE.

"sh ip wccp summary" will show that it came up L2.

Re-enable the WCCP and see if you get acceleration or locked out.

When I have a spare port on a router to do this, there is no need to configure an access list (for me anyway) because I want to accelerate all traffic coming in the WAN interface and all the traffic coming in the LAN interface, and nothing coming from the WAE interface. I only create access lists when my WAE is on the same interface as my users, to prevent loops.

Forgot to mention... changing the IP address on the WAE will cause the CM to not acknowledge it anymore. On the WAE, run the command "cms deregister force" and then "cms enable" again.

Also, the 3925 router has MDIX ports, so there is no need for a crossover cable.
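The spare-port design from the accepted answer, written out as an added configuration example. This is not configuration from the original post or from Cisco documentation, and several details are assumptions: the spare port is GigabitEthernet0/2, the new point-to-point link is 10.8.0.248/30 (router .249, WAE .250), Gi0/0 is the WAN side, Gi0/1 is the existing /30 toward the 4506, the WAE's active port is GigabitEthernet 1/0, and the loopback 10.8.0.129 stays the WCCP router ID. ACL 100 is the one already posted above. The `group-list 10` and `password` lines are optional hardening that the poster's configuration does not have; they restrict which device may join service groups 61/62 and authenticate the WCCP control messages, which is what keeps a stray or rogue host on the LAN from advertising itself as a cache and pulling branch traffic through it.

```cisco
! ===== Branch 3925 (IOS) =====
! Only the WAE on the spare port may join the service groups (assumed address).
access-list 10 permit 10.8.0.250
!
! Same two service groups as before; redirect-list 100 is the posted ACL.
! group-list / password are optional hardening, not in the original config.
ip wccp 61 redirect-list 100 group-list 10 password 0 Br4nchW43
ip wccp 62 redirect-list 100 group-list 10 password 0 Br4nchW43
!
interface Loopback0
 description WCCP router ID (unchanged)
 ip address 10.8.0.129 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN (assumed)
 ! service 62: DC-to-branch traffic arriving from the WAN
 ip wccp 62 redirect in
!
interface GigabitEthernet0/1
 description Existing /30 to the 4506 (assumed)
 ! service 61: branch-to-DC traffic arriving from the users
 ip wccp 61 redirect in
!
interface GigabitEthernet0/2
 description Spare port, WAE attached directly (assumed new /30)
 ip address 10.8.0.249 255.255.255.252
 ! never re-redirect packets the WAE sends back; this is the loop guard
 ip wccp redirect exclude in
 no shutdown
!
! Verify after the WAE comes up:
!   show ip wccp summary       -> poster reports this shows L2
!   show ip wccp 61 detail     -> "Forwarding: L2" / "GRE" and the client's state
!   show ip wccp               -> "Total Packets Denied Redirect" should stop
!                                 climbing for traffic that matches ACL 100

! ===== WAE-674 (WAAS CLI), entered after the cable is moved =====
interface GigabitEthernet 1/0
 ip address 10.8.0.250 255.255.255.252
 exit
ip default-gateway 10.8.0.249
!
wccp router-list 1 10.8.0.129
! password must match the router side if you use the optional hardening above
wccp tcp-promiscuous router-list-num 1 password Br4nchW43
wccp version 2
!
! The address change breaks Central Manager registration; re-register:
cms deregister force
cms enable
!
! Verify: show wccp routers  -> 10.8.0.129 under "Routers Seeing this Wide Area Engine"
```

Two things to check before trusting it. If the router reports the service group as GRE rather than L2, the WAAS release in use may require L2 to be requested explicitly with the `l2-redirect` keyword on the `wccp tcp-promiscuous` line (assumption about the installed version; confirm against its command reference). And once `group-list` and `password` are in place, a non-zero "Total Messages Denied to Group" or "Total Authentication failures" in `show ip wccp` means a device other than the intended WAE is trying to join the group, which is worth investigating rather than loosening.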

OK,  I will give this a shot and let you know how it works.

Thanks

We connect the WAE through an L3 switch as well and use the loopback as the router ID. The only difference is that the routers connected to the L3 switch are on an access port in their own management VLAN; yours is a /30 routed port. It will work for sure if it is an access port in its own VLAN, or even in the WAAS VLAN as well.

good luck

OK, I have not had a chance to get back to this, however I should be able to this week. On the WAAS at the data center I am now seeing "asymmetric connections count more than 1000". I am not sure what that means?

Thanks

That basically means the path from destination to source is different from the path from source to destination. If you look at it logically, you assume that it uses the same path going each direction, but if you take one of those sessions that are in passthrough asymmetric and run a traceroute from the source to the destination, then a traceroute from the destination to the source, you will probably find that there is a discrepancy, usually right at one of the ends of the connection.

You need to ensure that the path is the same on both ends to ensure that the WAAS device can properly intercept and forward the traffic.

Your traceroute will show you, more than likely, that a default gateway on one end is different from the IP address that is transmitting onto that subnet. I need a diagram to show it; it is hard to put into words.

So on the DC side I have the traffic being redirected to the WAE, but on the remote side at the moment I do not. Does this cause the PT Asymmetric?

Yes, but those sessions are supposed to change from PT Asymmetric to just PT after a little bit (10 to 60 seconds). If they are staying as PT Asymmetric, then they are in fact asymmetric. Type "show stat conn"; down in the 3rd section of the output you will see all the passthrough sessions. Check one of the PT Asymmetric sessions and verify that its destination is a site that has a WAAS device. If it is destined for a WAAS location, more research is needed; if not, it is odd that it is remaining as Asymmetric and not just switching to PT. What version/versions are you running in your WAAS deployment?

Beau, that worked well actually, thanks for the help.