Cisco Wide Area Application Services (WAAS) Design Guidance • Enterprise Solutions Engineering
Agenda • Background Introduction • WAAS Enterprise Data Center Considerations • WAAS Enterprise WAN Considerations • WAAS Enterprise Branch Considerations • WAAS and Oracle 11i
Session Objectives At the end of the session, the participants should be able to: • Understand WAAS concepts, benefits, and differentiators • Understand WAAS design considerations within the enterprise data center • Understand WAAS design considerations within the enterprise branch • Understand the WAAS and Oracle 11i enterprise test efforts and results
WAAS Design Considerations: Introduction • Damon Li
Cisco Application Networking Services: Powerful Solution for Your Application Challenges
(Diagram: remote user and branch, branch/WAN services with WAAS, WAN, data center with WAAS, ACE/CSS/CSM and AVS.)
• Wide Area Application Services
  • Complete WAN optimization, application acceleration and WAFS
  • Deployed in branch + data center
  • Enables branch server, storage and backup consolidation
• Application Delivery
  • Highly scalable server switching and load balancing
  • Data center-based application acceleration
  • Maximum application availability and time-to-service
The WAN is the Barrier to Branch Application Performance
(Diagram: client, LAN switch and server on a LAN with round trip time (RTT) ~ 0 ms; client, LAN switch, routed network, LAN switch and server across a WAN with an RTT of many, many milliseconds.)
• Applications are designed to work well on LANs: high bandwidth, low latency, reliability
• WANs have the opposite characteristics: low bandwidth, high latency, packet loss
• WAN packet loss and latency = slow application performance = keep and manage servers in branch offices ($$$)
Traditional WAN Optimization: Not Seamless, but Disruptive to the Existing Network
(Diagram: client workstation, LAN switch, edge device, firewall, WAN router, WAN, WAN router, firewall, core device, LAN switch, origin file server and NAS. The optimization tunnel between edge and core devices bypasses QoS, NetFlow, ACL, NBAR, security filter, VPN and NAT services; IP and TCP header information is not preserved between A and B.)
• Traditional WAN optimization changes TCP/IP header information
• Result:
  • Services may not work
  • Extra integration required
  • Risk of downtime due to dedicated links
Cisco WAAS: Seamless Network Integration, Service Preservation
(Diagram: the same path with an edge WAE and a core WAE. IP and TCP header information is fully preserved between A and B, so NAT, ACL, NetFlow, NBAR, QoS, VPN, security, filter and visibility services keep working across the IP network.)
• Robust application adapters to offload WAN and data center local services
• Transport and flow optimizations, data redundancy elimination
• Accelerates ALL TCP traffic
• Data center scalability
Cisco WAAS: Per-Flow Auto-Discovery • No overlay network, easier to integrate (Diagram: traditional WAN optimization vs. Cisco WAAS.)
LAN-Like Access to Various Applications
(Chart: operation time over the native WAN vs. with WAAS; network link T1, 80 ms latency; time axes 15/30/45 s and 20/40/60+ s; bandwidth consumed axis 25/50/100%. Operations charted: File Services (open 500 KB Word doc, save 1 MB Word doc, save 5 MB PowerPoint), SharePoint, Mail - Exchange, download of an 8 MB MS SMS package.)
Data protection (native vs. with WAAS):
• SnapMirror op of 1 GB, T3/80 ms: 51 min native, 4 min with WAAS
• Exchange 2003 backup op of 83 MB, T1/80 ms: 22 min native, 4 min with WAAS, 16% bandwidth consumed
• Exchange 2000 restore op of 83 MB, T1/80 ms: 23 min native, 2 min with WAAS, 10% bandwidth consumed
WAAS Design Considerations: Data Center • Damon Li
Integrating WAAS in the Data Center • Core WAE Placement • WCCP Interception/Redirection • High Availability • Scalability
WAE at WAN Edge
(Diagram: WAN, WAN edge, DC core, DC aggregation, DC access; the WAE sits at the WAN edge.)
• Terminate optimization at the WAN edge
• Payload is uncompressed in the campus/DC
• WAN traffic only, without an ACL filter
• Optimization applies to all hosts
WAE at Aggregation
(Diagram: WAN, WAN edge, DC core, DC aggregation, DC access; the WAE sits at the aggregation layer.)
• Optimization tunnel extends to the aggregation layer
• Must have ACL filtering
• Closer to servers, selective optimization
• No issues with asymmetric routing
WCCP Redirection
(Diagram of the two forwarding methods.)
• GRE: IP header (protocol GRE), GRE header (type 0x883e), WCCP redirect header (D = dynamic, A = alternate used, Reserved, Service ID, Alternate Bucket, Primary Bucket), original IP packet
• L2: WCCP client MAC header, original IP packet
L2 Redirection, Hashing and Masking
• Hashing
  • Uses NetFlow to build the table
  • First packet is processed by the MSFC, subsequent packets are switched in hardware (Catalyst platforms)
• Masking
  • 96 bits supported by WCCP
  • 7 bits are supported by Cisco hardware
  • Ability to tweak the care bits
  • No software involved
Masking assignments – Initial setup
Value  SrcAddr     DstAddr     SrcPort  DstPort  CE-IP
WAAS WAE 1
0000:  0x00000000  0x00000000  0x0000   0x0000   0x0C141D08 (12.20.29.8)
0001:  0x00000000  0x00000001  0x0000   0x0000   0x0C141D08 (12.20.29.8)
0020:  0x00000000  0x00000500  0x0000   0x0000   0x0C141D08 (12.20.29.8)
WAAS WAE 2
0021:  0x00000000  0x00000501  0x0000   0x0000   0x0C141D06 (12.20.29.6)
0022:  0x00000000  0x00000540  0x0000   0x0000   0x0C141D06 (12.20.29.6)
0041:  0x00000000  0x00001201  0x0000   0x0000   0x0C141D06 (12.20.29.6)
WAAS WAE 3
0042:  0x00000000  0x00001240  0x0000   0x0000   0x0C141D07 (12.20.29.7)
0043:  0x00000000  0x00001241  0x0000   0x0000   0x0C141D07 (12.20.29.7)
0063:  0x00000000  0x00001741  0x0000   0x0000   0x0C141D07 (12.20.29.7)
Masking assignments – WAE 2 failed
Value  SrcAddr     DstAddr     SrcPort  DstPort  CE-IP
-----  -------     -------     -------  -------  -----
WAAS device 1
0000:  0x00000000  0x00000000  0x0000   0x0000   0x0C141D08 (12.20.29.8)
0001:  0x00000000  0x00000001  0x0000   0x0000   0x0C141D08 (12.20.29.8)
0031:  0x00000000  0x00000741  0x0000   0x0000   0x0C141D08 (12.20.29.8)
WAAS device 3
0032:  0x00000000  0x00001000  0x0000   0x0000   0x0C141D07 (12.20.29.7)
0062:  0x00000000  0x00001740  0x0000   0x0000   0x0C141D07 (12.20.29.7)
0063:  0x00000000  0x00001741  0x0000   0x0000   0x0C141D07 (12.20.29.7)
Masking assignments – WAE online
Value  SrcAddr     DstAddr     SrcPort  DstPort  CE-IP
WAAS WAE 2
0000:  0x00000000  0x00000000  0x0000   0x0000   0x0C141D06 (12.20.29.6)
0019:  0x00000000  0x00000441  0x0000   0x0000   0x0C141D06 (12.20.29.6)
0020:  0x00000000  0x00000500  0x0000   0x0000   0x0C141D06 (12.20.29.6)
WAAS WAE 1
0021:  0x00000000  0x00000501  0x0000   0x0000   0x0C141D08 (12.20.29.8)
0040:  0x00000000  0x00001200  0x0000   0x0000   0x0C141D08 (12.20.29.8)
0041:  0x00000000  0x00001201  0x0000   0x0000   0x0C141D08 (12.20.29.8)
WAAS WAE 3
0042:  0x00000000  0x00001240  0x0000   0x0000   0x0C141D07 (12.20.29.7)
0062:  0x00000000  0x00001740  0x0000   0x0000   0x0C141D07 (12.20.29.7)
0063:  0x00000000  0x00001741  0x0000   0x0000   0x0C141D07 (12.20.29.7)
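The three mask-assignment tables above show the same 64 buckets (DstAddr mask 0x1741, six care bits) being re-split as a WAE leaves and rejoins. The following is an added example, not code from the Cisco deck: it spreads a bucket index onto the mask's care bits (the DstAddr column), maps a real destination address back to its bucket, and hands buckets out to WAEs as contiguous near-even ranges in list order. That split reproduces the slide tables, but it is an assumption; the real assignment is computed by the lead WAE. The server address 10.1.2.3 is constructed.

```python
# Added example (not from the Cisco deck): WCCP mask assignment for the
# destination-IP mask 0x1741. Assumptions: contiguous near-even bucket
# ranges in WAE list order (reproduces the slide tables, but is not
# necessarily the lead WAE's algorithm); 10.1.2.3 is a constructed server.
from __future__ import annotations
import ipaddress

DST_MASK = 0x1741  # care bits 0, 6, 8, 9, 10 and 12 -> 2**6 = 64 buckets


def care_bits(mask: int) -> list[int]:
    """Bit positions set in the mask, lowest first."""
    return [b for b in range(32) if (mask >> b) & 1]


def bucket_value(mask: int, index: int) -> int:
    """Spread a bucket index onto the mask's care bits (the DstAddr column)."""
    value = 0
    for i, bit in enumerate(care_bits(mask)):
        if (index >> i) & 1:
            value |= 1 << bit
    return value


def bucket_index(mask: int, dst_ip: str) -> int:
    """Gather the care bits of a destination address into its bucket index."""
    addr = int(ipaddress.IPv4Address(dst_ip))
    index = 0
    for i, bit in enumerate(care_bits(mask)):
        if (addr >> bit) & 1:
            index |= 1 << i
    return index


def assign_buckets(mask: int, wae_ips: list[str]) -> dict[int, str]:
    """Contiguous near-even split of all buckets over the WAEs (assumed policy).

    64 buckets over 3 WAEs gives 21, 21 and 22 (the initial-setup table);
    over 2 WAEs it gives 32 and 32 (the table after WAE 2 fails).
    """
    n_buckets = 1 << len(care_bits(mask))
    base, extra = divmod(n_buckets, len(wae_ips))
    table: dict[int, str] = {}
    start = 0
    for i, ip in enumerate(wae_ips):
        count = base + (1 if i >= len(wae_ips) - extra else 0)  # remainder goes to the last WAEs
        for idx in range(start, start + count):
            table[idx] = ip
        start += count
    return table


def wae_for(mask: int, table: dict[int, str], dst_ip: str) -> str:
    """Which WAE receives a flow to dst_ip under the given assignment."""
    return table[bucket_index(mask, dst_ip)]


def format_table(mask: int, table: dict[int, str]) -> list[str]:
    """Rows in the slide layout: index, SrcAddr, DstAddr, SrcPort, DstPort, CE-IP."""
    rows = []
    for idx in sorted(table):
        ip = table[idx]
        ce_hex = int(ipaddress.IPv4Address(ip))
        rows.append(f"{idx:04d}: 0x00000000 0x{bucket_value(mask, idx):08X} "
                    f"0x0000 0x0000 0x{ce_hex:08X} ({ip})")
    return rows


if __name__ == "__main__":
    # The three situations from the slides: initial, WAE 2 failed, WAE 2 back online
    initial = assign_buckets(DST_MASK, ["12.20.29.8", "12.20.29.6", "12.20.29.7"])
    failed = assign_buckets(DST_MASK, ["12.20.29.8", "12.20.29.7"])
    rejoined = assign_buckets(DST_MASK, ["12.20.29.6", "12.20.29.8", "12.20.29.7"])
    for name, table in (("initial", initial), ("WAE 2 failed", failed), ("WAE 2 online", rejoined)):
        print(f"== {name} ==")
        print("\n".join(format_table(DST_MASK, table)))
    for name, table in (("initial", initial), ("WAE 2 failed", failed)):
        print(name, "-> flows to 10.1.2.3 go to", wae_for(DST_MASK, table, "10.1.2.3"))
```

The practical point for the data center design is the churn: when WAE 2 fails, roughly a third of the buckets move to another WAE whose DRE cache has never seen those flows, which is the "rebuild DRE cache" cost noted on the failover slide, and when WAE 2 rejoins the ranges shuffle again (the rejoining WAE takes the first range in the slide table, so flows that stayed on WAE 1 during the outage now move too).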
Standby Interface
(Diagram: DC core, DC aggregation.)
• WCCP (handles WAE failure)
  • 30 seconds failover time
  • No tuneable timers
  • Rebuild DRE cache
• Standby interface (handles interface/switch failure)
  • 5 second failover
  • DRE consistency
Outbound Traffic Load Balancing
(Diagram: a single HSRP group (HSRP 1) vs. multiple HSRP groups (HSRP 1 and HSRP 2) toward the network, for outbound traffic load balancing.)
N+1 Scalability: Scaling WAE with WCCP
(Diagram: network, HSRP 1, HSRP 2.)
• N+1 configuration with WCCP
• Expandable up to 32 WAEs
• Up to 32 routers
• Scales almost linearly
WAAS Design Considerations: WAN / Branch • May Konfong
Branch WAN Profiles
(Diagram: three branch profiles, each with a WAAS Central Manager and WAEs.)
• Dual-router configuration: MPLS WAN to either the same or different service providers
• Dual-router configuration: 1 interface from each router to either the same or different service providers
• 2 WAN interfaces from the same router to 2 different service providers
• 1 WAN, 1 Internet connection
• WAE supports only one gateway
• Multiple WAE interface IP addresses should be in the same subnet
• With multiple routers, create a priority list for TCP-promiscuous for an active-passive configuration: Router-list 1 10.0.1.10 10.0.1.20
WAN Factors Affecting WAE Hardware Selection • WAE scalability and sizing table revisited…
WAN Factors Affecting Application Performance
(Diagram: client at the branch, server in the data center, WAN in between; the two link properties shown are bandwidth and round-trip latency (delay).)
• Two factors: bandwidth and delay
• The combination of both is the Bandwidth Delay Product (BDP)
• BDP is the amount of data that can be in transit at any time
• BDP calculation: BDP [KB] = link BW [KB/s] * round-trip latency [s]
• Example: for a T1 connection and a 60 millisecond round-trip time: BDP = (1544 kbps / 8) * 0.06 = 11.58 KB
• WAAS default buffer settings are appropriate for most settings
• In cases of very high latency and very low links, the BDP may have to be adjusted
• Adjustment parameters (default buffer size by WAE RAM)
  • RAM <= 1 GB: default buffer size = 32 KB
  • RAM = 2 GB: default buffer size = 512 KB
  • RAM = 4 GB: default buffer size = 2048 KB
  • Maximum buffer size: 8 GB
• WAE CLI:
  #config t
  (config)#tfo tcp optimized-receive-buffer min(4xBDP,8000 KB)
  (config)#tfo tcp optimized-send-buffer min(4xBDP,8000 KB)
  (config)#exit
  #write
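The BDP formula and the min(4xBDP, 8000 KB) rule above are easy to get wrong by a factor of eight (bits vs. bytes) or a thousand (ms vs. s). The following is an added example, not code from the Cisco deck: it carries the slide's T1/60 ms case through the formula, compares 4xBDP with the platform default for the WAE's RAM to decide whether tuning is needed, and prints the two tfo buffer commands with the value filled in. The RAM-to-default table and the 8000 KB cap come from the slide; treating the CLI argument as a whole number of KB, and the rule that RAM sizes between table rows use the next lower row, are assumptions, and the link list in main() is constructed.

```python
# Added example (not from the Cisco deck): bandwidth-delay product and the
# tfo buffer value from the slide, min(4 x BDP, 8000 KB). Assumptions: the
# CLI takes whole KB; RAM sizes between table rows fall back to the next
# lower row; the link list in main() is constructed.
from __future__ import annotations
import math

DEFAULT_BUFFER_KB = {1: 32, 2: 512, 4: 2048}  # WAE RAM in GB -> default TFO buffer in KB (slide)
MAX_BUFFER_KB = 8000                           # cap used by the slide's CLI line
T1_KBPS = 1544                                 # T1 = 1.544 Mbps


def bdp_kbytes(link_kbps: float, rtt_ms: float) -> float:
    """BDP [KB] = link BW [KB/s] * round-trip latency [s] (slide formula)."""
    return (link_kbps / 8.0) * (rtt_ms / 1000.0)


def default_buffer_kb(ram_gb: float) -> int:
    """Default buffer for the WAE's RAM; <= 1 GB maps to the 32 KB row."""
    rows = [r for r in DEFAULT_BUFFER_KB if r <= ram_gb] or [1]
    return DEFAULT_BUFFER_KB[max(rows)]


def tfo_buffer_kb(link_kbps: float, rtt_ms: float) -> int:
    """min(4 x BDP, 8000 KB), rounded up to whole KB."""
    return min(math.ceil(4 * bdp_kbytes(link_kbps, rtt_ms)), MAX_BUFFER_KB)


def needs_tuning(link_kbps: float, rtt_ms: float, ram_gb: float) -> bool:
    """True when 4 x BDP exceeds the platform default, i.e. the slide's high-latency case."""
    return tfo_buffer_kb(link_kbps, rtt_ms) > default_buffer_kb(ram_gb)


def tfo_commands(link_kbps: float, rtt_ms: float) -> list[str]:
    """The two WAE config lines from the slide with the computed value filled in."""
    kb = tfo_buffer_kb(link_kbps, rtt_ms)
    return [f"tfo tcp optimized-receive-buffer {kb}",
            f"tfo tcp optimized-send-buffer {kb}"]


if __name__ == "__main__":
    # Constructed link list: (label, link kbps, RTT ms, WAE RAM GB)
    links = [("T1, 60 ms (slide example)", T1_KBPS, 60, 1),
             ("3x T1, 80 ms", 3 * T1_KBPS, 80, 2),
             ("T3 (44736 kbps), 300 ms", 44736, 300, 4),
             ("T3 (44736 kbps), 500 ms", 44736, 500, 4)]
    for label, kbps, rtt, ram in links:
        bdp = bdp_kbytes(kbps, rtt)
        verdict = "adjust" if needs_tuning(kbps, rtt, ram) else "default is fine"
        print(f"{label}: BDP = {bdp:.2f} KB, 4xBDP -> {tfo_buffer_kb(kbps, rtt)} KB, "
              f"default {default_buffer_kb(ram)} KB: {verdict}")
        if needs_tuning(kbps, rtt, ram):
            print("   " + "\n   ".join(tfo_commands(kbps, rtt)))
```

On the slide's own numbers a T1 at 60 ms gives 11.58 KB, so 4xBDP is 47 KB: above the 32 KB default of a 1 GB WAE but far below the 512 KB default of a 2 GB one, which is why the defaults are fine for most branches and only high-RTT, high-bandwidth links hit the 8000 KB cap.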
WAAS and Tunneling over the WAN
(Diagram: client workstation, LAN switch, edge WAE, CE router, PE router, MPLS VPN, PE router, CE router, core WAE, LAN switch, origin file server and NAS. The WAAS optimization path runs between the WAEs, inside the IPsec tunnel and the MPLS tunnel.)
• WAAS proxy session is created between the branch WAE and the core WAE
• IPsec tunnel between the outside interfaces of the CE routers
• MPLS tunnel between the PE routers
WAAS Branch Profiles
(Diagram: two branches, each with a branch router, switch, IP phone and branch client, connected over the WAN to a WAN edge WAE (512, 612).)
• Branch 1: Extended Services Branch
  • Voice (centralized call processing, SRST)
  • Wireless HWIC
  • Ethernet module (optional)
  • NetFlow collector to data center NAM
  • IOS Security, QoS, IP SLA, etc.
• Branch 2: Consolidated Branch
  • WAE module (NM-302, NM-502)
  • NAM (NM-NAM)
  • Voice (CME, CUE)
  • Wireless HWIC
  • Ethernet module (optional)
  • IOS Security, QoS, IP SLA, etc.
Branch LAN Segmentation with WAAS
(Diagram: LAN topologies: router with L2 or L3 switch (WAE-512 or WAE-612); router with StackWise switches (WAE-512 or WAE-612) with the WAE inline; router with integrated switch and NM-WAE. End devices: wired/wireless PC, mobile wireless handhelds, IP phone, video.)
• WAAS TCP proxy session is created between the branch WAE and the core WAE, where user data is accelerated
• Integrated switch is only practical for very small branches that are limited in their deployment of branch services
• Requires a 3845 router if you deploy an NM-WAE and NM-NAM in the same solution
WAAS and Branch Security Services – Notables
• Infrastructure Protection
  • Includes security best practices for securing the infrastructure hardware: RFC 1918 private addressing, locking down unused ports, Network Address Translation (NAT), etc.
  • ACLs and WCCP ACLs may be used to exclude traffic from being redirected to the WAE
  • WAAS also has ACLs, but those are policies that decide whether to apply optimizations within the WAE
  • WAAS is interoperable with infrastructure protection measures
• Secure Connectivity
  • Keep the WAE optimization path outside of secure tunnels
  • WCCP is not VRF-aware: currently not supported, but already being implemented for a future IOS and WAAS release
  • MPLS VRF tunnels can be created on separate routers
• Threat Mitigation
  • IP IPS generates false positive 3051, related to the half-sessions created and temporarily left open as part of the TCP proxy session between WAEs; disable or increase the error number limits for 3051
  • Firewall packet inspection: TCP sequence number generation affects firewall packet inspection, so it is not interoperable if applied within the WAAS optimization path; resolved in IOS 12.4(11)T2
QoS Strategy in the Branch + WAAS
• WAAS is interoperable with most QoS policies since it does not modify the TCP header
• CIFS DSCP marking may override mapping at the LAN edge
• NBAR deep packet inspection past the TCP port may be affected if applied within the WAAS optimization path
(Screenshots: WAAS ATP priorities; CIFS DSCP marking.)
WAAS and Unified Communications Services
(Diagram: Branch 1 with an edge WAE appliance and Branch 2 with CCME, NM-WAE and NM-NAM, both across the WAN to the data center with CallManager and the core WAE.)
• Branch 1: centralized call processing
  • Call control (SCCP and SIP) is TCP based and can be optimized at a very modest rate
  • RTP voice streams are UDP and are not redirected to the WAE
  • Interoperable, but may require more testing to fully assess the impact of WAAS on all voice components, e.g. a Unified Messaging deployment in a corporate Exchange deployment
  • Bandwidth utilization on Call Admission Control (CAC)
• Branch 2: CallManager Express, call processing is handled entirely within the router
  • No WAAS optimizations expected for calls originating from CCME
  • Evaluate IOS interoperability for the total empowered branch solution: compare the CCME IOS compatibility matrix with both NM-WAE and NM-NAM IOS
  • Currently the only IOS-compatible versions by matrix comparison (not fully tested): 12.4(11)T and above, CCME 4.0.2
• The most latency-sensitive components of voice (RTP streams) are not redirected to WAAS
• WCCP ACLs that exclude any voice traffic from being redirected to the WAEs are a safe alternative
• WAAS may provide improvements to IP phone services
Monitoring Tools for Application and WAN Performance and Statistics at the Branch
• Interesting metrics
  • User-centric: application response time, server CPU %
  • Infrastructure-centric: router CPU %, link utilization, transaction rates
  • WAAS-centric: effective capacity, % reduction, DRE cache %
• Monitoring tools
  • NetFlow
    • Branch 1 topology sends flows over the WAN to a NetFlow collector at the data center; the collector may be a Cisco NAM or third-party software (e.g. NetQoS, Scrutinizer)
    • Branch 2 topology uses the NM-NAM as a local NetFlow collector; it retrieves application response time and packets/NetFlows sent
  • IP Service Level Agreements (IP SLA)
    • Provides another means of measuring response time for popular applications such as HTTP, FTP, LDAP and others
    • IP SLA is applied at the branch router, with protocols configured against either an application server or an "IP SLA responder" (simulated at the other end)
    • Measures different metrics depending on the supported protocol configured; example: HTTP IP SLA shows TCP and HTTP response time, VoIP IP SLA shows delay and jitter
• Test tools
  • LoadRunner, Ixia, Spirent Avalanche
  • Enterprise application test tools
IP SLA Example for HTTP
(Chart: latency over the native WAN vs. WAAS latency with TFO improvements.)
FSB4-3825-1#sho ip sla mon stat det
Round trip time (RTT) Index 10
Latest RTT: 841 ms
Latest operation start time: 10:36:38.985 EST Tue Mar 6 2007
Latest operation return code: OK
Over thresholds occurred: FALSE
Latest DNS RTT: 0 ms
Latest TCP Connection RTT: 91 ms
Latest HTTP time to first byte: 587 ms
Latest HTTP Transaction RTT: 750 ms
Latest HTTP Status: 200
Latest HTTP Message Size: 7912
Latest HTTP Entity-Body size: 7736
Number of successes: 10
Number of failures: 0
Operation time to live: Forever
Operational state of entry: Active
Last time this entry was reset: Never
• IP SLA HTTP test is from the router to the web server
• HTTP application calls originate from the router, so the WAE is out of the loop
• RTTs may be used to compare latency between the native WAN and with WAAS savings
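Comparing IP SLA RTTs before and after WAAS, as the slide suggests, means pulling the same fields out of two show outputs and checking that both probes actually succeeded before trusting the difference. The following is an added example, not code from the Cisco deck: a small parser for the "sho ip sla mon stat det" fields quoted above, a validity check (OK return code, HTTP 200, no failures), and a per-metric comparison. NATIVE_SAMPLE is the output from the slide; WAAS_SAMPLE is constructed for illustration and is not a measured result.

```python
# Added example (not from the Cisco deck): parse the IP SLA HTTP probe
# fields quoted on the slide and compare a native-WAN sample against a
# WAAS-enabled one. NATIVE_SAMPLE is the slide's output; WAAS_SAMPLE is
# constructed and its numbers are illustrative only.
from __future__ import annotations
import re

NATIVE_SAMPLE = """\
Round trip time (RTT) Index 10
Latest RTT: 841 ms
Latest operation start time: 10:36:38.985 EST Tue Mar 6 2007
Latest operation return code: OK
Over thresholds occurred: FALSE
Latest DNS RTT: 0 ms
Latest TCP Connection RTT: 91 ms
Latest HTTP time to first byte: 587 ms
Latest HTTP Transaction RTT: 750 ms
Latest HTTP Status: 200
Latest HTTP Message Size: 7912
Latest HTTP Entity-Body size: 7736
Number of successes: 10
Number of failures: 0
Operation time to live: Forever
Operational state of entry: Active
Last time this entry was reset: Never
"""

# Constructed: the same probe after WAAS is enabled (illustrative values)
WAAS_SAMPLE = """\
Round trip time (RTT) Index 10
Latest RTT: 520 ms
Latest operation start time: 10:41:38.985 EST Tue Mar 6 2007
Latest operation return code: OK
Over thresholds occurred: FALSE
Latest DNS RTT: 0 ms
Latest TCP Connection RTT: 90 ms
Latest HTTP time to first byte: 300 ms
Latest HTTP Transaction RTT: 420 ms
Latest HTTP Status: 200
Latest HTTP Message Size: 7912
Latest HTTP Entity-Body size: 7736
Number of successes: 10
Number of failures: 0
Operation time to live: Forever
Operational state of entry: Active
Last time this entry was reset: Never
"""

# Field name -> pattern with one numeric group, anchored at a line start (indentation tolerated)
FIELDS = {
    "rtt_ms": r"^\s*Latest RTT: (\d+) ms",
    "dns_ms": r"^\s*Latest DNS RTT: (\d+) ms",
    "tcp_connect_ms": r"^\s*Latest TCP Connection RTT: (\d+) ms",
    "ttfb_ms": r"^\s*Latest HTTP time to first byte: (\d+) ms",
    "http_transaction_ms": r"^\s*Latest HTTP Transaction RTT: (\d+) ms",
    "http_status": r"^\s*Latest HTTP Status: (\d+)",
    "successes": r"^\s*Number of successes: (\d+)",
    "failures": r"^\s*Number of failures: (\d+)",
}
LATENCY_FIELDS = ("rtt_ms", "tcp_connect_ms", "ttfb_ms", "http_transaction_ms")


def parse_ip_sla(text: str) -> dict:
    """Extract the numeric fields plus the return code; absent fields are left out."""
    result: dict = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            result[name] = int(m.group(1))
    m = re.search(r"^\s*Latest operation return code: (\S+)", text, re.MULTILINE)
    result["return_code"] = m.group(1) if m else None
    return result


def is_valid(sample: dict) -> bool:
    """Only compare probes that completed: OK return code, HTTP 200, no failures."""
    return (sample.get("return_code") == "OK"
            and sample.get("http_status") == 200
            and sample.get("failures") == 0)


def compare(native: dict, waas: dict) -> dict:
    """Per-metric saving in ms and percent (native minus WAAS)."""
    if not (is_valid(native) and is_valid(waas)):
        raise ValueError("both samples must be successful probes")
    out = {}
    for name in LATENCY_FIELDS:
        n, w = native[name], waas[name]
        out[name] = {"native": n, "waas": w, "delta_ms": n - w,
                     "saving_pct": round(100.0 * (n - w) / n, 1) if n else 0.0}
    return out


if __name__ == "__main__":
    report = compare(parse_ip_sla(NATIVE_SAMPLE), parse_ip_sla(WAAS_SAMPLE))
    for name, r in report.items():
        print(f"{name:22s} native {r['native']:4d} ms  waas {r['waas']:4d} ms  "
              f"saved {r['delta_ms']:4d} ms ({r['saving_pct']}%)")
```

Because the probe is router-originated and the WAE is out of the loop, the TCP connection RTT is the figure to watch: it should stay close to the raw WAN RTT in both samples, and a large drop there would point to a change in the path rather than to WAAS.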
WAAS Router Interface to IOS Feature Matrix
(Path: NAS, DC LAN edge, core WAE, campus WAN edge, WAN, branch WAN edge, branch WAE, branch LAN edge.)
Feature (router interface)       DC LAN-Edge  Core WAE  Campus WAN Edge  WAN  Branch WAN Edge  Branch WAE  Branch LAN Edge
QoS                              Y            N         Y                N/A  Y                N           Y
NBAR                             Y            N         Y                N/A  Y                N           Y
IOS FW inspection (ip inspect)   Y            N         N                N    N                N           Y
IOS FW ACLs                      Y            Y         Y                N/A  Y                Y           Y
IP IPS                           Y            N         N                N    N                N           Y
Netflow                          Y            Y         Y                N/A  Y                Y           Y
IP SLA                           N/A          N/A       Y*               N/A  Y*               N/A         N/A
N/A = not applicable
* = Not supported for the NME-WAE-502 due to lack of feature transparency between 12.4(11)T and 12.4(10)
WAAS Design Considerations: Oracle 11i Integration and Testing • May Konfong
Application Architect's Perspective – Revisited: Oracle Applications Architect's View
(Diagram: client machine / client tier with the application client and dynamic HTML pages; J2EE server machine with the web tier (JSP pages, servlets) and the business logic tier (enterprise beans) for J2EE Application 1 and J2EE Application 2; database server machine / enterprise data tier with the databases.)
Source: Oracle Applications Server, Nov 2004
WAAS - Oracle 11i Testbed
• Mercury LoadRunner client configured at branch 1 to test Oracle E-Business Application pages
• 100 users, ramping up in increments of 4 users at a time, accessing PaySlip forms from the Oracle server
• PaySlips were downloaded as a generated HTML file
• Core WAE cluster configured behind ACE, with policies to redirect all TCP traffic initiated from branches through the ACE for load distribution
• Oracle-relevant TCP ports for WAAS, added as application classifiers within the WAAS CM:
  • 1521: SQL (configure on the core WAE)
  • 9000: Oracle NCA (configure on the core WAE)
  • 8000: Oracle client (configure on the edge WAE)
Oracle 11i Testing – Application Response
(Chart: PaySlip retrieval response time, native WAN vs. WAAS enabled.)
• Average response time is faster by 22%
• Maximum response time is faster by 85%
Oracle 11i Testing – WAAS Statistics
(Chart: WAAS statistics over a 3x T1 link; 3x T1 speed = 3 * 1.544 Mbps = 4.632 Mbps.)
• Traffic identified for WAAS optimizations is classified as "Other" and "Web"
WAAS Load Balancing
(Diagram: data center core WAEs WCE2 and WCE7326-1 behind the ACE module, WAN, branch edge WAEs WBE1 and WBE3; figure labels WBE1 12.6:1, WBE3 7.1:1, WCE2 12.1:1, WCE7326-1 12.2:1.)
• Approximately even distribution of mostly outbound traffic between both core WAEs behind the ACE module
• Less even, but still distributed, load (mostly inbound) between both edge WAEs at branch 1
• Based on the hashing algorithm; varies with destination address
• Priority distribution is configurable
WAAS Design Considerations • Wrap-Up
Key Takeaways
• Data Center
  • Placement of the WAE within the campus/data center affects performance and service interoperability
  • A better understanding of WCCP allows one to evaluate the design of redirection at the campus
  • WAAS HA and outbound load balancing best practices
• WAN and Branch
  • Cisco IOS features are complementary to WAAS for WAN and application optimizations
  • IOS version compatibility is critical to the interoperability of multiple infrastructure services within the empowered branch
  • IOS order of operations is important in determining the interoperability of WAAS and IOS features
• Oracle 11i
  • Systems testing of WAAS with Oracle 11i shows a marked improvement in application response time, link utilization, and Oracle server CPU processing