Configuring WAAS Express
Available Languages
Contents
- Configuring WAAS Express
- Finding Feature Information
- Prerequisites for WAAS Express
- Restrictions for WAAS Express
- Information About WAAS Express
- WAAS Express Overview
- WAAS Express-Enabled Traffic Optimization Process
- Key Services of WAAS Express
- Transport Flow Optimization
- Windows Scaling
- Selective Acknowledgement
- Binary Increase Congestion TCP
- Compression
- LZ
- DRE
- Autodiscovery of WAAS Express Devices
- Application Acceleration
- CIFS-Express Accelerator
- Read Ahead
- Async Write
- Negative Caching
- HTTP-Express Accelerator
- HTTP Metadata Caching
- DRE Hints
- Server Encoding Suppression
- SSL-Express Accelerator
- SSL Sessions
- Cipher Lists
- WAAS Express Application Policies
- Multiple WAN Links
- SNMP Support for WAAS Express
- Troubleshooting Tips
- How to Configure WAAS Express
- Configuring WAN Optimization Parameters
- Defining WAAS Express Policies
- Defining Class Maps
- Associating Class Maps with Policy Maps
- Troubleshooting Tips
- Enabling WAAS Express
- Troubleshooting Tips
- Configuring Upload DRE
- Configuring CIFS-Express Accelerator
- Configuring HTTP-Express Accelerator
- Configuring HTTP Metadata Caching
- Configuring SSL-Express Accelerator
- Configuring SNMP Traps for WAAS Express
- Configuration Examples for WAAS Express
- Example: Associating Class Maps with Policy Maps
- Example: Configuring WAAS Express
- Example: Configuring CIFS-Express Accelerator
- Example: Configuring HTTP-Express Accelerator
- Example: Configuring SSL-Express Accelerator
- Example: Configuring SNMP Traps for WAAS Express
- Additional References
- Feature Information for WAAS Express
Configuring WAAS Express
Cisco's Wide-Area Application Services (WAAS) Express feature is a key component of the Cisco WAAS product portfolio. WAAS Express is a cost-effective, IOS-based, WAN optimization solution that increases the amount of available bandwidth for small-to-mid-size branch offices and remote locations, while accelerating TCP-based applications that operate in a WAN environment.
WAAS Express uses the capabilities of IOS software and provides a small-footprint, cost-effective solution that transparently integrates into the Integrated Services Routers (ISRs) Generation 2 (G2). WAAS Express extends the WAN optimization solution to the entire ISR G2. WAAS Express is fully interoperable with WAAS on Service Module-Service Ready Engine (SM-SRE) modules and with WAAS appliances and can be managed by a common WAAS Central Manager (WCM).
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for WAAS Express
WAAS Express requires a Wide-Area Application Virtualization Engine (WAVE) as a peer device, running WAAS Version 4.4.3c.9 or higher, at the data center. WAAS Express requires no additional hardware, assuming that the maximum memory is installed on the device. WAAS Express uses the device's CPU and memory for optimization. The data center component consists of a Cisco WAAS data center appliance and a WAAS Central Manager to manage WAAS Express-enabled devices.
You must have a valid license for WAAS Express. WAAS Express includes an evaluation license for 60 days. WAAS Express switches to one of the following modes based on the available memory on the device:
- WAAS_Standard--If maximum memory (the amount of memory that can be upgraded on the device) is available on the device
- WAAS_Trial_Limited--If default memory (the amount of memory with which the device is shipped) is available on the device
- WAAS_Disabled--If less than default memory is available on the device
 Note |
The maximum and default memory depend on the device. |
The number of connections that can be optimized on a platform running WAAS Express depend on the mode enabled. For example, on a particular platform, WAAS Express can optimize 200 connections in the WAAS_Standard mode, but can optimize only up to 50 connections in the WAAS_Trial_Limited mode; if there are more than 50 concurrent connections in WAAS_Trial_Limited mode, they will be passed through and not optimized.
The amount of Data Redundancy Elimination (DRE) cache also depends on the mode being operated.
Restrictions for WAAS Express
- Wide-Area Application Services (WAAS) Express is not supported on Cisco Integrated Services Routers (ISRs) Generation 1 (G1) (Cisco 1800, Cisco 2800, and Cisco 3800 Series Routers). In Cisco 1905 and 1921 routers, Data Redundancy Elimination (DRE) is disabled because the maximum memory in these devices is 512 MB. For more information about DRE, see the "Compression" section.
- WAAS Express does not support the definition of a user-defined policy map of the type waas.
- The maximum number of concurrent connections optimized by WAAS Express depends on the platform.
- As WAAS Express uses the device CPU to optimize the traffic, there might be a performance impact on other CPU-heavy features as well as on the performance of WAAS Express.
- You can configure Flexible NetFlow to collect WAAS Express flow information. If WAAS Express, cryptomaps, and Flexible NetFlow are configured on the same WAN interface, the ingress Flexible NetFlow record contains only a small number of optimized packets.
- The following restrictions apply to WAAS Express licensing:
- WAAS Express should be enabled only on an interface that is designated as the WAN interface.
-
WAAS Express does not support the following configurations, where:
- Packets from a connection are routed between two WAN interfaces, that is, packets are received on a WAN interface and routed to another WAN interface. As a result, packets neither originate from nor are destined to the branch. WAAS Express is enabled on both WAN interfaces.
- Packets from a connection are routed to the same WAN interface, that is, packets are received on a WAN interface and routed to the same WAN interface. As a result, packets neither originate from nor are destined to the branch. WAAS Express is enabled on the WAN interface.
- Packets from a connection are asymmetrically routed between two or more edge devices. At least one of these devices must have WAAS Express enabled on the WAN link.
- Traffic is load balanced (in per flow/destination manner) across multiple WAN links, but WAAS Express is enabled only on a subset of these interfaces.
Information About WAAS Express
- WAAS Express Overview
- WAAS Express-Enabled Traffic Optimization Process
- Key Services of WAAS Express
- Application Acceleration
- WAAS Express Application Policies
- Multiple WAN Links
- SNMP Support for WAAS Express
WAAS Express Overview
The Wide-Area Application Services (WAAS) Express software optimizes TCP traffic flows across a WAN. WAAS Express integrates with native services such as security, NetFlow, and quality of service (QoS). WAAS Express provides the following benefits:
- Bandwidth optimization
- Application acceleration
- Increase in remote user productivity
- Interoperation with existing Cisco WAAS infrastructure
- Network transparency
- Deployment flexibility with on-demand service enablement
WAAS Express is supported on Cisco ISR G2 devices (Cisco 800, Cisco 890, Cisco 1905, Cisco 1921, Cisco 1941, Cisco 2901, Cisco 2911, Cisco 2921, Cisco 2951, Cisco 3925, and Cisco 3945 Series routers) only. These devices must have the maximum Dynamic random-access memory (DRAM) installed because WAAS Express stores Data Redundancy Elimination (DRE) cache in DRAM. For more information about DRE, see the "Compression" section. WAAS Express supports WAN speeds in the range from 1.5 to 10 Mbps.
WAAS Express switches to one of the following modes based on the available memory on the device: WAAS_Standard, WAAS_Trial_Limited, or WAAS_Disabled. The table below lists the default memory and maximum memory that can be installed on each of the devices that supports WAAS Express.
The Cisco WAN optimization system consists of ISR G2 devices running the WAAS Express software feature and WAVEs that work together to optimize TCP traffic in your network. When client and server applications attempt to communicate with each other, the network intercepts the traffic and acts on behalf of the client application and the destination server. WAAS Express and Wide-Area Application Virtualization Engines (WAVE) examine the traffic and use built-in application policies to determine whether the traffic in the network can be optimized.
Any application that uses TCP as its underlying transport can benefit from WAAS Express. However, a lot depends on the redundant elements in the application's transactions and the WAN bandwidth condition. The more the redundancy, the more the application is benefitted by WAAS Express. Typical applications that benefit from WAAS Express include HTTP, FTP, and mail applications.
WAAS Express uses the following TCP optimization techniques to overcome the most common challenges associated with transporting traffic over a WAN:
- Constrained bandwidth: Data caching and data compression reduce the amount of data sent over the WAN, which increases data transfer rates. These solutions improve the total transaction time on congested links by reducing the amount of data sent across the WAN.
- Packet loss: The optimized TCP stack in WAAS overcomes issues associated with high packet loss and protects the communicating endpoints from the state of the WAN.
Two devices using WAAS Express can optimize network traffic between themselves, but without any DRE.
When a WAAS Express device is moved from one device group to another device group on the WAAS Central Manager (WCM), the policy definitions under the new device group do not function. When a device is unassigned from a device group, the device gets the policies from the backup policy set from the previously assigned group.
Perform the following steps on WCM when you move a device between device groups. You can either perform only the first step or perform from step 2 through step 4 to move a device between device groups.
- Go to the "Policy Definitions" page of the device that you want to move; select the new device group, and click "Submit".
- Go to "Assign Devices" page of device group-1, and unassign the device from the device group.
- Go to "Assign Devices" page of device group-2, and assign the device to the device group.
- Go to "Policy Definitions" page of device group-2, and click "Force DG settings".
WAAS Express offers the following benefits:
- Ease of deployment: WAAS Express deployment is easy through simple software activation on any Cisco ISR G2 device running Cisco software.
- Integration with device services: WAAS Express integrates with security, QoS, and other services native to Cisco software.
- Application acceleration: WAAS Express mitigates the effects of WAN latency while allowing data to be transferred faster.
- Investment protection: WAAS Express enables you to deploy your current WAAS deployments to smaller branches and devices without having to invest heavily in WAN optimization overlay technologies.
WAAS Express-Enabled Traffic Optimization Process
The following steps describe how a Wide-Area Application Services (WAAS) Express-enabled network optimizes connections between a branch office client and the destination server:
- A branch office client attempts to connect to the destination server over the native application port.
- The branch client intercepts the traffic.
-
The branch client performs the following actions:
- Examines parameters in the TCP headers of the traffic and then refers to the application policies to determine whether the intercepted traffic should be optimized. Information such as the source and destination IP addresses in the TCP header allows the branch client to match the traffic to an application policy. For a list of the default policies, see the "WAAS Application Policies" section.
- Negotiates with the data-center Wide-Area Application Virtualization Engine (WAVE) about whether the traffic must be optimized.
- Based on the negotiation, if the branch client determines that the traffic should be optimized, it adds information to the TCP header that informs the next client in the network path to optimize the traffic.
- The branch client passes the client request through the network to its original destination server.
-
The data-center WAVE performs the following actions:
- Intercepts traffic going to the destination server.
- Establishes an optimized connection with the branch client. If optimization is disabled on the data-center WAVE, then the connection established between the data-center WAVE and the branch client is not optimized, and the traffic passes over the network unoptimized.
- WAAS optimizes subsequent traffic between the branch client and data-center WAVE depending on the connection type.
WAAS Express does not optimize traffic in the following scenarios:
- The number of concurrent connections exceed the maximum number of concurrent connections supported on a WAAS Express device.
- WAAS Express and WAVE intercept non-TCP traffic such as Internet Control Message Protocol (ICMP).
- WAVE is overloaded and does not have resources to optimize traffic.
-
The intercepted traffic matches an application policy that specifies to pass the traffic unoptimized.
Note
If unoptimized traffic reaches a WAVE, the WAVE forwards the traffic in pass-through mode without affecting the performance of the application by using the passed-through connection.
Key Services of WAAS Express
Transport Flow Optimization
WAAS Express uses the transport flow optimization (TFO) features described in the following sections to optimize the traffic intercepted by WAAS devices. TFO protects the communicating clients and servers from negative WAN conditions such as bandwidth constraints, packet loss, congestion, and retransmission.
Windows Scaling
Windows scaling allows the receiver of a TCP packet to advertise that its TCP receive window can exceed 64 KB. The receive window size determines the amount of space available on the receiver for unacknowledged data. Windows scaling allows TCP endpoints to take advantage of the bandwidth available in your network and not be limited to the default window size specified in the TCP header.
Note |
WAAS Express limits the maximum receive window size to 64 KB on the WAN side and to 32 KB on the LAN side. |
RFC 1323 describes TCP extensions for high performance.
Selective Acknowledgement
Selective Acknowledgement (SACK) is an efficient packet loss recovery and retransmission feature that allows clients to recover from packet losses more quickly than the default recovery mechanism used by TCP.
By default, TCP uses a cumulative acknowledgment scheme that forces the sender either to wait for a round trip to learn if any packets were not received by the recipient or to unnecessarily retransmit segments that may have been correctly received.
SACK allows the receiver to inform the sender about all segments received, so the sender needs to retransmit only the segments that are lost.
RFC 2018 describes TCP SACK options.
Binary Increase Congestion TCP
Binary Increase Congestion (BIC) TCP is a congestion management protocol that enables a network to recover quickly from packet loss events.
When a network loses a packet, BIC TCP reduces the receiver's window size and sets that reduced size as the new value for the minimum window size value. BIC TCP then sets the maximum window size value to the size of the window that existed just before the packet loss occurred. Because packet loss occurred at the maximum window size, the network can transfer traffic without dropping packets with sizes between the minimum and maximum window size values.
If BIC TCP does not register packet loss at the updated maximum window size, then this window size becomes the new minimum. If packet loss does occur, the updated window size becomes the new maximum. This process continues until BIC TCP determines the new optimum minimum and maximum window size values.
Compression
WAAS Express uses two compression technologies to help reduce the size of data transmitted over a WAN: DRE and Lempel-Ziv (LZ).
These compression technologies reduce the size of transmitted data by removing redundant information before sending the shortened data stream over WAN. By reducing the amount of transferred data, WAAS compression can reduce network utilization and application response times.
When WAAS Express uses compression to optimize TCP traffic, it replaces repeated data in the stream with a much shorter reference and then sends the shortened data stream across the WAN. The receiving WAAS Express device uses its local redundancy library to reconstruct the data stream before passing it to the destination client or server.
LZ
Lempel-Ziv (LZ) is a standards-based compression that can minimize the amount of bandwidth consumed by a TCP flow. LZ compression operates on smaller data streams and keeps limited compression history.
Traffic between two WAAS Express devices is optimized using TFO and LZ.
LZ compression can be used in conjunction with DRE or independently.
DRE
The Data Redundancy Elimination (DRE) compression scheme is based on a shared cache architecture, where each device involved in compression and decompression shares the same redundancy library.
DRE operates on significantly large data streams (typically tens to hundreds of bytes or more) and maintains a much larger compression history. Large chunks of redundant data are common in file system operations when files are incrementally changed from one version to another or when certain elements such as file headers and logos are common to many files.
In WAAS Express, DRE is performed completely in device memory; thus maximum DRAM is required in every platform.
Note |
DRE optimization is not supported for connections between WAAS Express devices. In such cases, traffic is optimized using TFO and LZ. |
WAAS Express compresses upload traffic (with some limitations) by using the DRE algorithm. WAAS Express decompresses the download traffic that is compressed using DRE.
With WAAS Express Phase 2, DRE compression is also supported in the upload direction. You can enable or disable the upload DRE operations for troubleshooting purposes.
Upload DRE is useful in the download-edit-upload scenario, where a user in a branch office downloads a file from the data center, modifies the file, and uploads the modified document back to the data center. If the modifications are small and localized, the upload of the modified file can benefit from the unmodified contents stored in the DRE cache. The compression in the upload direction is performed based on the cache entries that were added in the download direction.
Autodiscovery of WAAS Express Devices
The autodiscovery feature of WAAS Express enables WAVEs and WAAS Express devices to automatically locate peer WAVEs on a network by adding TCP options on control packets. After discovering a peer device automatically, the WAVEs terminate and separate the LAN-to-WAN TCP connections and add a buffering layer to resolve the differing speeds or WAAS Express proxies the connection on the device in different segments to achieve optimization benefits. After a WAVE establishes a connection with a peer WAVE, the two devices can establish an optimized link for TCP traffic or pass the non-TCP traffic as unoptimized.
The autodiscovery of peer WAAS devices is achieved using TCP options. These TCP options are recognized and understood only by WAAS devices and are ignored by non-WAAS devices.
A server is blacklisted by WAAS Express if the server is not able to receive TCP packets with options because these TCP packets are being blocked by network devices such as firewalls. WAAS Express learns not to send TCP packets with options to these blacklisted servers.
Application Acceleration
In addition to the TCP optimization features that enhance the flow of traffic over a WAN, WAAS Express provides selected application acceleration benefits. WAAS Express reduces the response time of remote applications. Even though TFO optimizes traffic over a WAN, protocol messages between branch office clients and remote servers can cause slow application response time. To resolve this issue, WAAS Express helps to respond to messages locally so that the client need not wait for a response from the remote server.
- CIFS-Express--Optimizes Common Internet File System (CIFS) traffic exchanged with a remote file server.
- HTTP-Express--Optimizes HTTP traffic.
- SSL-Express--Optimizes encrypted Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic. SSL-Express accelerator provides traffic encryption and decryption within a WAAS Express-enabled network to allow end-to-end traffic optimization.
For an accelerator to operate, you must enable the accelerator on both the WAAS Express device and the peer WAVE at either end of a WAN link. CIFS-Express is a single-sided accelerator; it works when it is enabled only on the WAAS Express device. Each WAAS Express-enabled device uses application policies to match specific types of traffic to an application and to determine whether that application traffic should be optimized and accelerated. For more information, see the "WAAS Application Policies" section.
All WAAS Express accelerators, except SSL-Express accelerator, are mutually exclusive. This means that only one accelerator is applied to a specific flow. The only two accelerators that can act in conjunction are SSL-Express and HTTP-Express accelerators. TFO, along with DRE and LZ, forms a transport optimization (TO) module.
For a particular flow, the following optimizations are possible:
CIFS-Express Accelerator
CIFS-Express accelerator allows a WAAS Express-enabled device to reply to client requests by using locally cached data instead of retrieving this data from remote file and application servers.
In a typical Common Internet File System (CIFS) application accelerator scenario, a client sends a large number of synchronous requests that require the client to wait for a response before sending the next request. Compressing data over the WAN is not sufficient for an acceptable response time. For example, when you open a 5 MB Word document, about 700 CIFS requests (550 read requests plus 150 other requests) are produced. If all these requests are sent over a 100 ms round trip WAN, the response time is at least 70 seconds (700 x 0.1 seconds). WAAS CIFS-Express accelerator minimizes the synchronous effect of the CIFS protocol, which reduces application response time.
CIFS-Express accelerator requires about 10 MB of memory as a global entity (across all platforms) and about 130 KB for each supported flow. Other accelerators, such as HTTP-Express accelerator, that are mutually exclusive with CIFS-Express accelerator use the same 130 KB per flow.
CIFS-Express accelerator supports the following:
CIFS-Express accelerator operates only on flows where WAAS Express is configured on an edge device; CIFS-Express accelerator is not applied to a connection if the WAAS Express device acts as a core device for a CIFS-Express session.
You can enable CIFS-Express accelerator by using the enable command in WAAS CIFS configuration mode and disable it by using the no form of the command. Enter the WAAS CIFS configuration mode by using the accelerator cifs-express command in parameter map configuration mode. In addition to the global CIFS-Express accelerator configuration, you can configure traffic streams, classified by the Cisco Common Classification Policy Language policy map, that will go through CIFS-Express acceleration. This can be achieved by updating the class map configuration in WAAS Express by using the optimize tfo command.
CIFS works on TCP ports 139 and 445. Both the ports are subject to optimization when synchronization messages (SYNs), with one of these values on the destination port, arrive on the LAN side.
The subsequent sections describe CIFS-Express acceleration that require minimum memory and CPU resources.
Read Ahead
The read ahead feature of the CIFS-Express accelerator allows WAAS Express to read a file ahead of user requests when an application is conducting a sequential file read. The maximum read request in CIFS is limited to 64 KB. Most applications, including Microsoft Office and Windows Explorer, do not pipeline read requests.
Async Write
The async write feature of CIFS-Express accelerator facilitates efficient write operations. The maximum write request in CIFS is 64 KB.
The mechanism followed by CIFS-Express accelerator to write asynchronously is described below.
Whenever a write request arrives, the accelerator forwards the request to the server and provides a local success reply to the client.
- If an error response is received from the server, a local error response is sent to one of the subsequent write requests.
- If there are no subsequent write requests before the file is closed, a local error reply is sent to the close request.
Because the primary reason for write request failures is a lack of disk space or quota, async write optimization is disabled when the available space drops below 20 MB. This value can be configured.
Negative Caching
The negative caching feature of CIFS-Express accelerator allows WAAS Express to store information about missing files to reduce round-trips across the WAN.
While browsing directories (remote or local) in a Windows operating system before Windows 7, Windows Explorer continuously asks for mostly nonexistent files and metadata, such as icons, thumbnails, and author information. This metadata is stored in "alternate data streams," and therefore, the negative caching is also referred to as the alternate data streaming negative caching.
The accelerator caches negative response for 3 seconds (this can be configured) and provides local responses if possible. The reason for the relatively short, default 3 seconds interval is to decrease the probability of issues that might be caused when alternate data streams are created by another desktop during the same period.
HTTP-Express Accelerator
WAAS Express optimizes web-based applications by using the HTTP-Express accelerator. This accelerator express enables a fast connection setup and eliminates round trips associated with the connection setup. HTTP-Express accelerator also helps to minimize the impact of latency or limited bandwidth.
HTTP-Express accelerator operates only on flows where WAAS Express is configured on an edge device. WAAS Express applies HTTP-Express acceleration only if the connections originate from the branch; the connections originating from the data center are not optimized.
You can enable HTTP-Express accelerator by using the enable command in WAAS HTTP configuration mode and disable the accelerator by using the no form of the command. Enter the WAAS HTTP configuration mode by using the accelerator http-express command in parameter map configuration mode. In addition to the global HTTP-Express accelerator configuration, you can configure traffic streams, classified by the Cisco Common Classification Policy Language policy map, that will go through HTTP-Express acceleration. This can be achieved by updating the class map configuration in WAAS Express using the optimize tfo command.
By default, when the HTTP-Express accelerator is enabled, it is applied for ports 80, 8080, 8000, 8001, and 3128, which are classified as HTTP under the default application policy configuration.
HTTP Metadata Caching
HTTP metadata caching enables the client side WAVE to respond locally to certain types of HTTP requests by caching the metadata information found in the HTTP response headers. A metadata cache is used to store attributes of an object, but not the actual object. Expiration time (time beyond which an object cannot be cached), file name, and file size are some examples of metadata.
Metadata cache is used to eliminate unnecessary round trips to the server over the WAN by locally servicing conditional requests at the branch WAAS Express when possible (thereby reducing the latency experienced by the client).
Metadata cache serves the following types of HTTP responses from the local cache of the edge WAAS Express device:
HTTP metadata cache is used to cache all metadata entries necessary for the above listed responses. The table below lists the header information stored in metadata cache:
| Table 1 | HTTP Information Stored in Metadata Cache |
| Header | Description |
| Etag |
The entity tag associated with this entity. It is represented as a string. |
| Expires |
The date and time at which this entity will no longer be valid and will need to be fetched again from the original source. It is expressed in absolute time and is used for HTTP1.0+ compatibility. It is represented as a string. |
| Max-age |
The amount of time for which the entry will still be valid. It is expressed in seconds, starting at the time the server created it. This is the HTTP1.1 accepted expiration time. |
| Last-Modified |
The last date and time when this entity changed. It is expressed in absolute time as a string. |
If the responses from the server contain any cache-control directives that do not allow caching, HTTP-Express accelerator does not cache any content from these responses. The cache-control attributes include:
DRE Hints
The DRE module operates on chunks of data and helps to avoid transferring redundant information on the WAN, irrespective of the Layer 7 protocol.
HTTP-Express accelerator can pass DRE hints to the DRE module at any point during a session. The hints are provided to the DRE module based on payload, resulting in better compression and improved overall DRE efficiency. Since HTTP-Express accelerator parses the Layer 7 content, the accelerator can provide the following useful hints to the DRE module:
-
Apply LZ or Not
When the response from the server is already compressed, such as in the form of a jpeg or gzip file, HTTP-Express accelerator can instruct the DRE module to not apply LZ compression again. This can save some CPU cycles on WAAS Express.
-
Skip Bytes
Multiple HTTP requests that request for the same file can have different headers even if the file being transferred is the same. To improve DRE compression in these cases, HTTP-Express accelerator can instruct DRE to skip the header bytes.
Server Encoding Suppression
Servers commonly serve web pages with minimal variations to different clients. Such pages, when compressed by the server, can vary considerably even when the uncompressed files are very similar. This reduces the effectiveness of DRE.
This problem can be solved by suppressing the server side encoding and allowing the core side WAAS device to apply LZ compression on the data after using DRE. If the client side WAAS Express removes any Accept-Encoding header from HTTP requests before sending them to the server, the server will not compress the data it sends. WAAS Express uses this mechanism to provide better compression on HTTP response from the server and also frees the server from the additional computation required to compress responses.
SSL-Express Accelerator
WAAS Express optimizes Secure Sockets Layer (SSL) web-based applications by applying SSL-Express acceleration along with generic optimization and compression techniques (TFO/DRE/LZ). By adding the capability to encrypt and decrypt SSL traffic, SSL-Express accelerator provides the benefits of DRE, LZ, and TFO to the SSL traffic between the client and the server. If SSL-Express accelerator is not enabled, the WAAS Express DRE optimizations are not effective on SSL-encrypted traffic. SSL-Express accelerator enables WAAS Express to decrypt data and apply optimizations while maintaining the security of the connection.
Note |
SSL-Express accelerator is applicable only if LZ and DRE optimizations are successfully negotiated and applied to the connection; otherwise, only TFO is applied to the connection. |
SSL and TLS protocols encrypt TCP segments by using various symmetric cryptographic algorithms, such as Advanced Encryption Standard (AES) and Data Encryption Standard (DES). SSL-Express accelerator supports SSL Version 3.0 and TLS Version 1.0. If a client attempts to initiate an SSL session with a higher version, the core device will attempt to downgrade the session to a lower supported version.
SSL-Express accelerator operates only on flows where WAAS Express is configured on an edge device; SSL-Express accelerator is not applied to a connection if the WAAS Express device acts as a core device for an SSL session. In addition, WAAS Express applies SSL-Express acceleration only if the connections originate from the branch; the connections originating from the data center are not optimized.
You can enable SSL-Express accelerator by using the enable command in WAAS SSL configuration mode and disable the accelerator by using the no form of the command. Enter the WAAS SSL configuration mode by using the accelerator ssl-express command in parameter map configuration mode. You can create a cipher list, specify the version of the SSL protocol, and associate the accelerator with a valid trustpoint label to configure SSL-Express accelerator. Default values are used if these parameters are not configured. You can also configure peering service to control the secure communications established by SSL-Express accelerator between WAAS Express devices while optimizing SSL connections.
When an SSL connection is optimized by SSL-Express accelerator, WAAS Express generates an empty SSL fragment and sends it to a client as the first encrypted message. This behavior can impact interoperability with older versions of the client applications such as Internet Explorer 6. You can disable the generation and sending of this empty SSL fragment using the no empty-ssl-fragment-insertion command in WAAS SSL configuration mode.
SSL Sessions
An SSL session comprises the following phases: SSL handshake, SSL rehandshake, SSL data transfer, and SSL shutdown or alerts. Since SSL is an end-to-end security protocol, decryption of data by any device in between the end hosts is not possible without the knowledge of the private key of the server. The session keys derived by the core device are sent to the edge device over the WAN-to-WAN SSL session set up between the WAAS devices.
There are two modes of operation: one where the server's private key and certificate are installed on the WAAS core device, and the other where the WAAS core device uses its own private key and certificate during the SSL handshake. The limitation of the second mode of operation is that the client browser displays a warning message stating that the server certificate received is not that of the server that the client is trying to reach. After the WAAS core device has knowledge of the private keys, it can derive the necessary SSL session keys and pass them on to the WAAS edge device. After this point, any data received over the SSL session at the edge device can be decrypted, compressed, reencrypted, and sent to the WAAS core device. At the WAAS core device again, the received message can be decrypted, uncompressed, and the original data can be sent encrypted to the server.
SSL-Express accelerator leverages the public key infrastructure (PKI) on the WAAS Express device. PKI provides comprehensive certificate management (required for the WAN-to-WAN session), including the management of self-signed and certificate authority (CA) certificates, and certificate verification and certificate revocation checks using the Simple Certificate Enrollment Protocol (SCEP).
Note |
SSL-Express accelerator uses buffers from the public buffer pools for encrypt and decrypt operations. Ensure that you tune the public pool for minimal impact due to trims, misses, and failures. |
After the SSL handshake is complete, SSL-Express accelerator examines the application data in the LAN-to-WAN connection to determine whether HTTP is being used. If HTTP is being used and HTTP-Express accelerator is enabled, HTTP acceleration is applied.
Cipher Lists
Cipher lists are sets of cipher suites that you can assign to an SSL-Express accelerator configuration. A cipher suite is an SSL encryption method that includes the key exchange algorithm, the encryption algorithm, and the secure hash algorithm.
SSL-Express accelerator supports the following cipher suites for WAN-to-WAN peering sessions:
- RSA_WITH_3DES_EDE_CBC_SHA
- RSA_WITH_AES_128_CBC_SHA
- RSA_WITH_DES_CBC_SHA
- RSA_WITH_RC4_128_MD5
- RSA_WITH_RC4_128_SHA
WAAS Express and WAVE can interoperate only when common cipher suites are used. If the WAAS Express device does not support the cipher suite that is negotiated for the client-to-server connection, WAAS Express resets the connection. The cipher suite supported by a WAAS Express device for a client-to-server session depends on the capability of the crypto engine available on the device.
SSL-Express accelerator supports the following cipher suites for client-to-server sessions:
WAAS Express Application Policies
The WAAS Express software includes over 150 default application policies that help WAAS Express to classify and optimize some of the most common types of traffic in a network.
The table below lists the default applications and classifiers that WAAS Express either optimizes or passes through based on the policies that are provided with the system.
The WAAS Express software supports the following optimization actions based on the type of traffic it encounters:
- TFO--A collection of optimization technologies such as automatic windows scaling, increased buffering, and selective acknowledgment that optimize all TCP traffic over a network.
- DRE--A compression technology that reduces the size of transmitted data by removing redundant information before sending the shortened data stream over the WAN. DRE operates on significantly larger streams and maintains a much larger compression history than LZ compression.
- LZ--A compression technology that operates on smaller data streams and keeps limited compression history compared to DRE.
- Application accelerators--A collection of individual accelerators for the following traffic types: CIFS, HTTP, and SSL.
We recommend that you review the default policies and modify them as appropriate before you create a new application policy. Often, modifying an existing policy is easier than creating a new one.
When reviewing the table below, note the following:
- The subheadings represent the application names. The associated classifiers are listed under these subheadings. For example, Authentication is a type of application and Kerberos is a classifier for that application.
- The word monitored indicates that the applications are monitored by the WAAS Central Manager (WCM), which can display statistics for only 20 applications at a time.
| Table 2 | Default Traffic Policies |
| Classifier |
WAAS Express Action |
Destination Ports |
|---|---|---|
| Authentication |
||
| Apple-SASL |
Passthrough |
3659 |
| auth | Passthrough | 113 |
| Kerberos |
Passthrough |
88, 888, 2053 |
| kerberos-adm | Passthrough | 749 |
| klogin | Passthrough | 543 |
| kpasswd | Passthrough | 464 |
| kshell | Passthrough | 544 |
| TACACS |
Passthrough |
49 |
| tell | Passthrough | 754 |
| Backup (monitored) |
||
| Amanda |
TFO |
10080 |
| BackupExpress |
TFO |
6123 |
| CommVault |
TFO |
8400-8403 |
| connected |
TFO |
16384 |
| IBM-TSM |
TFO+LZ+DRE |
1500-1502 |
| Legato-NetWorker |
TFO |
7937, 7938, 7939 |
| Legato-RepliStor |
TFO |
7144, 7145 |
| Veritas-BackupExec |
TFO |
1125, 3527, 6101, 6102, 6106 |
| Veritas-NetBackup |
TFO |
13720, 13721, 13782, 13785 |
| Call Management |
||
| Cisco-CallManager |
Passthrough |
2443, 2748 |
| cisco-q931-backhaul | Passthrough | 2428 |
| cisco-sccp | Passthrough | 2000-2002 |
| h323hostcall | Passthrough | 1720 |
| h323hostcallsc | Passthrough | 1300 |
| mgcp-callagent | Passthrough | 2727 |
| mgcp-gateway | Passthrough | 2427 |
| sip |
Passthrough | 5060 |
| sip-tls |
Passthrough | 5060 |
| VoIP-Control |
Passthrough |
1718, 1719,11000-11999 |
| Computer-Aided Design (CAD) |
||
| PDMWorks |
TFO+LZ+DRE |
30000, 40000 |
| Conferencing |
||
| cuseeme |
Passthrough |
7640, 7642, 7648, 7649 |
| ezMeeting |
Passthrough |
10101-10103, 26260, 26261 |
| MS-NetMeeting |
Passthrough |
522, 1503, 1731 |
| proshare |
Passthrough |
5713-5717 |
| PSOM-MTLS | Passthrough | 8057 |
| VocalTec |
Passthrough |
1490, 6670, 22555, 25793 |
| Console |
||
| cmd |
Passthrough |
514 |
| exec | Passthrough |
512 |
| login | Passthrough | 513 |
| sshell | Passthrough |
614 |
| Telnet |
Passthrough |
23, 107 |
| Telnets |
Passthrough |
992 |
| Content Management (monitored) |
||
| dmdocbroker |
TFO+LZ+DRE |
1489 |
| Filenet |
TFO+LZ+DRE |
32768-32774 |
| Directory Services (monitored) |
||
| LDAP |
TFO+LZ+DRE |
389, 8404 |
| ldaps | Passthrough |
636 |
| msft-gc | TFO+LZ+DRE |
3268 |
| msft-gc-ssl | Passthrough |
3269 |
| E-mail and Messaging |
||
| ccmail | TFO+LZ+DRE |
3264 |
| groupwise | TFO+LZ+DRE |
1677, 2800, 3800, 7100, 7101, 7180, 7181, 7205, 9850 |
| imap | TFO +LZ+DRE |
143 |
| imap3 | TFO+LZ+DRE |
220 |
| imaps | TFO | 993 |
| iso-tsap | TFO+LZ+DRE | 102 |
| lotusnote | TFO+LZ+DRE | 1352 |
| MDaemon |
TFO+LZ+DRE |
3000, 3001 |
| NNTP |
TFO+LZ+DRE |
119 |
| nntps |
TFO |
563 |
| openmail |
TFO+LZ+DRE |
5755, 5757, 5766, 5767, 5768, 5729 |
| pcmail-srv |
TFO+LZ+DRE |
158 |
| pop3 | TFO+LZ+DRE | 110 |
| pop3s | TFO+LZ+DRE | 995 |
| QMTP |
TFO+LZ+DRE |
209 |
| smtp |
TFO+LZ+DRE |
25 |
| smtps | TFO | 465 |
| Enterprise Applications (monitored) |
||
| MS-GROOVE | TFO | 2492 |
| SAP |
TFO+LZ+DRE |
3200-3204, 3206-3219, 3221-3224, 3226-3259, 3261-3263, 3265-3267, 3270-3282, 3284-3305, 3307-3351, 3353-3388, 3390-3399, 3600-3658, 3662-3699 |
| Siebel |
TFO+LZ+DRE |
2320, 2321, 8448 |
| File System (monitored) |
||
| afpovertcp | TFO+LZ+DRE | 548 |
| afs3 |
TFO+LZ+DRE |
7000-7009 |
| ncp |
TFO+LZ+DRE |
524 |
| NFS |
TFO+LZ+DRE |
2049 |
| sunrpc |
Passthrough |
111 |
| File Transfer (monitored) |
||
| BFTP |
TFO+LZ+DRE |
152 |
| ftp | Passthrough | 21 |
| ftps-data1 |
TFO+LZ+DRE |
20 (source port) |
| FTPS2 |
Passthrough |
989 (source port) |
| ftps |
TFO |
990 |
| sftp |
TFO+LZ+DRE |
115 |
| TFTP |
TFO+LZ+DRE |
69 |
| TFTPS |
TFO |
3713 |
| Instant Messaging |
||
| AOL |
Passthrough |
5190-5193 |
| Apple-iChat |
Passthrough |
5297, 5298 |
| ircs |
Passthrough |
994 |
| ircu |
Passthrough |
531, 6660-6665, 6667-6669 |
| msnp | Passthrough | 1863, 6891-6900 |
| sametime | Passthrough | 1533 |
| talk |
Passthrough |
517 |
| xmpp-client |
Passthrough |
5222 |
| xmpp-server |
Passthrough |
5269 |
| Yahoo-Messenger |
Passthrough |
5000, 5001, 5050, 5100 |
| Name Services |
||
| DNS |
Passthrough |
53 |
| isns |
Passthrough |
3205 |
| nameserver | Passthrough | 42 |
| netbios | Passthrough | 137 |
| svrloc |
Passthrough |
427 |
| WINS |
Passthrough |
1512 |
| Other (monitored) |
||
| Basic-TCP-services |
Passthrough |
1-19 |
| BGP |
Passthrough |
179 |
| corba-iiop-ssl | Passthrough | 684 |
| epmap | TFO | 135 |
| msmq |
TFO+LZ+DRE |
1801, 2101, 2103, 2105 |
| NTP |
Passthrough |
123 |
| Other-Secure |
Passthrough |
261, 448 |
| ssc-agent |
TFO+LZ+DRE |
2847, 2848, 2967, 2968, 38037, 38292 |
| Peer-to-peer (P2P) (monitored) |
||
| BitTorrent |
Passthrough |
6881-6889, 6969 |
| eDonkey |
Passthrough |
4661, 4662 |
| Gnutella |
Passthrough |
5634, 6346-6349, 6355 |
| Grouper |
Passthrough |
8038 |
| HotLine |
Passthrough |
5500-5503 |
| Kazaa |
Passthrough |
1214 |
| Laplink-ShareDirect |
Passthrough |
2705 |
| Napster |
Passthrough |
6666, 6677, 6688, 6700, 7777, 8875 |
| Qnext |
Passthrough |
44, 5555 |
| SoulSeek |
Passthrough |
2234, 5534 |
| WASTE |
Passthrough |
1337 |
| WinMX |
Passthrough |
6699 |
| Printing (monitored) |
||
| hp-pdl-datastr |
TFO+LZ+DRE |
9100 |
| IPP |
TFO+LZ+DRE |
631 |
| printer | TFO+LZ+DRE | 515 |
| print-srv | TFO+LZ+DRE | 170 |
| xprint-server |
TFO+LZ+DRE |
8100 |
| Remote Desktop (monitored) |
||
| Altiris-CarbonCopy |
Passthrough |
1680 |
| citrixadmin |
TFO+LZ+DRE |
2513 |
| citrixima | TFO+LZ+DRE | 2512 |
| citriximaclient | TFO+LZ+DRE | 2598 |
| ControlIT |
TFO |
799 |
| Danware-NetOp |
TFO |
6502 |
| ica |
TFO+LZ+DRE |
1494 |
| laplink |
TFO+LZ+DRE |
1547 |
| Laplink-surfup-HTTPS |
TFO |
1184 |
| ms-wbt-server |
TFO |
3389 |
| net-assistant | Passthrough | 3283 |
| netrjs-3 |
TFO |
73 |
| pcanywheredata |
TFO |
5631, 5632, 65301 |
| radmin-port |
TFO |
4899 |
| Remote-Anything |
TFO |
3999, 4000 |
| timbuktu | TFO | 407 |
| timbuktu-srv | TFO | 1417-1420 |
| Vmware-VMConsole |
TFO |
902 |
| VNC |
TFO |
5800-5809, 5900-5909 |
| x11 |
TFO |
6000-6063 |
| Replication (monitored) |
||
| Double-Take |
TFO+LZ+DRE |
1100, 1105 |
| EMC-Celerra-Replicator |
TFO+LZ+DRE |
8888 |
| ms-content-repl-srv |
TFO |
507, 560 |
| netapp-snapmirror |
TFO+LZ+DRE |
10565-10569 |
| pcsync-http | TFO+LZ+DRE | 8444 |
| pcsync-https | TFO | 8443 |
| rrac |
TFO |
5678 |
| Rsync |
TFO+LZ+DRE |
873 |
| Secure Sockets Layer (SSL) (monitored) |
||
| HTTPS |
TFO |
443 |
| Secure Shell (SSH) |
||
| SSH |
TFO |
22 |
| Storage (monitored) |
||
| EMC-SRDFA-IP |
TFO+LZ+DRE |
1748 |
| FCIP |
TFO+LZ+DRE |
3225 |
| iFCP |
TFO+LZ+DRE |
3420 |
| iSCSI |
TFO+LZ+DRE |
3260 |
| Streaming (monitored) |
||
| Liquid-Audio |
TFO+LZ+DRE |
18888 |
| ms-streaming |
TFO+LZ+DRE |
1755 |
| RTSP |
TFO+LZ+DRE |
554, 8554 |
| Structured Query Language (SQL) (monitored) |
||
| gds_db |
TFO+LZ+DRE |
3050 |
| IBM-DB2 |
TFO+LZ+DRE |
523 |
| intersys-cache |
TFO+LZ+DRE |
1972 |
| ms-olap4 | TFO | 2383 |
| ms-sql-m | TFO+LZ+DRE | 1434 |
| ms-sql-s | TFO+LZ+DRE | 1433 |
| MySQL |
TFO+LZ+DRE |
3306 |
| Oracle |
TFO+LZ+DRE |
66 |
| orasrv | TFO+LZ+DRE | 1521, 1525 |
| Pervasive-SQL |
TFO+LZ+DRE |
1583 |
| PostgreSQL |
TFO+LZ+DRE |
5432 |
| sqlexec | TFO+LZ+DRE | 9088, 9089 |
| sql-net | TFO+LZ+DRE | 150 |
| sqlserv |
TFO+LZ+DRE |
118 |
| sqlsrv |
TFO+LZ+DRE |
156 |
| ssql | TFO+LZ+DRE | 3352 |
| sybase-sqlany |
TFO+LZ+DRE |
1498, 2439, 2638, 3968 |
| UniSQL |
TFO+LZ+DRE |
1978, 1979 |
| Systems Management (monitored) |
||
| BMC-Patrol |
Passthrough |
6161, 6162, 6767, 6768, 8160, 8161, 10128 |
| eTrust-policy-Compliance | TFO | 1267 |
| flowmonitor | TFO+LZ | 7878 |
| HP-OpenView |
Passthrough |
7426-7431, 7501, 7510 |
| LANDesk |
TFO+LZ+DRE |
9535, 9593-9595 |
| NetIQ |
Passthrough |
2220, 2735, 10113-10116 |
| Netopia-netOctopus |
Passthrough |
1917, 1921 |
| netviewdm | Passthrough |
729-731 |
| novadigm | TFO+LZ+DRE | 3460, 3461, 3464 |
| novell-zen | TFO+LZ+DRE | 1761-1763, 2037, 2544, 8039 |
| objcall | TFO+LZ+DRE | 94, 627, 1965, 1580, 1581 |
| WBEM |
Passthrough |
5987-5990 |
| Version Management (monitored) |
||
| Clearcase |
TFO+LZ+DRE |
371 |
| cvspserver |
TFO+LZ+DRE |
2401 |
| VPN |
||
| CIFS |
TFO+LZ+DRE |
139, 445 |
| HTTP |
TFO+LZ+DRE+HTTP-Express accelerator |
80, 3128, 8000, 8080, 8088 |
| HTTPS |
TFO+LZ+DRE+SSL-Express accelerator |
443 |
| L2TP |
TFO |
1701 |
| OpenVPN |
TFO |
1194 |
| PPTP |
TFO |
1723 |
Multiple WAN Links
WAAS Express Phase 2 extends support for active/active and active/standby configurations on multiple WAN links.
IP Cisco Express Forwarding can efficiently use multiple parallel links without additional hardware multiplexers. The load balancing functionality on a device distributes packets across multiple links based on Layer 3 routing information. The load balancing functionality is inherent to the forwarding mechanism of a device. Some of the load balancing features supported by Cisco software include:
- Per-destination load balancing: In this type of load balancing, all packets for a given destination are forwarded along the same path. This preserves packet order, with potential unequal usage of links. If one host receives major part of traffic, all packets use one link, leaving bandwidth on other links unused. A larger number of destination addresses lead to more equally used links. You can enable per-destination load balancing on WAN interfaces by configuring the ip load-sharing per-destination command
- Per-packet load balancing: This type of load balancing guarantees equal load across all links. However, the packets may arrive out-of-order at the destination because of differential delay in the network. You can enable per-packet load balancing on WAN interfaces by configuring the ip load-sharing per-packet command.
Both per-destination and per-packet load balancing require the ip cef command to be configured.
Note |
WAAS Express does not support interoperability with a per-packet load balancing configuration or any other configuration that results in sending packets from one flow to be sent to a different WAN link. |
WAAS Express supports backup interface configuration. During switch over between active and standby interfaces, you will need to re-establish a session.
SNMP Support for WAAS Express
Simple Network Management Protocol (SNMP) is an interoperable, application-layer protocol that provides a message format for communication between SNMP managers and agents. SNMP provides a standardized framework and a common language that is used for monitoring and managing devices in a network.
SNMP allows for monitoring of WAAS Express. WAAS Express supports only SNMPv2c for SNMP traps; WAAS Express SNMP notification will fail if the correct SNMP version is not used.
How to Configure WAAS Express
- Configuring WAN Optimization Parameters
- Defining WAAS Express Policies
- Enabling WAAS Express
- Configuring Upload DRE
- Configuring CIFS-Express Accelerator
- Configuring HTTP-Express Accelerator
- Configuring HTTP Metadata Caching
- Configuring SSL-Express Accelerator
- Configuring SNMP Traps for WAAS Express
Configuring WAN Optimization Parameters
Use the tfo optimize command to configure the type of compression required. The remaining steps in this task are optional.
DETAILED STEPS
Defining WAAS Express Policies
Note |
You can configure WAAS Express by using the default class and policy maps. Alternatively, you can first define the class and policy maps and then configure WAAS Express. |
Perform these tasks to define class and policy maps if you do not want to use the default class and policy maps that are created when WAAS Express is enabled:
Defining Class Maps
The table in the "WAAS Application Policies" section lists the predefined applications and classifiers that WAAS will either optimize or pass through based on the policies that are provided with the system. We recommend that you review the default policies and modify them as appropriate before you create a new application policy. Often, modifying an existing policy is easier than creating a new one.
Perform this task to define a new policy (class map). Class maps help to classify traffic into groups based on a protocol, application, or other criterion. After defining a class map, associate it with a policy map. See the "Associating Class Maps with Policy Maps" task. Policy maps help to give a singular treatment to the created class maps.
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
class-map type waas [match-any] class-map-name
Example: Device(config)# class-map type waas waas_global |
Defines a class map of the type waas and enters QoS class-map configuration mode. |
||
|
Step 4
|
match tcp {any | destination | source} {ip ip-address [inverse mask] | port start-port-number1 [end-port-number2]}
Example: Device(config-cmap)# match tcp destination port 7000 7009 |
Matches traffic based on the specified criteria.
|
||
|
Step 5
|
exit
Example: Device(config-cmap)# exit |
Exits QoS class-map configuration mode. |
Example
The following example shows how to match traffic that has the destination TCP port number between 7000 and 7009:
Device(config)# class-map type waas waas_global Device(config-cmap)# match tcp destination port 7000 7009 Device(config-cmap)# exit Device(config)# class-map type waas waas_global Device(config-cmap)# match tcp destination ip 209.165.200.225 0.0.0.31 port 80 80 Device(config-cmap)# match tcp destination ip 209.165.200.225 0.0.0.31 port 8080 8080
In this example, traffic is matched if either one of the following conditions is true:
Associating Class Maps with Policy Maps
Before enabling WAAS Express on a device, perform this task to associate a class map with a policy map.
Note |
Any changes to the policy configuration (global policy map and class maps of the type waas) are persistent. For instance, if you modify the policy configuration, disable WAAS Express on interfaces, and re-enable WAAS Express, the policy configuration changes will still be visible. |
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
policy-map type waas policy-name
Example: Device(config)# policy-map type waas waas_global |
Defines a policy map of the type waas and enters QoS policy-map configuration mode. |
||
|
Step 4
|
sequence-interval number
Example: Device(config-pmap)# sequence-interval 100 |
Assigns sequential numbers to class maps at the specified interval. |
||
|
Step 5
|
class class-map-name
Example: Device(config-pmap)# class waas_global |
Specifies the class on which optimization must be performed and enters QoS policy-map class configuration mode. |
||
|
Step 6
|
optimize tfo {dre | lz} application application-name accelerate {cifs-express | http-express }
Example: Device(config-pmap-c)# optimize tfo dre application web accelerate http-express |
Applies WAN optimization for the matching traffic. |
||
|
Step 7
|
passthrough application application-name
Example: Device(config-pmap-c)# passthrough application web |
Passes through matched traffic and does not apply WAN optimization to the matching traffic.
|
||
|
Step 8
|
end
Example: Device(config-pmap-c)# end |
Exits QoS policy-map class configuration mode and returns to privileged EXEC mode. |
||
|
Step 9
|
show policy-map type waas
Example: Device# show policy-map type waas |
(Optional) Displays the policy-map information. |
Example
The following example shows how to create a new policy with actions and application tagging:
Device(config)# policy-map type waas waas_global Device(config-pmap)# class AFS Device(config-pmap-c)# optimize tfo lz application Web Device(config-pmap-c)# exit Device(config-pmap)# class Http Device(config-pmap-c)# optimize tfo lz application Filesystem Device(config-pmap-c)# exit Device(config-pmap)# class class-default Device(config-pmap-c)# exit Device(config-pmap)# exit
The following output from the show policy-map type waas command shows the policy map created in the previous example:
Device# show policy-map type waas
Policy Map type waas waas_global
Class AFS
optimize dre lz application Web
Class Http
optimize lz application Filesystem
Class class-default
Enabling WAAS Express
The waas enable command must be explicitly applied on each WAN interface. You can enable WAAS Express by using either the default class and policy maps created automatically or the class and policy maps that you define.
The global policy map governs the behavior of optimization on a WAN interface. All traffic exiting or entering a WAN interface is screened for optimization as per the global policy map. WAAS Express supports flows that travel over multiple WAN interfaces, entering one interface and exiting another. Traffic on other interfaces is not optimized by WAAS Express.
Perform this task to enable WAAS Express on a WAN interface.
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
|
Step 3
|
interface interface-type/number
Example: Device(config)# interface GigabitEthernet0/0 |
Specifies an interface for configuration and enters interface configuration mode |
|
Step 4
|
waas enable
Example: Device(config-if)# waas enable |
Enables WAAS Express on the WAN interface. |
|
Step 5
|
exit
Example: Device(config-if)# exit |
Exits interface configuration mode. |
Troubleshooting Tips
To troubleshoot the WAAS Express configuration, use the following commands:
- debug waas--Detects errors.
- monitor--Monitors and collects packet capture.
- show waas--Verifies the configuration.
The no waas enable command does not remove the WAAS Express configuration. This command neither affects the existing execute flows that are already optimized by WAAS Express on an interface, nor it removes the default maps from the WAAS device. To remove the WAAS Express configuration and disable WAAS Express, use the no waas enable remove-config command. To terminate the optimization flows and disable WAAS Express, use the no waas enable forced command.
Use the waas config remove-all command to remove default maps from the device. Use the waas config restore-default command to replace the policy configuration you defined with the default policy configuration.
Note |
You can use the waas config remove-all and waas config restore-default commands only if WAAS Express is disabled. |
Configuring Upload DRE
Upload DRE is enabled by default. Upload DRE is a CPU-intensive operation. If you perceive that the benefits provided by upload DRE is not worth the CPU utilization, you can disable upload DRE. Perform this task to disable upload DRE.
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
parameter-map type waas parameter-map-name
Example: Device(config)# parameter-map type waas waas_global |
Configures a parameter map of the type waas and enters parameter map configuration mode.
|
||
|
Step 4
|
no dre upload
Example: Device(config-profile)# no dre upload |
Disables the upload DRE operation. |
||
|
Step 5
|
exit
Example: Device(config-profile)# exit |
Exits parameter map configuration mode. |
Configuring CIFS-Express Accelerator
Note |
You can configure the global CIFS-Express accelerator parameters while CIFS-Express accelerator is disabled. |
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
parameter-map type waas parameter-map-name
Example: Device(config)# parameter-map type waas waas_global |
Configures a parameter map of the type waas and enters parameter map configuration mode.
|
||
|
Step 4
|
accelerator cifs-express
Example: Device(config-profile)# accelerator cifs-express |
Enters WAAS CIFS configuration mode and allows the configuration of CIFS-Express accelerator parameters. |
||
|
Step 5
|
enable
Example: Device(config-waas-cifs)# enable |
Enables CIFS-Express accelerator. |
||
|
Step 6
|
read-ahead enable
Example: Device(config-waas-cifs)# read-ahead enable |
(Optional) Enables the read ahead feature. |
||
|
Step 7
|
read-ahead size value
Example: Device(config-waas-cifs)# read-ahead size 200 |
(Optional) Configures the amount of data to read ahead per file. |
||
|
Step 8
|
async-write enable
Example: Device(config-waas-cifs)# async-write enable |
(Optional) Enables async write operation. |
||
|
Step 9
|
async-write quota-threshold value
Example: Device(config-waas-cifs)# async-write quota-threshold 100 |
(Optional) Configures the quota threshold for async write to perform the optimization. |
||
|
Step 10
|
ads-negative-cache enable
Example: Device(config-waas-cifs)# ads-negative-cache enable |
(Optional) Enables negative caching for alternate data streams. |
||
|
Step 11
|
ads-negative-cache timeout seconds
Example: Device(config-waas-cifs)# ads-negative-cache timeout 10 |
(Optional) Configures the timeout value for negative caching entries. |
||
|
Step 12
|
end
Example: Device(config-waas-cifs)# end |
Exits WAAS CIFS configuration mode and returns to privileged EXEC mode. |
||
|
Step 13
|
show waas accelerator cifs-express
Example: Device# show waas accelerator cifs-express |
(Optional) Displays the status and configuration of all CIFS-Express accelerator parameters. |
Configuring HTTP-Express Accelerator
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
parameter-map type waas parameter-map-name
Example: Device(config)# parameter-map type waas waas_global |
Configures a parameter map of the type waas and enters parameter map configuration mode.
|
||
|
Step 4
|
accelerator http-express
Example: Device(config-profile)# accelerator http-express |
Enters WAAS HTTP configuration mode and allows the configuration of HTTP-Express accelerator parameters. |
||
|
Step 5
|
enable
Example: Device(config-waas-http)# enable |
Enables HTTP-Express accelerator. |
||
|
Step 6
|
dre-hints enable
Example: Device(config-waas-http)# dre-hints enable |
(Optional) Enables HTTP-Express accelerator to pass DRE hints to the DRE module. |
||
|
Step 7
|
suppress-server-encoding enable
Example: Device(config-waas-http)# suppress-server-encoding enable |
(Optional) Suppresses server side encoding. |
||
|
Step 8
|
end
Example: Device(config-waas-http)# end |
Exits WAAS HTTP configuration mode and returns to privileged EXEC mode. |
||
|
Step 9
|
show waas accelerator http-express
Example: Device# show waas accelerator http-express |
(Optional) Displays the status and configuration of all HTTP-Express accelerator parameters. |
Configuring HTTP Metadata Caching
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
parameter-map type waas parameter-map-name
Example: Device(config)# parameter-map type waas waas_global |
Configures a parameter map of the type waas and enters parameter map configuration mode.
|
||
|
Step 4
|
accelerator http-express
Example: Device(config-profile)# accelerator http-express |
Enters WAAS HTTP configuration mode and allows the configuration of HTTP-Express accelerator parameters. |
||
|
Step 5
|
enable
Example: Device(config-waas-http)# enable |
Enables HTTP-Express accelerator. |
||
|
Step 6
|
metadatacache enable
Example: Device(config-waas-http)# metadatacache enable |
(Optional) Enables HTTP metadata caching. |
||
|
Step 7
|
metadatacache https enable
Example: Device(config-waas-http)# metadatacache https enable |
(Optional) Enables HTTPS metadata caching. |
||
|
Step 8
|
metadatacache max-age seconds
Example: Device(config-waas-http)# metadatacache max-age 1000 |
(Optional) Configures the maximum time, in seconds, to retain cache entries in the metadata cache table. |
||
|
Step 9
|
metadatacache min-age num
Example: Device(config-waas-http)# metadatacache min-age 1000 |
(Optional) Configures the minimum time, in seconds, to retain cache entries in the metadata cache table. |
||
|
Step 10
|
metadatacache filter-extension ext1, ext2,...
Example: Device(config-waas-http)# metadatacache filter-extension html,css,jpg |
(Optional) Configures the metadata cache to store only the file extensions specified in the list. |
||
|
Step 11
|
metadatacache request-ignore-no-cache enable
Example: Device(config-waas-http)# metadatacache request-ignore-no-cache enable |
(Optional) Configures the metadata cache to ignore cache-control on requests. |
||
|
Step 12
|
metadatacache response-ignore-no-cache enable
Example: Device(config-waas-http)# metadatacache response-ignore-no-cache enable |
(Optional) Configures the metadata cache to ignore cache-control on response. |
||
|
Step 13
|
metadatacache redirect-response enable
Example: Device(config-waas-http)# metadatacache redirect-response enable |
(Optional) Enables the HTTP URL redirect feature. |
||
|
Step 14
|
metadatacache unauthorized-response enable
Example: Device(config-waas-http)# metadatacache unauthorized-response enable |
(Optional) Enables the HTTP authentication-redirect feature. |
||
|
Step 15
|
metadatacache conditional-response enable
Example: Device(config-waas-http)# metadatacache conditional-response enable |
(Optional) Enables responses for the HTTP conditional requests feature. |
||
|
Step 16
|
end
Example: Device(config-waas-http)# end |
Exits WAAS HTTP configuration mode and returns to privileged EXEC mode. |
||
|
Step 17
|
show waas cache http-express metadatacache all
Example: Device# show waas cache http-express metadatacache all |
(Optional) Displays HTTP-Express accelerator metadata cache entries. |
Configuring SSL-Express Accelerator
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Step 3
|
parameter-map type waas parameter-map-name
Example: Device(config)# parameter-map type waas waas_global |
Configures a parameter map of the type waas and enters parameter map configuration mode.
|
||
|
Step 4
|
accelerator ssl-express
Example: Device(config-profile)# accelerator ssl-express |
Enters WAAS SSL configuration mode and allows the configuration of SSL-Express accelerator parameters. |
||
|
Step 5
|
enable
Example: Device(config-waas-ssl)# enable |
Enables SSL-Express accelerator. |
||
|
Step 6
|
no empty-ssl-fragment-insertion
Example: Device(config-waas-ssl)# no empty-ssl-fragment-insertion |
(Optional) Disables the sending of an empty SSL fragment as the first encrypted message sent to the client.
|
||
|
Step 7
|
waas-ssl-trustpoint label
Example: Device(config-waas-ssl)# waas-ssl-trustpoint ssl-tp |
Associates the specified trustpoint with SSL-Express accelerator. |
||
|
Step 8
|
cipher-list list-name
Example: Device(config-waas-ssl)# cipher-list clist |
Creates a cipher list for a WAAS-to-WAAS session and enters cipher list configuration mode. |
||
|
Step 9
|
cipher cipher-suite
Example: Device(config-waas-cipher-list)# cipher rsa-with-3des-ede-cbc-sha |
Adds the specified cipher suite to a cipher list. | ||
|
Step 10
|
exit
Example: Device(config-waas-cipher-list)# exit |
Exits cipher list configuration mode and returns to WAAS SSL configuration mode. | ||
|
Step 11
|
services host-service peering
Example: Device(config-waas-ssl)# services host-service peering |
Configures host peering service and enters SSL peering service configuration mode. | ||
|
Step 12
|
peer-ssl-version ssl-tls-version
Example: Device(config-waas-ssl-peering)# peer-ssl-version ssl3 |
Configures the SSL version to be used for WAAS-to-WAAS sessions. |
||
|
Step 13
|
peer-cipherlist list-name
Example: Device(config-waas-ssl-peering)# peer-cipherlist clist |
Configures the cipher list to be used for WAAS-to-WAAS sessions. |
||
|
Step 14
|
peer-cert-verify enable
Example: Device(config-waas-ssl-peering)# peer-cert-verify enable |
Enables the verification of the peer certificate. |
||
|
Step 15
|
end
Example: Device(config-waas-ssl-peering)# end |
Exits SSL peering service configuration mode and returns to privileged EXEC mode. |
||
|
Step 16
|
show waas statistics accelerator ssl-express ciphers
Example: Device# show waas statistics accelerator ssl-express ciphers |
(Optional) Displays statistics about the cipher suites being used for different SSL sessions. |
Configuring SNMP Traps for WAAS Express
WAAS Express supports only SNMPv2c for SNMP traps. WAAS Express SNMP notification will fail if the correct SNMP version is not used.
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
Step 1
|
enable
Example: Device> enable |
Enables privileged EXEC mode. |
|
Step 2
|
configure terminal
Example: Device# configure terminal |
Enters global configuration mode. |
|
Step 3
|
snmp-server enable traps waas [cpu-throttle-off] [cpu-throttle-on] [license-deleted] [license-expired] [license-revoked] [peer-overload] [tfo-conn-overload]
Example: Device(config)# snmp-server enable traps waas peer-overload |
Enables SNMP traps for WAAS Express. |
|
Step 4
|
snmp-server community community-string [ro | rw]
Example: Device(config)# snmp-server community public ro |
Sets up the community access string to permit access to SNMP. |
|
Step 5
|
snmp-server source-interface [traps | informs] interface
Example: Device(config)# snmp-server source-interface traps gigabitethernet5/3 |
Specifies the interface from which an SNMP trap originates the notifications or traps. |
|
Step 6
|
snmp-server host {hostname | ip-address} [vrf vrf-name | informs | traps | version {1 | 2c | 3} [auth | noauth | priv]] community-string [udp-port port [notification-type]]
Example: Device(config)# snmp-server host 10.1.1.1 version 2c public waas |
Specifies the recipient of an SNMP notification. |
|
Step 7
|
exit
Example: Device(config)# exit |
Exits global configuration mode and returns to privileged EXEC mode. |
|
Step 8
|
show snmp mib
Example: Device# show snmp mib |
(Optional) Displays a list of MIB module instance identifiers (OIDs) registered on your device. |
Configuration Examples for WAAS Express
- Example: Associating Class Maps with Policy Maps
- Example: Configuring WAAS Express
- Example: Configuring CIFS-Express Accelerator
- Example: Configuring HTTP-Express Accelerator
- Example: Configuring SSL-Express Accelerator
- Example: Configuring SNMP Traps for WAAS Express
Example: Associating Class Maps with Policy Maps
The following example shows how to create a policy map. The insert-before keyword will insert the class policy being created before the specified class. The class-default keyword helps to match unclassified packets.
Device(config)# policy-map type waas waas_global Device(config-pmap)# class AFS Device(config-pmap-c)# optimize tfo lz application Filesystem Device(config-pmap-c)# exit Device(config-pmap)# class Http insert-before AFS Device(config-pmap-c)# optimize tfo lz application Web Device(config-pmap-c)# exit Device(config-pmap)# class class-default Device(config-pmap-c)# exit Device(config-pmap)# exit
The following output from the show policy-map type waas command shows the policy map created in the previous example:
Device# show policy-map type waas
Policy Map type waas waas_global
Class Http
optimize dre lz application Web
Class AFS
optimize lz application Filesystem
Class class-default
The following example shows how to create a policy map with sequence numbers:
Device(config)# policy-map type waas waas_global Device(config-pmap)# sequence-interval 10 Device(config-pmap)# class AFS Device(config-pmap-c)# optimize tfo lz application Web Device(config-pmap-c)# exit Device(config-pmap)# class Http Device(config-pmap-c)# optimize tfo lz application Filesystem Device(config-pmap-c)# exit Device(config-pmap)# class class-default Device(config-pmap-c)# exit Device(config-pmap)# exit
The following output from the show policy-map type waas command shows the policy map created in the previous example:
Device# show policy-map type waas
Policy Map type waas waas_global
sequence-interval 10
10 Class AFS
optimize dre lz application Web
20 Class Http
optimize lz application Filesystem
30 Class class-default
Example: Configuring WAAS Express
Device(config)# class-map type waas match-any http Device(config-cmap)# match tcp destination port 80 80 Device(config-cmap)# match tcp destination port 8080 8082 Device(config-cmap)# exit Device(config)# class-map type waas waas_global Device(config-cmap)# match tcp destination port 5190 5193 Device(config-cmap)# exit Device(config)# class-map type waas match-any bittorrent Device(config-cmap)# match tcp destination port 6969 Device(config-cmap)# match tcp destination port 6881 6889 Device(config-cmap)# exit Device(config)# policy-map type waas waas_global Device(config-pmap)# class http Device(config-pmap-c)# optimize tfo lz application web-traffic Device(config-pmap-c)# exit Device(config-pmap)# class aol Device(config-pmap-c)# optimize tfo lz application IM Device(config-pmap-c)# exit Device(config-pmap)# class bittorrent Device(config-pmap-c)# optimize tfo lz application p2p Device(config-pmap-c)# exit Device(config-pmap)# exit Device(config)# interface E0 Device(config-if)# description WAN Connection Device(config-if)# waas enable Device(config-if)# exit
Example: Configuring CIFS-Express Accelerator
The following example shows how to enable CIFS-Express accelerator and configure read ahead, async write, and negative caching features:
Device(config)# parameter-map type waas waas_global Device(config-profile)# accelerator cifs-express Device(config-waas-cifs)# enable Device(config-waas-cifs)# read-ahead size 100 Device(config-waas-cifs)# async-write quota-threshold 500 Device(config-waas-cifs)# ads-negative-cache timeout 15 Device(config-waas-cifs)# end
Example: Configuring HTTP-Express Accelerator
The following example shows how to enable HTTP-Express accelerator, enable server encoding suppression, and configure various metadata caching parameters:
Device(config)# parameter-map type waas waas_global Device(config-profile)# accelerator http-express Device(config-waas-http)# enable Device(config-waas-http)# suppress-server-encoding enable Device(config-waas-http)# metadatacache enable Device(config-waas-http)# metadatacache max-age 10000 Device(config-waas-http)# metadatacache min-age 100 Device(config-waas-http)# metadatacache redirect-response enable Device(config-waas-http)# metadatacache unauthorized-response enable Device(config-waas-http)# metadatacache conditional-response enable Device(config-waas-http)# end
Example: Configuring SSL-Express Accelerator
The following example shows how to enable SSL-Express accelerator, associate it with a trustpoint, create a cipher list, and configure peering services.
Device(config)# parameter-map type waas waas_global Device(config-profile)# accelerator ssl-express Device(config-waas-ssl)# enable Device(config-waas-ssl)# waas-ssl-trustpoint ssl-trust Device(config-waas-ssl)# cipher-list clist Device(config-waas-cipher-list)# cipher rsa-with-des-cbc-sha Device(config-waas-cipher-list)# exit Device(config-waas-ssl)# services host-service peering Device(config-waas-ssl-peering)# peer-ssl-version ssl3 Device(config-waas-ssl-peering)# peer-cipherlist clist Device(config-waas-ssl-peering)# peer-cert-verify enable Device(config-waas-ssl-peering)# exit Device(config-waas-ssl)# end
Additional References
Related Documents
MIBs
Technical Assistance
| Description |
Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for WAAS Express
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 3 | Feature Information for WAAS Express |
| Feature Name |
Releases |
Feature Information |
|---|---|---|
| WAAS Express |
15.1(2)T |
Cisco's WAAS Express is a key component of the Cisco WAAS product portfolio. WAAS Express is a cost-effective, IOS-based, WAN optimization solution that increases the amount of available bandwidth for small-to-mid-size branch offices and remote locations. The following commands were introduced or modified: class-map type waas, clear waas, cpu-threshold, debug waas, lz entropy-check, match tcp, optimize, parameter-map type waas, passthrough, policy-map type waas, sequence-interval, show waas alarms, show waas auto-discovery, show waas connection, show waas statistics aoim, show waas statistics application, show waas statistics auto-discovery, show waas statistics class, show waas statistics dre, show waas statistics global, show waas statistics lz, show waas statistics pass-through, show waas statistics peer waas, show waas status, show waas token, tfo auto-discovery, tfo optimize, waas cm-register url, waas config, waas enable, and waas export. |
| WAAS Express Phase 2 | 15.2(3)T | WAAS Express Phase 2 extends the feature set of Cisco's WAAS Express to include feature interoperability and application acceleration capabilities. It introduces the following application accelerators: CIFS-Express accelerator, HTTP-Express accelerator, and SSL-Express accelerator. WAAS Express Phase 2 also provides multiple WAN link support and support for upload DRE. The following commands were introduced or modified: accelerator, ads-negative-cache, async-write, cipher, cipher-list, clear waas, debug waas, debug waas accelerator cifs-express, debug waas accelerator http-express, debug waas accelerator ssl-express, dre-hints enable, dre upload, metadatacache, optimize tfo, peer-cert-verify enable, peer-cipherlist, peer-ssl-version, read-ahead, services host-service peering, show waas accelerator, show waas alarms, show waas cache http-express metadatacache, show waas connection, show waas statistics accelerator, show waas statistics dre, show waas statistics errors, show waas statistics global, show waas status, snmp-server enable traps waas, suppress-server-encoding enable, and waas-ssl-trustpoint |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Feedback