Network Integration and Interception
This chapter provides an in-depth review of the network integration and interception capabilities of Cisco WAAS. The chapter begins by describing the options for basic connectivity, including link aggregation and NIC teaming. This is followed by a discussion of the interception methods available for redirecting traffic to a WAAS device for optimization. The techniques and methods discussed in this chapter form the foundation of the design and deployment solutions presented in subsequent chapters of this book.
Interface Connectivity
Each Cisco Wide Area Application Engine (WAE) has two 10/100/1000BASE-T Ethernet interfaces. In a typical deployment, each WAE is connected using a single interface to a LAN switch or router. By default, WAE interfaces auto-negotiate their speed and duplex. You can optionally configure the interface speed to 10 or 100 Mbps. In order for the interface speed to run at 1000 Mbps, it must be configured for auto-negotiation. The duplex of the interface is also configurable.
The router-integrated network module (NME-WAE) is also equipped with two Ethernet interfaces, but only one interface is accessible externally. The other interface connects directly to the internal router PCI bus at 1 Gbps and is configured in a similar manner as an external interface would be configured on a WAE appliance. Unlike a WAE appliance configuration, the WAE interface IP address and default gateway are configured as part of the Cisco IOS interface configuration where the NME-WAE is installed. Figure 4-1 shows the physical interface layout on the router-integrated NME-WAE.
Figure 4-1 NME-WAE Physical Interface Connectivity
The WAE interface configuration options are similar to the Cisco IOS configuration options, both in terms of function and CLI commands. Example 4-1 shows the interface configuration options available on a WAE.
Example 4-1. WAE Interface Configuration Options
WAE-612(config)# interface gigabitEthernet 1/0 WAE-612(config-if)# ? autosense Interface autosense bandwidth Interface bandwidth cdp Cisco Discovery Protocol Interface Config commands channel-group Configure EtherChannel group description Interface specific description exit Exit from this submode full-duplex Interface fullduplex half-duplex Interface halfduplex ip Interface Internet Protocol Config commands mtu Set the interface Maximum Transmission Unit (MTU) no Negate a command or set its defaults shutdown Shutdown the specific interface standby Standby interface config commands WAE-612(config-if)#
One of the interface configuration commands that behaves differently in WAAS versus IOS is the bandwidth command. The bandwidth interface configuration command in WAAS is used to specify the speed of the interface when auto-negotiation is disabled. The way in which the standby interface command is used is another important difference between WAAS and IOS. In IOS, the standby interface command is used for configuring the Hot Standby Router Protocol (HSRP) feature, while in WAAS it is used to configure the standby interface feature, described in the next section. You can see from the output in Example 4-1 that the remaining WAAS interface configuration commands are similar to the corresponding IOS interface configuration commands.
You can explicitly configure the interface with an IP address and subnet mask, or the WAE can acquire an IP address using DHCP. Each WAE interface can also be configured with multiple secondary IP addresses. It is also possible for the same interface to acquire an IP address through DHCP, and have multiple secondary IP addresses statically configured. By default, the interfaces on a WAE are administratively disabled, and are automatically enabled when a valid IP address is configured.
Each WAE interface is primarily referenced using the standard Cisco IOS interface naming scheme:
- <interface-name> <slot/port>
This is how WAE interfaces are referred to during configuration through the CLI or GUI. The interfaces also have an internal name by which the Linux operating system knows them. Table 4-1 shows the mapping between the internal and external interface names.
Table 4-1. WAE External and Internal Interface Names
IOS Name |
Internal Name |
gigabitEthernet 1/0 |
eth0 |
gigabitEthernet 2/0 |
eth1 |
Understanding the internal name of an interface is useful for understanding system log messages and using internal operating system tools, such as Ethereal or Tcpdump, which are useful for capturing traffic for offline analysis.
Just like the interface configuration, the outputs of interface show commands in WAAS are similar to Cisco IOS. Example 4-2 shows the output from the show interface command in WAAS.
Example 4-2. WAE show interface Command Output
AST6-CCO-02# show interface gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:28
Internet address:10.88.81.2
Broadcast address:10.88.81.15
Netmask:255.255.255.240
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 966044
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 1046794
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST RUNNING MULTICAST
Mode: autoselect, full-duplex, 100baseTX
AST6-CCO-02#
In addition to the normal interface information, such as IP address, Ethernet address, and counters, each interface also has a set of flags. These flags are the same flags that can be seen in the output of the ifconfig command in Linux. The two most important flags are UP and RUNNING. The presence of the UP flag indicates that the interface is administratively enabled. The presence of the RUNNING flag indicates that line protocol on the interface is operational.
Link Aggregation Using EtherChannel
To increase the available interface bandwidth for a WAE, Cisco WAAS supports EtherChannel. EtherChannel allows for the grouping of multiple physical interfaces to create a single "virtual" interface. The virtual interface, which functions as a single interface, has the aggregate bandwidth of the available physical interfaces in the channel group. EtherChannel is useful when the output from a single WAE exceeds the physical limitations of a single interface. For example, some remote sites may only have 100-Mbps LAN connections available, whereas the traffic from a single WAE can easily exceed 100 Mbps. In these situations, using EtherChannel to group both physical WAE interfaces together provides 200 Mbps of usable interface bandwidth.
In addition to increasing the available interface bandwidth, the EtherChannel has automatic failure and recovery detection based on the link state of each individual interface. In the event of a single interface failure, traffic continues to pass over the remaining interface in the channel group. The EtherChannel interface uses the MAC address from one of the physical interfaces in the group. The same MAC address is used persistently for the EtherChannel interface, even if the physical interface associated with that MAC address goes down. The formation of an EtherChannel in WAAS is based purely on device configuration. WAAS does not support Cisco Port Aggregation Protocol (PAgP) or 802.3ad Link Aggregation Control Protocol (LACP). When configuring EtherChannel between a WAE and a LAN switch, the channel mode on the LAN switch should be set to On for the WAE EtherChannel.
By default, the WAE load balances packets across all available interfaces in the channel group using a round-robin algorithm. WAAS also supports load balancing using destination IP address or destination MAC address.
Figure 4-2 shows a WAE connected to a single LAN switch using EtherChannel.
Figure 4-2 WAE Connected Using EtherChannel Feature
EtherChannel Configuration
Configuring EtherChannel in WAAS involves the following steps:
Step 1 Create a virtual PortChannel interface.
Step 2 Configure an IP address and subnet mask for the PortChannel interface.
Step 3 Assign the physical interfaces to the PortChannel.
Example 4-3 shows a basic EtherChannel configuration.
Example 4-3. WAE EtherChannel Configuration
! interface PortChannel 1 description ** EtherChannel Link to Switch ABC *** ip address 10.10.10.5 255.255.255.0 exit ! interface GigabitEthernet 1/0 channel-group 1 exit interface GigabitEthernet 2/0 channel-group 1 exit !
You should observe the following limitations when configuring EtherChannel in WAAS:
- Both interfaces in the channel group must run at the same speed.
- Access control lists (ACL) are still applied to each physical interface.
The load-balancing algorithm used for distributing traffic across the EtherChannel is configured using the following command:
port-channel load-balance dst-ip | dst-mac | round-robin
The command is configured globally and applies to all PortChannels on the WAE.
To check the status of the PortChannel interface, use the show interface PortChannel channel-number command. Example 4-4 demonstrates the output of this command.
Example 4-4. WAAS show interface PortChannel Output
AST6-CCO-01# show interface PortChannel 1 Interface PortChannel 1 (2 physical interface(s)): GigabitEthernet 1/0 (active) GigabitEthernet 2/0 (active) --------------------- Type:Ethernet Ethernet address:00:11:25:AB:43:32 Internet address:10.88.80.130 Broadcast address:10.88.80.255 Netmask:255.255.255.128 Maximum Transfer Unit Size:1500 Metric:1 Packets Received: 815996 Input Errors: 0 Input Packets Dropped: 0 Input Packets Overruns: 0 Input Packets Frames: 0 Packet Sent: 321842 Output Errors: 0 Output Packets Dropped: 0 Output Packets Overruns: 0 Output Packets Carrier: 0 Output Queue Length:0 Collisions: 0 Flags:UP BROADCAST RUNNING MASTER MULTICAST AST6-CCO-01#
Each member of the channel group, along with the status of the interface, is shown at the beginning of the output. The MASTER flag in the example output indicates that this is the virtual EtherChannel interface. Also notice the Ethernet address, which is taken from one of the physical interfaces in the channel group. Example 4-5 demonstrates the same command for each physical interface in the channel group.
Example 4-5. Channel Group Member Interface Output
AST6-CCO-01# show interface gigabitEthernet 1/0 Type:Ethernet Ethernet address:00:11:25:AB:43:32 Internet address:10.88.80.130 Broadcast address:10.88.80.255 Netmask:255.255.255.128 Maximum Transfer Unit Size:1500 Metric:1 Packets Received: 816176 Input Errors: 0 Input Packets Dropped: 0 Input Packets Overruns: 0 Input Packets Frames: 0 Packet Sent: 321880 Output Errors: 0 Output Packets Dropped: 0 Output Packets Overruns: 0 Output Packets Carrier: 0 Output Queue Length:1000 Collisions: 0 Base address:0x2000 Flags:UP BROADCAST RUNNING SLAVE MULTICAST Mode: full-duplex, 100baseTX AST6-CCO-01# AST6-CCO-01# show interface gigabitEthernet 2/0 Type:Ethernet Ethernet address:00:11:25:AB:43:32 Internet address:10.88.80.130 Broadcast address:10.88.80.255 Netmask:255.255.255.128 Maximum Transfer Unit Size:1500 Metric:1 Packets Received: 0 Input Errors: 0 Input Packets Dropped: 0 Input Packets Overruns: 0 Input Packets Frames: 0 Packet Sent: 0 Output Errors: 0 Output Packets Dropped: 0 Output Packets Overruns: 0 Output Packets Carrier: 0 Output Queue Length:1000 Collisions: 0 Base address:0x3400 Flags:UP BROADCAST SLAVE MULTICAST Mode: autoselect AST6-CCO-01#
The command output for each physical interface is the same as it is without EtherChannel configured, with the following exceptions:
- The SLAVE flag is set, indicating that the interface is part of an EtherChannel group.
- The Ethernet address for each interface is the same, and matches the MAC address used by the virtual EtherChannel interface.
Using the Standby Interface Feature
When you do not require increased interface bandwidth but desire interface redundancy, you can use the standby interface feature. The standby interface feature configures both physical interfaces on the WAE in an active/standby failover pair. At any point in time, only one of the interfaces is active and passing traffic. The second interface, or standby interface, is passively waiting to take over in the event that the active interface fails. When the active interface fails, the standby interface takes over the active role. When the previously active interface recovers, it assumes the standby role. The interface with the highest priority is preferred as the active interface. The priority is configurable.
The standby interface feature has become a popular choice for deployments because the WAE can be physically connected to two different LAN switches. This prevents the failure of a single LAN switch or switchport from disrupting the operation of the WAE. Figure 4-3 shows an example of a WAE connected using the standby interface feature.
Figure 4-3 WAE Connected Using Standby Interface Feature
The failure of the active interface in the standby group is detected using three different methods. The first method monitors the link state of the active interface. Line protocol is up when the RUNNING flag is present on the Ethernet interface. If line protocol fails on the active interface, the interface is marked as down.
The second method uses an ICMP ping to check availability of the default gateway configured on the WAE. An ICMP echo request is sent once every 10 seconds to the configured default gateway. If there is a response to the echo request, the interface is considered up. If there is no response to the echo request, five more echo requests are sent. If at least three responses are received, the interface is considered up. Otherwise, the interface is considered failed, and the interface is marked as down.
The final method available for monitoring the health of the active interface uses the interface error count to determine if an unacceptable number of errors have been seen on the interface. The error count is the absolute number of transmit and receive errors on the active interface. This check is disabled by default, but can be enabled using the following command:
errors 1-2147483647
The interface state and error counts (when configured) are checked once every 10 seconds. If the active link fails or the error count threshold is exceeded, the interface with the next highest priority is activated. When the failed interface recovers, it becomes the standby interface for the group. The standby interface does not have a preempt capability. When a new interface is activated, the WAE generates a gratuitous ARP to update the MAC address for the shared IP on all other devices on the same subnet. This prevents devices from sending traffic to the shared IP address on the WAE to the MAC address of the failed WAE interface.
Standby Interface Configuration
Configuring the standby interface feature in WAAS involves the following steps:
Step 1 Create a virtual standby interface.
Step 2 Configure an IP address and subnet mask for the standby interface.
Step 3 Assign the physical interfaces to the standby group.
Example 4-6 shows a basic standby interface configuration.
Example 4-6. WAE Standby Interface Configuration
! interface Standby 1 ip address 10.88.80.130 255.255.255.128 exit ! interface GigabitEthernet 1/0 standby 1 priority 105 exit interface GigabitEthernet 2/0 standby 1 exit !
You should observe the following limitations when configuring the standby interface feature within WAAS:
- The physical interfaces in the standby group do not require IP addresses.
- The standby interface feature does not have a preempt capability.
Each physical interface can be assigned a numeric priority between 1 and 2,147,483,647. The default standby priority for an interface is 100. The virtual standby interface uses the MAC address of the active interface. When the active interface fails and the standby interface takes over, the WAE generates a gratuitous ARP request to update the adjacent devices with the new MAC address associated with the WAE IP address.
To check the status of the standby interface, use the show interface Standby standby-interface-number command. Example 4-7 shows the output of this command.
Example 4-7. WAAS show interface Standby Interface Output
AST6-CCO-01# show interface Standby 1 Standby Group: 1 IP address: 10.88.80.130, netmask: 255.255.255.128 Member interfaces: GigabitEthernet 1/0 priority: 105 GigabitEthernet 2/0 priority: 100 Active interface: GigabitEthernet 1/0 AST6-CCO-01#
Each member of the standby group, as well as the status of the interface, is shown in the output. The current active interface is also displayed. The output for each physical interface is shown in Example 4-8.
Example 4-8. Standby Group Member Interface Output
AST6-CCO-01# show interface gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:32
Internet address (secondary): 10.88.80.130 Netmask: 255.255.255.128
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 819025
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 322492
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST RUNNING MULTICAST
Mode: full-duplex, 100baseTX
AST6-CCO-01#
AST6-CCO-01# show interface gigabitEthernet 2/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:33
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 0
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 0
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x3400
Flags:UP BROADCAST MULTICAST
Mode: autoselect
AST6-CCO-01#
In this output, the only indication that the interface is a member of a standby group is the secondary IP address, which matches the IP address configured on the virtual standby interface.