WAAS inline deployment

Hello All,
I'm deploying a couple of WAE-512s in "inline" mode for a customer. I have the configuration and it seems pretty straightforward; it looks like I just need to have the inlinegroup created and allow all VLANs. I will also have a crossover connection from the gateway router to the WAE and straight through from the WAE to the core LAN infrastructure. Are there any other things I should look out for, gotchas, etc.? Just looking to see what other people's experiences have been with this type of deployment. Thanks for your help!

Beware of duplex issues that can pop up from time to time on FE connections; hard coding can help avoid that. I would also suggest portfast where applicable, i.e. switchports.

Similar Messages

  • WAAS inline deployment options

    Hi,
    Can someone answer this basic question? I can't seem to find that much documentation on the inline modules.
    Can you confirm whether or not devices can see each other on layer 2 across the two groups of an inline WAAS Ethernet module? i.e., if I have a router connected to the WAN of group 1 and another connected to the WAN of group 2, and the two routers are running HSRP (or even an ASA cluster), will they see each other correctly?
    Thanks

    Thanks for that. So if I had
    Group1 = router1 - WAAS inline group1 - LAN switch
    Group 2 = router2 - WAAS inline group2 - LAN switch
    The routers would see each other through the WAAS and then the LAN switches (as if they were just connected to the switches), but wouldn't see each other directly across the WAAS module? Or you mean they don't see each other at all?
    Cheers

  • WAAS Inline & HSRP Deployment

    I'm running into a problem where auto-discovery is failing. We have remote offices with one router and one WAE in inline deployment; so far so good, this works perfectly.
    On the Main-Office we have two routers for redundancy, on the lan site we use hsrp.
    Can I use both inline-cards two for each router ?
    -----|- inlinegroup1---hsrp-router1-|--mpls
    lan--|- inlinegroup2---hsrp-router2-|
    or do I have to put both routers behind one pair of inline-card ?
    -----|- inlinegroup1-|-hsrp-router1-|
    lan--|- inlinegroup1-|-hsrp-router2-|--mpls
    Kind Regards
    -Lukas

    Lukas,
    If traffic for a connection flows asymmetrically through both inline groups, then CSCsk47177 can prevent optimization. This is scheduled to be fixed in the next WAAS maintenance release.
    Thanks,
    Zach

  • WAAS - 2 arm inline deployment

    I have a 2 arm deployment on a WAE-7371 with inline deployment at the core. Both WAN routers are connecting to the same MPLS cloud.
    I found out that when the traffic goes out via the L0/W0 & returns via the same int inlinegroup, it's fine. But if the return traffic comes in via the W1/L1, the traffic will be PT no peer/Asymmetric.
    Did anyone face this before, or am I missing something?
    Thanks.
    Edward

    Hi Dan,
    We have deployed more than 12 remote sites + 1 at DC for the client. Traceroute from both client & server end shows that the traffic is flowing through the WAE at both ends.
    However, at the DC's WAE with the 2 arm deployment, if traffic goes out through the inlinegroup 1/0 (due to HSRP active router) and returns via inlinegroup 2/0, then it will not be optimised. So far there is 1 remote site whose traffic is routed this way (return via inlinegroup 2/0).
    When I change the HSRP active router to force the outgoing traffic to flow through inlinegroup 2/0, this particular remote site is fine & traffic is being optimized. But the rest of the 11 remote sites will be in Asymmetric PT.
    That's why I hope to find out why asymmetric routes on a single WAE with 2 arm will not be optimized.
    Thanks & Regards,
    Edward

  • Waas inline in L2 environment

    Hi,
    A new WAAS installation is planned. The customer has 3 sites with one WAAS on each. On each site, there is no core layer. The L3 device is the ISP router. So, the WAAS will be plugged in via inline interfaces between the ISP router and a switch. The WAAS will receive all L2 broadcasts from the LAN. There is no L3 point-to-point dedicated network between the router and the switch.
    Could this scenario be an issue?
    Rgds.

    Wow, can't believe no one answered this for two years!
    I'm having a similar WAAS deployment, check this link out:
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_C11-560131.pdf

  • WAAS inline adapter issue

    There aren't any lights on the 4 port inline adapter in the WAAS. When I plug in a wire none of the ports light up. Is there some kind of configuration that I need to do to turn on these ports? Please help! Thank you

    Hi,
    You definitely need an Inline Adapter to setup WAAS 674 for inline interception mode. The built in Gig interfaces cannot be used for inline interception but can be used for WCCP or PBR. Inline adapter comes in a group LAN port and a WAN port.
    Regards
    Kiran.

  • WAAS Inline Adapter and Microsoft NLB (ISA Server Array)

    Hi
    I would like to place a waas device with 4-port inline adapter  between a MS ISA Firewall and the LAN switches. The ISA are unfortunately forming an array and using NLB which causes the switches to do unknown unicast flooding.
                / Switch A --------------- LAN0   WAN0  ------------ ISA1 ------------- Switch C ---------- Router A
    LAN -- |            |                               WAAS                        Array                        |       HSRP     |
                \ Switch B --------------- LAN1   WAN1  ------------ ISA2 ------------- Switch D ---------- Router B
    Will the WAAS get problems since it is seeing all the traffic on both inline groups? Is this setup possible?
    kind regards
    Tobias

    Gary,
    Yes, you just need to configure your firewall to allow TCP options (specifically option 33 (0x21 in HEX)), then configure the WAEs for directed mode.
    The firewall will see a TCP 3-way handshake at first so the two WAEs can auto discover each other and negotiate a UDP directed mode tunnel.
    Once the auto discovery phase is complete, traffic sent over the WAN side of the connection will be encapsulated in the UDP 4050 tunnel (so your firewall must allow this traffic through as well).
    Please see the configuration guide section on directed mode here which explains in more detail, and let me know if you have other questions.
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v421/configuration/guide/network.html#wpxref53362
    Cheers,
    Mike
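
The reply above depends on TCP option 33 (0x21) reaching the far side of the firewall on the handshake. As an added example (not part of the original thread and not Cisco code), this Python parser walks the option list of a captured SYN header so captures from both sides of the firewall can be compared; the sample headers, ports and option payload bytes are constructed for illustration.

```python
import struct

WAAS_OPTION_KIND = 0x21  # TCP option 33, the value named in the reply above

def tcp_options(segment: bytes):
    """Return [(kind, data)] parsed from a raw TCP header (no IP header)."""
    if len(segment) < 20:
        raise ValueError("shorter than a minimal TCP header")
    data_offset = (segment[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i = [], 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts.append((kind, segment[i + 2:i + length]))
        i += length
    return opts

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header used only to produce the samples below."""
    options += b"\x01" * (-len(options) % 4)  # pad to a 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002  # SYN flag
    return struct.pack("!HHIIHHHH", 49152, 445, 1000, 0,
                       offset_flags, 65535, 0, 0) + options

def survives(before: bytes, after: bytes, kind: int = WAAS_OPTION_KIND) -> bool:
    """True only if the option was sent and is still present after the firewall."""
    sent = any(k == kind for k, _ in tcp_options(before))
    seen = any(k == kind for k, _ in tcp_options(after))
    return sent and seen

# Constructed samples: MSS option plus option 0x21 with a placeholder payload.
MSS = b"\x02\x04\x05\xb4"
OPT33 = bytes([WAAS_OPTION_KIND, 6]) + b"\x00" * 4
SYN_INSIDE = build_syn(MSS + OPT33)
SYN_OUTSIDE_OK = build_syn(MSS + OPT33)
SYN_OUTSIDE_STRIPPED = build_syn(MSS + b"\x01" * len(OPT33))  # option overwritten with NOPs

if __name__ == "__main__":
    print("passed intact:", survives(SYN_INSIDE, SYN_OUTSIDE_OK))
    print("stripped:     ", not survives(SYN_INSIDE, SYN_OUTSIDE_STRIPPED))
```
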

  • WAAS inline without module?

    Is it possible to use a WAE appliance (WAE-512-K9) as an inline device without purchasing a WAE-INLN-4CG=? The device has 2 NICS, and I really wouldn't have a need for more than 1 port in and 1 port out.
    Thanks,
    Jason

    Jason,
    The inline module is required to deploy the WAE using inline interception.
    Thanks,
    Zach

  • WAAS Inline Network Adapter Required for 674 Appliance Inline Mode?

    Is an Inline Network Adapter required to set up a WAAS 674 Appliance in Inline Interception Mode, or can the two inbuilt interfaces Gi1/0 and Gi2/0 be used?

    Hi,
    You definitely need an Inline Adapter to setup WAAS 674 for inline interception mode. The built in Gig interfaces cannot be used for inline interception but can be used for WCCP or PBR. Inline adapter comes in a group LAN port and a WAN port.
    Regards
    Kiran.

  • WAAS - Multicast Deployment

    Has anyone deployed WAAS using multicast for the WCCP registration? We're using the multicast address of 239.0.0.1 with ip pim dense-mode and multicast routing enabled. Does anyone know if you can use ip pim sparse-dense-mode instead of ip pim dense-mode? The documentation shows only an example for ip pim dense-mode. I've gotten it working in the lab; I was just wondering what the recommendation is and if it's alright to use 239.0.0.1 instead of the 224.10.10.1 multicast address shown in the documentation. Is 224.10.10.1 reserved for WAAS? If so then I would want to use that instead of 239.0.0.1.

    Either multicast mode will work.  In addition, WAAS/WCCP don't care which multicast group is used (they'll use what is configured).
    Regards,
    Zach

  • WAE Inline Deployment on a router integrated switch module

    Hi,
    Is it possible to simulate an inline WAE deployment on a router with an integrated switch module?
    Thanks.
    Ed.

    Ed,
    Unfortunately you have to use WCCP or PBR with NME-WAE. Inline is only possible with the inline card on an appliance.
    Dan

  • IPS 4240 Inline deployment.

    Hi,
    I am trying to deploy IPS 4240 with Software version 4.1. My query is, will this version support inline prevention? If yes, what are the deployment & sensor interface configuration considerations. I believe the new 5.0 version supports this feature. But the documentation on v4.x is not clear.
    Thanks in advance.
    Ajay Dand

    Inline is implemented in software version 5.0.
    The upgrade image is available at:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    All IPS software is available at:
    http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

  • Waas inline and exchange cluster

    Hello,
    Can somebody help me?
    I put a WAE574 in inline mode between the switch and the WAN router.
    When I no shut the inline group, the virtual IP address of the Exchange cluster is not OK but the two physical addresses are OK.
    The Exchange cluster is on the LAN.
    When I shut the inline group, all is OK.
    Thanks for your help
    Bibian

    Hello,
    I finally fixed my problem.
    I configured a static MAC address on the router and a static ARP.
    The MAC address is the cluster MAC address and the ARP is the IP and MAC address of the cluster:
    mac address-table static 02BF.AC14.00A5 vlan 1 int gig 1/0/24 gig 3/0/23
    arp 172.20.0.165 02BF.AC14.00A5 arpa
    Regards
    Bibian

  • Inline Duplex issues

    Hi all
    We are in the middle of a WAAS deployment across our network; we have deployed 7341s at our datacentres using WCCP and 674, 574 and 274s at our branch sites using Inline.
    10 sites have been completed without issue using all of the above hardware models and connection methods; however, on our last install we attempted to install a 274 WAVE Inline at a small branch site. The WAVE sits in between the onsite router, which is a Nokia, and a 3750 Cisco Switch. Both the switch port and Inlinegroup have been hard coded to 100/full and I was assured that the Nokia NIC port is also set to 100/full.
    The devices have been cabled up in the following way:
    Nokia Router to WAVE Inlineport 1/1/wan         - Crossover
    WAVE Inlineport 1/1/lan to Cisco 3750 Switch - Straight Through
    Nokia Router Port  - 100/Full
    WAVE Inlinegroup  - 100/Full
    3750 Switch Port    - 100/Full
    When the WAVE was cabled in we found that we couldn't get a link; both the lan and wan inline links reported as being down. If I set the Inlinegroup to Auto the link then came up but we received the following error in the CMS:
    eth_not_fduplex TIRWACMER-01 10.160.27.248  Major The interface InlinePort 1/1/wan,configured for auto negotiation,is not in full-duplex mode.
    I'm thinking there may be a compatibility problem between the WAE and Nokia NIC cards? If the switch is plugged directly into the Nokia at 100/Full it is fine with no errors.
    Any Ideas?
    Adam

    Hi Adam,
    A few tests you may want to do if you have a redundant pair of inline interfaces. Try using a different inline pair on the WAAS to rule out the WAAS inline interface. If the second inline pair on the WAAS also has the same issues, it means there is some incompatibility between the WAAS and the Nokia NIC.
    If the second pair comes up fine, it may be a faulty NIC / inline pair on the WAAS side.
    On the other side, if you have a spare interface on the Nokia FW, try changing the interface on the Nokia and verify if that works or not.
    For your reference, here is the inline adapter config guide:
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/wae/module/inline/installation/guide/17880fru.html#wp39911
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this answers your question.

  • CSS Deployment Best Option

    Hello All,
    I'm searching for best deployment scenario in such situation:
    I have a 2 x Firewall ASA, both with 5 DMZs. In 3 of them I have HTTPS servers.
    What I want to do:
    - do SSL offloading by using 2 x CSS11501 with integrated SSL module
    - I cannot move servers to one DMZ network segment
    - I cannot change addressing scheme for network segments with HTTPS servers
    I thought about inline deployment with bridge mode, but I'm not sure if it'll work as I want/need. So my questions are:
    1. Are there any restrictions for using bridge mode with SSL offloading?
    2. I don't want a situation where servers from different server-side vlans can communicate with each other through the CSS. They should communicate through the firewall. Is it possible with CSS and what should I use to guarantee it? Or is it done by default like on an L2 vlan-enabled switch?
    3. Could I use ASR for an Active-Backup scenario? (I think no due to lack of configured Interface Redundancy - am I right?)
    4. In bridge mode, as I understand, it is needed to use one pair of vlans (client-side / server-side) for each server farm (or DMZ like in my example)?
    5. What about STP considerations in bridge mode, any problems ?
    Topology for one branch(I think it should look like):
    FW --- Switch L2 --- Servers
    vlan1 || vlan2
    CSS
    Any other advice will be appreciated.
    Many thanks & Regards,
    Daniel.

    Daniel,
    unfortunately, bridge mode won't help in your scenario. The CSS will route between the vlans - ALWAYS. So server-2-server communication can't be avoided.
    ASR does not work for SSL terminated connections [bridge mode or not].
    You could put the CSS in front of the firewalls. The risk is that it is going to be under possible attacks. But it makes the design easier - with all your restrictions.
    You could also put the CSS in a DMZ and use client nat to guarantee the response going back to the CSS. But you then lose stats about real client ip address.
    Because of all the restrictions you will end up with a design not very satisfying. It is better to make a few modifications to the current design to guarantee that the future will be better. Like moving all the servers into a single DMZ and readdressing those.
    You can use private ip addresses for the servers as they will be fronted by the CSS that can perform nat if needed.
    Gilles.
