WAAS - policy prioritization

Similar Messages

• High circuit utilization and WAAS

  We have been experiencing some issues that I think are related to the WAAS and need opinions and advice on how to resolve.
  We are running the latest 4.1.1c code on all WAEs and are running in the new AO mode (not file services in legacy mode).
  At our data center (where the servers are) we have a 9mbps circuit connecting it to the MPLS cloud. At some of our remote sites (where the users are) we have T1s and fractional T1s. Almost daily we are seeing cases where a single connection is consuming all of the bandwidth at the remote sites. This is typically only for a defined period of anywhere from 10 minutes to an hour and can be traced to particular activity like copying a large files, etc. Before the WAAS was implemented we wouldn't see cases where a single operation could consume literally 100% of the bandwidth and I wonder if the core WAAS (at the data center) could be over utilizing the bandwidth since the core has 9mbps available.
  The problem is that when this occurs, it affects everyone else on the circuit since the circuit is slammed. Most of our users use terminal server connections and theses are greatly affected when all of the bandwidth is consumed. We have given the terminal server connections a higher priority inside the WAAS (through policy prioritization) and setting the DSCP marking to af21(18). We have even tried QOS on the routers but the condition occurs on a regular basis.
  Please help!
  David

  See the attached. It provides a very good overview. Is the adaptive buffering enabled?
  If not, either way a TCP window of 512K allwos the WAE to burst segments upwards to 512Kbytes. You want to be able to utilize the link to maximum capacity to compensate for latency. Howeve rif smaller apps are being choked then need to be adjusted. I am suprised that Q0S on the router had little effect ont he smaller traffic sessions.

• WAAS Not returning proper web redirects

  We have one WAAS edge device which is not returning the proper results when entered in a browser. When we reload
  the WAAS device, while it is rebooting, it will return the proper results. We have cleared all of the caches that we know
  of and all of our edge devices are the same and using the same policy.
  It is not handling redirects properly.
  We have one server running Apache, which handles redirects. For Instance Typing in :
  prod   goes to https://prod.domain.com
  test    goes to https://test.domain.com
  train   goes to https://train.domain.com
  When the WAAS is up, typing prod,test,or train will all take you to https://prod.doman.com
  When the WAAS is down or rebooting typing prod,test, or train will take you to the correct URL as specified until
  it comes back up. The other sites are configured identically as can be seen by the WAAS central manager. This WAAS
  device is running version 4.4.1.12
  Has anyone run into this before? W

  This case is now solved, for now. We opened a TAC and there was something wrong with the policy that was applied that was affecting mutiple WAAS devices. We were unable to grab a trace while this issue was in failure.
  In summary, we have an "ALL WAAS" policy which applies to all devices. The TAC technican created a singular policy
  that applied directly to one of the affected WAAS devices and set the policy to TFO only. Just putting this policy in force
  seemed to correct the issue. After this was done, we then reapplied the orginal policy and the issue no longer existed.
  The issue has not returned so far. When the issue was happening, it was easy to reproduce. Setting the HTTP AO policy to "PassThrough" immediately corrected the issue. Setting it back, the issue would return.
  So right now we are working, but do not know the "Why" as to exactly what caused the problem.

• WAAS out of session - Symantec End Point

  Hi,
  We have a router 3845 with a WAE-522-K9. Eventually we have received notifications about "session limit" and we got this:
  Current Active Optimized Flows: 790
  Current Active Optimized TCP Plus Flows: 790
  Current Active Optimized TCP Only Flows: 0
  Current Active Optimized TCP Preposition Flows: 0
  Current Active Auto-Discovery Flows: 0
  Current Reserved Flows: 10
  Current Active Pass-Through Flows: 155
  Historical Flows: 387
  D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio
  A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO
  ConnID Source IP:Port Dest IP:Port PeerID Accel RR
  I was reading some trouble shooting documents but i cannot get a solution. It could be a "Denial of Service" or a misconfiguration of SEP.
  Both Servers are Symantec End Point Servers.
  Thanks for your support
  131107 12.17.2.5:4423 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 14.1%
  131173 12.17.2.5:4465 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 02.4%
  131175 12.17.2.5:4489 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 48.6%
  131200 12.17.2.5:4514 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.9%
  131211 12.17.2.5:4515 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 10.1%
  131259 12.17.2.5:4561 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 30.1%
  131295 12.17.2.5:4591 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.3%
  131332 12.17.2.5:4619 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 14.1%
  131345 12.17.2.5:4629 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 14.1%
  131402 12.17.2.5:4665 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 00.0%
  131424 12.17.2.5:4706 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 06.4%
  131439 12.17.2.5:4725 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 16.2%
  131444 12.17.2.5:4744 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 23.3%
  131473 12.17.2.5:4796 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.9%
  131482 12.17.2.5:4813 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 21.9%
  131498 12.17.2.5:4824 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 31.8%
  131500 12.17.2.5:4839 10.5.19.146:8014 00:21:5e:27:9c:58 TDL 07.4%

  What version of WAAS OS are you on and how long has it been since you reset your Policy Rules to the default?  Also, from enable, do a "clear connection" to purge all those out of there and get things accelerating again.  The WAAS policy rules stay the same through each upgrade, so if your original policy rules date back to version 4.1.1, there have been a lot of enhancements since then.
  I had a similar problem with Sophos corporate virus protection.  Each of my clients would open 20+ sessions to the Sophos update server and max out my connections.
  I was on WAAS OS Version 4.4.3c when it was happening.  My first solution, was to create a Policy for Pass through only on the Sophos TCP port destination.  I kept this policy in place until I upgraded to WAAS OS verion 5.0.1 about a month ago.  After the update, I removed the rule and reset all rules to the default, which the default rule set from 5.0 is different than the default ruleset on 4.3.x which I had kept through every upgrade.  I reset the ruleset for a different issue, but after I did the reset, the Sophos Clients only took 2 TCP sessions each.  One from Client to Server, one from Server to Client.

• Loadbalancing using waas with ace

  i tried this configuraion for load balance all tcp traffic to waas in datacenter and it worked
  ACE(config)# class-map match-any ALL-TCP
  ACE(config-cmap)# 10 match virtual-address 0.0.0.0 0.0.0.0 tcp any
  ACE(config-cmap)# exit
  ACE(config)# policy-map type loadbalance first-match TCP-POLICY-TYPE
  ACE(config-pmap-lb)# class class-default
  ACE(config-pmap-lb-c)# serverfarm WAAS
  ACE(config-pmap-lb-c)# exit
  ACE(config)# policy-map multi-match WAAS-INTERCEPT
  ACE(config-pmap)# class ALL-TCP
  ACE(config-pmap-c)# loadbalance vip inservice
  ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE
  ACE(config-pmap-c)# exit
  the question now i do not want to redirect all tcp traffic of datacenter i want to deny some traffic from being intercepted so i think the solution
  in make class-map ALL-TCP to match access-list (not virtual-address) do you think it will work or have any limitation for that
  the new configuration "that i want to apply"
  ACE(config-pmap-c)ip access-list extn all-tcp
  ACE(config-pmap-c)permit tcp any any
  ACE(config-pmap-c)exit
  ACE(config)# class-map match-any ALL-TCP
  ACE(config-cmap)# 10 match access-group all-tcp
  ACE(config-cmap)# exit
  ACE(config-pmap-c)policy-map type loadbalance first-match TCP-POLICY-TYPE
  ACE(config-pmap-c)class class-default
  ACE(config-pmap-c)serverfarm WAAS
  ACE(config-pmap-c)exit
  ACE(config-pmap-c)policy-map multi-match WAAS-INTERCEPT
  ACE(config-pmap-c)class ALL-TCP
  ACE(config-pmap-c)# loadbalance vip inservice
  ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE
  ACE(config-pmap-c)# exit

  You will need to create a HTTP loadbalance classmap to match the source address of this traffic. The configuration would look something like this:
  class-map match-all TCP_ANY
  2 match virtual-address 0.0.0.0 tcp any
  class-map type http loadbalance match-any ROUTE
  2 match source-address 1.1.1.0 255.255.255.0
  policy-map type loadbalance first-match TCP-POLICY-TYPE
  class ROUTE
  forward
  class class-default
  serverfarm WAAS
  policy-map mulit-match WAS-INTERCEPT
  class TCP_ANY
  loadbalance policy TCP-POLICY-TYPE
  loadbalance vip inservice
  Due to the nature of the WAAS traffic, you will also need to turn on mac-sticky on the and disable TCP normalization on the interface.

• A problem with RDP when WAEs was connected to the network

  The customer has a problem with RDP sessions on one Microsoft cluster server. The problem started when the WAEs (management and acceleration WAEs) are connected to a network (where a cluster is connected). Did anybody have the similar problem? The sessions are connected, but after some different times these sessions are frozen. This problem is only with this Microsoft cluster, the RDP on other servers are good. The WAAS is 4.0.17b14.

  Hi,
  I have the same problem as I write. RDP seems to get slower when I connect the WAEs and the login timesout before the user can type the username and password.
  I have ensured that "EPM Classification" is disbled.
  Check and see if Term-services are well configured on the TS server side. Maybe some config is conflicting with WAAS TS optimization.
  What happens when you set TS to passthrough?
  Also try this for your case;
  " HOW-TO: Configuring RDP and Terminal Services for Full WAAS Optimization
  Microsoft RDP and Terminal Services are, by default, compressed and encrypted. As such, the default Cisco WAAS policy for these applications is to apply TCP optimizations only. RDP and Terminal Services can be configured to allow Cisco WAAS to provide full optimization (DRE, LZ, TFO) which is a 2X-10X improvement over native WAN and 2X-3X improvement over the compression provided by Microsoft.
  Configuring Microsoft RDP and Terminal Services to support Cisco WAAS full optimization requires a change to the client and a change to the server.
  On the client, disable compression by editing the .RDP file for the connection using Notepad or a similar text editor. Identify a line in the file that shows "compression:i:1". Modify this line to say "compression:i:0". This disables compression for the RDP/TS connection.
  On the server, open the Terminal Services Configuration found under Start > Programs > Administrative Tools. From here, expand Terminal Services Configuration to Connections. Double-click the "RDP-Tcp" entry found in the workspace. Change the encryption level to "Low", which specifies that only login will be encrypted. Then, click "Ok" and close Terminal Services Configuration.
  Then, modify the Cisco WAAS policy on the configured device group (or explicitly on each of the WAEs) called "MS-Terminal-Services". Set this policy to "Optimize Full". "
  Anyone out there with a clue why RDP gets disconnected?

• Single WAE \ WCCP \ Dual Routers - Slow Accelerated Traffic

  Our standard WAE design was to have dual WAE's at sites with dual Routers.
  The WAE's are either 674's or 574's and the routers are Cisco ISR's all works well.
  Several new sites have coome online but these sites now only have a single WAE devcie and two WAN routers.  Some users at
  The issue I have now is that some "Accelerated" sessions via the WAE devices are reported by users as being very slow. When those sessions are removed from WAAS policy and set to pass through the user reports normal access again.
  On looking at the problem I have possibly identified that the lack of the command;
  ip wccp redirect exclude in on the router interface
  But this command was never applied to the exisiting design, though potentialy under normal conditiaon where both routers and both WAE's are working it's never been a problem.
  From Cisco;
  In any scenario where egress redirection is used, the command above MUST be issued on the router interface adjacent to the WAE. This command, "ip wccp redirect exclude in", ensures that packets received on the interface are not redirected again. This prevents an optimized packet from being rerouted directly back to the WAE. Instead, with this command applied, the router would simply see the packet coming in and forward it normally (WCCP would be bypassed for packets received on that interface).
  The WAE's are NOT L2 connected to the Routers so the following config is applied,
  rtr no 1
  ip wccp 61 redirect-list WAAS
  ip wccp 62 redirect-list WAAS
  ip cef
  interface GigabitEthernet0/0
  description *** Data LAN
  ip address x.y.7.6 255.255.255.192
  ip wccp 61 redirect in
  ip wccp 62 redirect out
  rtr no 2ip wccp 61 redirect-list WAAS
  ip wccp 62 redirect-list WAAS
  ip cef
  interface GigabitEthernet0/0
  description *** Data LAN
  ip address x.y.7.1 255.255.255.192
  ip wccp 61 redirect in
  ip wccp 62 redirect out
  WAE Configprimary-interface Standby 1
  interface Standby 1
  ip address x.y.7.65 255.255.255.192
  interface GigabitEthernet 1/0
  standby 1 primary
  exit
  interface GigabitEthernet 2/0
  standby 1
  exit
  wccp router-list 1 x.y.7.1 x.y.7.6
  wccp tcp-promiscuous router-list-num 1
  wccp version 2
  Option 2 below is used.  But all sites have DUAL Routers.  Note Redirect Exclude is NOT configured.
  Thanks in advance for any support offered.

  Thanks for your post, details below.
  What do you mean by "sessions removed from WAE policy" ? Are you configuring static bypass on the WAE or are you excluding specific traffic with the WCCP redirect list ?
  I am defining certain traffic as Passtrough via a ststic bypass on the WAE’s
  - check if the slowness affects all the redirected traffic or just particular sources/destinations/applications
        Recent testing has identified it just seems to affect a certain share, which I am investigating as this share has some kind of "Archive" solution in place.
  - make sure that the WCCP redirect ACL matches both directions of the connections
        It does
  - check the redirect / return method that is being negotiated
        All OK     
  - make sure both routers are seeing the WAE via WCCP
        Yes they are
  - check for "routing loop" in the WAE syslog.txt to understand if the WAE is receiving some traffic twice
        Investigating and will post reply. 
  Are the affected connections showing up in the "show stat connection" output on the WAE ? If so, are they optimized or PT ?
       They show as fully optimized when configured for the CIFS AO, but revert to PT when the static WAE policy is altered.

• Help about WAAS SSL optimized policy

  hi everyone
  I enable SSL optimized function and it work fine
  but I have a question
  in my environment, most SSL tcp session size is under 10 KB
  so when small size tcp session optimized by waas
  it's optimized bytes is bigger than original byte
  so, does waas have the function that if  the tcp session original size under 10KB
  it only opimize in TFO or pass-through it
  on the contrary, if tcp session original size is bigger than10KB
  it will full optimzed
  does waas has this function ??
  thanks

  Notice the highlighted line in the output you provided:
  Core-WAE#sh stat con detail server-port 443
  Connection Id:            852083
      Peer Id:                  00:14:5e:85:26:c3
      Connection Type:          EXTERNAL SERVER
      Start Time:               Tue Jun  8 09:29:29 2010
      Source IP Address:        2.2.2.2
      Source Port Number:       2930
      Destination IP Address:   1.1.1.1
      Destination Port Number:  443
      Application Name:         SSL
      Classifier Name:          HTTPS
      Map Name:                 basic
      Directed Mode:            FALSE
      Preposition Flow:         FALSE
      Policy Details:
             Configured:        TCP_OPTIMIZE + DRE + LZ
                Derived:        TCP_OPTIMIZE + DRE + LZ
                   Peer:        TCP_OPTIMIZE + DRE + LZ
             Negotiated:        TCP_OPTIMIZE + DRE + LZ
                Applied:        TCP_OPTIMIZE + DRE + LZ
      Accelerator Details:      None
                                      Original            Optimized
      Bytes Read:                       958333              1431050
      Bytes Written:                   1137856              1198434
      Total Reduction Ratio: 00.000%
  This means that the SSL AO is not applied to this connection.  Are you sure this server is configured for SSL acceleration?  Can you please provide a copy of your configuration?
  Thanks,
  Zach

• How does QoS work with WAAS WCCP? What's the interaction between QoS Traffic Classification and WAE Traffic Application Policy?

  How does QoS work with WAAS WCCP? What's the interaction between Router QoS Traffic Classification and WAE Traffic Application Policy?

  By default, WAAS preserves the DSCP marking on intercepted packets.  There is a configuration option to set/override the DSCP value at the global (device), application, and classifier levels.  Currently WAAS provides marking only.  There is no action taken by WAAS based on the DSCP value.
  Regards,
  Zach

• WAAS Central Manager Policy Definitions across several device groups

  Hi there,
  I am trying to find a way to apply a custom application policy(s) to multiple device groups. ( not the AllDevicesGroup).
  I have not found a way to export or import the policy.
  Any help would be appreciated.
  Todd

  I have my "Core" WAE's in a separate device group to prevent them from recieving a policy or setting intended for Edge WAEs.  For example, If someone sets the assignment method to hash, I certianly dont want that pushed to my Core, ( using Mask assignment)
  However, a custom application definition WILL need to be applied to both Core and Edge WAE's. Therefore I need a way to create the policy for all devices group and copy out and apply selected custom policies to the Core device group as well.
  Problem:  I have QUALYS Vulnerability Scanners that wreak havoc on WAE's by opening 1000's of sessions and not propoerly closing them, causing TFO Overload conditions, throughout the network.
  Solution: create a custom policy to set Scanner IP action to pass-through. there are 30+ scanners so the match condition is lenthy and woudl be painful to build manually for each device group.
  new Problem: need to apply this to multiple device groups.

• Cisco WAAS-Global policy for VMware Vsphere and/or 3par replication

  So, this is somewhat annoying that VMware Site Recovery Manager 5.0 does not seem to get much replication acceleration, mostly it is just Pass Through.  I have read a couple of Cisco marketing powerpoints that say WAAS will accelerate VMware.  But there are no Policies to that effect or configuration assistance.  So, vmware has a hundred or so connections in passthrough, all using port 44046, this web site here:
  http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1009562
  Shows that this is the port used for Ongoing replication, and port 31031 is used for the initial replication.  So, I have two 674-8gb with inline cards.  One in main office, one at DR office, both running 5.0.1.  The Lan ports on each side point to the LAN and the WAN interfaces on each end point to each other.  I have a layer 2 - 90Mbps link between the two locations, so "show cdp neighbor" shows the WAN interface connected.
  My question is, is there a policy I should create for this data to be accelerated and stop being "PT Asymmetric"?
  Second question, very similar to the first, 3par replication.  Same as above, but 3par uses port 5785 and the traffic shows up as "PT In Progress", there are only 6 or so connections in this state, but all are on this port 5785.
  If I pull up the pretty graphs on the CM for this device, it shows a well distributed graph, but if I click the check box for "include Pass-Through" it turns all blue and says 100% of traffic is "other-traffic"  Since 99% of what goes between these two WAAS devices is VMware site recovery manager 5.0 and 3par replication, I would really like to find a fix for this.

  ANSWER *******  SOLUTION  *******  ANSWER
  I created 2 - Optimization Policy Rules for "WAAS-GLOBAL"
  par3-rcopy, destination ports - 5785, 3491-3492, Application - Replication, TFO with DRE Adaptive and LZ
  VMware-Replication, destination ports - 44046, 31031, Application - Replication, TFO with DRE Adaptive and LZ
  Then I rebooted both WAAS devices and shut off the link for 20 minutes.  When I brought the link back online.  100% of data was accelerated, and 99% of the data was classified as "Replication" data.  I now get between 60% and 90% acceleration on this "Replication" traffic.  The final 1% is other data, remote desktop, ssl, citrix, sql, web...
  Lessons learned:  The 3par and VMware keep TCP connections open forever, and once the traffic in that session is classified as something, "other traffic" or "Pass Through" it does not change until you reset the connection.  So, if you make any changes, you have to shutdown the link, and clear all TCP connections from the WAAS devices, then it will go to a different optimization rule. 
  Final thoughts:  I am not completely sure that the Optimization policy rule "TFO with DRE Adaptive and LZ" is the BEST possible rule to use for this traffic.  If anyone has a better configuration for this traffic, I would really appreciate your input.

• QOS Policy gets Policy hits but doesn't seem to do anything when put to the test

  I have been trying to implement a policy that prioritizes certain types of of traffic over another namyly Lync Voice Traffic, Cisco CAPWAP traffic from controllers to AP's, and Citrix ICA Traffic. 
  I do recieve policy hits but when I load the connection up with say copying a file the policy seems to not work. This is on a 1921 router. 
  I will include the config as I may be doing somthing wrong.
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  aaa new-model
  aaa authentication login default group radius local
  aaa authorization exec default group radius local
  aaa session-id common
  ip cef
  ip domain name pmp.local
  no ipv6 cef
  multilink bundle-name authenticated
  username XXXXXXXXXXXXXXXXXXXX
  ip ssh time-out 60
  ip ssh version 2
  class-map match-any CAPWAP
   match access-group 104
  class-map match-any LYNC
   match access-group 103
  class-map match-any CITRIX
   match protocol citrix
   match access-group 110
  policy-map OUTBOUND
   class LYNC
    priority percent 25
   class CITRIX
    priority percent 50
   class CAPWAP
    priority percent 20
   class class-default
    shape average 20000000
  interface Embedded-Service-Engine0/0
   no ip address
   shutdown
  interface GigabitEthernet0/0
   no ip address
   duplex auto
   speed auto
  interface GigabitEthernet0/0.1
   description LAN Facing
   encapsulation dot1Q 1 native
   ip address 172.16.27.254 255.255.255.0
   ip helper-address 10.128.4.48
   ip helper-address 10.128.4.20
   ip helper-address 172.16.27.79
   no ip redirects
   ip flow ingress
  interface GigabitEthernet0/0.5
   encapsulation dot1Q 5
   ip address 172.16.127.254 255.255.255.0
   ip helper-address 10.128.4.48
   no ip redirects
   ip flow ingress
  interface GigabitEthernet0/0.50
   description ITTestVlan Interface
   encapsulation dot1Q 50
  interface GigabitEthernet0/1
  description PointToPoint
  bandwidth 20480
  ip address 10.0.27.254 255.255.255.0
   no ip redirects
   ip flow ingress
   duplex full
   speed 100
   service-policy output OUTBOUND
  router eigrp 10
   network 10.0.27.0 0.0.0.255
   network 172.16.27.0 0.0.0.255
   network 172.16.127.0 0.0.0.255
  ip forward-protocol nd
  ip forward-protocol udp 4011
  ip forward-protocol udp bootps
  no ip http server
  ip http access-class 23
  ip http authentication aaa login-authentication default
  ip http authentication aaa exec-authorization default
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 1000
  ip route 0.0.0.0 0.0.0.0 172.16.27.253 200
  access-list 23 permit 10.0.27.0 0.0.0.255
  access-list 23 permit 172.16.0.0 0.0.0.255
  access-list 23 permit 172.16.27.0 0.0.0.255
  access-list 23 permit 172.16.127.0 0.0.0.255
  access-list 103 remark LYNC-Priorisation
  access-list 103 permit tcp any any eq 3389
  access-list 104 remark CAPWAP-Priority
  access-list 104 permit udp any eq 5246 any
  access-list 104 permit udp any any eq 5246
  access-list 104 permit udp any eq 5247 any
  access-list 104 permit udp any any eq 5247
  access-list 110 remark Citrix-Priorisation
  access-list 110 permit tcp any eq 2598 any
  access-list 110 permit tcp any any eq 2598
  access-list 110 permit tcp any eq 1494 any
  access-list 110 permit tcp any any eq 1494
  snmp-server enable traps entity-sensor threshold
  radius-server host 10.128.4.20 key XXXXXXXXXXXXXXXXXXXXXXXXXX
  control-plane

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  So what do you have, a 100 Mbps Ethernet hand-off with a 20 Mbps bandwidth cap?
  If so, you want to shape for your logical bandwidth cap and then priorize, as desired, in a child policy.
  BTW, you normally don't use LLQ for other than very time critical traffic, e.g. VoIP bearer, and Cisco recommends you don't allocate more than a third of your bandwidth to LLQ.
  I would suggest you just shape for your 20 Mbps and try FQ for all traffic.
  e.g.
  policy-map Sample
  class class-default
  shape average 20000000
  fair-queue
  NB: I'm unsure whether FQ will apply to the shaped traffic, if not:
  policy-map SampleParent
  class class-default
  shape average 20000000
  service-policy SampleChild
  policy-map SampleChild
  class class-default
  fair-queue
  NB: SampleChild is where/how you would provide a custom policy for your shaped traffic.
  PS:
  BTW, you apply the policy with the shaper to the interface.

• Prepositioning in WAAS 4.1.1c

  I am having trouble with this atm.
  I have setup a test share on a remote server,with permissions etc and configured the relevant fields on WAAS GUI under -"File Services,Preposition".
  I can broswe and find the directory and schedule the job to run.
  The job seems to run ok,but when I go to the remote WAE and look at the Preposition Policy I am seeing no data actually being copied,just the Duration field is incrementing.The throughput field is also blank.
  Any ideas?
  Regards,
  Nick

  Can any help with this please?

• Class-Map and Policy-Map Configuration in CM Confusion

  Hi,
  I'm implementing a green field WAAS deployment for a customer. We currently have a Proof-of-Concept up and running.
  I've got some questions regarding custom class-map and policy-map configuration in the CM. I'd like to nail-down the custom class-map and policy-map configuration (and understanding) in the PoC before cutting over the PoC branches to the production WAAS environment.
  Assuming a typical WAAS Deployment using WCCP for off-path interception, branch to DC.
   ==> 61 in LAN (BRANCH ROUTER) <== 62 in WAN        (WAN CLOUD)        ==> 61 in WAN (DC ROUTER) <== 62 in LAN
  We are using two distinct device groups, BRANCH and DATA CENTER.
  If the customer has traffic that we need to classify in order to provide TFO only optimisation, should the single class-map include the traffic in both directions? Ie., (assume the SERVER is 10.1.1.1 TCP Port 443). Should the class-map be configured as:
  Class-Map
  Line 1: DST IP 10.1.1.1 DST Port 443
  Line 2: SRC IP 10.1.1.1 SRC Port 443
  Or in this case is only the DST line required? And in which Device Group should the custom policy be applied? Or should it be applied to both Device Groups? If it should be applied to both Device Groups, then would it make more sense to have the policy-map in the Branch DG configured to match the DST traffic, and on the Data Center DG have a different class-map match the SRC traffic?
  My confusion is how to classify the traffic (SRC or DST or Both - Separate classes for each or different lines within the same class-map), and where to apply the appropriate policy (both Device Groups, just Branch, just DC) and why...
  I tried to apply a custom policy and the impact in the PoC was that the TCP Summary report stopped reporting the individual traffic classes showed 'other traffic' only. Can anyone explain why this may have occurred?
  I hope this makes sense.

  for instance like this:
  policy-map police-in
  class class-default
  police rate 10 mpbs <optionally set burst>
  policy-map shape-out-parent
  class class-default
  shape 10 mpbs <optional burst config>
  service-policy shape-out-child
  policy-map shape-out-child
  class class-default
  queue-limit 10 packets
  int g 0/0/0/0
  service-policy police-in in
  service-policy shape-out-parent out
  also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
  and the support forum article of "asr9000 quality of service architecture"
  xander

• Prioritize data on one SSID on an autonomous AP with multiple SSIDs

  Hello,
  I have a standalone AP(AP1261N) which is configured with 3 SSIDs.I would like to prioritize any data flow on SSID 1 for example so that users on SSID 1 are always functional independent on what is happening on the other SSIDS.
  Then have the SSID 2 with a lower priority and SSID 3 lowest priority.
  Each SSID is associated with a vlan.
  I have seen some posts describing that this can be done using QOS associated with the different vlans.
  Could someone please explain how I could configure the AP to do so?
  I am using Command line.     
  Thank you 

  Hi Kavi,
  Here are the few important points you need to understand when it comes to Autonomous AP QoS (this is extract from the link provided by Scot in above).
  The QoS implementation for wireless LANs differs from QoS  implementations on other Cisco devices. With QoS enabled, access points  perform the following:
  •They  do not classify packets; they prioritize packets based on DSCP value,  client type (such as a wireless phone), or the priority value in the  802.1q or 802.1p tag.
  •They  do not construct internal DSCP values; they only support mapping by  assigning IP DSCP, Precedence, or Protocol values to Layer 2 COS values.
  •They carry out EDCF like queuing on the radio egress port only.
  •They do only FIFO queueing on the Ethernet egress port.
  •They support only 802.1Q/P tagged packets. Access points do not support ISL.
  •They support only MQC policy-map set cos action.
  •They  prioritize the traffic from voice clients (such as Symbol phones) over  traffic from other clients when the QoS Element for Wireless Phones  feature is enabled.
  •They support Spectralink phones using the class-map IP protocol clause with the protocol value set to 119.
  Also it is important to understand what type of traffic get impacted by AAP QoS. When you configure AAP for QoS it will primarily affect downstream traffic from AP to Client (No control over traffic coming from wireless client to AP - where priority will determine by WMM UP of clients traffic)
  As you can see in the above, only FIFO available on ethernet egress (from AP to rest of your network) & then depend on how do you configure network switch ports connected to these AP (either trust DSCP or COS) it will determine how QoS maintain within your wired network.
  In unified wireless enviroment you can classify each SSID with different QoS profile (Platinum, Gold, Silver & Bronze) & control what is the max level of QoS priority packets will get in each SSID. But in autonomous world it is not straightforward like that.
  HTH
  Rasika