[c-nsp] OT: Cisco WAAS Setup Scenario

James Michael Keller jmkeller at houseofzen.org
Fri Jun 26 10:12:19 EDT 2009 

Felix,

As the SYN packet for a new tcp session passes through the WAE unit 
(in-line or via wccp) the WAE uses the tcp option fields of the SYN 
packet to tag the packet with it's unique ID and it's capabilities (CIFS 
Acceleration, DRE, TFO, etc).   If the flow doesn't encounter another 
WAE unit, it is processed by the other end of the connection as a normal 
(outside of firewalls/IDP blocking it for unknown tcp options).    If 
passing through a another WAE unit, the return SYN/ACK is tagged by that 
WAE and any matching capabilities are enabled for that flow on the 
return path WAE and the source WAE.

The use of the TCP options fields for the 'WAAS magic' is where you run 
into problems with firewalls and IDS systems, they either drop packets 
completely or strip the TCP 'unknown' options from the packets.   Which 
prevents any optimizations from engaging (if stripping) or the 
connections being blocked (if dropping packet).

ASA/PIX's where updated to pass WAE tagged traffic, other vendors may 
have issues passing the traffic.   It depends on what your WAN network 
is connected with.   In the case I had to get it working via a 
Checkpoint->Checkpoint IPSEC VPN, the wire-mode VPN feature worked to 
avoid any packet mangling of the TCP options and we got full optimization.

I would also make sure you are on the latest and greatest release.   
There have been a lot of improvements and general bug / crash fixes in 
the  in the last year.

---
James Michael Keller



Felix Nkansah wrote:
> Hi Team,
> Pardon me for the OT.
>
> I want to deploy Cisco WAAS as a proof of concept to a client with several
> sites connected in a hub-n-spoke topology.
>
> I would deploy only one WAE (and a CM) at the hub/head office and one WAE at
> a selected spoke, in production.
>
> I intend on setting the WAEs Inline for simplicity. However, I have some
> doubts that I hope you could help clear.
>
> If the WAE at the head office accelerates traffic going to a spoke site
> without a WAE, would the traffic be dropped?
>
> If the hub site receives non-accelerated traffic from spoke sites without
> WAE, would the head office WAE drop the traffic?
>
> I am concerned because I know the acceleration process utilizes compression
> schemes which may require decompression at the other site by a WAE.
>
> Labbing this up would give me the answers, but I felt I could leverage your
> skills for quick answers to these :-)
>
> Your responses are appreciated.
>
> Felix
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list