Home > Articles > Network Integration and Interception

Network Integration and Interception

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Jun 30, 2008.

Chapter Description

This chapter provides an in-depth review of the network integration and interception capabilities of Cisco WAAS.

This chapter provides an in-depth review of the network integration and interception capabilities of Cisco WAAS. The chapter begins by describing the options for basic connectivity, including link aggregation and NIC teaming. This is followed by a discussion of the interception methods available for redirecting traffic to a WAAS device for optimization. The techniques and methods discussed in this chapter form the foundation of the design and deployment solutions presented in subsequent chapters of this book.

Interface Connectivity

Each Cisco Wide Area Application Engine (WAE) has two 10/100/1000BASE-T Ethernet interfaces. In a typical deployment, each WAE is connected using a single interface to a LAN switch or router. By default, WAE interfaces auto-negotiate their speed and duplex. You can optionally configure the interface speed to 10 or 100 Mbps. In order for the interface speed to run at 1000 Mbps, it must be configured for auto-negotiation. The duplex of the interface is also configurable.

The router-integrated network module (NME-WAE) is also equipped with two Ethernet interfaces, but only one interface is accessible externally. The other interface connects directly to the internal router PCI bus at 1 Gbps and is configured in a similar manner as an external interface would be configured on a WAE appliance. Unlike a WAE appliance configuration, the WAE interface IP address and default gateway are configured as part of the Cisco IOS interface configuration where the NME-WAE is installed. Figure 4-1 shows the physical interface layout on the router-integrated NME-WAE.

Figure 4-1

Figure 4-1 NME-WAE Physical Interface Connectivity

The WAE interface configuration options are similar to the Cisco IOS configuration options, both in terms of function and CLI commands. Example 4-1 shows the interface configuration options available on a WAE.

Example 4-1. WAE Interface Configuration Options

WAE-612(config)# interface gigabitEthernet 1/0
WAE-612(config-if)# ?
  autosense      Interface autosense
  bandwidth      Interface bandwidth
  cdp            Cisco Discovery Protocol Interface Config commands
  channel-group  Configure EtherChannel group
  description    Interface specific description
  exit           Exit from this submode
  full-duplex    Interface fullduplex
  half-duplex    Interface halfduplex
  ip             Interface Internet Protocol Config commands
  mtu            Set the interface Maximum Transmission Unit (MTU)
  no             Negate a command or set its defaults
  shutdown       Shutdown the specific interface
  standby        Standby interface config commands
WAE-612(config-if)#

One of the interface configuration commands that behaves differently in WAAS versus IOS is the bandwidth command. The bandwidth interface configuration command in WAAS is used to specify the speed of the interface when auto-negotiation is disabled. The way in which the standby interface command is used is another important difference between WAAS and IOS. In IOS, the standby interface command is used for configuring the Hot Standby Router Protocol (HSRP) feature, while in WAAS it is used to configure the standby interface feature, described in the next section. You can see from the output in Example 4-1 that the remaining WAAS interface configuration commands are similar to the corresponding IOS interface configuration commands.

You can explicitly configure the interface with an IP address and subnet mask, or the WAE can acquire an IP address using DHCP. Each WAE interface can also be configured with multiple secondary IP addresses. It is also possible for the same interface to acquire an IP address through DHCP, and have multiple secondary IP addresses statically configured. By default, the interfaces on a WAE are administratively disabled, and are automatically enabled when a valid IP address is configured.

Each WAE interface is primarily referenced using the standard Cisco IOS interface naming scheme:

  • <interface-name> <slot/port>

This is how WAE interfaces are referred to during configuration through the CLI or GUI. The interfaces also have an internal name by which the Linux operating system knows them. Table 4-1 shows the mapping between the internal and external interface names.

Table 4-1. WAE External and Internal Interface Names

IOS Name

Internal Name

gigabitEthernet 1/0

eth0

gigabitEthernet 2/0

eth1

Understanding the internal name of an interface is useful for understanding system log messages and using internal operating system tools, such as Ethereal or Tcpdump, which are useful for capturing traffic for offline analysis.

Just like the interface configuration, the outputs of interface show commands in WAAS are similar to Cisco IOS. Example 4-2 shows the output from the show interface command in WAAS.

Example 4-2. WAE show interface Command Output

AST6-CCO-02# show interface gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:28
Internet address:10.88.81.2
Broadcast address:10.88.81.15
Netmask:255.255.255.240
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 966044
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 1046794
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST RUNNING MULTICAST
Mode: autoselect, full-duplex, 100baseTX
AST6-CCO-02#

In addition to the normal interface information, such as IP address, Ethernet address, and counters, each interface also has a set of flags. These flags are the same flags that can be seen in the output of the ifconfig command in Linux. The two most important flags are UP and RUNNING. The presence of the UP flag indicates that the interface is administratively enabled. The presence of the RUNNING flag indicates that line protocol on the interface is operational.

Link Aggregation Using EtherChannel

To increase the available interface bandwidth for a WAE, Cisco WAAS supports EtherChannel. EtherChannel allows for the grouping of multiple physical interfaces to create a single "virtual" interface. The virtual interface, which functions as a single interface, has the aggregate bandwidth of the available physical interfaces in the channel group. EtherChannel is useful when the output from a single WAE exceeds the physical limitations of a single interface. For example, some remote sites may only have 100-Mbps LAN connections available, whereas the traffic from a single WAE can easily exceed 100 Mbps. In these situations, using EtherChannel to group both physical WAE interfaces together provides 200 Mbps of usable interface bandwidth.

In addition to increasing the available interface bandwidth, the EtherChannel has automatic failure and recovery detection based on the link state of each individual interface. In the event of a single interface failure, traffic continues to pass over the remaining interface in the channel group. The EtherChannel interface uses the MAC address from one of the physical interfaces in the group. The same MAC address is used persistently for the EtherChannel interface, even if the physical interface associated with that MAC address goes down. The formation of an EtherChannel in WAAS is based purely on device configuration. WAAS does not support Cisco Port Aggregation Protocol (PAgP) or 802.3ad Link Aggregation Control Protocol (LACP). When configuring EtherChannel between a WAE and a LAN switch, the channel mode on the LAN switch should be set to On for the WAE EtherChannel.

By default, the WAE load balances packets across all available interfaces in the channel group using a round-robin algorithm. WAAS also supports load balancing using destination IP address or destination MAC address.

Figure 4-2 shows a WAE connected to a single LAN switch using EtherChannel.

Figure 4-2

Figure 4-2 WAE Connected Using EtherChannel Feature

EtherChannel Configuration

Configuring EtherChannel in WAAS involves the following steps:

Step 1 Create a virtual PortChannel interface.

Step 2 Configure an IP address and subnet mask for the PortChannel interface.

Step 3 Assign the physical interfaces to the PortChannel.

Example 4-3 shows a basic EtherChannel configuration.

Example 4-3. WAE EtherChannel Configuration

!
interface PortChannel 1
 description ** EtherChannel Link to Switch ABC ***
 ip address 10.10.10.5 255.255.255.0
 exit
!
interface GigabitEthernet 1/0
 channel-group 1
 exit
interface GigabitEthernet 2/0
 channel-group 1
 exit
!

You should observe the following limitations when configuring EtherChannel in WAAS:

  • Both interfaces in the channel group must run at the same speed.
  • Access control lists (ACL) are still applied to each physical interface.

The load-balancing algorithm used for distributing traffic across the EtherChannel is configured using the following command:

   port-channel load-balance dst-ip | dst-mac | round-robin

The command is configured globally and applies to all PortChannels on the WAE.

To check the status of the PortChannel interface, use the show interface PortChannel channel-number command. Example 4-4 demonstrates the output of this command.

Example 4-4. WAAS show interface PortChannel Output

AST6-CCO-01# show interface PortChannel 1
   Interface PortChannel 1 (2 physical interface(s)):
           GigabitEthernet 1/0 (active)              
           GigabitEthernet 2/0 (active)              
---------------------
Type:Ethernet
Ethernet address:00:11:25:AB:43:32                   
Internet address:10.88.80.130
Broadcast address:10.88.80.255
Netmask:255.255.255.128
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 815996
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 321842
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:0
Collisions: 0
Flags:UP BROADCAST RUNNING MASTER MULTICAST
AST6-CCO-01#

Each member of the channel group, along with the status of the interface, is shown at the beginning of the output. The MASTER flag in the example output indicates that this is the virtual EtherChannel interface. Also notice the Ethernet address, which is taken from one of the physical interfaces in the channel group. Example 4-5 demonstrates the same command for each physical interface in the channel group.

Example 4-5. Channel Group Member Interface Output

AST6-CCO-01#  show interface gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:32              
Internet address:10.88.80.130
Broadcast address:10.88.80.255
Netmask:255.255.255.128
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 816176
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 321880
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST RUNNING SLAVE MULTICAST
Mode: full-duplex, 100baseTX
AST6-CCO-01#
AST6-CCO-01# show interface gigabitEthernet 2/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:32              
Internet address:10.88.80.130
Broadcast address:10.88.80.255
Netmask:255.255.255.128
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 0
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 0
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x3400
Flags:UP BROADCAST SLAVE MULTICAST
Mode: autoselect
AST6-CCO-01#

The command output for each physical interface is the same as it is without EtherChannel configured, with the following exceptions:

  • The SLAVE flag is set, indicating that the interface is part of an EtherChannel group.
  • The Ethernet address for each interface is the same, and matches the MAC address used by the virtual EtherChannel interface.

Using the Standby Interface Feature

When you do not require increased interface bandwidth but desire interface redundancy, you can use the standby interface feature. The standby interface feature configures both physical interfaces on the WAE in an active/standby failover pair. At any point in time, only one of the interfaces is active and passing traffic. The second interface, or standby interface, is passively waiting to take over in the event that the active interface fails. When the active interface fails, the standby interface takes over the active role. When the previously active interface recovers, it assumes the standby role. The interface with the highest priority is preferred as the active interface. The priority is configurable.

The standby interface feature has become a popular choice for deployments because the WAE can be physically connected to two different LAN switches. This prevents the failure of a single LAN switch or switchport from disrupting the operation of the WAE. Figure 4-3 shows an example of a WAE connected using the standby interface feature.

Figure 4-3

Figure 4-3 WAE Connected Using Standby Interface Feature

The failure of the active interface in the standby group is detected using three different methods. The first method monitors the link state of the active interface. Line protocol is up when the RUNNING flag is present on the Ethernet interface. If line protocol fails on the active interface, the interface is marked as down.

The second method uses an ICMP ping to check availability of the default gateway configured on the WAE. An ICMP echo request is sent once every 10 seconds to the configured default gateway. If there is a response to the echo request, the interface is considered up. If there is no response to the echo request, five more echo requests are sent. If at least three responses are received, the interface is considered up. Otherwise, the interface is considered failed, and the interface is marked as down.

The final method available for monitoring the health of the active interface uses the interface error count to determine if an unacceptable number of errors have been seen on the interface. The error count is the absolute number of transmit and receive errors on the active interface. This check is disabled by default, but can be enabled using the following command:

   errors 1-2147483647

The interface state and error counts (when configured) are checked once every 10 seconds. If the active link fails or the error count threshold is exceeded, the interface with the next highest priority is activated. When the failed interface recovers, it becomes the standby interface for the group. The standby interface does not have a preempt capability. When a new interface is activated, the WAE generates a gratuitous ARP to update the MAC address for the shared IP on all other devices on the same subnet. This prevents devices from sending traffic to the shared IP address on the WAE to the MAC address of the failed WAE interface.

Standby Interface Configuration

Configuring the standby interface feature in WAAS involves the following steps:

Step 1 Create a virtual standby interface.

Step 2 Configure an IP address and subnet mask for the standby interface.

Step 3 Assign the physical interfaces to the standby group.

Example 4-6 shows a basic standby interface configuration.

Example 4-6. WAE Standby Interface Configuration

!
interface Standby 1
 ip address 10.88.80.130 255.255.255.128
 exit
!
interface GigabitEthernet 1/0
 standby 1 priority 105
 exit
interface GigabitEthernet 2/0
 standby 1
 exit
!

You should observe the following limitations when configuring the standby interface feature within WAAS:

  • The physical interfaces in the standby group do not require IP addresses.
  • The standby interface feature does not have a preempt capability.

Each physical interface can be assigned a numeric priority between 1 and 2,147,483,647. The default standby priority for an interface is 100. The virtual standby interface uses the MAC address of the active interface. When the active interface fails and the standby interface takes over, the WAE generates a gratuitous ARP request to update the adjacent devices with the new MAC address associated with the WAE IP address.

To check the status of the standby interface, use the show interface Standby standby-interface-number command. Example 4-7 shows the output of this command.

Example 4-7. WAAS show interface Standby Interface Output

AST6-CCO-01# show interface Standby 1
Standby Group: 1
        IP address: 10.88.80.130, netmask: 255.255.255.128
        Member interfaces:
                GigabitEthernet 1/0     priority: 105
                GigabitEthernet 2/0     priority: 100
        Active interface: GigabitEthernet 1/0
AST6-CCO-01#

Each member of the standby group, as well as the status of the interface, is shown in the output. The current active interface is also displayed. The output for each physical interface is shown in Example 4-8.

Example 4-8. Standby Group Member Interface Output

AST6-CCO-01# show interface gigabitEthernet 1/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:32
Internet address (secondary): 10.88.80.130 Netmask: 255.255.255.128
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 819025
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 322492
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x2000
Flags:UP BROADCAST RUNNING MULTICAST
Mode: full-duplex, 100baseTX
AST6-CCO-01#
AST6-CCO-01# show interface gigabitEthernet 2/0
Type:Ethernet
Ethernet address:00:11:25:AB:43:33
Maximum Transfer Unit Size:1500
Metric:1
Packets Received: 0
Input Errors: 0
Input Packets Dropped: 0
Input Packets Overruns: 0
Input Packets Frames: 0
Packet Sent: 0
Output Errors: 0
Output Packets Dropped: 0
Output Packets Overruns: 0
Output Packets Carrier: 0
Output Queue Length:1000
Collisions: 0
Base address:0x3400
Flags:UP BROADCAST MULTICAST
Mode: autoselect
AST6-CCO-01#

In this output, the only indication that the interface is a member of a standby group is the secondary IP address, which matches the IP address configured on the virtual standby interface.

2. Interception Techniques and Protocols | Next Section

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020