White Paper

Cisco Wide Area Application Services Availability and Integrity

All contents are Copyright 1992-2006 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

IT organizations are challenged with conflicting requirements: to consolidate costly remote-office infrastructure and to maintain adequate service levels for remote-office users. Cisco Wide Area Application Services (WAAS) provides the technologies necessary to consolidate infrastructure in the data center while also providing application acceleration and WAN optimization capabilities that achieve application delivery performance similar to that of a LAN. This document examines how, through Cisco WAAS, Cisco Systems provides the framework to deliver data integrity and high availability in solutions that facilitate consolidation and improved application delivery performance.

CISCO WAAS ARCHITECTURE

Cisco WAAS and Cisco Wide Area Application Engine (WAE) Appliances and router-integrated network modules provide a framework that IT organizations can use to consolidate costly, difficult-to-manage distributed infrastructure while delivering performance metrics that meet the expectations of the demanding branch-office user.

As shown in Figure 1, Cisco WAAS and Cisco WAE are deployed at network entry and exit points in remote-office, regional-office, and data center locations and are smoothly integrated into the network to transparently optimize application flows that traverse the WAN.

Figure 1. Cisco WAAS Enterprise Deployment

The architectures of Cisco WAAS and the Cisco WAE hardware platform allow the intelligent optimization of application protocols while providing the levels of availability and integrity demanded by today's discriminating IT organizations.
As shown in Figure 2, Cisco WAAS is deployed out of band using network interception and redirection technologies such as Web Cache Control Protocol Version 2 (WCCPv2) and policy-based routing (PBR). With its extensible, out-of-band architecture, Cisco WAAS is well positioned to provide acceleration for application flows, transparency to existing network functions, availability to meet critical business demands, and scalability to meet application performance objectives. Furthermore, global device policy is controlled through the Cisco WAAS Central Manager, enabling simplified synchronization of application traffic policy throughout the enterprise.

Figure 2. Cisco WAAS Packet Flow Diagram

CISCO WAAS HIGH AVAILABILITY

Cisco WAAS is designed to meet the availability requirements of the most demanding enterprise IT organizations. From the extensible software architecture to network interception, all aspects of Cisco WAAS have been designed to meet or exceed availability metrics. This section discusses each of the components associated with Cisco WAAS high availability.

Software Architecture

The Cisco WAAS Software architecture is designed to be highly available and fail-safe. Multiple monitoring processes and internal keepalive processes are used to help ensure that critical system processes remain online. If a process fails, Cisco WAAS automatically restarts the failed process. Furthermore, the optimization components communicate with each other to identify available load levels. If a component has a heavy load, that component can notify the other components within the system, allowing overloaded components to receive less workload so that they do not become bottlenecks.
If the system or an optimization component has a load that exceeds its capacity, Cisco WAAS continues to optimize existing connections and passes new connections through unoptimized until the system load returns to acceptable levels. At that point, Cisco WAAS begins optimizing new connections again. In this manner, the Cisco WAAS Software prevents overload from affecting system availability and functions.

With Cisco WAAS Automatic Discovery, Cisco WAEs automatically discover one another in the network path of a TCP connection, and most network topologies are supported. Complex overlay networks that require definition of endpoints and mappings between devices (also known as tunnel definitions) are not necessary with Cisco WAAS. By using automatic discovery, administrators gain improved system availability and administrative simplicity, because automatic discovery reduces the likelihood of misconfiguration of endpoint mappings or tunnels.

Cisco WAAS can also be monitored using system logging (syslog) and Simple Network Management Protocol (SNMP). MIBs report on device and component availability and status, and alarms are generated when system thresholds are exceeded or the status of a Cisco WAAS component changes.

Hardware Architecture

The Cisco WAE Appliances, shown in Figure 3, are designed for availability. Each Cisco WAE Appliance has different availability characteristics, and each is positioned for different uses.

Figure 3. Cisco WAE Appliances

Every Cisco WAE Appliance includes the following availability features:

Error checking and correction (ECC): ECC can detect and correct any errors immediately while data is being read from or written to memory.

Extended-availability hard drives: All Cisco WAE hard drives are rated for extended availability and designed to operate in an always-on capacity.
Redundant Array of Independent Disks (RAID): All Cisco WAEs configured with two or more hard drives use RAID1 for each of the internal file systems for high-availability mirroring. If all disks fail, Cisco WAAS can still provide standards-based compression and TCP flow optimizations.

Redundant network interfaces: Interfaces can be deployed in an active or standby mode or in a PortChannel. PortChannel interfaces provide load-balancing capabilities as well as failover.

Boot from flash memory disk: Cisco WAEs boot from an onboard flash memory disk and are accessible on the network even if every hard disk in the appliance has failed. This capability allows administrators to access the device and obtain critical system information even if the device cannot provide optimization because of disk failure.

The Cisco WAE-7326 Wide Area Application Engine, designed for enterprise data center deployment, also includes redundant and hot-swappable power supplies.

Each Cisco WAE Appliance is rated for a mean time between failure (MTBF) of no fewer than 30,000 hours. This MTBF rating is calculated using a method that defines a failure as any scenario that is visible to the customer and directly attributed to the product, including dead-on-arrival (DOA) and end-of-life products. The calculation used to generate the MTBF is extremely aggressive and counts the number of operational hours until the installed inventory has experienced the equivalent of one failure for each installed product.

Cisco WAAS Central Manager

The Cisco WAAS Central Manager provides secure and scalable central management and monitoring of all Cisco WAEs within a Cisco WAAS topology.
The Cisco WAAS Central Manager can be deployed in an active-standby high-availability fashion, where one Cisco WAE acts as the primary Central Manager and another Cisco WAE acts as a standby node. Configuration changes that are made on the primary Central Manager, as well as monitoring data received from Cisco WAEs within the topology, are automatically distributed to the standby Central Manager. If the primary Central Manager fails, the standby Central Manager is promoted to primary and assumes responsibility on behalf of the failed node. If no Central Manager is available, the WAEs within the WAAS topology continue to operate without disruption.

WCCPv2

WCCPv2 is the preferred mechanism for network interception and redirection in Cisco WAAS networks. With WCCPv2, the adjacent network device, such as a router, switch, or firewall, actively monitors traffic flows to find traffic that may be a candidate for optimization. When such packets are identified, they are redirected to a nearby Cisco WAE. WCCPv2 has built-in mechanisms for high availability, including the following:

Keepalive processes: All Cisco WAEs and network elements continuously exchange heartbeat information at a fixed interval to allow safe redirection of flows.

Scalability: Up to 32 Cisco WAE devices can be clustered together in a WCCPv2 service group with up to 32 routers, allowing enterprises to deploy WAN optimization and application acceleration in an N + 1 high-availability fashion.

Stateful distribution of workload and load balancing: WCCPv2 automatically distributes load among available Cisco WAEs, providing linear scalability of performance. In this way, all WAEs are used simultaneously, thereby improving overall capacity for application acceleration and WAN optimization. Redirection is performed statefully based on a load-balancing algorithm that helps ensure that a flow is always redirected to the same WAE every time to facilitate maximum performance and optimization.
Automatic failover: If a WAE fails, the workload handled by the failed WAE is shifted to the other remaining WAEs. Failover to another WAE provides graceful performance degradation because all WAEs are active within a location, so other WAEs likely have similar compression histories.

Fail-through: If no Cisco WAEs remain in a location, the WCCPv2 process no longer has a WAE device to redirect packets to, so the router begins forwarding packets natively without redirection.

Overload handling: If a WAE becomes overloaded and unable to service an incoming request, it can simply forward the packet in an unoptimized fashion until the system returns to normal load levels.

PBR

PBR is another mechanism for network interception and redirection in Cisco WAAS networks. With PBR, network routers and switches can be configured to use the Cisco WAE as a next-hop router for traffic that is to be optimized. When such packets are identified, they are forwarded to the configured next-hop Cisco WAE. With PBR and Cisco IOS Software, numerous high-availability mechanisms are available:

Cisco WAE availability verification: Through the use of Cisco IOS IP Service Level Agreement (IP SLA) functions, the Cisco WAE can be polled periodically through Internet Control Message Protocol (ICMP) or TCP connection attempts to verify that the WAE is online.

Automatic failover: If multiple Cisco WAEs are configured as next-hop routers, the router forwards traffic to the first WAE until it is determined to be unavailable. At that point, the router automatically uses the next Cisco WAE in the next-hop router list.

Fail-through: If none of the configured next-hop Cisco WAEs are available, the router no longer forwards traffic to them for optimization. The packets are routed normally instead.
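The WCCPv2 behaviour described above (sticky redirection of a flow to one WAE, keepalive-driven failover, fail-through when no WAE is left, and overload bypass) as an added simulation; this is not Cisco's code. The 256-bucket hash assignment models how WCCPv2 distributes flows across a service group, while the keepalive interval, the dead threshold, the WAE names and the flows are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# WCCPv2 hash-assigns each flow to one of 256 buckets owned by a WAE; the
# keepalive interval and the dead threshold are constructed for this model and
# are not figures from the white paper.
BUCKETS = 256
KEEPALIVE_INTERVAL = 10.0            # seconds between heartbeats
DEAD_AFTER = 3 * KEEPALIVE_INTERVAL  # silence before a WAE is dropped from the group


@dataclass
class Wae:
    name: str
    capacity: int        # optimized flows this WAE accepts before bypassing new ones
    last_seen: float = 0.0
    optimized: int = 0


def flow_bucket(src, dst, sport, dport):
    """Hash the 4-tuple to a bucket so a given flow always maps to the same WAE."""
    key = f"{src}:{sport}->{dst}:{dport}".encode()
    return hashlib.sha256(key).digest()[0] % BUCKETS


class ServiceGroup:
    """The router's view of one WCCPv2 service group."""

    def __init__(self, waes, now=0.0):
        self.waes = {w.name: w for w in waes}
        for w in waes:
            w.last_seen = now
        self.assignment = {}
        self.rebalance(now)

    def alive(self, now):
        return [w for w in self.waes.values() if now - w.last_seen < DEAD_AFTER]

    def heartbeat(self, name, now):
        """Record a keepalive from a WAE; membership is recomputed from it."""
        self.waes[name].last_seen = now
        self.rebalance(now)

    def rebalance(self, now):
        """Spread the buckets evenly over the WAEs still answering keepalives."""
        live = self.alive(now)
        self.assignment = {b: live[b % len(live)].name for b in range(BUCKETS)} if live else {}

    def redirect(self, flow, now):
        """("redirect", wae) normally; ("fail-through", None) when no WAE is alive and
        the router routes natively; ("bypass", wae) when the chosen WAE is over
        capacity and forwards the flow unoptimized."""
        self.rebalance(now)  # failed WAEs drop out and their buckets move to the rest
        if not self.assignment:
            return ("fail-through", None)
        wae = self.waes[self.assignment[flow_bucket(*flow)]]
        if wae.optimized >= wae.capacity:
            return ("bypass", wae.name)
        wae.optimized += 1
        return ("redirect", wae.name)


def demo():
    """Sticky redirection, failover to a peer, fail-through, and overload bypass."""
    group = ServiceGroup([Wae("WAE-A", 100), Wae("WAE-B", 100)], now=0.0)
    flow = ("10.1.1.5", "10.200.0.10", 51234, 445)  # constructed client->CIFS flow
    first = group.redirect(flow, now=0.0)
    same = group.redirect(flow, now=1.0)             # same 4-tuple, same WAE
    for t in (10.0, 20.0, 30.0, 40.0):               # WAE-A goes silent, WAE-B keeps on
        group.heartbeat("WAE-B", t)
    after_failure = group.redirect(flow, now=40.0)
    nothing_left = group.redirect(flow, now=200.0)   # every WAE has timed out
    small = ServiceGroup([Wae("WAE-C", 1)], now=0.0)
    overload = [small.redirect(flow, 0.0),
                small.redirect(("10.1.1.6", "10.200.0.10", 51235, 445), 0.0)]
    return {"first": first, "same": same, "after_failure": after_failure,
            "nothing_left": nothing_left, "overload": overload}
```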
File Services Acceleration

The application-specific acceleration components of Cisco WAAS for the Common Internet File System (CIFS) protocol, also known as Cisco Wide Area File Services Software (WAFS) functions, are designed for high availability. In a Cisco WAAS Version 4 topology, WAEs can be configured as WAFS Edge WAEs or WAFS Core WAEs, depending on their proximity to users or file servers, as shown in Figure 4.

Figure 4. Cisco WAAS File Services Acceleration Deployment

The Cisco WAFS Edge service is deployed on Cisco WAEs that are close to users who need high-performance access to geographically distant file servers or NAS devices. The Cisco WAFS Core service is deployed on Cisco WAEs that are close to the file servers and NAS devices that need to be accessed by distant users. Each component of the file services acceleration framework in Cisco WAAS is designed to be highly available.

Cisco WAFS Edge service: The Cisco WAFS Edge service is continuously monitored by an internal process so that if the service becomes unresponsive or otherwise unavailable, it is automatically restarted. This service can be run concurrently on multiple Cisco WAEs in the same location to provide high levels of availability for file services optimization.

Cisco WAFS Core service: The Cisco WAFS Core service is continuously monitored by an internal process so that if the service becomes unresponsive or otherwise unavailable, it is automatically restarted. The Cisco WAEs running this service can be clustered together, and load from connected Cisco WAFS Edge WAEs is distributed in a round-robin fashion. If a WAE fails, the connected Cisco WAFS Edge WAEs are notified and automatically reconnect to an alternate Cisco WAFS Core WAE within the cluster.

Cisco WAFS Optimized Transport: Communication between the Cisco WAFS Edge WAE and the Cisco WAFS Core WAE uses an optimized transport that improves availability in WAN environments.
This optimized transport includes connection multiplexing, which minimizes the effects of packet loss on the connection between the WAFS Edge and WAFS Core by using multiple concurrent connections and adaptive congestion-management algorithms.

Read-only disconnected mode: File servers or NAS devices that are optimized by Cisco WAAS can be configured for read-only disconnected-mode operation. Any user who can be successfully reauthenticated by a domain controller during periods of prolonged disconnection has read-only access to files and folders that are fully cached on the Cisco WAE. The WAE uses cached copies of file and directory metadata and access control lists (ACLs) to self-authorize users.

The file services acceleration component of Cisco WAAS is designed to handle changes in WAN conditions to improve the stability of interactive and noninteractive operations, as follows:

Transient network disconnection: For periods of disconnection of less than 90 seconds, the Cisco WAE temporarily buffers user transactions. If connectivity to the Cisco Core WAE is restored within 90 seconds, buffered transactions are flushed to the origin file server or NAS device, and the temporary disconnection is fully masked from the user.

Prolonged network disconnection: Any disconnection between Cisco WAEs running file services acceleration that extends beyond 90 seconds causes the Cisco WAEs to enter prolonged network disconnection mode. In prolonged disconnection mode, all states are immediately cleared and sessions are terminated. The cause of the prolonged network disconnection determines the scenario that follows:

No Cisco WAEs, and WAN is offline: In this scenario, the user is fully disconnected from the file server, unless Windows Offline Files and Folders is configured.
No Cisco WAEs, and WAN is online: In this scenario, the user can reestablish the session with the file server and resume operation without the benefits of the optimizations provided by Cisco WAAS.

Disconnected mode of operation: If disconnected mode is configured, the Cisco WAFS Edge WAE is online but unable to reach the Cisco WAFS Core WAE, and the user can successfully authenticate with a domain controller, the user will be able to access the cached data in read-only mode according to the cached user authorization and access control information.

CISCO WAAS MAINTAINS DATA INTEGRITY, SECURITY, AND CORRECTNESS

In addition to providing a high-availability infrastructure for WAN optimization and application acceleration, Cisco WAAS was designed to maintain data integrity, data security, correctness, and coherency under all circumstances. This section discusses how each of the optimization and acceleration components of Cisco WAAS maintains data integrity, application and protocol correctness, and coherency.

Disk Storage Security

Data stored on a Cisco WAE file system can be accessed only through an infrastructure where Cisco WAAS is deployed. For instance, a user cannot access cached files unless the Cisco WAE is installed, configured, and operating within a Cisco WAAS network; the user has permissions for the origin file server, share, and file; and the file in the Cisco WAAS file cache is 100-percent consistent with the copy stored on the origin file server. Data stored in the Cisco WAAS Data Redundancy Elimination (DRE) cache can never be accessed by the user and is used only as user traffic or server traffic is seen on the network. Management access is restricted to the Central Manager, Device Manager, or local device command-line interface (CLI), and the local file systems can be manipulated and managed only through the mechanisms provided by these management tools. Direct disk data management for cached data is not possible.
Each Cisco WAE uses a proprietary partition mounting and file system access format that makes data on the cache file systems unusable if the disk is mounted by a device other than a Cisco WAE.

Transport Flow Optimization

Cisco WAAS Transport Flow Optimization (TFO) is a series of TCP optimizations that may be applied after two Cisco WAEs have automatically discovered one another. If two Cisco WAEs cannot automatically discover one another, no optimizations are applied to the connection. If autodiscovery is successful, the two peering Cisco WAEs negotiate the level of optimization applied to the connection. If a connection is configured for pass-through, no optimization is applied, and the TCP proxy is not used for the connection. If a connection is configured for optimization, the TCP proxy service is used for the connection. The TCP proxy runs on each WAE to terminate TCP locally within each WAE so that three connections exist in the path between the two communicating nodes, as shown in Figure 5.

Figure 5. Cisco WAAS TCP Proxy Service

Using a TCP proxy allows each Cisco WAE to shield the communicating nodes from problematic conditions that arise in the WAN. Each of the connections is managed independently, and sequence and acknowledgment numbers are handled separately for each of the three connections. If either of the two Cisco WAEs in the connection path fails, the sequence and acknowledgment numbers received by the next upstream device will not match those associated with the connection to that device, and the connection is reset. At that point, the client application reestablishes the TCP connection to the server, and the automatic discovery process occurs again.
DRE

DRE is another optimization process that may be applied to a connection if two Cisco WAEs automatically discover one another and the negotiated optimization policy includes DRE. With DRE, the two peering WAEs retain a cache of previously seen chunks of TCP data (not application specific) in a local context. This context is loosely synchronized, and if repeated chunks of TCP data are seen again, signatures referencing the original chunks of TCP data can be sent in place of the chunk of data (shown in Figure 6).

Figure 6. Cisco WAAS DRE and Loosely Synchronized Contexts

With DRE, Cisco WAAS can provide significant levels of data suppression across many TCP applications, thereby minimizing WAN bandwidth consumption. DRE has numerous integrated mechanisms that help ensure that data integrity is never compromised:

DRE context synchronization: When peering WAEs automatically discover one another, synchronization of the DRE contexts is initiated, and DRE is not used until the contexts are synchronized. This synchronization involves negotiation to determine which portions of the context are still valid, based on timestamps, and which portions of the context are not usable. The invalid portions of the context on each WAE are immediately flushed.

Signature acknowledgment: If a Cisco WAE receives an encoded message, that is, one that has gone through the DRE process, it attempts to rebuild the original message on the basis of the enclosed signatures. If a referenced signature is not found in the local context, the WAE can send a nonacknowledgment message to the encoding WAE and request that the original data referenced by the signature be resent.
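The DRE exchange between two loosely synchronized contexts, including the signature nonacknowledgment above and the 16-byte MD5 message validity signature the next item describes, as an added example that is not Cisco's implementation. The chunk size, the 8-byte chunk signature, the context layout and the sample message are assumptions made for the example; only the MD5 validity signature comes from the paper.

```python
import hashlib

# Chunk size and the 8-byte chunk signature are modelling choices for this
# example; the 16-byte MD5 message validity signature is what the paper describes.
CHUNK = 64


def chunk_signature(chunk):
    """Signature a WAE sends in place of a chunk its peer has already seen."""
    return hashlib.sha256(chunk).digest()[:8]


def validity_signature(message):
    """16-byte MD5 of the whole original message, appended to every encoded message.
    It catches a context that drifted out of sync; it is not a defence against
    deliberate tampering, which needs an authenticated transport."""
    return hashlib.md5(message).digest()


def encode(message, ctx):
    """Replace chunks already in the encoder's context with their signatures.

    Returns (validity, tokens); tokens are ("ref", sig) or ("raw", chunk).
    """
    tokens = []
    for i in range(0, len(message), CHUNK):
        chunk = message[i:i + CHUNK]
        sig = chunk_signature(chunk)
        if sig in ctx:
            tokens.append(("ref", sig))
        else:
            ctx[sig] = chunk          # encoder learns the chunk; the decoder will too
            tokens.append(("raw", chunk))
    return validity_signature(message), tokens


def decode(validity, tokens, ctx):
    """Rebuild a DRE-encoded message from the decoder's own context.

    Returns ("ok", message), ("nack-signature", sig) when a referenced chunk is
    missing locally, or ("nack-validity", None) when the rebuilt message fails
    the MD5 double-check; either NACK asks the peer to resend the original data.
    """
    out = bytearray()
    for kind, value in tokens:
        if kind == "raw":
            ctx[chunk_signature(value)] = value
            out += value
        elif value in ctx:
            out += ctx[value]
        else:
            return ("nack-signature", value)
    rebuilt = bytes(out)
    if validity_signature(rebuilt) != validity:
        return ("nack-validity", None)
    return ("ok", rebuilt)


def demo():
    """Two WAEs with loosely synchronized contexts exchanging the same message twice."""
    enc_ctx, dec_ctx = {}, {}
    message = b"GET /reports/q3.xlsx HTTP/1.1\r\n" * 4 + b"Host: files.example\r\n"  # constructed
    v1, t1 = encode(message, enc_ctx)
    first = decode(v1, t1, dec_ctx)            # cold contexts: every chunk travels raw
    v2, t2 = encode(message, enc_ctx)
    second = decode(v2, t2, dec_ctx)           # warm contexts: only signatures travel
    refs = sum(1 for kind, _ in t2 if kind == "ref")
    lost = t2[1][1]
    del dec_ctx[lost]                          # decoder flushed a chunk the encoder still holds
    nack = decode(v2, t2, dec_ctx)
    resent = [("raw", enc_ctx[s]) if k == "ref" and s == lost else (k, s) for k, s in t2]
    recovered = decode(v2, resent, dec_ctx)    # encoder answered the NACK with raw data
    dec_ctx[lost] = b"X" * len(enc_ctx[lost])  # stale bytes under a valid signature
    corrupt = decode(v2, t2, dec_ctx)          # only the validity signature catches this
    return {"message": message, "first": first, "second": second, "refs": refs,
            "nack": nack, "recovered": recovered, "corrupt": corrupt}
```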
Message validity verification: Before a Cisco WAE attempts to encode an original block of data through DRE, it first calculates a 16-byte message validity signature, which is a Message Digest Algorithm 5 (MD5) hash of the original message. This message validity signature is appended to every DRE-encoded message and is used by decoding Cisco WAEs to double-check the validity of the messages that have been rebuilt based on data from the local context. When the decoding WAE has rebuilt the message from data chunks contained in the context, a new 16-byte message validity signature is computed and compared to the original. If the two are identical, the message is identical to the original. If the two are not identical, the decoding WAE sends a nonacknowledgment message for the entire block of data and requests that the original data be sent.

File Services Acceleration

The file services acceleration component of Cisco WAAS provides robust acceleration for the CIFS protocol without compromising data integrity, user authenticity, file locking, coherency, or correctness. By implementing intelligent protocol interfaces, the Cisco WAE can safely examine every incoming message to determine what can be safely handled locally and what must traverse the WAN natively for handling by the origin file server or NAS device.

User sessions: User session control messages are always forwarded for native handling by the origin file server. This processing includes CIFS dialect negotiation, user authentication and session establishment (SESSION_SETUP), and user authorization and share mounting (TREE_CONNECT).
Thus, the origin file server always sees the session as having come from the remote-office user, thereby preserving the investment in Active Directory security and file server features such as disk quota enforcement and auditing. Cisco WAEs never provide application-specific acceleration to a user session unless the WAE sees the establishment of the session, thereby protecting security and data integrity.

Global file locking: All message exchanges that involve locks or opportunistic locks are propagated natively between the user and the origin file server or NAS device and are never handled by the Cisco WAE. Thus, the file server device always owns the state of the lock for every file in use, thereby facilitating global collaboration, even among optimized and unoptimized environments. Furthermore, if a WAE fails, sessions are immediately closed and the state is cleared. Cisco WAAS never leaves a session or a file lock in an unknown state.

Cached file validation: When a file is being opened and a copy resides in the file cache on the Cisco WAE, the WAE validates the file with the origin file server to determine whether the cached copy is identical to the copy on the origin file server. If the two are identical, the WAE knows that any authorized requests for segments of the file can be served locally and safely. If the two are not identical, the WAE immediately flushes the file out of the cache and applies read-ahead and message prediction to provide high-performance access for the user.

Change notifications: Cisco WAAS supports unsolicited and solicited change notifications from the origin server to update metadata and directory listing information. Thus, users browsing a file server through an optimized connection always see an up-to-date directory listing.

Graceful handling of legacy dialects: Cisco WAAS is designed to provide pass-through for unrecognized commands and legacy dialects.
If it sees an unrecognized message, it forwards the message normally for proper handling by the origin file server.

Transition to disconnected mode: If the Cisco WAEs enter prolonged disconnection mode (periods longer than 90 seconds) and connectivity is severed, the WAEs automatically and gracefully close existing sessions. This processing helps ensure that no stale state is left behind on the origin server. If a Cisco WAE terminates unexpectedly, the user session times out normally on the file server on the basis of the configured timeout value, which by default is 15 minutes.

SUMMARY

Cisco WAAS provides the optimization capabilities necessary to allow distributed enterprises to consolidate costly server and storage infrastructure while improving the delivery of centralized applications to meet remote-office user performance expectations. Every aspect of the Cisco WAAS hardware, software, and optimization framework is designed to meet and exceed the availability requirements demanded by enterprise IT organizations, all without compromising data integrity, correctness, or coherency. By using Cisco WAAS, enterprise IT organizations can safely centralize and improve performance while meeting or exceeding the expectations for availability and integrity that exist today.

Printed in USA C11-359910-00 08/06