Manual Chapter : Configuring a One-Arm Deployment Using WCCPv2

Applies To:

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Configuring a one-arm deployment using WCCPv2

In certain cases, it is not advantageous or even possible to deploy the BIG-IP system inline. For example, in the case of a collapsed backbone where the WAN router and the LAN switch are in one physical device, you might not be able to deploy the BIG-IP system inline.

If you choose not to deploy the BIG-IP system inline, you can use a one-arm deployment. In a one-arm deployment, the BIG-IP system has a single (hence, one-arm) connection to the WAN router or LAN switch. The WAN router (or switch) redirects all relevant traffic to the BIG-IP system. In this configuration, the WAN router typically uses Web Cache Communication Protocol version 2 (WCCPv2) to redirect traffic to the BIG-IP system.

Network topology for a one-arm connection

The traffic flow sequence in this illustration is as follows:

  1. The client initiates a session.
  2. A WAN router redirects traffic to the BIG-IP system.
  3. The BIG-IP1 processes traffic and sends it back to the WAN router.
  4. The WAN router forwards traffic across the WAN.

About WCCPv2 redirection on the BIG-IP system

TMOS includes support for Web Cache Communication Protocol version 2 (WCCPv2). WCCPv2 is a content-routing protocol developed by Cisco Systems. It provides a mechanism to redirect traffic flows in real time. The primary purpose of the interaction between WCCPv2-enabled routers and a BIG-IP system is to establish and maintain the transparent redirection of selected types of traffic flowing through those routers.

To use WCCPv2, you must enable WCCPv2 on one or more routers connected to the BIG-IP system, and configure a service group on the BIG-IP system that includes the router information. The BIG-IP system then receives all the network traffic from each router in the associated service group, and determines both the traffic to optimize and the traffic to which to apply a service.

In configuring WCCPv2 on a network, you define a service group on the BIG-IP system, which is a collection of WCCPv2 services configured on the BIG-IP system. A WCCPv2 service in this context is a set of redirection criteria and processing instructions that the BIG-IP system applies to any traffic that a router in the service group redirects to the BIG-IP system. Each service matches a service identifier on the router.

The following illustration shows a one-arm configuration on one side of the WAN and an inline (bridge) configuration on the other side.

Example of a one-arm configuration

Before you begin configuring an iSession connection

Before you configure an iSession connection on the BIG-IP system, make sure that you have completed the following general prerequisites.

  • You must have an existing routed IP network between the two locations where the BIG-IP devices will be installed.
  • One BIG-IP system is located on each side of the WAN network you are using.
  • The BIG-IP hardware is installed with an initial network configuration applied.
  • F5 recommends that both units be running the same BIG-IP software version.
  • The Application Acceleration Manager license is enabled.
  • Application Acceleration Manager (AAM) is provisioned at the level Nominal.
  • The management IP address is configured on the BIG-IP system.
  • You must have administrative access to both the Web management and SSH command line interfaces on the BIG-IP system.
  • If there are firewalls, you must have TCP port 443 open in both directions. Optionally, you can allow TCP port 22 for SSH access to the command line interface for configuration verification, but not for actual BIG-IP iSession traffic. After you configure the BIG-IP system, you can perform this verification from the Configuration utility (Acceleration > Symmetric Optimization > Diagnostics).

Task summary

To use WCCPv2 for traffic redirection, you configure a service group on the BIG-IP system that includes at least one service. You also configure this service on the WCCPv2-enabled router connected to the BIG-IP system.

For optimization, you also need to configure the BIG-IP system on the other side of the WAN to complete the connection. The BIG-IP system on the other side of the WAN can be set up in either a one-arm or inline configuration.

Note: The example described in this implementation applies to the Cisco 3750 and Cat 6500 routers.

Prerequisites

Before you begin configuring WCCPv2 for traffic redirection, ensure that you have performed the following actions on the other devices in your network.

  • The interface and associated VLAN have been configured on the router or switch. For instructions, refer to the Cisco documentation for your device.
  • IP addresses have been assigned on the Cisco router or switch interface. Note the router identification address, which you will use when configuring WCCPv2 on the BIG-IP system.

Task list

Creating a VLAN for a one-arm deployment

For a one-arm deployment, you create only one VLAN on the BIG-IP system, because the system has only a single connection to the WAN router or switch.
  1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  2. Click Create. The New VLAN screen opens.
  3. In the Name field, type wan.
  4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN, depending on your network configuration.
  5. For the Interfaces setting, click an interface number in the Available list, and move the selected interface to the Untagged or Tagged list, depending on your network configuration.
  6. Click Finished. The screen refreshes, and displays the new VLAN in the list.

Creating a self IP address for a one-arm deployment

A VLAN must be configured before you create a self IP address.
This self IP address is the local endpoint for the iSession connection.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. Click Create. The New Self IP screen opens.
  3. In the Name field, type a descriptive name for the self IP address, for example onearm.
  4. In the IP Address field, type an IP address that is not in use and resides on the wan VLAN you created. In the example shown, this is 10.150.3.1.
  5. In the Netmask field, type the network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select wan.
  7. From the Port Lockdown list, select Allow None. This selection avoids potential conflicts (for management and other control functions) with other TCP applications. However, to access any of the services typically available on a self IP address, select Allow Custom, so that you can open the ports that those services need.
  8. In the Traffic Group field, clear the check box, and select traffic-group-local-only (non-floating) from the drop-down menu.
  9. Click Finished. The screen refreshes, and displays the new self IP address.
The self IP address is assigned to the external (WAN) VLAN.
Example of the Properties screen for the self IP address you created
Use this self IP address on the WAN Optimization Quick Start screen for the WAN Self IP Address, which is the local endpoint for the iSession connection.

Defining a route

You must define a route on the local BIG-IP system for sending traffic to its destination. In the example shown, the route defined uses the default gateway to send traffic to the router.
  1. On the Main tab, click Network > Routes.
  2. Click Add. The New Route screen opens.
  3. In the Name field, type default-gateway.
  4. In the Destination field, type the IP address 0.0.0.0. An IP address of 0.0.0.0 in this field indicates that the destination is a default route.
  5. In the Netmask field, type 0.0.0.0, the network mask for the default route.
  6. From the Resource list, select Use Gateway. The gateway represents a next-hop or last-hop address in the route.
  7. For the Gateway Address setting, select IP Address and type an IP address. In the example shown, this is 10.150.3.254.

Configuring WCCPv2

To configure traffic redirection using WCCPv2 for a one-arm deployment, follow these steps on the BIG-IP system. This implementation specifies the Layer 2 (L2) method of traffic forwarding and mask assignment as the load-balancing method for a WCCPv2 service.
Note: The values you select for Redirection Method, Return Method, and Traffic Assign are automatically selected by the Cisco router or switch, provided that the Cisco device supports these settings.
Example showing browser interface for configuring WCCP
  1. On the Main tab of the BIG-IP system user interface, click Network > WCCP.
  2. Click the Create button. The New WCCP List screen opens.
  3. In the Service Group field, type a name for the service group, for example, service-wccp.
  4. In the Service field, type a service group identifier, which is a number between 51 and 255. This number must match the service ID you configure on the Cisco router. In the illustration shown, this number is 75.
  5. From the Port Type list, select Destination. If you specify a port in the Port List, this setting specifies the port on which the server listens for incoming traffic that has been redirected by WCCP. For best results, select Destination, even if you do not specify a port.
  6. From the Redirection Method list, select L2. This setting specifies the method the router uses to redirect traffic to the BIG-IP system. Typically, L2 has a faster throughput rate than GRE, but GRE traffic has the advantage that it can be forwarded by a Layer-3 router. This example uses L2.
    Note: The router or switch uses the same redirection method, if supported.
  7. From the Return Method list, select L2. This setting specifies the method the BIG-IP system uses to return pass-through traffic to the router. Typically, L2 has a faster throughput rate than GRE, but GRE traffic has the advantage that it can be forwarded by a Layer-3 router. This example uses L2.
    Note: The router or switch uses the same return method, if supported.
  8. From the Traffic Assign list, select Mask. This setting specifies whether load balancing is achieved by a hash algorithm or a mask. This example uses a mask.
    Note: The router or switch uses the same setting, if supported.
  9. In the Routers field, type the IP address of the Cisco router, and click Add. In the illustration shown, this is 10.150.3.254.
    Important: Do not use a secondary IP address for the Cisco router or switch.
  10. In the Port List field, select an application, or leave it blank to indicate all ports.
  11. For the Router Identifier setting, type the Router Identifier IP address of the router. If you do not know the Router Identifier IP address, consult the Cisco documentation that applies to the router or switch you are using.
  12. In the Client ID field, type the IP address of the VLAN that connects to the Cisco router. In the illustration shown, this is 10.150.3.1.
  13. Click Finished.
The BIG-IP is configured for WCCPv2 traffic redirection in a one-arm deployment. The completed screen looks similar to the following example.
Example of completed configuration screen

Verifying connectivity

Important: Use this task as a checkpoint before proceeding with the one-arm setup.
You can verify connectivity from the command-line interface.
  1. Ping the router interface using the command-line access to the BIG-IP system.
  2. Use TCPdump on TCP traffic between the servers at both sites to verify that TCP packets are redirected when you initiate TCP traffic.
  3. Review the log /var/log/wccpd.log and look for the SESSION up message. The following example is an excerpt from the log of a one-arm configuration.

      Aug 2 17:26:18 clientside3600 notice router_ip 10.150.3.254
      Aug 2 17:26:18 clientside3600 notice ports: 0,0,0,0,0,0,0,0,
      Aug 2 17:26:18 clientside3600 notice tunnel_remote_addr: 192.31.3.161
      Aug 2 17:26:18 clientside3600 notice
      Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] WccpMcpInterface.cpp:113 :
      Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] WccpApp.cpp:208 : Failover status active 0
      Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] WccpApp.cpp:208 : Failover status active 1
      Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:194 : Sending Wccp Capabilities Service group 75, Forwarding Type: L2, Return Type: L2, Assignment Type: MASK
      Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:468 : Final Wccp Capabilities Service group 75, Redirection: L2, Return: L2, Traffic Assign: MASK
      Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:615 : SESSION up
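
The log review in step 3 can be automated. The following is an added example, not F5 code: it compares the capabilities the BIG-IP system sent with the final negotiated ones for each service group and confirms that SESSION up followed. The sample lines for service groups 80 and 90 are constructed, the GRE token in them is an assumption about how wccpd prints that method, and attributing a SESSION up line to the most recently logged service group is also an assumption.

```python
import re

# Constructed sample. The service group 75 lines are copied from the excerpt
# above; the group 80 and 90 lines are invented to show a negotiation that
# did not end on the requested L2 methods and one that never completed.
SAMPLE_LOG = """\
Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:194 : Sending Wccp Capabilities Service group 75, Forwarding Type: L2, Return Type: L2, Assignment Type: MASK
Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:468 : Final Wccp Capabilities Service group 75, Redirection: L2, Return: L2, Traffic Assign: MASK
Aug 2 17:26:18 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:615 : SESSION up
Aug 2 17:40:02 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:194 : Sending Wccp Capabilities Service group 80, Forwarding Type: L2, Return Type: L2, Assignment Type: MASK
Aug 2 17:40:02 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:468 : Final Wccp Capabilities Service group 80, Redirection: GRE, Return: GRE, Traffic Assign: MASK
Aug 2 17:40:02 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:615 : SESSION up
Aug 2 17:41:10 clientside3600 notice wccpd-1[1db1:f73f46d0] ServiceGroup.cpp:194 : Sending Wccp Capabilities Service group 90, Forwarding Type: L2, Return Type: L2, Assignment Type: MASK
"""

# "Sending" and "Final" lines label the same three settings differently,
# so the pattern accepts both spellings of each field.
CAPS = re.compile(
    r"(?P<kind>Sending|Final) Wccp Capabilities Service group (?P<group>\d+), "
    r"(?:Forwarding Type|Redirection): (?P<redirect>\w+), "
    r"Return(?: Type)?: (?P<ret>\w+), "
    r"(?:Assignment Type|Traffic Assign): (?P<assign>\w+)"
)


def check_negotiation(log_text):
    """Return {service_id: {"sent", "final", "session_up"}} from wccpd.log text."""
    groups = {}
    last = None  # service group named by the most recent capabilities line
    for line in log_text.splitlines():
        m = CAPS.search(line)
        if m:
            state = groups.setdefault(
                int(m.group("group")),
                {"sent": None, "final": None, "session_up": False},
            )
            caps = tuple(m.group(k).upper() for k in ("redirect", "ret", "assign"))
            if m.group("kind") == "Sending":
                # A new offer starts a new negotiation; forget older results.
                state.update(sent=caps, final=None, session_up=False)
            else:
                state["final"] = caps
            last = state
        elif "SESSION up" in line and last is not None:
            # Assumption: SESSION up belongs to the group logged just before it.
            last["session_up"] = True
    return groups


def findings(groups):
    """List (service_id, problem) pairs; an empty list means every group is healthy."""
    out = []
    for gid, state in sorted(groups.items()):
        if state["final"] is None:
            out.append((gid, "no-final-capabilities"))
        elif state["sent"] is not None and state["sent"] != state["final"]:
            out.append((gid, "capability-mismatch"))
        if not state["session_up"]:
            out.append((gid, "no-session-up"))
    return out


if __name__ == "__main__":
    for gid, problem in findings(check_negotiation(SAMPLE_LOG)):
        print("service group %d: %s" % (gid, problem))
```

A mismatch with SESSION up present means redirection is working but not with the methods selected on the WCCP screen, which is worth resolving before moving on to the iSession tasks.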

Verifying WCCPv2 configuration for one-arm deployment

You can use the command line interface to verify the WCCPv2 configuration on the BIG-IP system.
  1. Log on to the command-line interface using the root account.
  2. At the command prompt, type tmsh list net wccp, and verify the WCCP values you configured. A listing similar to the following appears.

      net wccp server-wccp
      services 75
      port-type dest
      redirection-method l2
      return-method l2
      routers { 10.150.1.254 }
      traffic-assign mask
      tunnel-local-address 10.150.3.1
      tunnel-remote-addresses { 10.150.2.1 }

Creating an iSession connection

You cannot view the Quick Start screen until you have defined at least one VLAN and at least one self IP on a configured BIG-IP system that is provisioned for symmetric optimization.
Use the Quick Start screen to set up symmetric optimization for a one-arm deployment.
  1. Log in to the BIG-IP system that you want to configure. The default login value for both user name and password is admin.
  2. On the Main tab, click Acceleration > Quick Start > Symmetric Properties.
  3. In the WAN Self IP Address field, type the local endpoint IP address. In the example shown, this is 10.150.3.1.
  4. Verify that the Discovery setting is set to Enabled. If you disable the Discovery setting, or discovery fails, you must manually configure any remote endpoints and advertised routes.
  5. In the Select VLANs field, select the wan VLAN for both the LAN VLANs and WAN VLANs settings. You select only one VLAN, because the system has only a single connection to the WAN router or switch.
  6. Click Apply.
This example shows a completed Quick Start screen.
Example of completed Quick Start screen
After you configure the iSession endpoints, use an iApp template to select the application traffic for optimization. Click Acceleration > Quick Start > Deploy Applications. Click Create, from the Template list select f5.replication, and follow the online instructions.

Validating iSession configuration in a one-arm deployment

At this point, you have finished configuring BIG-IP systems at opposite sides of the WAN, and the systems have discovered their remote iSession endpoints.
Important: Use this task as a checkpoint to allow for troubleshooting before you complete the setup.
You can validate the configuration using the browser and command-line interfaces.
  1. Run diagnostics to verify the configuration.
    1. On the Main tab, click Acceleration > Symmetric Optimization > Diagnostics.
    2. Next to Diagnose WOM Configuration, click Run.
    3. Correct any configuration errors as indicated on the screen.
  2. Transfer data between the servers at the two sites, and verify that the transfer was successful.
  3. Using the command-line interface, enter tmsh show wom remote-endpoint all, and verify the remote endpoint IP address and the STATE: Ready message. The following listing is an example of the results for this command.

      -----------------------------------------------------------
      Remote endpoint: 10.150.2.1
      -----------------------------------------------------------
      Status
        HOSTNAME: server_bridge3600.example.net
        MGMT ADDR: 192.X.X.X
        VERSION: 11.4.0
        UUID: 195f:74a0:d242:eab6:57fe:c3a:c1d2:6e22
        enabled STATE: ready
        -----------
        BEHIND NAT: no
        CONFIG STATUS: none
        DEDUP CACHE: 43.5G
        REFRESH count: 0
        REFRESH timestamp: 12/31/12 16:00:00
        ALLOW ROUTING: enabled
      -----------------------------------------------------------
      Endpoint Isession Statistic: _tunnel_data_10.150.2.1
      -----------------------------------------------------------
      Connections                 Current   Maximum   Total
        Connections OUT IDLE:     0         0         0
        Connections OUT ACTIVE:   1         1         1
        Connections IN ACTIVE:    0         0         0

      Direction             Action          Raw       Opt
        Out (to WAN) bits   Deduplication   880       1.2K
        Out (to WAN) bits   Compression     1.2K      1.2K

      Direction             Action          Opt       Raw
        In (from WAN) bits  Decompression   273.9M    273.8M
        In (from WAN) bits  Deduplication   272.6M    272.5M

  4. Using the browser interface, view the green status indicator on the Remote Endpoints screen.
  5. On the Main tab, click WAN Optimization > Dashboard, and view the traffic optimization data.

Configuring the Cisco router for a one-arm deployment using WCCPv2

To configure traffic redirection using Web Cache Communication Protocol version 2 (WCCPv2) for a one-arm deployment, follow these steps on the Cisco router.
  1. Configure the service ID that you configured on the BIG-IP device.
    1. Enable WCCP globally.
    2. In Command mode, configure the service ID; for example, 75. In the example shown, the command line might look like the following.

          (config)#ip wccp 75

  2. Using the router interface that is connected to the client from which you want to redirect traffic, associate the VLAN with the service ID you configured. In the example shown, the command-line interface might look like the following.

      (config)#interface vlan 254
      (config)#ip wccp 75 redirect in

The following listing is an example of the information displayed for a Cisco router configured to redirect traffic to the BIG-IP system using WCCPv2.

    Clientside_Top_switch#sh run
    Building configuration...

    Current configuration : 4848 bytes
    version 12.2
    no service pad
    hostname Clientside_Top_switch
    !
    no aaa new-model
    switch 1 provision ws-c3750g-48ts
    system mtu routing 1500
    vtp mode transparent
    ip subnet-zero
    ip routing
    ip wccp 75
    !
    interface GigabitEthernet1/0/4
     switchport access vlan 200
     switchport mode access
    !
    interface GigabitEthernet1/0/5
     switchport access vlan 100
     switchport mode access
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
     switchport access vlan 254
     switchport mode access
    !
    interface Vlan1
     ip address 192.31.3.161 255.255.255.0
    !
    interface Vlan100
     ip address 10.15.3.254 255.255.255.0
    !
    interface Vlan200
     ip address 10.15.2.254 255.255.255.0
    !
    interface Vlan254
     ip address 10.15.1.254 255.255.255.0
     ip wccp 75 redirect in
    !

Viewing pertinent configuration details from the command line

You can view details of the BIG-IP iSession configuration from the command line.
  1. Log on to the command-line interface of the BIG-IP system using the root account.
  2. At the command prompt, type tmsh.
  3. At the command prompt, type list all-properties. The following listing is an example of the pertinent information displayed for a one-arm configuration.

      ltm profile tcp wom-tcp-lan-optimized {
          abc enabled
          ack-on-push enabled
          app-service none
          close-wait-timeout 5
          cmetrics-cache disabled
          congestion-control high-speed
          defaults-from tcp-lan-optimized
          deferred-accept disabled
          delay-window-control disabled
          delayed-acks disabled
          description none
          dsack disabled
          ecn disabled
          fin-wait-timeout 5
          idle-timeout 600
          init-cwnd 0
          init-rwnd 0
          ip-tos-to-client 0
          keep-alive-interval 1800
          limited-transmit enabled
          link-qos-to-client 0
          max-retrans 8
          md5-signature disabled
          md5-signature-passphrase none
          nagle enabled
          partition Common
          pkt-loss-ignore-burst 0
          pkt-loss-ignore-rate 0
          proxy-buffer-high 1228800
          proxy-buffer-low 98304
          proxy-mss disabled
          proxy-options disabled
          receive-window-size 65535
          reset-on-timeout enabled
          rfc1323 enabled
          selective-acks enabled
          selective-nack disabled
          send-buffer-size 65535
          slow-start disabled
          syn-max-retrans 3
          syn-rto-base 0
          tcp-options none
          time-wait-recycle enabled
          time-wait-timeout 2000
          verified-accept disabled
          zero-window-timeout 20000
      }
      ltm profile tcp wom-tcp-wan-optimized {
          abc enabled
          ack-on-push disabled
          app-service none
          close-wait-timeout 5
          cmetrics-cache enabled
          congestion-control high-speed
          defaults-from tcp-wan-optimized
          deferred-accept disabled
          delay-window-control disabled
          delayed-acks disabled
          description none
          dsack disabled
          ecn disabled
          fin-wait-timeout 5
          idle-timeout 600
          init-cwnd 0
          init-rwnd 0
          ip-tos-to-client 0
          keep-alive-interval 1800
          limited-transmit enabled
          link-qos-to-client 0
          max-retrans 8
          md5-signature disabled
          md5-signature-passphrase none
          nagle enabled
          partition Common
          pkt-loss-ignore-burst 8
          pkt-loss-ignore-rate 10000
          proxy-buffer-high 196608
          proxy-buffer-low 131072
          proxy-mss disabled
          proxy-options disabled
          receive-window-size 2048000
          reset-on-timeout enabled
          rfc1323 enabled
          selective-acks enabled
          selective-nack enabled
          send-buffer-size 2048000
          slow-start disabled
          syn-max-retrans 3
          syn-rto-base 0
          tcp-options none
          time-wait-recycle enabled
          time-wait-timeout 2000
          verified-accept disabled
          zero-window-timeout 300000
      }
      ltm virtual isession-virtual {
          app-service none
          auth none
          auto-lasthop default
          clone-pools none
          cmp-enabled yes
          connection-limit 0
          description none
          destination 10.150.3.1:any
          enabled
          fallback-persistence none
          gtm-score 0
          http-class none
          ip-protocol tcp
          last-hop-pool none
          mask 255.255.255.255
          mirror disabled
          nat64 disabled
          partition Common
          persist none
          pool none
          profiles {
              isession {
                  context clientside
              }
              wom-default-clientssl {
                  context clientside
              }
              wom-tcp-lan-optimized {
                  context serverside
              }
              wom-tcp-wan-optimized {
                  context clientside
              }
          }
          rate-class none
          rules none
          snat none
          source-port preserve
          traffic-classes none
          translate-address enabled
          translate-port disabled
          vlans none
          vlans-disabled
      }
      net interface 1.1 {
          app-service none
          description none
          enabled
          flow-control tx-rx
          force-gigabit-fiber disabled
          mac-address 0:1:d7:79:9a:84
          media none
          media-active 1000T-FD
          media-fixed auto
          media-max 1000T-FD
          media-sfp auto
          mtu 1500
          prefer-port sfp
          stp enabled
          stp-auto-edge-port enabled
          stp-edge-port true
          stp-link-type auto
          vendor none
      }
      net route def {
          description none
          gw 10.150.3.254
          mtu 0
          network default
          partition Common
      }
      net self "clientside Self" {
          address 10.150.3.1/24
          allow-service none
          app-service none
          description none
          floating disabled
          inherited-traffic-group false
          partition Common
          traffic-group traffic-group-local-only
          unit 0
          vlan wan
      }
      net vlan wan {
          app-service none
          auto-lasthop default
          description none
          failsafe disabled
          failsafe-action failover-restart-tm
          failsafe-timeout 90
          interfaces {
              1.1 {
                  app-service none
                  untagged
              }
          }
          learning enable-forward
          mtu 1500
          partition Common
          source-checking disabled
          tag 4094
      }
      sys datastor {
          cache-size 1066
          description none
          disk enabled
          high-water-mark 90
          low-water-mark 80
          store-size 97152
      }
      sys disk application-volume datastor {
          logical-disk HD1
          owner datastor
          preservability discardable
          resizeable false
          size 97152
          volume-set-visibility-restraint none
      }
      sys management-route default {
          app-service none
          description none
          gateway 192.31.3.129
          mtu 1500
          network default
      }
      sys provision wom {
          app-service none
          cpu-ratio 0
          description none
          disk-ratio 0
          level nominal
          memory-ratio 0
      }
      sys provision woml {
          app-service none
          cpu-ratio 0
          description none
          disk-ratio 0
          level none
          memory-ratio 0
      }
      wom deduplication {
          description none
          dictionary-size 256
          disk-cache-size 97152
          enabled
          max-endpoint-count 1
      }
      wom endpoint-discovery {
          auto-save enabled
          description none
          discoverable enabled
          discovered-endpoint enabled
          icmp-max-requests 1024
          icmp-min-backoff 5
          icmp-num-retries 10
          max-endpoint-count 0
          mode enable-all
      }
      wom local-endpoint {
          addresses { 10.150.3.1 }
          allow-nat enabled
          description none
          endpoint enabled
          ip-encap-mtu 0
          ip-encap-profile { /Common/default-ipsec-policy-isession }
          ip-encap-type ipsec
          no-route passthru
          server-ssl serverssl
          snat none
          tunnel-port https
      }
      wom profile isession isession-http {
          adaptive-compression enabled
          app-service none
          compression enabled
          compression-codecs { deflate lzo bzip2 }
          data-encryption disabled
          deduplication enabled
          defaults-from isession
          deflate-compression-level 1
          description none
          mode enabled
          partition Common
          port-transparency enabled
          reuse-connection enabled
          target-virtual virtual-match-all
      }
      wom remote-endpoint 10.150.2.1 {
          address 10.150.2.1
          allow-routing enabled
          app-service none
          description none
          endpoint enabled
          ip-encap-mtu 0
          ip-encap-profile none
          ip-encap-type default
          origin manually-saved
          server-ssl none
          snat default
          tunnel-encrypt enabled
          tunnel-port https
      }
      wom server-discovery {
          auto-save enabled
          description none
          filter-mode exclude
          idle-time-limit 0
          ip-ttl-limit 5
          max-server-count 50
          min-idle-time 0
          min-prefix-length-ipv4 32
          min-prefix-length-ipv6 128
          mode enabled
          rtt-threshold 10
          subnet-filter none
          time-unit days
      }
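
A listing this long is easier to check with a script than by eye. The following is an added example, not F5 code: it parses tmsh output printed one property per line and reports where the WAN self IP, the local endpoint, and the remote endpoints differ from the values this chapter configures or shows (Port Lockdown Allow None, traffic-group-local-only, a local endpoint address that is a self IP on the wan VLAN, tunnel-encrypt enabled). The sample configuration is constructed, with two deliberate deviations, and the function names are hypothetical.

```python
import shlex

# Constructed sample in tmsh list format, reduced to the properties checked.
# allow-service and tunnel-encrypt deliberately differ from the listing above.
SAMPLE_CONFIG = '''
net self "clientside Self" {
    address 10.150.3.1/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan wan
}
net vlan wan {
    interfaces {
        1.1 {
            untagged
        }
    }
    tag 4094
}
wom local-endpoint {
    addresses { 10.150.3.1 }
    endpoint enabled
    tunnel-port https
}
wom remote-endpoint 10.150.2.1 {
    address 10.150.2.1
    tunnel-encrypt disabled
}
'''


def parse_tmsh(text):
    """Parse one-property-per-line tmsh output into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # keeps "clientside Self" as one token
        if not tokens:
            continue
        if tokens == ["}"]:
            stack.pop()
        elif tokens[-1] == "{":  # block opener: object header or nested section
            child = {}
            stack[-1][" ".join(tokens[:-1])] = child
            stack.append(child)
        elif "{" in tokens:  # inline list, e.g. addresses { 10.150.3.1 }
            i = tokens.index("{")
            stack[-1][" ".join(tokens[:i])] = tokens[i + 1:-1]
        else:  # "key value", or a bare flag such as "untagged"
            stack[-1][tokens[0]] = " ".join(tokens[1:]) or True
    return root


def audit(cfg, wan_vlan="wan"):
    """Return (object, property, actual value) for each deviation found."""
    issues = []
    self_addrs = set()
    for name, obj in cfg.items():
        if name.startswith("net self ") and obj.get("vlan") == wan_vlan:
            self_addrs.add(obj.get("address", "").split("/")[0])
            if obj.get("allow-service") != "none":
                issues.append((name, "allow-service", obj.get("allow-service")))
            if obj.get("traffic-group") != "traffic-group-local-only":
                issues.append((name, "traffic-group", obj.get("traffic-group")))
    for addr in cfg.get("wom local-endpoint", {}).get("addresses", []):
        if addr not in self_addrs:  # endpoint must be a self IP on the WAN VLAN
            issues.append(("wom local-endpoint", "addresses", addr))
    for name, obj in cfg.items():
        if name.startswith("wom remote-endpoint "):
            if obj.get("tunnel-encrypt") != "enabled":
                issues.append((name, "tunnel-encrypt", obj.get("tunnel-encrypt")))
    return issues


if __name__ == "__main__":
    for issue in audit(parse_tmsh(SAMPLE_CONFIG)):
        print("%s: %s is %s" % issue)
```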

Implementation result

After you complete the tasks in this implementation, the BIG-IP system is configured in a one-arm deployment. For symmetric optimization, you must also configure the other side of the WAN. The other BIG-IP deployment can be in bridge, routed, or one-arm mode.