About Cisco AppNav
Cisco AppNav greatly reduces dependency on the intercepting switch or router by distributing traffic among Cisco WAAS devices for optimization, by using a powerful class-and-policy mechanism. You can use Cisco WAAS nodes to optimize traffic based on sites, or applications, or both.
The Cisco AppNav solution has the ability to scale up to available capacity by taking into account Cisco WAAS device utilization because it distributes traffic among nodes. Also, the solution provides for high availability of optimization capacity by monitoring node overload and liveliness, and by providing configurable failure and overload policies.
This section contains the following topics:
Benefits of Cisco AppNav
Cisco AppNav greatly reduces dependency on the intercepting switch or router by distributing traffic among Cisco WAAS devices for optimization, by using a powerful class-and-policy mechanism. You can use Cisco WAAS nodes to optimize traffic based on sites, or applications, or both.
The AppNav solution has the ability to scale up to available capacity by taking into account Cisco WAAS device utilization because it distributes traffic among nodes. Also, the solution provides for high availability of optimization capacity by monitoring node overload and liveliness, and by providing configurable failure and overload policies.
AppNav System Components
The Cisco AppNav solution consists of the following components, shown in the following figure and described in this section.
-
AppNav Controller (ANC, or AC on the router): A device that intercepts network traffic and, based on an AppNav policy, distributes that traffic to one or more Cisco WAAS nodes (WNs) for optimization. The device can be one of the following:
-
A Cisco WAAS appliance with a Cisco AppNav Controller Interface Module
-
A Cisco router with Cisco IOS XE Release 3.9 or later, running AppNav-XE (known as an AppNav-XE device in this document).
-
You cannot mix the ANCs on different platforms in the same AppNav cluster.
-
AppNav Controller Group (ANCG, or ACG on the router): A group of AppNav Controllers that together provide the necessary intelligence for handling asymmetric flows and high availability. The ANCG is configured on the ANC. An ANCG can have up to eight Cisco WAAS appliance-based ANCs or four AppNav-XE-based ANCs, which must be on the same router platform with the same memory configuration.
-
WAAS Node (WN, or SN on the router): A Cisco WAAS optimization engine (Cisco WAE or Cisco WAVE appliance, Cisco NME-WAE or Cisco SM-SRE network module (for Cisco WAAS versions earlier than 6.4.x), or Cisco vWAAS instance, but not a Cisco WAAS Express device) that optimizes and accelerates traffic according to the optimization policies configured on the device. You can have up to 32 WNs in the cluster. (In the Cisco WAAS CLI and on the router, a Cisco WAAS node is also known as a service node.)
-
WAAS Node Group (WNG, or SNG on the router): A group of Cisco WAAS nodes that services a particular set of traffic flows identified by AppNav policies. The WNG is configured on the ANC. You can have up to 32 WNGs in the cluster. (In the Cisco WAAS CLI and on the router, a Cisco WAAS node group is also known as a service node group.)
-
AppNav Cluster: A group of all the ANC and WN devices within a cluster.
-
AppNav Context: The topmost entity that groups together one AppNav Controller Group (ANCG), one or more Cisco WAAS node groups (WNGs), and an associated AppNav policy. The AppNav context is configured on the ANC. When using a Cisco WAAS appliance ANC, there is only one AppNav context. However, when using an AppNav-XE ANC, you can define up to 32 AppNav contexts that are associated with different Virtual Routing and Forwarding (VRF) instances defined on the router.
Within a service context, Cisco WAAS devices can operate in one of two modes:
-
Application accelerator: The device serves only as a WN within the service context. It receives traffic from the ANC, optimizes the traffic, and returns the traffic to the ANC to be delivered to its destination. The WN can be any kind of WAAS device or Cisco vWAAS instance.
-
AppNav Controller: The device operates as an ANC that intercepts network traffic, and, based on a flow policy, distributes that traffic to one or more Cisco WAAS nodes for optimization. Only a Cisco WAVE appliance that contains an AppNav Controller Interface Module, or an AppNav-XE device, can operate as an ANC. A Cisco WAAS appliance ANC can also operate as a Cisco WAAS node and optimize traffic as part of a WNG.
AppNav Controller Deployment Models and Modes
As shown in the following figure, you can deploy Cisco WAAS appliance AppNav Controllers (ANCs) in your network in two ways, in-path or off-path:
-
In-Path deployment: The ANC is physically placed between one or more network elements, enabling traffic to traverse a bridge group configured on the device in inline mode.
-
Off-Path deployment: The ANC works with the network infrastructure to intercept traffic through the Web Cache Communication Protocol (WCCP).
The ANC provides the same features in both in-path and off-path deployments. In either case, only ANCs participate in interception from the switch or router. The ANCs then distribute flows to WNs using a consistent and predictable algorithm that considers configured policies and Cisco WAAS node utilization.
The following figure shows that Cisco WAAS Nodes can be attached to either or both switches in the diagrams.
AppNav-XE ANCs have deployment models similar to the in-path diagram shown in the following figure. You can see the specific deployment diagrams in the Cisco WAAS Central Manager cluster wizard when you choose a platform.
Combination Mode
A Cisco WAAS device, which has an AppNav IOM card installed, can be configured to perform traffic interception using the AppNav module, and perform optimization as a single device. This is Combination mode, an example of which is shown in the following figure.
A combination mode deployment is not recommended due the limitation of single point failure as explained below.
Limitation
In a combination deployment, a single AppNav IOM module failure impacts both the AppNav and Cisco WAAS functionality. All the traffic to a WAAS node is blocked leading to a loss of active sessions in Cisco WAAS. The WAAS node on the combination device becomes unreachable and is removed from the distribution list as shown below. Note that this is applicable for both In-path and Off-path deployments.
You may experience some delay during cluster convergence when the AppNav IOM module comes back on line. Until then, other devices in the cluster will handle the new flows.
Recommendation
Considering the technical limitation in the combination mode, we strongly recommend to use separate devices for AppNav IOM and WAAS node to avoid a single point failure.
AppNav Controller Interface Modules
A Cisco WAAS appliance operating as an ANC requires a Cisco AppNav Controller Interface Module. A Cisco AppNav Controller Interface Module is similar to a standard Cisco WAVE appliance interface module, but contains additional hardware, including a network processor and high-speed Ternary Content Addressable Memory (TCAM), to provide intelligent and accelerated flow handling. The following AppNav Controller Interface Modules are supported:
-
1-GB copper 12-port AppNav Controller Interface Module
-
1-GB SFP 12-port AppNav Controller Interface Module
-
10-GB SFP+ 4-port AppNav Controller Interface Module
AppNav Controller Interface Module interfaces are configured differently to support either in-path or off-path models of deployment:
-
In-path: The ANC operates in inline interception mode with at least one inline bridge group configured on the AppNav Controller Interface Module. A bridge group consists of two or more physical or logical (port channel) interfaces.
-
Off-path: The ANC operates in WCCP interception mode with one physical or logical (standby or port channel) interface configured with an IP address.
Interfaces on the AppNav Controller Interface Module can have three functions:
-
Interception: Used to receive traffic intercepted from the network and egress traffic to the network. The interception interface is implied based on the AppNav Controller placement and does not require explicit configuration for this function.
-
Distribution: Used to distribute traffic to the WNs and receive egressed traffic from the WNs. The distribution interface is explicitly configured as the cluster interface for intracluster traffic and must be assigned an IP address.
-
Management: A management interface can be optionally and exclusively designated for management traffic and isolated from the normal data path. We recommend that you use one of the appliance’s built-in interfaces for management traffic and reserve the high-performance interfaces on the AppNav Controller Interface Module for interception and distribution.
For best performance, use separate interfaces for interception and distribution. However, you can use the same interface for both functions.
AppNav Controller Interface Modules support port channel and standby logical interfaces. A port channel allows you to increase the bandwidth of a link by combining multiple physical interfaces into a single logical interface. A standby interface allows you to designate a backup interface in case of a failure.
Interfaces on the AppNav Controller Interface Module support the following:
-
A maximum of seven port channels with up to eight physical interfaces combined into a single port channel group.
-
A maximum of five bridge groups configured over the physical or logical interfaces.
Interfaces on the AppNav Controller Interface Module do not support the following:
-
Fail-to-wire capability
-
Bridge Virtual Interfaces (BVIs)
AppNav Policy
The AppNav policy is a flow distribution policy that allows you to control how ANCs distribute traffic to the available WNs.
The AppNav policy consists of class maps that classify traffic according to one or more match conditions and a policy that contains rules that specify distribution actions to WNGs for each of the classes.
This section contains the following topics:
Class Maps
AppNav class maps classify traffic according to one or more of the following match conditions:
-
Peer device ID: Matches traffic from one peer Cisco WAAS device, which could be handling traffic from a single site or a group of sites.
You can use this kind of matching to classify all traffic from a peer device that serves one branch office.
-
3-tuple of source IP, or destination IP, or destination port (matches traffic from a specific application).
For example, you can use this kind of matching to classify all HTTP traffic that uses port 80.
-
A mix of one peer device ID and the source IP, or destination IP, or destination port (matches application-specific traffic from one site).
For example, you can use this kind of matching to classify all HTTP traffic that is from a peer device that serves the branch office.
The class-default class map (or APPNAV-class-default on AppNav-XE clusters) is a system-defined default class map that is defined to match any traffic. By default, it is placed in the last rule in each policy to handle traffic that is not matched by other classes.
Policies
An AppNav Controller matches incoming flows to class maps and the policy rules in a policy associate class maps with actions, such as distributing a flow to a particular WNG for optimization. The order in which rules are listed in the policy is important. Starting at the top of the policy, the first rule that matches a flow determines to which WNG it is distributed.
A policy rule can specify four kinds of actions to take on a flow:
-
Specify the primary WNG to which to distribute the flow (required).
-
Specify a backup WNG for distribution if the primary WNG is unavailable or overloaded (optional; not supported on AppNav-XE clusters).
Note |
Even though a new WNG or SNG can become operational without having an AppNav policy attached, in order to have your Cisco WAAS system work successfully, configure and attach an AppNav policy to each new WNG or SNG. |
The primary WNG receives all traffic until all WNs within the group become overloaded (reach 95 percent of the maximum number of connections) or are otherwise unavailable, and then traffic is distributed to the backup WNG. If a WN in the first WNG becomes available, traffic is again distributed there. If all WNs in both the WNGs become overloaded, traffic is passed through unoptimized.
-
Monitor the load on the application accelerator that corresponds to the application traffic matched by the class (optional).
If the monitored application accelerator on one WN in a WNG becomes overloaded (reaches 95 percent of its maximum number of connections), the WN is considered overloaded and traffic is directed to another WN in the group. If all WNs become overloaded, traffic is distributed to the backup WNG. This application accelerator monitoring feature is useful for ensuring optimization for critical applications and is recommended for the MAPI and SMB accelerators.
-
Specify a nested policy to apply to the flow (optional; not supported on AppNav-XE clusters).
For more information, see Nested Policies.
Within a WNG, flows are distributed among WNs using a hash. If a WN reaches its maximum capacity or becomes unavailable, it is not sent new flows. New flows are sent to other available WNs in the WNG so that they can be optimized successfully. If an unavailable WN later becomes available again, the same client/server pairs will hash to this WN as before.
Note |
If a WAAS Node that is doing MAPI or ICA application acceleration becomes overloaded, flows associated with existing MAPI and ICA sessions continue to be sent to the same WN due to the requirement that the same WN handles these types of flows. New MAPI and ICA flows, however, are distributed to other WNs. |
The AppNav policy is specific to each ANC, though typically, all the ANCs in a cluster have the same policy. Each ANC consults its AppNav policy to determine which WNG to use for a given flow. Different ANCs in a cluster can have different AppNav policies, which allows you to customize distribution in certain cases. For example, when a cluster contains ANCs and WNs that are in different locations, it may be more desirable for an ANC to distribute traffic to WNs that are closer to it.
Note |
On AppNav-XE clusters, the AppNav policy must be the same on all the ANCs in a context. |
Nested Policies
A policy rule can specify one nested policy, which allows traffic identified in a class to be subdivided and handled differently. Nested policies provide two advantages:
-
They allow another policy to be used as a common subclassification tool.
For example, you can define a policy that contains monitoring actions and apply it as a subpolicy to multiple classes in the primary policy.
-
They provide a method of including class maps with both match-any and match-all characteristics into a single subclass.
The nested policy feature is designed for use with site-based classes (matched by peer ID) at the first-level and application-based subclasses (matched by IP address/port) at the second level. Only the first level policy can contain classes that use match peer conditions.
Note |
AppNav-XE clusters do not support nested policies. |
Site and Application Affinity
This section contains the following topics:
About Site and Application Affinity
You can provision a WNG to serve specific peer locations (site affinity) or applications (application affinity) or a combination of the two. Using a WNG for site or application affinity provides the following advantages:
-
Provisioning: Localize a class of traffic to achieve control over provisioning and performance monitoring. For example, a business-critical application such as Sharepoint or a business-critical site can be given assured capacity and monitored closely for performance.
-
Enhanced application performance: Better compression performance is achieved by limiting data that belongs to a site, to one or a few WNs, which results in better utilization of the Data Redundancy Elimination (DRE) cache.
The following figure shows how sites and applications can be associated with node groups. In this figure, the following WNGs are defined:
-
WNG-1: Consists of two WNs that process flows coming only from Site A and Site B.
-
WNG-2: Consists of two WNs that process HTTP and SSL flows from any site. Whether HTTP and SSL flows from Site A and Site B should be processed by WNG-2 or WNG-1 is determined by the order of rules in the policy.
-
WNG-3: Consists of two WNs that process MAPI flows coming from any site. Whether MAPI flows from Site A and Site B should be processed by WNG-3 or WNG-1 is determined by the order of rules in the policy.
-
WNG-4: Consists of three WNs. The class-default class is applied to this WNG so that it all the flows that do not match any other class map are sent to it.
Site Affinity Operating Guidelines
Consider the following site affinity operating guidelines:
-
Site affinity provides you with the ability to always send all the traffic from one site to a specific WNG, which allows you to reserve optimization capacity for critical sites and to improve compression performance through better utilization of the DRE cache.
-
Traffic from any location, not just a single site, can be matched in a class map and associated with a WNG.
-
You can implement site affinity by configuring a class map that matches the device ID of the WAE in the site. If a site has more than one WAE in a WCCP farm or a serial inline cluster, specify multiple device IDs in the class map. Next, associate the class map with a distribution action to a WNG in a policy rule. You can also identify sites using source IP addresses or subnets in the class map, if you know what IP addresses are used in the site and keep the policy configuration consistent with site IP addresses. However, we recommend that you use peer device IDs when configuring site affinity.
-
A peer ID-based class map works only for matching flows that carry the Cisco WAAS autodiscovery TCP options. If you configure a class to match a site peer ID at the data center, the same class does not match flows that originate in the other direction, such as those flows that originate from the data center and go back to the same site. Such flows are usually small in number compared to the site-to-data center flows.
-
If you want flows in both directions to go to the same WNG, you must configure two class maps: one to match in the site-to-data center direction, typically using the site device ID; and another to match the data center-to-site direction, using destination IP subnets belonging to the site. Both class maps can be configured to distribute traffic to the same WNG. A mesh network is a specific use case where flows can originate in either direction.
-
If the site WAE is in overload or does not mark the SYN packet with autodiscovery options for any other reason, the ANC cannot match it to the peer match class map.
-
Application Affinity Operating Guidelines
Consider the following application affinity operating guidelines:
-
Application affinity gives you the ability to always send certain application traffic to a specific WNG, which allows you to reserve optimization capacity for different applications depending on business priorities.
-
In the context of AppNav flow distribution, an application is defined using a three-tuple of source IP, destination IP, and destination TCP port. The actual type of traffic does not matter for flow distribution. For example, you can use separate WNGs for HTTP traffic that is addressed to different destination ports or different server IP addresses. Destination IP and ports are most useful in using application affinity, but having the source IP also helps you to define the traffic of interest.
-
A small number of protocols, such as FTP, use dynamic destination ports. An FTP server in active mode originates a data connection back to the FTP client using a dynamic destination port. This port is exchanged over the control channel from client to server using the well-defined destination port 21. Consider trying to define a class map for FTP. Because the destination port is not known in advance, you cannot map both control and data connections to the same class.
In this case, we recommend that you use the client IP addresses or subnets to match the destination IP addresses for the data connections. You must configure two class maps: one for the control channel, using destination port 21, and another for the data channel, using destination IP addresses. You can configure policy rules so that both class maps distribute traffic to the same WNG.
-
You can further classify traffic from a site into applications by combining the peer matches with three-tuple matches in a match-all class map, called a Custom class map type, in the Cisco WAAS Central Manager.
Default Policy Behavior
The following default class maps are provided:
-
Citrix: Matches traffic for destination port 1494 and 2598
-
epmap: Matches traffic for destination port 135
-
HTTP: Matches traffic for destination ports 80, 3128, 8000, 8080, and 8088
-
HTTPS: Matches traffic for destination port 443
-
MAPI: Matches traffic for the MS RPC MAPI application (dynamic port assignment)
-
RTSP: Matches traffic for destination ports 554 and 8554
-
class-default or APPNAV-class-default: Matches any TCP traffic. This class map cannot be edited or deleted.
If you use the Cisco WAAS Central Manager AppNav Cluster wizard to create an AppNav Cluster, the wizard creates a default policy. This policy is assigned by default to all the ANCs in a cluster and contains only the class-default policy rule (APPNAV-class-default on AppNav-XE clusters) that has the following characteristics:
-
Matches class-default (any TCP) traffic (APPNAV-class-default on AppNav-XE clusters).
-
Distributes class-default traffic to the default WNG, which includes all the WNs created by the wizard, with no backup WNG specified.
-
Contains the waas_app_default nested policy, which provides application monitoring for each of the default class maps. (Not used on AppNav-XE clusters, which do not support nested policies.)
When you use the Cisco WAAS Central Manager to define a policy rule for any class that uses peer matching or source or destination IP address matching (but not port matching), it automatically adds the waas_app_default policy as a nested policy. The waas_app_default policy is created by the system and monitors all application accelerators, so you do not need to manually add application accelerator monitoring to your policy rules.
If you do not use the Cisco WAAS Central Manager AppNav Cluster Wizard to create a cluster, there is no default flow distribution. Therefore, if an incoming flow does not match any class in the AppNav policy, it is not distributed to any WNG; instead, it is passed through.
If a WNG is defined, but is not used in any policy rule, it does not receive any flows. If a policy is defined, but not applied to an ANC, it does not take effect.
The default action for a policy rule is none, which is context dependent: in a top-level policy, it means pass-through, and if the policy is nested, it means inherit-the-parent-policy-rule action.