
Cisco ISR Project – vWAAS deployment (14 of ?)

(I just noticed that I forgot to publish this, so anyone reading my posts on IWAN deployment… Sorry this one’s a few years late…)

To get the WAAS deployment done there are a few prerequisites:

  • Virtual Central Manager (vCM) deployed (at HQ)
  • vWAAS appliance deployed (at HQ)
  • vWAAS appliance deployed (at branch)
  • WAN connectivity between branch and HQ

A couple of things to be aware of right off the bat:

  • Default username is: admin
  • Default password is: default
  • Telnet is enabled by default, and SSH is disabled.
    • To enable SSH, run these commands from a config prompt (make sure hostname and domain are set before running):
      • ssh-key-generate
      • sshd enable
    • Telnet can be disabled, however, it seems the management software 
  • When logging into the web interface, if there is a prompt to select an SSL certificate, click Cancel.  That should bring up the login page.

After the OVA has been deployed you should be able to log into the appliance, and it should automatically start the device configuration.  If not, simply enter the ‘setup’ command.

The setup between the vCM and vWAAS is pretty similar, so I’m just going to go over the vWAAS as there are more of those.  However, the vCM does need to be configured before the vWAAS, as the vWAAS needs to connect to the vCM.

WAAS setup

The setup is text-based, and pretty straightforward.  One thing to be aware of is that if the CMS service fails to start (I set vWAAS up without setting the correct vNIC settings) you can run the command ‘cms enable’ from a config prompt.  That should force the vCM to start, or force a vWAAS appliance to register with the vCM.

After completing the setup a window will pop up with a list of commands to configure WCCP on the router.

WCCP template

To make things easier, here’s a text version of the commands:

ip wccp version 2

ip wccp 61 (optional:waas-wccp-redirect-list) 

ip wccp vrf IWAN-PRIMARY/SECONDARY 62 (optional:waas-wccp-redirect-list)  

interface (Router LAN interface(s)) 

     ip wccp 61 redirect in 

interface (Router WAN interface(s)) 

     ip wccp vrf IWAN-PRIMARY/SECONDARY 62 redirect in

interface (Router NM-WAE interface) 

     ip wccp redirect exclude in


ip access-list extended waas-wccp-redirect-list






One thing that isn’t covered in this default config is that the ISR uses VRFs for the WAN interface(s).  For the WAN interface, enter the correct VRF and then the commands should work.




Unable to add Cisco ISR to WAAS Central Manager

If you are trying to add an ISR to the WAAS CM and the process fails with no error (and it detects as WAAS Express) then I may have found the solution.  Use the CLI.  I know, seems obvious in hindsight, the CLI working where the GUI fails.  The issue for me was actually finding the process for the CLI in the documentation.

Well, here’s the link to the documentation:

The short version is you need to do the following:

  1. Create a user with privilege level 15 
    1. For a local account – from config#: username user privilege 15 password 0 password
  2. Export WAAS vCM cert
    1. From exec: show crypto certificate-detail admin
    2. Copy the cert (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
  3. Import the certificate into the router
    1. From config#:
      1. crypto pki trustpoint wcm
      2. enroll terminal pem
      3. exit
      4. crypto pki authenticate wcm
      5. Paste the certificate, and then enter a blank line to complete
      6. accept the certificate
  4. Create a router certificate
    1. From config#:
      1. crypto pki trustpoint local
      2. enrollment selfsigned
      3. subject-alt-name RouterFQDN
      4. exit
      5. crypto pki enroll local
        1. Answer the questions as prompted
        2. Serial number: Yes
        3. IP address: Yes
        4. Enter IP: IP_address
        5. Generate certificate: Yes
  5. Enable the web server and set authentication
    1. From config#:
      1. ip http secure-server
      2. ip http authentication local
  6. Enable SSH V2
    1. From config#: ip ssh version 2
  7. Register with vCM
    1. From exec: appnav cm-register https://vCMIP:8443/wcm/register

Unfortunately, there’s no output to the command, so you have to go to the Central Manager to see if it worked.  If it didn’t, here are a few things to look at:

  1. Make sure the two devices can ping each other
  2. Verify that NTP is configured on both devices
  3. Verify that the AppX license is installed and activated on the router
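
An added example, not from the original post: a small Python pre-check that reads saved `show running-config` text and reports which router-side steps above are missing before `appnav cm-register` is run, since that command gives no output. The regexes are assumptions about how IOS renders these commands, the sample config is constructed, and the two warnings (cleartext or type 7 passwords, plain HTTP server left on) go beyond the steps in the post.

```python
import re

# Router-side steps from the post, as regexes over `show running-config` text.
# Assumption: these patterns match how your IOS release renders the commands.
REQUIRED = {
    "priv15_user": r"^username \S+ privilege 15 ",
    "trustpoint_wcm": r"^crypto pki trustpoint wcm$",
    # 'enrollment selfsigned' must sit inside the 'local' trustpoint block
    "selfsigned_local": r"^crypto pki trustpoint local\n(?:[ \t].*\n)*?[ \t]+enrollment selfsigned$",
    "https_server": r"^ip http secure-server$",
    "http_auth_local": r"^ip http authentication local$",
    "ssh_v2": r"^ip ssh version 2$",
    "ntp": r"^ntp (?:server|peer) \S+",
}

# Hardening warnings that go beyond the post's steps (added here).
WEAK = {
    "cleartext_or_type7_password": r"^username \S+ .*\bpassword [07] ",
    "plain_http_server_enabled": r"^ip http server$",
}

def audit(config: str) -> dict:
    """Return the missing prerequisites and the weak settings found."""
    # Strip trailing spaces and CRs so the end-of-line anchors work on captures.
    config = "\n".join(line.rstrip() for line in config.splitlines()) + "\n"
    found = lambda pat: re.search(pat, config, re.MULTILINE) is not None
    return {
        "missing": [name for name, pat in REQUIRED.items() if not found(pat)],
        "warnings": [name for name, pat in WEAK.items() if found(pat)],
    }

# Constructed sample config (not from a real device).
SAMPLE = """\
hostname branch-isr
username waasadmin privilege 15 password 0 Example-Only
crypto pki trustpoint wcm
 enrollment terminal pem
crypto pki trustpoint local
 enrollment selfsigned
 subject-alt-name branch-isr.example.com
ip http server
ip http secure-server
ip http authentication local
ip ssh version 2
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    print("missing :", result["missing"])
    print("warnings:", result["warnings"])
```

An empty `missing` list only means the configuration lines are present; reachability and the AppX license still have to be checked on the device.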

Cisco ISR Project – Deploying the OVAs (3 of ?)

The next stage of the process is relatively straightforward: the deployment of the OVAs for the virtual appliances.

First and foremost are the resource requirements.  Each OVA will be unpacked into a VM in the environment, so we need to make sure there are sufficient resources.

| Name | vCPU | GB vRAM | GB Disk (thin) | GB Disk (thick) | Notes |
|---|---|---|---|---|---|
| vCM 100 | 2 | 2 | 1.6 | 254 | |
| vWAAS 2500 | 4 | 8 | 1.5 | 754 | |
| vNAM | 2 | 4 | | 100 | Thin not available |
| LiveAction | 4 | 16 | | 230 | Thin not available |
| Prime Infrastructure – Express | 4 | 12 | | 300 | Thin TBD |
| Prime Infrastructure – Express-Plus | 8 | 16 | | 600 | Thin TBD |
| Prime Infrastructure – Standard | 16 | 16 | | 900 | Thin TBD |
| Prime Infrastructure – Professional | 16 | 24 | | 1200 | Thin TBD |
| CSR 1000V – Small | 1 | 4 | 0.6 | 8.3 | |
| CSR 1000V – Medium | 2 | 4 | 0.6 | 8.3 | |
| CSR 1000V – Large | 4 | 4 | 0.6 | 8.3 | |
| CSR 1000V – Large w/ DRAM upgrade | 4 | 8 | 0.6 | 8.3 | Requires DRAM SKU |


For Cisco Prime, the Scaling information can be found in the Quickstart guide here:

For the OVA deployment it should be pretty self-explanatory.  From the vSphere client click File – Deploy OVF Template.

From the VMware vSphere Web Client select your cluster, then on the top bar click the Actions drop down and select Deploy OVF Template.

Now it’s just a matter of following the prompts based on the environment.  Find the OVA file, name the VM, set the appropriate host, network, and datastore, and the rest of the things the wizard asks for.

The CSR will prompt for a bunch of information for the setup.

CSR OVA properties

The PNSC and Intercloud settings can be left blank.  The rest depends on your environment.  I would recommend enabling SSH, so you will need to have a domain name configured for the key generation.

Cisco ISR project – Licensing (2 of ?)

After the hardware has been purchased comes what might be the most difficult part of the project – sorting out Cisco licenses.

Hopefully you’re well aware of the Cisco licensing and support process.  I’ll try and make this clear as mud…

First and foremost, you need a Cisco account.  If you don’t have one you can go here:   Your account will need to be associated with the business you work for, so this can get more complicated.  If you get stuck, contact your reseller.

For reasons beyond me, Cisco likes to send out the cardboard mailers with the PAK licenses (and EULA, and paper license, and sometimes T&Cs on a CD…).  Sort through the material you receive and find everything that lists a PAK.  Also, be careful to actually look at each piece of paper, as sometimes there are specific instructions for product access.

To register a PAK you need to go to:

Again, you’ll need to log in with a Cisco account.  When you are logged in you will be able to register the PAK.

You should be able to follow the instructions to register the PAK.  I would suggest waiting on actually generating licenses until you are ready to use the specific product.  Some require the SN or UDI of the device the license is applied to.  It’s easier to just do that when you are ready.  So, now the PAKs should be done.

But wait, there’s more!  You still need to register your support contract.

Log into your Cisco account, and at the top of the screen click “Account” then “Customer Profile Manager”  (Note: the link at the bottom for Cisco Service Contract Center is very helpful.  It will show all the contracts and details that are linked to your account)

Under your account you can add access to your Cisco contract.  Click the “Access” tab at the top and this will list your contracts and allow you to add more by clicking the “Add Access” button.

Typically, I just use the Full Support option, as that allows me to download software and open TAC cases for the products.

The next page can be difficult.  I use a Cisco reseller, so the Bill-to ID on my orders is for my reseller.  Usually, I just open a chat session and provide the agent with my Cisco SO# (it can be found on the packing slip, in the eDelivery e-mail, or it will be listed in the licensing page when you activate a PAK).  The agent then can find the specific contract number(s) to add.

After the contracts are added you should be able to download firmware for the hardware.

Here are the links for what I downloaded:

CSR 1000V

ISR 4331

ISR 4351


Prime vNAM


It seems that the vCM OVA isn’t downloadable, but media for that should be sent with the PAK.  The vCM can be upgraded by using the “Universal Binary Image”, which can be downloaded from the WAAS software location.


VMware vSphere

Cisco USB console driver (not needed, but it’s nice to have the USB console driver)

Cisco ISR project – IWAN, WAAS, UCS-E, Prime, and more (1 of ?)

This is the start of a series of posts about my adventures in getting a Cisco IWAN project deployed.

To start with, the new gear order was as follows:

  • HQ
    • Two Cisco ISR 4331 routers (Cisco ONE for WAN license)
      • One to terminate MPLS and one for Internet
    • Two CSR 1000V routers in an HA pair
    • Cisco WAAS virtual central manager (vCM)
    • Cisco WAAS virtual application engine (AE)
    • Cisco Prime VM
    • Cisco virtual network analysis module (vNAM)
    • LiveAction Pro
  • Site 1 (MPLS only)
    • Cisco ISR 4351 (Cisco ONE for WAN license)
    • UCS E-160D-M2 server
      • 64GB RAM
      • 3x 900GB drives in RAID 5
  • Site 2 (Dual connected)
    • Two Cisco ISR 4351 (Cisco ONE for WAN license)
    • Two UCS E-160D-M2 servers
      • 64GB RAM
      • 3x 900GB drives in RAID 5
  • Site 3 (VPN Only)
    • Cisco ISR 4351 (Cisco ONE for WAN license)
    • UCS E-160D-M2 server
      • 64GB RAM
      • 3x 900GB drives in RAID 5

For the remote sites, this will completely replace any routers, firewalls, servers, and/or WAN accelerators deployed.  From the HQ side this will augment the existing environment, as the current hardware still needs to support sites that aren’t migrating to the ISR solution yet.

IWAN topology

There were a few iterations of the design process.  I would recommend working with your Cisco partner to figure out what the best design would be for your environment.