Apply WCCP redirect to logical or physical interface?

If there is a logical subinterface configured under its physical interface (for example serial0/0/0.100 for routing), I should apply WCCP redirect (ip wccp 62 redirect in) to the logical interface, not the physical interface. Is that correct?
Thanks

Yes. You apply WCCP redirect to the subinterface if you are using subinterfaces.
Regards.
PS: Please mark this Answered, if it answers your question.

Similar Messages

  • WCCP on ASA & traffic between physical interfaces on ASA

    Hello,
    I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
    Eth 0/0 : Outside (to internet)
    Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
    Eth 0/1.211 : Vlan211 (20.21.10.0/24)
    Eth 0/1.212 : Vlan212 (20.21.20.0/24)
    Eth 0/1.220 : Vlan220 (20.22.0.0/16)
    Eth 0/2 : WAAS (20.21.30.0/24)
    I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
    I get this error message:
    3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
    How can I fix this?
    My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
    wccp 61 redirect-list WCCP_To_LAN
    wccp 62 redirect-list WCCP_To_WAN
    wccp interface outside 62 redirect in
    wccp interface LAN 61 redirect in
    access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
    access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
    I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
    Thanks
    Ankit

    Come on guys
    Am I doing something wrong here?
    No one replies to my posts. I had the same experience with the previous one.
    Is this not the right forum for this query???
    Ankit

  • ASR1002 throughput degradation when wccp redirect-list is changed

    We have two ASR 1002's going to 2 different WAN service providers, and two 7371 WAE load balanced by mask assignment. When we change the ACL (adding or removing lines) from our wccp redirect-list, the throughput on interfaces applied to the wccp service-groups is degraded to almost no traffic passing, until we completely remove wccp service group from the global configuration and then reapply. Then traffic throughput on the interface goes back to normal.
    Our ACL defined in the redirect list specifies our specific networks on our WAN that have WAE's and need the redirection. All other networks are denied implicitly. We need to regularly change this ACL, and this service interruption is a major issue. This was not an issue before moving to the ASR platform from 7206's.
    At TAC's request we have upgraded our IOS version to 15.1(3)S4 and that did not make any difference. Does anyone know why this occurs and if there is a way to work around this other than removing wccp configuration and adding back, every time the ACL needs to be modified?
    As a side note to this... We have recently added riverbed appliances, and created separate service groups with separate redirect-lists. The exact same behavior occurs on the ASR 1002 when the ACL for the riverbed's redirect list is altered.

    Thank you very much for sharing that information. It is great to hear verification that the mask assignment change did resolve your problem. That is the latest resolution that TAC has recommended, but we have to restart the WCCP service on all redundant edge routers to be able to implement this, so planning the outage window is taking some time. We've been told by our Cisco SE that TAC will set this up in a lab and test for us. We're hoping to get verification that this actually resolves the problem before we take the outage.
    If you could, can you tell me if this resolved the issue 100% or do you still have any performance issues when making a change to your WCCP ACL going to your BlueCoat equipment? We may also need to implement this in our redirects to BlueCoat from our Nexus. Do you happen to have a link to how to make this change in BlueCoat? Thanks again!

  • Does wccp redirect break routing protocol?

    This may be a dumb question to ask; sorry, I don't have equipment to test it at this moment.
    If wccp redirect is configured on an interface running routing protocol (such as eigrp or ospf), will this redirect the "unicast" ospf database or eigrp topology update to WAAS?  and/or will this also redirect ospf & eigrp "multicast" update which maintains neighbor relationship to WAAS?
    Should this type of traffic be denied on wccp redirect-list?
    Thanks

    Hi Joe,
    Since WAAS normally uses TCP promiscuous mode services, based on service group number 61 and 62 - you'll only get TCP redirected ... and neither OSPF nor EIGRP runs on top of TCP, so don't worry.
    If you run a TCP based routing protocol like BGP, it will get redirected.
    Later versions of WAAS don't, by default, try to optimize on BGP, as it has given some problems in the past due to sequence number manipulation.
    Best Regards
    Finn Poulsen

  • Crypto Map on Loopback interface or Physical Interface

    Dear All,
    When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it shows the error below. But I could apply the same on a VLAN interface. Can anyone explain to me what the issue is?
    6506(config)#interface loopback 3
    6506(config-if)#crypto map XXXX
    ERROR: Crypto Map configuration is not supported on the given interface
    Any hardware limitation?

    This was proven to break CEF in the past and is a bad design choice by default.
    Newer releases do not allow you to configure this.
    If you're curious if it will work for you check releases prior to 15.x.
    M.

  • Policy-map on tunnel or physical interface?

    Hi all,
    I have a 3800 headend router which has a number of ipsec tunnels to remote office sites. Our current QoS design applies a policy-map to each tunnel interface to prioritise and shape outbound traffic.
    My question is how does the physical egress interface queue and transmit traffic from tunnel interfaces with this design? For example, if a mixture of large data packets and voice packets from different tunnel interfaces hit the physical interface around the same time what will happen to the voice packets?
    Furthermore, would it be a better to apply the policy-map to the physical interface instead of the tunnel interfaces? What advantages if any would this bring?
    Many thanks.

    If you're shaping each tunnel to the outbound physical bandwidth, yes it would be better to just have the policy, without any shaping, on the physical interface. Again, you will either need to depend on a copied ToS value in the outbound packet or use qos pre-classify. (A single physical policy would be much like your QUEUE_DATA if using qos pre-classify.)
    e.g.
    !assumes qos-preclassify
    interface Ethernet0
    service-policy output QUEUE_DATA
    What I thought you might be doing, and you could also do, was shape each tunnel to the far side's ingress bandwidth. This would require a distinct policy, if the shaper values change, for every tunnel interface, or a policy on the physical interface that has a class per tunnel (matches against tunnel destination address).
    e.g.
    !assume local outbound interface not oversubscribed
    policy-map NESTED_QOS_512K
    class class-default
    shape average 512000
    service-policy QUEUE_DATA
    policy-map NESTED_QOS_768K
    class class-default
    shape average 768000
    service-policy QUEUE_DATA
    policy-map NESTED_QOS_1500K
    class class-default
    shape average 1500000
    service-policy QUEUE_DATA
    interface Tunnel1
    service-policy output NESTED_QOS_768K
    interface Tunnel2
    service-policy output NESTED_QOS_512K
    interface Tunnel3
    service-policy output NESTED_QOS_1500K
    interface Tunnel4
    service-policy output NESTED_QOS_512K
    e.g.
    !assume local outbound interface not oversubscribed
    class-map match-all Tunnel1
    match access-group (ACL that matches tunnel1 destination address)
    class-map match-all Tunnel2
    match access-group (ACL that matches tunnel2 destination address)
    policy-map outbound_tunnels
    class Tunnel1
    shape average 768000
    service-policy QUEUE_DATA
    class Tunnel2
    shape average 512000
    service-policy QUEUE_DATA
    interface Ethernet0
    service-policy output outbound_tunnels
    If all the far side bandwidths exceed your local outbound physical bandwidth, then you should have both tunnel policies, that shape each tunnel, and a physical interface policy.
    e.g.
    !assume local outbound interface is oversubscribed
    policy-map NESTED_QOS_512K
    class class-default
    shape average 512000
    service-policy QUEUE_DATA
    policy-map NESTED_QOS_768K
    class class-default
    shape average 768000
    service-policy QUEUE_DATA
    policy-map NESTED_QOS_1500K
    class class-default
    shape average 1500000
    service-policy QUEUE_DATA
    interface Tunnel1
    service-policy output NESTED_QOS_768K
    interface Tunnel2
    service-policy output NESTED_QOS_512K
    interface Tunnel3
    service-policy output NESTED_QOS_1500K
    interface Tunnel4
    service-policy output NESTED_QOS_512K
    !assumes qos-preclassify
    interface Ethernet0
    service-policy output QUEUE_DATA

  • Ip wccp redirection direction at ethernet and serial interface.

    hi all.
    Commonly, we use 'ip wccp 62 redirect in' on the serial interface to grab packets for sending to Cisco WAAS.
    But some documents mention 'ip wccp 62 redirect out' on the Ethernet interface facing the data center side.
    I guess they have the same meaning. I think that it's better to apply 'ip wccp 62 redirect in' on the serial interface due to router performance. Right?
    Can you clarify for me?
    Thank you.

    You are correct: redirect in is less CPU intensive as compared to redirect out.
    WCCP redirection can be configured to occur as packets enter a router or switch interface (inbound, or ingress, redirection) or as they are beginning to leave a router or switch interface (outbound, or egress, redirection).
        * Inbound redirection - the WCCP process inspects traffic to find packets that should be optimized before the packets enter the router or switch forwarding/routing selection process.  Inbound redirection is less CPU intensive than outbound redirection (when using process or other SW based switching).
        * Outbound redirection - the WCCP process inspects traffic to find packets that should be optimized as the packets are ready to leave a router or switch interface, after the packet has gone through the router or switch forwarding/routing selecting process.  Outbound redirection is more CPU intensive than inbound redirection.
    Thanks
    -Smita

  • How is a GRE tunnel applied to a physical interface?

    Within a tunnel's configuration we use the commands, source and destination for the tunnel but how does the physical interface know to use the tunnel? Do the tunnel's source settings override the physical interface? If we only configure a tunnel with the correct source would that interface then send all information out encapsulated in GRE?
    If we also configure IPSec on the interface and specify a crypto map to only encrypt the matching traffic, would this matching traffic only use the GRE tunnel, or is all information, regardless of whether it's encrypted in IPSec, also encapsulated in GRE?
    Also, I read here: https://supportforums.cisco.com/docs/DOC-3067
    "Bind crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface."
    Why was it necessary to apply the crypto map to both the physical and tunnel interfaces, and why is it not necessary with newer IOS versions?
    Thanks for any help!  -mark

    Mark Mattix wrote:
    I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet?
    Olivier Pelerin> This is correct
    When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
    Olivier Pelerin> See the diagram below - this explain GRE over IPSEC. That's a diagram I did here for a training
    On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
    Olivier Pelerin> the diagram below should answer that
    I've been wrong in thinking that GRE and IPSec go hand in hand when in fact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, it looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
    Olivier Pelerin> Correct. GRE first then encryption
    Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
    [red = encrypted]

  • WCCP v2 - "ip wccp redirect out" command

    I'd like to validate the following:
    1.- I have this equipment:
    Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE, RELEASE SOFTWARE (fc2)
    * Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
    I'd like to know if there's a version that support the command.
    2.- If there's no version that supports the command in the equipment. Then, which is the "smallest" switch model that can support the command.
    Thanks a lot for your support.

    Ali,
    The issue is that not all of your traffic is being redirected in hardware. When you configure outbound interception on the 6500/Sup720, the first packet for every flow is punted to the MSFC and switched in software. Subsequent packets for that flow are redirected in hardware using NetFlow forwarding. So the impact on your MSFC CPU utilization is tied to the number of connections per second (cps) being redirected, as well as some overhead for managing the NetFlow forwarding table.
    In addition, the command 'ip wccp redirect exclude in' is not completely understood by the 6500 hardware. So again, the first packet for every flow entering the interface with this configured must be punted to the MSFC and switched in software.
    And finally, the use of mask assignment (as opposed to hash assignment) is needed to ensure that all interception is handled in hardware.
    Taking these three points together, the following configuration is required if you want WCCP interception to be handled completely in hardware on the 6500/Sup720:
    - GRE or L2 forwarding
    - Mask assignment
    - Inbound redirection
    - No 'ip wccp redirect exclude in'
    This will require you to reverse the logic of how your service groups are applied:
    - 'ip wccp web-cache redirect in' on client-facing interfaces
    - 'ip wccp 95 redirect in' on internet-facing interfaces
    If you have any questions, please let us know.
    Zach
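
The interface-level points made in the answers on this page (redirect on the subinterface rather than its parent, inbound rather than outbound redirection, no 'ip wccp redirect exclude in'), as an added example that is not part of any post: a Python audit of a running-config. The function names and the sample config are assumptions made for illustration; mask assignment and the forwarding method are not checked because they do not appear in these interface lines.

```python
import re

# Constructed sample in "show running-config" style (no space in interface
# names). The .999 stanza mirrors a subinterface posted elsewhere on this
# page; every other stanza is made up for the example.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 no ip address
 ip wccp 62 redirect in
!
interface FastEthernet0/0.999
 encapsulation dot1Q 999 native
 ip wccp 61 redirect in
 ip wccp 62 redirect out
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip wccp redirect exclude in
!
interface Serial0/0/0.100
 ip wccp 62 redirect in
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
REDIRECT_RE = re.compile(r"^ip wccp (\S+) redirect (in|out)$", re.IGNORECASE)
EXCLUDE_RE = re.compile(r"^ip wccp redirect exclude in$", re.IGNORECASE)


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines]} for each stanza."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif raw.startswith((" ", "\t")) and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas


def audit_wccp(config_text):
    """Return a sorted list of (interface, finding) tuples."""
    stanzas = parse_interfaces(config_text)
    # Physical interfaces that have at least one subinterface configured.
    parents = {name.split(".")[0] for name in stanzas if "." in name}
    findings = []
    for name, lines in stanzas.items():
        for line in lines:
            m = REDIRECT_RE.match(line)
            if m:
                service, direction = m.group(1), m.group(2).lower()
                if direction == "out":
                    findings.append((name, f"service {service}: outbound redirection"))
                if name in parents:
                    findings.append(
                        (name, f"service {service}: redirect on parent of subinterfaces"))
            elif EXCLUDE_RE.match(line):
                findings.append((name, "redirect exclude in configured"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit_wccp(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```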

  • C3750 & WCCP redirection

    Hi all,
    I am trying to setup a web cache using a WAE-612 and a C3750 switch. The switch is configured with three interfaces:
    CLIENTS ----- VLAN 1 ----- SWITCH ----- GI1/0/1 routed ---- SERVER(s)
            WAE-ENGINE ---- VLAN2--|
    I have configured inbound redirection on vlan 1 and inbound redirection on gi1/0/1
    ip wccp web-cache redirect in
    I am using L2 redirect & L2 return & my state is "enabled":
    Switch#show ip wccp web-cache detail
    WCCP Client information:
            WCCP Client ID:          10.101.2.202
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    0
            Connect Time:          02:24:08
            Assignment:            MASK
    First, the "packets redirected" counter doesn't increment. Is this normal (maybe due to hardware redirection)?
    Second, I am seeing HTTP GET requests from my clients going to my WAE-engine and I am also seeing the WAE-engine sending them back to the switch (changed MAC address, L2 redirection).
    Third, my cache savings are 0%.
    Fourth, I don't see any traffic returning into the WAE-engine. How can the WAE cache traffic if it never sees the server return traffic?
    Fifth, I have "spoof client ip" enabled on the WAE (need this for security reasons, web server verifies source IP address).
    Now I am thinking it is logical that my cache savings are 0%. The web-cache service group redirects port 80 packets and the switch supports only the "inbound" direction. This means that the switch never redirects the ANSWER of the server, so how on earth can it ever "cache" the response?
    Am I correct or am I wrong? How to solve it?
    Should I use different WCCP service groups on the interfaces (for example: one based on source IP redirection, the other on destination IP redirection)?
    PS. I am running 12.2(44)SE6 on the switch and 5.5.9.B9 on the WAE
    regards,
    Geert

    Hi Geert,
    With L2 redirection the 'packets redirected' counter won't increment since it's hardware redirection. You might want to check the WAE counter 'Transparent non-GRE packets received:' by running 'show wccp gre'.
    With WCCP IP spoofing enabled, requests will be sent to the web server with the client's IP address. So yes, you will need to configure WCCP to catch return traffic coming from the web server to be redirected to the WAE.
    To redirect return traffic you will need to configure a WCCP dynamic service group.
    By default the web-cache service will mask on the destination address. Since we need to make sure return traffic is sent to the same WAE as forwarding traffic, we need to mask return traffic on the source IP address.
    This will configure service group 95 and it will mask on source IP, which will be the web server's IP address:
    wccp service-number 95 mask src-ip-mask 0x1741 dst-ip-mask 0x0 
    wccp service-number 95 router-list-num 1 port-list-num 1 application cache l2-redirect mask-assign l2-return
    wccp version 2
    wccp spoof-client-ip enable
    You will then need to enable 'ip wccp 95 redirect in' on the WAN interface.
    Hope this helps,
    Best Regards,
    Rahul
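
Why the return service has to mask on the source address, as an added example that is not part of the post above: a simplified Python model of mask assignment using the 0x1741 mask from the quoted WAE configuration. The WAE names, the round-robin bucket table and the client and server addresses are hypothetical; a real bucket-to-WAE table is built by the WAEs themselves.

```python
import ipaddress

WCCP_MASK = 0x1741  # mask value from the WAE configuration quoted above


def mask_bits(mask):
    """Bit positions set in the mask, lowest first."""
    return [i for i in range(32) if (mask >> i) & 1]


def bucket_index(ip, mask):
    """Compress the address bits selected by the mask into a bucket number."""
    value = int(ipaddress.IPv4Address(ip))
    index = 0
    for pos, bit in enumerate(mask_bits(mask)):
        index |= ((value >> bit) & 1) << pos
    return index


def assign_buckets(mask, waes):
    """Hypothetical even split of all buckets across the WAEs (round robin)."""
    count = 1 << len(mask_bits(mask))
    return {b: waes[b % len(waes)] for b in range(count)}


def flow_path(client, server, return_key, mask, table):
    """Return (WAE for the request, WAE for the reply).

    Request: web-cache service, masked on the destination (the server).
    Reply:   dynamic service, masked on return_key, "src" or "dst".
             The reply packet has src=server and dst=client.
    """
    forward = table[bucket_index(server, mask)]
    reply_ip = server if return_key == "src" else client
    return forward, table[bucket_index(reply_ip, mask)]


# Constructed sample values for the demonstration.
WAES = ["WAE-A", "WAE-B"]
CLIENT, SERVER = "10.101.1.51", "192.0.2.80"
TABLE = assign_buckets(WCCP_MASK, WAES)

if __name__ == "__main__":
    print("buckets:", len(TABLE))
    print("return masked on src:", flow_path(CLIENT, SERVER, "src", WCCP_MASK, TABLE))
    print("return masked on dst:", flow_path(CLIENT, SERVER, "dst", WCCP_MASK, TABLE))
```

With the return service masked on the source, both directions key on the server address and reach the same WAE; masked on the destination, the reply keys on the client address and can land on a different WAE.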

  • WAAS - WCCP redirect inbound

    Hello Everyone,
    I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
    Any ideas ?
    interface FastEthernet0/0.999
    description ****Dublin User Vlan****
    encapsulation dot1Q 999 native
    ip address x.x.x.x 255.255.255.192
    ip helper-address 134.65.181.11
    no ip redirects
    no ip proxy-arp
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    ip flow ingress
    no ip mroute-cache
    service-policy input DBN_LAN

    You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416

  • WCCP Redirection not happening on 3750

    I have a problem with WCCP redirection on a 3750 switch. hardware and IOS versions are listed as supporting WCCPv2. WAE configured at a core site and at the remote site. "ip wccp 62 redirect in" configured on the interfaces at each end connected to the WAN link. A WAE is directly connected to the WCCP switch at each end. Traffic is successfully being optimised when ssh to the remote site WAE itself (can see in sh tfo conn summ) but traffic coming from remote site clients does not appear to be getting redirected at the remote site. "ip wccp 61 redirect in" configured on vlan int didn't work and also have tried setting up the int as L3 and configured the same on physical int but still not redirecting. Looks like the traffic from the client IS being redirected at core site though, since we are seeing the traffic in "show tfo conn summ" on the core WAE but it is listed under pass through. Also getting PT no peer for this traffic. Nothing showing up from clients on the remote site WAE unfortunately.
    If anyone has some ideas on how to resolve this please advise.

    Thanks Zach,
    double checked my configs and found it was hash instead of mask. now all working OK...
    Takes a little time to negotiate before the services become "usable" and even when you set it to hash it still comes up as usable so was a bit misleading. We were also using wrong SDM template (which I noticed yesterday in the logging and fixed).
    cheers for the quick responses.

  • Multiple Public IP's on one physical interface for devices behind Router.

    Hi guys, I am trying to find information on applying multiple IP addresses to a router,
    basically one for the router itself and then some for the devices behind the router, for which I am sure I need to apply some 1 to 1 NATs. I just do not know if I need to specify all the IP addresses on the main interface.
    Example being I have a router with WAN IP of xxx.xxx.xxx.xxx/25; it only has 2 interfaces, one for WAN and one for LAN. I have a server I would like assigned its own public IP address, but still on the same LAN network.
    Could someone help me out and point me in the right direction with a sample config?

    I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
    You do not need to configure any other of the addresses on the router interface other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT they are configured in the nat statements and not on the physical interface.
    HTH
    Rick

  • Importing logical and physical model from Sybase power designer/Erwin

    Hello,
    We have several models created in Sybase Power designer, logical and as a well as physical. Is there a way to directly import models into Oracle designer?
    Thank you for your help.
    Syed

    Hi Syed,
    ERwin has a facility to export to Designer 2000. Of course you're probably not using Designer 6.0 or earlier so it's of little use.
    I have been looking at a couple of tools for importing from ERwin: Reischmann Informatik’s TOOLBUS Interface for Oracle Designer and ALLFusion ERwin; and Meta Integration Technology’s Meta Integration Model Bridge (MIMB). Neither product is free (nor inexpensive) but if you've got a number of models to convert then the tools seem cheap by comparison. Also, none of the products that I've looked at recreate the actual diagrams (not that I expected them to).
    I am leaning towards TOOLBUS as it provides more complete migration of Logical and Physical models (especially the linkages between the models) using Oracle Designer’s API rather than a DAT file as provided by MIMB.
    Hope this helps,
    Wayne Lehman
    Avanti Business Systems Inc.

  • Logical and Physical Standby Practice

    Hello Gurus
    I am now attempting to practice Oracle Data Guard and in this direction I understand since 10g we have logical standby server as well as a physical standby server. While I am gathering information and knowledge about Data Guard as is and the various modes and types possible with Oracle 10g and 11g in specific, in an attempt to upgrade myself and learn these set-ups and understand them in detail, I come to you for some guidance.
    I am referring to Oracle Documentation for these details. At the same time I also approach you to share your experiences, maybe a link apart from the Oracle documentation which you might want to refer me to use as a quick reference, something that a person like me, fairly new to this set-up, can understand and then attempt to come up with one.
    This is for my practise and learning purpose.
    Sarat.

    Logical Standby was already introduced in 9i. It differs from physical standby in the way, the redo protocol, transmitted from the primary, gets used to actualize the standby. With logical standby, you have SQL APPLY - basically, we try to generate the same SQL that was done on the primary from the redo protocol that was written on behalf of that SQL on the primary. That SQL then is done on the OPEN instance at the logical standby.
    In case of a physical standby, the redo protocol from the primary is used to do RECOVERY - called REDO APPLY - to actualize the standby.
    Since 10g, the same protection levels can be achieved with logical or physical standby.
    Drawback of logical standby: Not all kinds of SQL and all datatypes are supported.
    Drawback of physical standby: It is mounted (versions before 11g) while being recovered - or in 11g, REDO APPLY in READ ONLY status is possible but comes with an extra charge (ACTIVE DATA GUARD feature).
    If you look on my Blog, I have some examples about creating physical & logical standby DBs
    Kind regards
    Uwe
    http://uhesse.wordpress.com
