Does introducing WCCP redirect for WAAS disrupt Netflow information?

Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?

I believe your problem may be due to the fact that you are redirecting http based traffic per the ACL configuration. The sup720 uses wccp v2 as a default version, however, the Sup720 does NOT support the hardware-based redirection for the TCP port 80 when we enable wccpv2.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.htm#wp1017009
Support for Non-HTTP Services:
WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80) traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.

Similar Messages

  • Wccp redirection for waas on same platform as wccp for websense?

    just wondering if anyone knows if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
    seems like the priority value would come into play determining which service group gets handled first?
    we currently do WCCP for WaaS on our 3945s.
    I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
    Thanks,
    Paul

    Hi Paul,
    Yes, it's technically possible to have WCCP redirection for several services even in those devices that don't support setting the priority. However, in this case, both WAAS and Websense need to redirect HTTP traffic, and that's what makes things complicated.
    Assuming you first want to send the traffic to Websense and then to WAAS, I would recommend doing the WAAS redirection only on the WAN link (with one service inbound and the other outbound). You can then configure Web-cache redirection inbound on the client vlan and a service for the return traffic (I'm not sure if this is required for websense) inbound on the interface where the WAE is connected (with a redirect-list to match only the return direction).
    Even if it's possible to have both redirections in the same device, if possible, I would strongly suggest that you either use different devices for the redirection or make them mutually exclusive (for example, not sending HTTP to WAAS); otherwise, if you make a small mistake with the configuration, you can end up with a redirection loop.
    Regards
    Daniel

  • Best practice with WCCP flows for WAAS

    Hi,
    I have a WAAS SRE 910 module in a 2911 router that intercepts packets from this router with WCCP.
    All packets are received by external interface (gi 2/0, connected to a switch with port configured in WCCP vlan), and are sent back to the router via internal interface (gi 1/0 directly connected to the router) :
    WAAS# sh interface gi 1/0
    Internet Address                    : 10.0.1.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 20631
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 239 bits/sec, 0 packets/sec
    Output Throughput                   : 3270892 bits/sec, 592 packets/sec
    Packets Sent                        : 110062
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 1000 Mbps
    WAAS# sh interface gi 2/0
    Internet Address                    : 10.0.2.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 86558
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 2519130 bits/sec, 579 packets/sec
    Output Throughput                   : 3431 bits/sec, 2 packets/sec
    Packets Sent                        : 1580
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 100 Mbps
    The default route configured in WAAS module is 0.0.0.0/0 to 10.0.1.254 (router interface).
    Would it be better that packets leave WAAS module by the external interface (in place of the internal interface) ?
    Is there a best practice recommended by Cisco on this ?
    Thanks.
    Stéphane

    Hi Stephane,
    We usually advise the following in such scenario with an internal module:
    "ip wccp 61 redirect in" the LAN interface.
    "ip wccp 61 redirect in" on the WAN one.
    "ip wccp redirect exclude in" on the internal interface between the WAAS and the router.
    That way, we are sure that no loops are created because of the WCCP redirection.
    Regards,
    Nicolas

  • Mask assignment for wccp redirection in WAEs

    We're trying to understand the mask assignment process better, so we can replace the default mask value of 0x1741 with the correct one as, supposedly, the 0x1741 does not allocate the buckets evenly among the WAEs in a cluster. To that extent, could someone pls refer me to where we could read up on this?
    Thanks.
    _ Greg

    Hey Greg,
    I would suggest going through the doc below. There is also a mask calculator doc attached here for your reference.
    http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html
    Regards,
    Kanwal
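To make the bucket question in this thread concrete, here is an added example (not from the thread or from Cisco) that ANDs a source-IP mask with each client address and counts how many of the possible masked values a client population actually lands in. The client population and the comparison mask 0xF are constructed for illustration; how the lead WAE then deals buckets out to cluster members is not modelled.

```python
import ipaddress
from collections import Counter


def mask_bit_positions(mask: int) -> list:
    """Bit positions (0 = least significant) that the mask samples from the address."""
    return [bit for bit in range(32) if mask >> bit & 1]


def possible_buckets(mask: int) -> int:
    """A mask with n bits set can produce 2**n distinct masked values."""
    return 1 << len(mask_bit_positions(mask))


def bucket_of(ip: str, mask: int) -> int:
    """The masked value a source address maps to."""
    return int(ipaddress.IPv4Address(ip)) & mask


def utilisation(clients, mask: int) -> dict:
    """How many buckets the clients occupy, and how full the used ones are."""
    hits = Counter(bucket_of(ip, mask) for ip in clients)
    return {
        "possible": possible_buckets(mask),
        "used": len(hits),
        "busiest": max(hits.values()),
        "quietest_used": min(hits.values()),
    }


# Constructed population: 32 branch /24 subnets, hosts .10 to .59 in each.
CLIENTS = [f"10.112.{subnet}.{host}" for subnet in range(32) for host in range(10, 60)]

if __name__ == "__main__":
    for mask in (0x1741, 0xF):  # 0xF is a constructed comparison mask
        print(hex(mask), mask_bit_positions(mask), utilisation(CLIENTS, mask))
```

With this population, 0x1741 samples bit 6 of the last octet, which is never set for hosts below .64, so half of its 64 possible values stay empty; a mask should sample the address bits that actually vary among your clients.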

  • Router WCCP redirect ACLs for WAAS

    Since WAAS accelerates TCP connections only, would it be more efficient to code my router WCCP redirect ACLs for protocol TCP instead of all IP traffic between my source and dest subnets I want redirected?

    Greg,
    The protocol (TCP) is an attribute of the WCCP service group, so using IP in your ACL is fine.
    Regards,
    Zach

  • WCCP Redirect list ACL mask for WAAS

    Good day,
    I would like to confirm if the following would be correct to implement for WCCP redirection list on 6500. We have over 800 branches and we also need to manage the intra-server traffic in the Data Center which we do not want to be re-directed.
    ip access-list extended WCCPLIST-61
    permit tcp 10.112.0.0 0.0.31.255 any
    ip access-list extended WCCPLIST-62
      permit tcp any 10.112.0.0 0.0.31.255
    So, as an example, would these masks work for us, as the number of entries otherwise would be exhaustive.
    Just want to confirm that the mask in the ACL doesn't have to match exactly.
    Thanks in advance.

    Hi Zach,
    Thanks for the response and confirmation.
    I was wanting to make sure that it is not required to have the masks match the source masks, resulting in the exhaustive list (operational nightmare).
    A quick question on the ACL for WCCP redirect-list. Should we not see hits on specific entries (e.g. permit tcp 10.113.9.0 0.0.0.31 any for the 61 redirect list, and the same for the permit tcp any 10.113.9.0 0.0.0.31 for the 62 redirect list)?
    If we don't, no traffic? We see flows on the branch WAE, although very few (not many users), but no hits on the ACL on the DC 6500. Is this due to them being handled in hardware maybe, TCAMs?
    Any input would be appreciated.
    Thanks again.
    Paul.

  • WAAS: ASR for WCCP redirect

    Has anyone deployed an ASR for WCCP redirection? How stable is this platform?
    Thanks,
    DG

    DG,
    I work for Cisco Systems.
    WCCP support on ASR has been there for a while now. Many of our customers do run WCCP on ASR and are happy with the stability and performance. As you may know it is a h/w based platform and hence it processes WCCP in h/w. Please ensure that you are using mask assignment to take advantage of h/w processing on ASR.
    thanks
    Nat

  • ACE as cache engine for wccp redirection

    Does anybody know if the ACE 4710 appliance supports WCCP acting as a web-cache engine? I am exhausting all possible options, and then some, for deploying a new application networking environment. I just returned from ACE training last week and found myself ramping up to deploy a new ACE.
    I have pretty much exhausted my options for topology. We discussed several different designs in class and I don't like any of them. I have some serious problems with using the ACE as a default-gateway for servers. That option is out due to how other "non application" traffic is handled. Traffic such as RDP from IT support staff, patching from SMS servers, virus dat updates, vulnerability scanning... it all routes to the ACE which has to have static routes... then clients hitting the application VIPs have to be natted so the ACE does not use the static routes and reply directly... it all becomes a very big problem over time.
    Second and third options are one-armed and direct server return... both not suitable for my requirements.
    Now... that leaves me with an option we currently have deployed. That is to use a distribution route-switch (Catalyst 4500 Sup-IV) in the middle. The Cat uses PBR to return http traffic from the web servers back to the ACE. All other traffic follows normal routing table.
    Ok... that works perfect... except PBR is not supported in the Sup-6 engine. Unbelievable... I know. This is a major fly in the ointment for this new deployment.
    Now... there is another protocol that is often used for redirection... WCCP. If the ACE were a wccp web-cache, the router could be configured to redirect ingress http to the ACE. But... the ACE would have to act as a web-cache engine and register with the Cat as a home-router.
    I am sure this option is not an option... but it would be nice. The ACE 4710 appliance has the general processor to do it but it would have to be implemented in software. I'm running A3(1.0) and I cannot find anything related to wccp. Nothing in the command-reference.
    If there are any Cisco developers interested in adding some killer functionality... this would be it. Wccp can be done in layer-2 as well as layer-3. The Sup-6 supports layer-2 redirection. Since the ACE is generally layer-2 adjacent this would be rather easy to implement. Anyway... food for thought.

    I just would like to mention that you could have ACE in bridge mode inserted between your servers and the gateway (4500).
    All traffic will go through ACE but no need for NATing and no static routes (just one default route pointing to the 4500).
    The only problems would be if you exceed the BW of the 4710 with all your traffic.
    Regarding the WCCP support for the 4710 this is not currently in our roadmap.
    Ask your Cisco account team to introduce the request.
    Thanks,
    Gilles.

  • WAAS 4.0 redirection: Only edge redirection for WAFS?

    Hello:
    I am migrating from WAFS 3.0 to WAAS 4.0, but I am only interested in using WAFS for CIFS traffic (no other application optimizations at the moment).
    In version 3 we do not use WCCP service 89 redirection at CORE side (because Edge uses a tunnelled connection through TCP port 4050, directly to the Core). We did not use an "out-of-band network" for WAEs either.
    Is it possible to maintain the same redirection schema in version 4 (only for CIFS optimization)?
    The CIFS optimization is still tunnelled between core and edge?
    Is it possible to re-image a WAAS 4 WAE with WAFS 3 software image using recovery CD? (I do not care about losing configuration)
    Thanks in advance.
    Gustavo.

    Gustavo,
    In the current version of WAAS (4.0.1 or 4.0.3) we do not require WCCP at the Core. However, this will change in a future release.
    At the Edge, it is required that the WAE is deployed on a separate subnet from the clients, even if you are only using the WAFS functionality.
    To answer your last question, you can install WAFS 3.0 or WAAS 4.0 using the recovery CD method.
    Zach

  • WAAS - WCCP redirect inbound

    Hello Everyone,
    I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
    Any ideas ?
    interface FastEthernet0/0.999
    description ****Dublin User Vlan****
    encapsulation dot1Q 999 native
    ip address x.x.x.x 255.255.255.192
    ip helper-address 134.65.181.11
    no ip redirects
    no ip proxy-arp
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    ip flow ingress
    no ip mroute-cache
    service-policy input DBN_LAN

    You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416

  • WCCP 61 and 62 for WAAS?

    What if, I wanted to use TWO wan optimizing pieces of hardware--One WAAS and one another vendor? Both "Head-End" devices would need to use a WCCP redirect off the same GIG and POS interface (with a different ACL and WCCP number) BUTTTT..the problem it seems, is the Cisco WAAS devices will only use 61 and 62 in promiscuous mode...while other vendors can do numbered modes...is this true? Or can you do something like
    Gig0/0
    ip wccp 10 redirect in <--Cisco waas
    ip wccp 20 redirect in <--vendor2
    etc..
    Thanks for any help

    Hi Alan,
    WAAS currently only supports service groups 61/62. Note that these numeric designations are really just identifiers, and don't impact order of operations or anything else. So long as the 'vendor2' device above uses some other service group numbers besides 61/62, you should be fine.
    Also note that if you are configuring WCCP on a software-based platform (ISR, 7200, etc.), you will also need to configure the global command 'ip wccp check services all'.
    Please let us know if you have any additional questions.
    Regards,
    Zach

  • Does wccp redirect break routing protocol?

    This may be a dumb question to ask, sorry, I don't have equipment to test it at this moment.
    If wccp redirect is configured on an interface running routing protocol (such as eigrp or ospf), will this redirect the "unicast" ospf database or eigrp topology update to WAAS?  and/or will this also redirect ospf & eigrp "multicast" update which maintains neighbor relationship to WAAS?
    Should this type of traffic be denied on wccp redirect-list?
    Thanks

    Hi Joe,
    Since WAAS normally uses TCP promiscuous mode services, based on service group number 61 and 62 - you'll only get TCP redirected ... and neither OSPF nor EIGRP runs on top of TCP, so don't worry.
    If you run a TCP based routing protocol like BGP, it will get redirected.
    Later versions of WAAS don't, by default, try to optimize on BGP, as it has given some problems in the past due to sequence number manipulation.
    Best Regards
    Finn Poulsen

  • Branch IPSEC VPN Site with WCCP setup for vWAAS - Overthinking this

    OK, I have a fairly large WAAS environment so I'm kicking myself for overthinking this.  I have a particular branch that has an 881 router that terminates an IPSEC connection back to my main location.  I have a vWAAS at this branch site, so I'm going WCCP.  I got the license upgrade to enable the WCCP feature set.  Now I'm confused on the WCCP setup.  There is only 1 VLAN at the branch.  I have the WAAS setup to do WCCP GRE.
    Question is:  Would I do the redirect 61,62 on the VLAN1 interface?  I think I would, but I'm used to dropping the 62 on the serial interface of my MPLS.  I.E.:
    int vlan1
    ip wccp 62 redirect in
    ip wccp 61 redirect in
    HERE IS THE CURRENT CONFIG
    ip wccp 61 redirect-list branch-waas
    ip wccp 62 redirect-list branch-waas
    interface Vlan1
    description Branch Data VLAN
    ip address 10.22.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    crypto ipsec client ezvpn Corporate-client inside
    ip access-list extended branch-waas
    remark WCCP Redirect ACL
    deny   tcp any any eq telnet
    deny   tcp any any eq 22
      permit ip any any

    wccp 62 is to intercept the WAN traffic, but if you put it on the LAN side, you have to catch the traffic on its way out:
    ip wccp 62 redirect out
    There is no need to deny telnet and ssh, those both have policies in WAAS for passthrough.  Also, I prefer to put my WAAS device on its own VLAN.  However, if it is going to be on VLAN 1, your access list will need:
    ip access-list extended branch-waas
    remark WCCP Redirect ACL
    deny   ip any host (WAAS IP)
    deny   ip host (WAAS IP) any
      permit ip any any
    To make sure you do not loop WCCP traffic.
    Just edited to change from TCP to IP in access list.
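The redirect-list threads above (protocol as a service-group attribute, wildcard masks on the 6500 list, and the deny entries for the WAE on a shared VLAN) can be checked with one small first-match evaluator. This is an added example, not code from any poster or from Cisco; the address 10.22.1.10 is a constructed stand-in for "(WAAS IP)", the flow addresses are constructed, and entries with port operators are not supported.

```python
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line: str):
    """Parse 'permit|deny <proto> <src> <dst>' into (action, proto, src, dst)."""
    action, proto, *rest = line.split()
    fields = []
    while rest:
        if rest[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        elif rest[0] == "host":
            fields.append((rest[1], "0.0.0.0"))
            rest = rest[2:]
        else:
            fields.append((rest[0], rest[1]))
            rest = rest[2:]
    src, dst = fields
    return action, proto, src, dst


def decision(acl_lines, proto: str, src: str, dst: str, service_proto: str = "tcp") -> str:
    """Return 'redirect' or 'forward' for one packet hitting a WCCP service."""
    if proto != service_proto:  # services 61/62 only ever pick up TCP
        return "forward"
    for action, ace_proto, s, d in map(parse_ace, acl_lines):
        if ace_proto in ("ip", proto) and wildcard_match(src, *s) and wildcard_match(dst, *d):
            return "redirect" if action == "permit" else "forward"
    return "forward"  # implicit deny at the end of every ACL


WAAS_IP = "10.22.1.10"  # constructed placeholder for "(WAAS IP)"
BRANCH_WAAS = [
    f"deny ip any host {WAAS_IP}",
    f"deny ip host {WAAS_IP} any",
    "permit ip any any",
]
WCCPLIST_61 = ["permit tcp 10.112.0.0 0.0.31.255 any"]

if __name__ == "__main__":
    flows = [  # constructed sample flows
        (BRANCH_WAAS, "tcp", "10.22.1.50", "10.1.1.5"),   # client to data center
        (BRANCH_WAAS, "tcp", WAAS_IP, "10.1.1.5"),        # WAE-sourced, must not loop
        (BRANCH_WAAS, "ospf", "10.22.1.1", "224.0.0.5"),  # not TCP
        (WCCPLIST_61, "tcp", "10.112.31.200", "10.1.1.5"),
        (WCCPLIST_61, "tcp", "10.112.32.1", "10.1.1.5"),  # just outside the wildcard
    ]
    for acl, proto, src, dst in flows:
        print(proto, src, "->", dst, decision(acl, proto, src, dst))
```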

  • ASR1002 throughput degradation when wccp redirect-list is changed

    We have two ASR 1002's going to 2 different WAN service providers, and two 7371 WAE load balanced by mask assignment. When we change the ACL (adding or removing lines) from our wccp redirect-list, the throughput on interfaces applied to the wccp service-groups is degraded to almost no traffic passing, until we completely remove wccp service group from the global configuration and then reapply. Then traffic throughput on the interface goes back to normal.
    Our ACL defined in the redirect list specifies our specific networks on our WAN that have WAE's and need the redirection. All other networks are denied implicitly. We need to regularly change this ACL, and this service interruption is a major issue. This was not an issue before moving to the ASR platform from 7206's.
    At TAC's request we have upgraded our IOS version to 15.1(3)S4 and that did not make any difference. Does anyone know why this occurs and if there is a way to work around this other than removing wccp configuration and adding back, every time the ACL needs to be modified?
    As a side note to this... We have recently added riverbed appliances, and created separate service groups with separate redirect-lists. The exact same behavior occurs on the ASR 1002 when the ACL for the riverbed's redirect list is altered.

    Thank you very much for sharing that information.  It is great to hear verification that the mask assignment change did resolve your problem.   That is the latest resolution that TAC has recommended, but we have to restart the WCCP service on all redundant edge routers to be able to implement this, so planning the outage window is taking some time.   We've been told that TAC will set this up in a lab and test for us by our Cisco SE.  We're hoping to get verification that this actually resolves the problem before we take the outage.
    If you could, can you tell me if this resolved the issue 100% or do you still have any performance issues when making a change to your WCCP ACL going to your bluecoat equipment?    We may also need to implement this in our redirects to BlueCoat from our Nexus.  Do you happen to have a link to how to make this change in Bluecoat?   Thanks again!
