Mask assignment for wccp redirection in WAEs

We're tying to understand the mask assignment process better, so we can replace the default mask value of 0X1741 with the correct one as, supposedly, the 0x1741 does not allocate the buckets evenly among the WAEs in a cluster. To that extent, could someone pls refer me to where we could read up on this?
Thanks.
_ Greg

Hey Greg,
I would suggest going through the below doc. and also there is a mask calculator doc attached here with this for your reference.
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html
Regards,
Kanwal

Similar Messages

  • WAAS: ASR for WCCP redirect

    Has anyone deployed an ASR for WCCP redirection? How stable is this platform?
    Thanks,
    DG

    DG,
    I work for Cisco Systems.
    WCCP support on ASR has been there for a while now. Many of our customers do run WCCP on ASR and happy with the stability and performance. As you may know it is a h/w based platform and hence it processes WCCP in h/w. Pl ensure that you are using mask assignment to take advantage of h/w processing on ASR.
    thanks
    Nat

  • ACE as cache engine for wccp redirection

    Does anybody know if the ACE 4710 appliance supports WCCP acting as a web-cache engine? I am exausting all possible options, and then some, for deploying a new application networking environment. I just returned from ACE training last week and found myself ramping up to deploy a new ACE.
    I have pretty much exhausted my options for topology. We discussed several different designs in class and I don't like any of them. I have some serious problems with using the ACE as a default-gateway for servers. That options is out due to how other "non application" traffic is handled. Traffic such as RDP from IT support staff, patching from SMS servers, virus dat updates, vulnerability scanning... it all routes to the ACE which has to have static routes... then clients hitting the application VIPs have to be natted so the ACE does not use the static routes and reply directly... it all becomes a very big problem over time.
    Second and third options are one-armed and direct server return... both not suitable for my requirements.
    Now... that leaves me with an option we currently have deployed. That is to use a distribution route-switch (Catalyst 4500 Sup-IV) in the middle. The Cat uses PBR to return http traffic from the web servers back to the ACE. All other traffic follows normal routing table.
    Ok... that works perfect... except PBR is not supported in the Sup-6 engine. Unbelievable... I know. This is a major fly in the ointment for this new deployment.
    Now... there is another protocol that is often used for redirection... WCCP. If the ACE were a wccp web-cache, the router could be configured to redirect ingress http to the ACE. But... the ACE would have to act as a web-cache engine and register with the Cat as a home-router.
    I am sure this option is not an option... but it would be nice. The ACE 4710 appliance has the general processor to do it but it would have to be implemented in software. I'm running A3(1.0) and I cannot find anything related to wccp. Nothing in the command-reference.
    If there are any Cisco developers interested in adding some killer funtionality... this would be it. Wccp can be done in layer-2 as well as layer-3. The Sup-6 supports layer-2 redirection. Since the ACE is generally layer-2 adjacent this would be rather easy to implement. Anyway... food for thought.

    I just would like to mention that you could have ACE in bridge mode inserted between your servers and the gateway (4500).
    All traffic will go through ACE but no need for nating and no statc routes (just one default route pointing to the 4500).
    The only problems would be if you exceed the BW of the 4710 with all your traffic.
    Regarding the WCCP support for the 4710 this is not currently in our roadmap.
    Ask your cisco account team to introduce the request.
    Thanks,
    Gilles.

  • WCCP Redirect list ACL mask for WAAS

    Good day,
    I would like to conform if the following would be correct to implement for WCCP redirection list on 6500. We have over 800 branches and we also need to manage the intra-server traffic in the Data Center which we do not want to be re-directed.
    ip access-list extended WCCPLIST-61
    permit tcp 10.112.0.0 0.0.31.255 any
    ip access-list extended WCCPLIST-62
      permit tcp any 10.112.0.0 0.0.31.255
    So, as an example, would these masks work for us, as the number of entries otherwise would be exhaustive.
    Just want to confirm that the mask in the ACL doesn't have to match exactly.
    Thanks in advance.

    Hi Zach,
    Thanks for the response and confirmation.
    I was wanting to make sure that it is not required to have the masks match the source masks, resulting in the exhaustive list (operational nightmare).
    A quick question on the ACL for WCCP redirect-list. Should we not see hits on specific entry's (e.g.permit tcp 10.113.9.0 0.0.0.31 any for the 61 redirect list, and the same for the permit tcp any 10.113.9.0 0.0.0.31 for the 62 redirect list).
    If we don't, no traffic? We see flows on the branch WAE, although very few (not many users), but no hits on the ACL on the DC 6500. Is this due them being handled in hardware maybe, TCAM's?
    Any input would be apprecited.
    Thanks again.
    Paul.

  • Does introducing WCCP redirect for WAAS disrupt Netflow information?

    Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
    Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?

    I believe your problem may be due to the fact that you are redirecting http
    based traffic per the ACL configuration. The sup720 uses wccp v2 as a default
    version,however, the Sup720 does NOT support the hardware-based redirection for the TCP port 80 when we enable wccpv2.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.
    htm#wp1017009
    Support for Non-HTTP Services:
    WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80)traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.

  • Wccp redirection for waas on same platform as wccp for websense?

    just wondering if anyone knows if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
    seems like the priority value would come into play determining which service group gets handled first?
    we currently do WCCP for WaaS on our 3945s.
    I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
    Thanks,
    Paul

    Hi Paul,
    Yes, it's technically possible to have WCCP redirection for several services even in those devices that don't support setting the priority. However, in this case, both WAAS and Websense need to redirect HTTP traffic, and that's what makes things complicated.
    Assuming you first want to send the traffic to Websense and then to WAAS, I would recommend doing the WAAS redirection only on the WAN link (with one service inbound and the other outbound). You can then configure Web-cache redirection inbound on the client vlan and, a service for the return traffic (I'm not sure if this is required for websense), inbound on the interface where the WAE is connected (with a redirect-list to match only the return direction)
    Even if it's possible to have both redirections in the same device, if possible, I would strongly suggest you to either use different devices for the redirection or to make them mutually exclusive (for example, not sending HTTP to WAAS), otherwise, if you make a small mistake with the configuration, you can end up with a redirection loop.
    Regards
    Daniel

  • Router WCCP redirect ACLs for WAAS

    Since WAAS accelerates TCP connections only, would it be more efficient to code my router WCCP redirect ACLS for protocol TCP instead of all IP traffic between my source and dest subnets I want redirected?

    Greg,
    The protocol (TCP) is an attribute of the WCCP service group, so using IP in your ACL is fine.
    Regards,
    Zach

  • WAE standby group and L2 redirection mask-assignment not compatible?

    I have a WAE-674 connected to two 6509 switches (sup720). The two WAE ports are in a standby group. I'm also using WCCP L2 redirection from 6509 to the WAE, but I remember in older WAAS software, WAE standby group was not compatible with L2 redirection mask-assignment. Only hash could be used.
    Is it still the same with the newer 4.2.1 software? I couldn't find specifics in its documentations.
    Thanks
    Gary

    Hi Gary,
    I believe you are talking about this defect: CSCso66693
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCso66693 
    Now, Standby interface does work with L2 Masking.
    Details about virtual standby interface:
    The virtual standby interface uses the MAC address of the active interface. Standby interfaces remain unused unless an active interface fails. When an active network interface fails (because of cable trouble, Layer 2 switch failure, or other failure), and that interface is part of a standby group, a standby interface can start to carry traffic and take the load off the failed interface. With standby interface configuration, only one interface is in use at a given time.
    CLI command: show interface standby 1
    Please note that VB interface bridging is not supported when you are using  standby interface feature.
    Hope this helps.
    Regards.
    PS: If this answers your question, please mark it as Answered.

  • WAAS - WCCP redirect inbound

    Hello Everyone,
    I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
    Any ideas ?
    interface FastEthernet0/0.999
    description ****Dublin User Vlan****
    encapsulation dot1Q 999 native
    ip address x.x.x.x 255.255.255.192
    ip helper-address 134.65.181.11
    no ip redirects
    no ip proxy-arp
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    ip flow ingress
    no ip mroute-cache
    service-policy input DBN_LAN

    You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416

  • WCCP redirect not working on Cat 3560

    We have a 3560 running 12.2(37)SE1, IP services image.
    Through debug, we can see WCCP communication betweeen the 3560 and our content engine (for web caching).
    However, web traffic isn't being redirected to the CE at all. Instead, it goes straight out to the Internet.
    Does anyone have the same issue? Has anyone got their 3560 to work w/ their WCCP products (web caching or WAAS)?

    The 3560 does not support GRE redirection (layer3), so you need to use layer 2 redirection on your Content Engine for your 3560 to work fine with WCCP, also you need to use mask assignment since hash is non-supported as well.
    Check this link:
    http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a008081db5b.html#wp1051427
    Hope it helps!!

  • C3750 & WCCP redirection

    Hi all,
    I am trying to setup a web cache using a WAE-612 and a C3750 switch. The switch is configured with three interfaces:
    CLIENTS ----- VLAN 1 ----- SWITCH ----- GI1/0/1 routed ---- SERVER(s)
            WAE-ENGINE ---- VLAN2--|
    I have configured inbound redirection on vlan 1 and inbound redirection on gi1/0/1
    ip wccp web-cache redirect in
    I am using L2 redirect & L2 return & my state is "enabled":
    Switch#show ip wccp web-cache detail
    WCCP Client information:
            WCCP Client ID:          10.101.2.202
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    0
            Connect Time:          02:24:08
            Assignment:            MASK
    First, the "packets redirected" counter doesn't increment, is this normal (maybe due to hardware redirection ?)
    Second, i am seeing HTTP GET requests from my clients going to my WAE-engine and i am also seeing the WAE-engine sending them back to the switch (changed mac address, L2 redirection)
    Third, my  cache savings are 0 %
    Fourth, i don't see any traffic returning into the WAE-engine. How can the WAE cache traffic if he never sees the server return traffic ?
    Fifth, i have "spoof client ip" enabled on the WAE (need this for security reasons, web server verifies source ip address)
    Now i am thinking it is logical that my cache savings are 0% . The web-cache service group redirects port 80 packets and the switch supports only "inbound" direction. This means that the switches never redirects the ANSWER of the server,so how on earth can it ever "cache" the response ?
    Am i correct or am i wrong ? How to solve it ?
    Should i use different WCCP service groups on the interfaces (for example: based on source ip redirection, the other on destination ip redirection)
    PS. I am running 12.2(44)SE6 on the switch and 5.5.9.B9 on the WAE
    regards,
    Geert

    Hi Geert,
    With L2 redirection 'packets redirected' counter won't increment since its Hardware redirection. You might want to
    check on WAE counter 'Transparent non-GRE packets received:' by running 'show wccp gre'
    With wccp ip-spoofing enabled, requests will be sent to web server with Clients IP address. So yes you will need
    to configure WCCP to catch return traffic coming from web server to be redirected to WAE.
    To redirect return traffic you will need to configure WCCP Dynamic Service group ,
    By default web-cache service will Mask on Destination address. Since we need to make sure return traffic is sent to
    same WAE as forwarding traffic, we need to Mask return traffic on Source IP address.
    This will config Service group 95 and it will Mask on Source IP which will be Webservers IP address
    wccp service-number 95 mask src-ip-mask 0x1741 dst-ip-mask 0x0 
    wccp service-number 95 router-list-num 1 port-list-num 1 application cache l2-redirect mask-assign l2-return
    wccp version 2
    wccp spoof-client-ip enable
    You will then need to enable 'ip wccp 95 redirect in' on the WAN interface.
    Hope this helps,
    Best Regards,
    Rahul

  • WCCP redirect on 4507 to ironport

    I am trying to setup WCCP on our 4507. For some reason I cannot get this to work! The config I have tried is below. I can't figure out what I'm doing wrong here!
    ip wccp web-cache group-list IRONPORT-GROUPLIST
    ip wccp source-interface GigabitEthernet2/24
    Interface Vlan160
    ip address 10.10.16.1 255.255.254.0
    ip wccp web-cache redirect out
    ip access-list IRONPORT-GROUPLIST
    permit ip any host 10.11.1.10 (10.11.1.10 is the ironport proxy IP address)
    On the ironport I setup web-cache under transparent redirection and provided the IP address I used to source from above (GigabitEthernet2/24). Here is the output I get on the 4507:
    10CSW-LAN1#sh ip wccp web-cache
    Global WCCP information:
        Router information:
            Router Identifier:                   10.11.1.9
            Configured source-interface:         GigabitEthernet2/24
            Protocol Version:                    2.0
        Service Identifier: web-cache
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets Redirected:            0
              Process:                           0
              CEF:                               0
              Platform:                          0
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                -none-
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   IRONPORT_GROUPLIST
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
              Process:                           0
              CEF:                               0
              Platform:                          0
    Here is the debug output:
    2w3d: WCCP-EVNT:Process: Start V2 (138)
    2w3d: WCCP-EVNT:Successfully opened UDP socket
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:router-id set (initialise) 0.0.0.0 => 10.11.1.9
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: allocate wc orig mask info (540 bytes)
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:1
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated transmit interval to: 10000
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated timer scaling factors to: 1 and 1
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group methods
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group timers
    2w3d: WCCP-EVNT:S0: no srvc grp mask data to validate
    2w3d: WCCP-EVNT:S0: created adjacency interest, 10.11.1.10
    2w3d: WCCP-EVNT:S0: nexthop update oce for wc 10.11.1.10, 0x0 -> 0x23C10CF0 IP adj out of GigabitEthernet2/24, addr 10.11.1.10 23C10C80
    2w3d: WCCP-EVNT:S0: track nexthop for wc 10.11.1.10 (OK)
    2w3d: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 10.11.1.10
    10CSW-LAN1(config)#
    2w3d: WCCP-PKT:S0: Received HIA from 10.11.1.10, rcv_id:1
    2w3d: WCCP-EVNT:S0: Building new router view
    2w3d: WCCP-EVNT:S0: deallocate rtr_view (24 bytes)
    2w3d: WCCP-EVNT:S0: allocate mask rtr_view (572 bytes)
    2w3d: WCCP-EVNT:S0: copy orig info (540 bytes)
    2w3d: WCCP-EVNT:S0: Assignment wait timer restarted, delay 50000
    2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:2
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: setting up wc mask assignments
    2w3d: WCCP-EVNT:S0: allocate current assign info (540 bytes)
    2w3d: WCCP-EVNT:S0: set wc current assign info (540 bytes)
    2w3d: WCCP-EVNT:S0: RA from 10.11.1.10 (id: 10.11.1.10), assignment key set to 10.11.1.10,3
    2w3d: WCCP-EVNT:S0: Building new router view
    2w3d: WCCP-EVNT:S0: reuse rtr_view (44 of 572 bytes)
    2w3d: WCCP-EVNT:S0: copy blank current info
    2w3d: WCCP-EVNT:S0: Assignment wait timer stopped
    2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
    2w3d: WCCP-PKT:S0: Received RA from 10.11.1.10, rcv_id:2
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:3
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:4
    10CSW-LAN1(config)#
    2w3d: %SEC-6-IPACCESSLOGP: list IRONPORT_GROUPLIST permitted udp 10.11.1.10(0) -> 10.11.1.9(0), 5 packets
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:5
    2w3d: WCCP-EVNT:Process: Start V2 (138)
    2w3d: WCCP-EVNT:Successfully opened UDP socket
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:router-id set (initialise) 0.0.0.0 => 10.11.1.9
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: allocate wc orig mask info (540 bytes)
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:1
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated transmit interval to: 10000
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated timer scaling factors to: 1 and 1
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group methods
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group timers
    2w3d: WCCP-EVNT:S0: no srvc grp mask data to validate
    2w3d: WCCP-EVNT:S0: created adjacency interest, 10.11.1.10
    2w3d: WCCP-EVNT:S0: nexthop update oce for wc 10.11.1.10, 0x0 -> 0x23C10CF0 IP adj out of GigabitEthernet2/24, addr 10.11.1.10 23C10C80
    2w3d: WCCP-EVNT:S0: track nexthop for wc 10.11.1.10 (OK)
    2w3d: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 10.11.1.10
    10CSW-LAN1(config)#
    2w3d: WCCP-PKT:S0: Received HIA from 10.11.1.10, rcv_id:1
    2w3d: WCCP-EVNT:S0: Building new router view
    2w3d: WCCP-EVNT:S0: deallocate rtr_view (24 bytes)
    2w3d: WCCP-EVNT:S0: allocate mask rtr_view (572 bytes)
    2w3d: WCCP-EVNT:S0: copy orig info (540 bytes)
    2w3d: WCCP-EVNT:S0: Assignment wait timer restarted, delay 50000
    2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:2
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: setting up wc mask assignments
    2w3d: WCCP-EVNT:S0: allocate current assign info (540 bytes)
    2w3d: WCCP-EVNT:S0: set wc current assign info (540 bytes)
    2w3d: WCCP-EVNT:S0: RA from 10.11.1.10 (id: 10.11.1.10), assignment key set to 10.11.1.10,3
    2w3d: WCCP-EVNT:S0: Building new router view
    2w3d: WCCP-EVNT:S0: reuse rtr_view (44 of 572 bytes)
    2w3d: WCCP-EVNT:S0: copy blank current info
    2w3d: WCCP-EVNT:S0: Assignment wait timer stopped
    2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
    2w3d: WCCP-PKT:S0: Received RA from 10.11.1.10, rcv_id:2
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:3
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:4
    10CSW-LAN1(config)#
    2w3d: %SEC-6-IPACCESSLOGP: list IRONPORT_GROUPLIST permitted udp 10.11.1.10(0) -> 10.11.1.9(0), 5 packets
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:5

    I would recommend doing the following. Also feel free to call into the ironport support line. It is listed at the bottom of the page.
    Change the wccp service to service-number 90
    Try to redirect inbound traffic not outbound traffic.
    Set Load-balancing to mask
    Set forward method to L2
    Set return method to L2
    ip wccp 90 group-list IRONPORT-GROUPLIST  <- Set the wccp service-number
    ip wccp source-interface GigabitEthernet2/24
    Interface Vlan160
    ip address 10.10.16.1 255.255.254.0
    ip wccp 90 redirect out  <- Set the WCCP Service-number try to redirect inbound traffic
    ip access-list IRONPORT-GROUPLIST
    permit ip any host 10.11.1.10 (10.11.1.10 is the ironport proxy IP address)
    Below is an example of how you should setup your ironport for a customer service number. Place the port numbers that you want to redirect.
    Christian Rahl
    Customer Support Engineer                      
    Cisco IronPort - Web Security Appliances
    Cisco Technical Assistance Center RTP
    United States Ironport: 1-877-641-IRON (4766)

  • ASR1002 throughput degradation when wccp redirect-list is changed

    We have two ASR 1002's going to 2 different WAN service providers, and two 7371 WAE load balanced by mask assignment. When we change the ACL (adding or removing lines) from our wccp redirect-list, the throughput on interfaces applied to the wccp service-groups is degraded to almost no traffic passing, until we completely remove wccp service group from the global configuration and then reapply. Then traffic throughput on the interface goes back to normal.
    Our ACL defined in the redirect list specifies our specific networks on our WAN that have WAE's and need the redirection. All other networks are denied implicitly. We need to regularly change this ACL, and this service interruption is a major issue. This was not an issue before moving to the ASR platform from 7206's.
    At TAC's request we have upgraded our IOS version to 15.1(3)S4 and that did not make any difference. Does anyone know why this occurs and if there is a way to work around this other than removing wccp configuration and adding back, every time the ACL needs to be modified?
    As a side note to this... We have recently added riverbed appliances, and created separate service groups with separate redirect-lists. The exact same behavior occurs on the ASR 1002 when the ACL for the riverbed's redirect list is altered.

    Thank you very much for sharing that information.  It is great to hear verification that the mask assignment change did resolve your problem.   That is the latest resolution that TAC has recommended, but we have to restart the WCCP service on all redundant edge routers to be able to implement this, so planning the outage window is taking some time.   We've been told that TAC will set this up in a lab and test for us by our Cisco SE.  We're hoping to get verfication that this actually resolves the problem before we take the outage.   
         If you could, can you tell me if this resolved the issue 100% or do you still have any performance issues when making a change to your WCCP ACL going to your bluecoat equipment?    We may also need to implement this in our redirects to BlueCoat from our Nexus.  Do you happen to have a link to how to make this change in Bluecoat?   Thanks again!

  • SRE External Gig port for WCCP traffic?

    Has anyone been successful with using the external Gig port on the SRE modules for WCCP traffic?  Has anyone tried it?
    I'd like to reduce the CPU on my ISR-G2 routers that have the SRE modules running WCCP GRE.  I'd like to use the external gig port on the SRE module for the WCCP traffic, which will allow me to use WCCP L2.  Is this even feasible?  Or maybe I just need to add WCCP L2 on an SRE as a New Feature request to Cisco?
    According the to Cisco documentation....
    The external service-module interface can be used to monitor LAN traffic. You can also select the external interface as the management interface for the SM. The external interface cannot be used for downloading applications.
    Visible only to the SM software on the Cisco SM-SRE, the external service-module interface is the Gigabit Ethernet interface connector on the Cisco SM-SRE faceplate. The external interface supports data requests and data transfers from outside sources, and it provides direct connectivity to the LAN through an RJ-45 connector.

    Tammy,
    What is preventing you from configuing WAAS on SRE with L2 WCCP / Mask assignment via the internal interface?   This is totally feasible.
    If you are trying to decrease CPU utilization on your router, don't expect switching from GRE to L2 to make a drastic difference.  The ISR G2 is a software based platform, as such WCCP (whether L2 or GRE) is processed by the CPU with CEF assistance. 
    True removing the GRE encapsulation will save some processing overhead, but in the end it's the PPS (packets per second) your router is handling that's driving the CPU.
    Remember when you add WCCP / WAAS to the flow it's no longer packet in/ packet out on the router.  Compressed data in on WAN, out to WAAS, uncompressed from WAAS back to Router, out on the LAN, then the reverse... uncompressed data on the LAN in to the router, out to WAAS, compressed from WAAS out to the router, then out on the WAN.  So depending on the compression observed you will see > 2x the amount of traffic being processed by the router. 

  • WCCP v2 - "ip wccp redirect out" command

    I'd like to validate the following:
    1.- I have this equipment:
    Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE, RELEASE SOFTWARE (fc2)
    * Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
    I'd like to know if there's a version that support the command.
    1.- If there's no version that supports the command in the equipment. Then, which is the "smallest" switch model that can support the command.
    Thanks a lot for your support.

    Ali,
    The issue is that not all of your traffic is being redirected in hardware. When you configure outbound interception on the 6500/Sup720, the first packet for every flow is punted to the MSFC and switched in software. Subsequent packets for that flow are redirected in hardware using NetFlow forwarding. So the impact on your MSFC CPU utilization is tied to the number of connections per second (cps) being redirected, as well as some overhead for managing the NetFlow forwarding table.
    In addition, the command 'ip wccp redirect exclude in' is not completely understood by the 6500 hardware. So again, the first packet for every flow entering the interface with this configured must be punted to the MSFC and switched in software.
    And finally, the use of mask assignment (as opposed to hash assignment) is needed to ensure that all interception is handled in hardware).
    Taking these three points together, the following configuration is required if you want WCCP interception to be handled completely in hardware on the 6500/Sup720:
    - GRE or L2 forwarding
    - Mask assignment
    - Inbound redirection
    - No 'ip wccp redirect exclude in'
    This will require you to reverse the logic of how your service groups are applied:
    - 'ip wccp web-cache redirect in' on client-facing interfaces
    - 'ip wccp 95 redirect in' on internet-facing interfaces
    If you have any questions, please let us know.
    Zach

Maybe you are looking for

  • Acrobat XI Pro "Not Responding

    I recently updated to Windows 8 Professional and Acrobat worked like a charm for 3 days with instantaneous reponse. Now progressively I am back to the old problem that I had under Windows 7 and with Acrobat X and 9 - Whenever I open a new PDF it take

  • How to create a Web Service in ABAP 4.7E

    Dear Experts,         We are on SAP R/3 4.7E. Can anybody tell me what are the Pre-requisites or steps to exposed an existing BAPI / RFC's as Web Services. Kindly explain me in detailed. or if any link is available. Regards, Umesh

  • How can I create 3D visuals using existing artwork?

    I have designed some packaging artwork using Illustrator which looks fine although I would like to see the artwork as it would look when made up. The artwork will be used for pouches, bags and boxes. Is there a way of creating a generic 3D pouch, bag

  • Error in the code

    Hi everyone, when i run this query it is giving missing keyword error...can anyone correct this query and help me Thanks SELECT Listnontranstextid ,   Listnontransshort,   Listnontransmedium,   Listnontransextended FROM WITH TEXT_T AS(   SELECT TT.TE

  • ITunes has no Digital Signature

    Everytime I try to download iTunes, it'll either stop downloading halfway through it, or if it does download, it'll say it doesn't have a digital signature, so what do I do to make it download?