Router WCCP redirect ACLs for WAAS

Since WAAS accelerates TCP connections only, would it be more efficient to code my router WCCP redirect ACLs for protocol TCP instead of all IP traffic between my source and dest subnets I want redirected?

Greg,
The protocol (TCP) is an attribute of the WCCP service group, so using IP in your ACL is fine.
Regards,
Zach

Similar Messages

  • WCCP Redirect ACL with Static Routes

    I need help in creating a redirect ACL (along with an explanation) for one of our sites that has multiple static routes on the router pointing to a customer's device on his network.  I have attached relevant config for review.  We have tried numerous combos for this and so far nothing has worked correctly.  Essentially we need the 165. network, 10.48 and the 10.0 network to all be redirected to the WAE appliance hanging off FA0/1 to be optimized and returned back, but not break communication b/w 10.0 and 10.48 network.  Thoughts and/or suggestions?
    Thank you

    Have you tried to do the static route in the WAE?
    Jan

  • Wccp redirection for waas on same platform as wccp for websense?

    just wondering if anyone knows if a Cisco router or switch can handle wccp redirection enabled for both waas and some other web content filtering appliance using a different service group?
    seems like the priority value would come into play determining which service group gets handled first?
    we currently do WCCP for WaaS on our 3945s.
    I am going to advocate to my customer that we separate this out for CPU load issues, config complexity issues, IOS issues, etc... but the question is going to come up - "can we do WCCP for different applications on our Catalyst 3750 core switch, or our 3945 WAN routers?"
    Thanks,
    Paul

    Hi Paul,
    Yes, it's technically possible to have WCCP redirection for several services even in those devices that don't support setting the priority. However, in this case, both WAAS and Websense need to redirect HTTP traffic, and that's what makes things complicated.
    Assuming you first want to send the traffic to Websense and then to WAAS, I would recommend doing the WAAS redirection only on the WAN link (with one service inbound and the other outbound). You can then configure Web-cache redirection inbound on the client vlan and, a service for the return traffic (I'm not sure if this is required for websense), inbound on the interface where the WAE is connected (with a redirect-list to match only the return direction)
    Even if it's possible to have both redirections in the same device, if possible, I would strongly suggest you to either use different devices for the redirection or to make them mutually exclusive (for example, not sending HTTP to WAAS), otherwise, if you make a small mistake with the configuration, you can end up with a redirection loop.
    Regards
    Daniel

  • WCCP Redirect list ACL mask for WAAS

    Good day,
    I would like to confirm if the following would be correct to implement for WCCP redirection list on 6500. We have over 800 branches and we also need to manage the intra-server traffic in the Data Center which we do not want to be re-directed.
    ip access-list extended WCCPLIST-61
      permit tcp 10.112.0.0 0.0.31.255 any
    ip access-list extended WCCPLIST-62
      permit tcp any 10.112.0.0 0.0.31.255
    So, as an example, would these masks work for us, as the number of entries otherwise would be exhaustive.
    Just want to confirm that the mask in the ACL doesn't have to match exactly.
    Thanks in advance.

    Hi Zach,
    Thanks for the response and confirmation.
    I was wanting to make sure that it is not required to have the masks match the source masks, resulting in the exhaustive list (operational nightmare).
    A quick question on the ACL for WCCP redirect-list. Should we not see hits on specific entries (e.g. permit tcp 10.113.9.0 0.0.0.31 any for the 61 redirect list, and the same for the permit tcp any 10.113.9.0 0.0.0.31 for the 62 redirect list).
    If we don't, no traffic? We see flows on the branch WAE, although very few (not many users), but no hits on the ACL on the DC 6500. Is this due to them being handled in hardware maybe, TCAMs?
    Any input would be appreciated.
    Thanks again.
    Paul.

  • Does introducing WCCP redirect for WAAS disrupt Netflow information?

    Before installing WAAS and WCCP redirect on some 6500 interfaces in our data center, those interfaces showed Netflow flows for users at a remote location accessing servers at our data center. Now with WCCP redirecting that traffic to the WAEs, I notice the only netflow flows for that remote location are UDP flows and some ICMP stuff.
    Is this an unintended consequence of installing WAAS - that netflow statistics are going to be skewed by not showing flows that are now accelerated?

    I believe your problem may be due to the fact that you are redirecting http based traffic per the ACL configuration. The sup720 uses wccp v2 as a default version, however, the Sup720 does NOT support the hardware-based redirection for the TCP port 80 when we enable wccpv2.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/wccp.htm#wp1017009
    Support for Non-HTTP Services:
    WCCPv2 allows redirection of traffic other than HTTP (TCP port 80 traffic), including a variety of UDP and TCP traffic. WCCPv1 supported the redirection of HTTP (TCP port 80) traffic only. WCCPv2 supports the redirection of packets intended for other ports, including those used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, web caching for ports other than 80, and real audio, video, and telephony applications.

  • WAAS: ASR for WCCP redirect

    Has anyone deployed an ASR for WCCP redirection? How stable is this platform?
    Thanks,
    DG

    DG,
    I work for Cisco Systems.
    WCCP support on ASR has been there for a while now. Many of our customers do run WCCP on ASR and are happy with the stability and performance. As you may know it is a h/w based platform and hence it processes WCCP in h/w. Please ensure that you are using mask assignment to take advantage of h/w processing on ASR.
    thanks
    Nat

  • WCCP 61 and 62 for WAAS?

    What if, I wanted to use TWO wan optimizing pieces of hardware--One WAAS and one another vendor? Both "Head-End" devices would need to use a WCCP redirect off the same GIG and POS interface (with a different ACL and WCCP number) BUTTTT..the problem it seems, is the Cisco WAAS devices will only use 61 and 62 in promiscuous mode...while other vendors can do numbered modes...is this true? Or can you do something like
    Gig0/0
    ip wccp 10 redirect in <--Cisco waas
    ip wccp 20 redirect in <--vendor2
    etc..
    Thanks for any help

    Hi Alan,
    WAAS currently only supports service groups 61/62. Note that these numeric designations are really just identifiers, and don't impact order of operations or anything else. So long as the 'vendor2' device above uses some other service group numbers besides 61/62, you should be fine.
    Also note that if you are configuring WCCP on a software-based platform (ISR, 7200, etc.), you will also need to configure the global command 'ip wccp check services all'.
    Please let us know if you have any additional questions.
    Regards,
    Zach

  • Best practice with WCCP flows for WAAS

    Hi,
    I have a WAAS SRE 910 module in a 2911 router that intercepts packets from this router with WCCP.
    All packets are received by external interface (gi 2/0, connected to a switch with port configured in WCCP vlan), and are sent back to the router via internal interface (gi 1/0 directly connected to the router) :
    WAAS# sh interface gi 1/0
    Internet Address                    : 10.0.1.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 20631
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 239 bits/sec, 0 packets/sec
    Output Throughput                   : 3270892 bits/sec, 592 packets/sec
    Packets Sent                        : 110062
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 1000 Mbps
    WAAS# sh interface gi 2/0
    Internet Address                    : 10.0.2.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 86558
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 2519130 bits/sec, 579 packets/sec
    Output Throughput                   : 3431 bits/sec, 2 packets/sec
    Packets Sent                        : 1580
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 100 Mbps
    The default route configured in WAAS module is 0.0.0.0/0 to 10.0.1.254 (router interface).
    Would it be better that packets leave WAAS module by the external interface (in place of the internal interface) ?
    Is there a best practice recommended by Cisco on this ?
    Thanks.
    Stéphane

    Hi Stephane,
    We usually advise the following in such scenario with an internal module:
    "ip wccp 61 redirect in" the LAN interface.
    "ip wccp 61 redirect in" on the WAN one.
    "ip wccp redirect exclude in" on the internal interface between the WAAS and the router.
    That way, we are sure that no loops are created because of the WCCP redirection.
    Regards,
    Nicolas

  • Does wccp redirect break routing protocol?

    This may be a dumb question to ask, sorry i don't have equipment to test it at this moment.
    If wccp redirect is configured on an interface running routing protocol (such as eigrp or ospf), will this redirect the "unicast" ospf database or eigrp topology update to WAAS?  and/or will this also redirect ospf & eigrp "multicast" update which maintains neighbor relationship to WAAS?
    Should this type of traffic be denied on wccp redirect-list?
    Thanks

    Hi Joe,
    Since WAAS normally uses TCP promiscuous mode services, based on service group number 61 and 62 - you'll only get TCP redirected ... and neither OSPF nor EIGRP runs on top of TCP, so don't worry.
    If you run a TCP based routing protocol like BGP, it will get redirected.
    Later versions of WAAS don't, by default, try to optimize on BGP, as it has given some problems in the past due to sequence number manipulation.
    Best Regards
    Finn Poulsen

  • WAAS - WCCP redirect inbound

    Hello Everyone,
    I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
    Any ideas ?
    interface FastEthernet0/0.999
    description ****Dublin User Vlan****
    encapsulation dot1Q 999 native
    ip address x.x.x.x 255.255.255.192
    ip helper-address 134.65.181.11
    no ip redirects
    no ip proxy-arp
    ip wccp 61 redirect in
    ip wccp 62 redirect out
    ip flow ingress
    no ip mroute-cache
    service-policy input DBN_LAN

    You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416

  • WAAS - WCCP redirect in Cat 3560

    Are WAAS redirect ACLs supported on Catalyst 3560?
    Thanks

    You can only configure allow ACLs, no denys (except the deny all at the end).
    Dan

  • Ip wccp redirect-list acl

    Hi
    I have 2 different Nexus working different NX-OS (6.0(4) & 6.2(6) )  with different line card (F2  & F2E ) and different Sup (Sup 1 & Sup 2 ) but share the same problem. Sup 2 devices work with VPC Sup 1 device Standalone this is the only difference
    I try to configure WCCP on device to redirect http & https Traffic  to Websense. I create following lines  in both nexus
    Feature wccp
    ip wccp 1 redirect-list WS_REDIRECT
    ip wccp 5 redirect-list WS_REDIRECT
    ip wccp 70 redirect-list WS_REDIRECT
    ip access-list  WS_REDIRECT
     deny  ip any 10.0.0.0 0.255.255.255
     deny   ip any 172.16.0.0 0.15.255.255
     deny   ip any 192.168.0.0 0.0.255.255
     permit tcp any any eq www
     permit tcp any any eq 443
     permit tcp any any eq ftp
    interface vlan 7
    ip wccp 1 redirect in
    ip wccp 5 redirect in
    ip wccp 70 redirect in
    This redirects all the traffic even deny list.
    No bug reported in bug tool kit
    Could you please help me.

    Okay, it's weird you have multiple WCCP groups.
    Considering you are only using one ACL, just simply use one WCCP Group ID
    Also, here is a sample config:
    Let's say you want to redirect traffic from VLAN 10,11 and 12 to WCCP
    and your WCCP device is at VLAN20
    #conf t
    #ip wccp version 2            -DEFAULT: ver1
    #ip wccp 90 
    #ip wccp 90 password wccp123    -THIS IS OPTIONAL! Place a password on your WCCP instance.
    #interface vlan 10
      #ip wccp 90 redirect in
    #interface vlan 11
      #ip wccp 90 redirect in
    #interface vlan 12
      #ip wccp 90 redirect in
    #interface vlan 20
      #ip wccp redirect exclude in     -avoid optimization loops
    Your WCCP device will be in VLAN 20, and I recommend dedicating that VLAN to WCCP devices:
    Configure your WCCP device (Websense) and define the Service group ID, in this example, it's wccp 90 and of course the IP of VLAN 20
    By default, all traffic in interfaces configured with "wccp 90 in" will forward traffic to the WCCP device
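
Added example (not from any of the posts above): a small first-match evaluator for the two redirect lists quoted on this page, WCCPLIST-61 from the wildcard-mask thread and WS_REDIRECT from the Nexus thread, showing which flows each list selects under ordinary ACL semantics. It parses only the entry forms that appear on this page (any / host / address plus wildcard, optional destination `eq` port); the function names are hypothetical.

```python
import ipaddress

PORTS = {"www": 80, "ftp": 21}  # the IOS port keywords that appear on this page

# ACLs copied from the two posts above.
WCCPLIST_61 = ["permit tcp 10.112.0.0 0.0.31.255 any"]
WS_REDIRECT = [
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.15.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "permit tcp any any eq ftp",
]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Pop 'any', 'host A' or 'A WILDCARD' off the token list -> (base, wildcard)."""
    if tokens[0] == "any":
        del tokens[:1]
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        base = _ip(tokens[1])
        del tokens[:2]
        return base, 0
    base, wild = _ip(tokens[0]), _ip(tokens[1])
    del tokens[:2]
    return base, wild

def parse_ace(line):
    """Parse '<action> <proto> <src> <dst> [eq <dport>]' into a tuple."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORTS.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, dport

def _covers(spec, addr):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return ((_ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry; implicit deny if none match."""
    for line in acl:
        action, ace_proto, s, d, port = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if not (_covers(s, src) and _covers(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

With constructed test addresses, `evaluate(WCCPLIST_61, "tcp", "10.112.9.5", "203.0.113.10", 445)` returns `"permit"` while a source of `10.112.32.1` or `10.113.9.5` returns `"deny"`, since 0.0.31.255 only frees the low five bits of the third octet. `evaluate(WS_REDIRECT, "tcp", "10.1.1.5", "10.2.2.2", 80)` returns `"deny"` because the RFC 1918 entries are hit before the `permit` lines.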

  • Inbound ACL for public VPN router

    Hi all,
    I have configured our VPN router for access for all our mobile clients. Our private VPN range is going to be 172.16.10.x/24. Do I need to add ACL permit rules for this range on our inbound ACL to all the inside LANs to facilitate access for the VPN users?
    eg int S0/0/0
         ip address 85.x.x.x
         ip access-group 100 in
    access-list 100 permit ip 172.16.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    If I understand things correctly, once the user connects, the VPN is tunnelled as far as the inside of the interface, so traffic passing through the VPN is encapsulated and hence wouldn't appear as a private IP?
    All comments are greatly appreciated.
    Paul

    Sorry  I mean to say you should not edit outside acl for vpn traffic for rest of the things you can do it.
    Thanks
    Ajay

  • WCCP bug notice for IOS 15.2.2T

    Just FYI...
    I have had two ISRG2 routers (2900 & 3900) hit by a bug in IOS 15.2.2T. TAC has verified it is a defect.
    (SR 621141965)
    Fix;
    Downgrade below 15.2.2T , upgrade to 15.2.2T1, or add a SEC license to the router.
    Scenario;
    If you have an ISRG2 router and only have an IPBase license. (SEC licensed routers are not an issue)
    If you are running IOS 15.2.2T
    If you use an ACL on the router to select what is redirected to WAAS
    All WCCP redirected traffic is "redirect_denied"
    TAC;
    Disabled CEF
    Set WCCP to redirect ANY traffic
    Tried "ip wccp 61 redirect in" and "ip wccp 62 redirect out" on a single interface
    Tried to remove NBAR, QOS, IP FLOW, and other services from the Interface
    Nothing we tried would resolve the issue.

    I am ready to throw my phone at the wall I am so frustrated by the annoying whooshing sound it emits after I send a text message. Upon calling Apple Tech Support I learned that there is no control setting to fix or alter the sound made once a text is sent.
    I want to individually control what happens when I receive a call, receive a text, and send a text. I have no idea why they are all interconnected. This is a basic phone necessity that has been completely overlooked by Apple.
    Those of you who have this same problem I encourage you to post about it so the problem is addressed in the next update. For a short term fix just set the phone to vibrate, you lose the ability to hear calls, but gain sanity that would otherwise be lost putting up with the whoosh sound.

  • Ip wccp redirection direction at ethernet and serial interface.

    hi all.
    commonly, we use 'ip wccp 62 redirect in' at serial interface to grab packet for sending cisco waas.
    but some document is mentioned that 'ip wccp 62 redirect out' ethernet interface facing data center side.
    I guess, there is same meaning, I think that It's better to apply 'ip wccp 62 redirect in' at serial interface due to router performance. Right?
    Can you explain clarify for me?
    Thank you.

    You are correct redirect in is less cpu intensive as compared to redirect out
    WCCP redirection can be configured to occur as packets enter a router or switch interface (inbound, or ingress, redirection) or as they are beginning to leave a router or switch interface (outbound, or egress, redirection).
        * Inbound redirection - the WCCP process inspects traffic to find packets that should be optimized before the packets enter the router or switch forwarding/routing selection process.  Inbound redirection is less CPU intensive than outbound redirection (when using process or other SW based switching).
        * Outbound redirection - the WCCP process inspects traffic to find packets that should be optimized as the packets are ready to leave a router or switch interface, after the packet has gone through the router or switch forwarding/routing selecting process.  Outbound redirection is more CPU intensive than inbound redirection.
    Thanks
    -Smita
