WAAS WCCP 6500 ACL Redirection

Similar Messages

• WAAS / WCCP service groups / L2 adjacencies

  Hi all,
  I'm having trouble finding a definitive answer on this one. I'm working on a WAAS deployment in a network with asymmetric routing. I want to deploy WAAS accelerators at two geographically dispersed data centre sites (head end). Do the WAAS boxes themselves need to be L2 adjacent with each other in this configuration? i.e. can the service group consist of two routers (one at each DC) and two WAEs (one at each site), with routed links between the DCs (WAEs in separate IP subnets)?
  Something like:
  - two routers (rtr-A, rtr-B)
  - two WAAS accelerators (waas-A, waas-B)
  - rtr-A and waas-A are L2 adjacent and use WCCP w/L2 redirection
  - rtr-B and waas-B are L2 adjacent and use WCCP w/L2 redirection
  - rtr-A and waas-B are not L2 adjacent and use WCCP w/GRE redirection
  - rtr-B and waas-A are not L2 adjacent and use WCCP w/GRE redirection
  Here's a quick diagram:
  http://i4.tinypic.com/62nhf5u.jpg
  (all links are L3/routed)
  cheers!

  Dale,
  There is no requirement for the WAE's to be L2 adjacent to each other. Note that the WCCP Forwarding Method is negotiated per Service Group -- so it can either be L2 or GRE. Based on your description, you would want to use GRE Forwarding.
  Regards,
  Zach

• Router IOS requirements to work with WAAS WCCP?

  Can some help me with up to date switch and router IOS requirements to work with WAAS WCCP configuration? There used to be a Cisco document explaining that but I can't find it any more.
  Here is out WAAS 4.2.3 deployment in the network:
  Data center: Cat6500 Sup720-3B running IOS 12.2(18)SXF12a will do WCCP L2 redirection. I've seen minimum Sup720 IOS requirement of 12.2(18)SXF13 in one place and 12.2(18)SXF16 in another, but there are also examples of using 12.2 (18) SXF5. Which one is the latest Cisco recommendation?
  Remote sites: 3825 and 3845 routers (some are running 12.4 T train and some are in 12.4 main line) will do WCCP GRE redirection to WAE's. One of the routers will use a WAE-NME-522 module. Others are WAE applicances. Again, what are the latest Cisco recommendations?
  Another question: for an IOS release, does it matter which package to use, such as advanced IP services, enterprise services, or SP services?
  Thanks a lot.

  Here you go.
  http://www.cisco.com/en/US/partner/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
  For IOS release, you will need a package that has WCCP support.
  Hope this helps.
  Regards.
  PS: Please mark this as Answered, if this answers your question.

• How does QoS work with WAAS WCCP? What's the interaction between QoS Traffic Classification and WAE Traffic Application Policy?

  How does QoS work with WAAS WCCP? What's the interaction between Router QoS Traffic Classification and WAE Traffic Application Policy?

  By default, WAAS preserves the DSCP marking on intercepted packets.  There is a configuration option to set/override the DSCP value at the global (device), application, and classifier levels.  Currently WAAS provides marking only.  There is no action taken by WAAS based on the DSCP value.
  Regards,
  Zach

• WCCP V2 Question (Redirect https)

  Hello all
  I have been successful in implementing wccp in my multiple vlan environment.
  Router is Cisco 2921
  G0/0 - Internet
  G0/1 - Squid Proxy
  G0/2 - Clients in multiple vlans
  Here is the config:
  ip wccp web-cache redirect-list 120
  interface GigabitEthernet0/2.1
  encapsulation dot1Q 3
  ip address 172.16.1.1 255.255.255.0
  ip wccp web-cache redirect in
  ip nat inside
  interface GigabitEthernet0/2.2
  encapsulation dot1Q 2
  ip address 172.16.2.1 255.255.255.0
  ip wccp web-cache redirect in
  ip nat inside
  interface GigabitEthernet0/2.3
  encapsulation dot1Q 3
  ip address 172.16.3.1 255.255.255.0
  ip wccp web-cache redirect in
  ip nat inside
  access-list 120 remark REDIRECTION_CRITERIA
  access-list 120 deny   ip host 192.168.1.2 any
  access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
  access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
  access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
  access-list 120 deny   ip any any
  I have some questions:
  1) In the command "ip wccp web-cache redirect-list 120", "redirect-list 120" is not required since all vlans are clients.
  using  ip wccp web-cache redirect in under all subinterfaces alone would work.
  Am I correct ?
  2) How can I redirect HTTPS traffic to my squid proxy.

  Hello,
  1. "ip wccp web-cache redirect in"
  It would work if you squid proxy have another default gateway to internet.
  Otherwise the traffic from the SQUID is also forwarded. You have to use different interfaces for users and squid. On sabinterfeyse vlan SQUID you should not use a configuration wccp
  2. Web-cache permit only http. You must configuring Dynamic WCCP.
  some example:
  in global:
  ip wccp 120 redirect-list 120
  access-list 120 remark REDIRECTION_CRITERIA
  access-list 120 deny   ip host 192.168.1.2 any
  access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq www
  access-list 120 permit tcp 172.16.1.0 0.0.0.255 any eq 443
  access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq www
  access-list 120 permit tcp 172.16.2.0 0.0.0.255 any eq 443
  access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq www
  access-list 120 permit tcp 172.16.3.0 0.0.0.255 any eq 443
  access-list 120 deny   ip any any
  on interface:
  ip wccp 120 redirect in
  See link below for more information
  http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-wccp.html#GUID-5E9AE273-1AFD-4598-9325-85F8C822D168
  Best regards

• WAAS - WCCP redirect in Cat 3560

  Are WAAS redirect ACLs supported on Catalyst 3560?
  Thanks

  You can only configure allow ACLs, no denys (except the deny all at the end).
  Dan

• WAAS - WCCP redirect inbound

  Hello Everyone,
  I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
  Any ideas ?
  interface FastEthernet0/0.999
  description ****Dublin User Vlan****
  encapsulation dot1Q 999 native
  ip address x.x.x.x 255.255.255.192
  ip helper-address 134.65.181.11
  no ip redirects
  no ip proxy-arp
  ip wccp 61 redirect in
  ip wccp 62 redirect out
  ip flow ingress
  no ip mroute-cache
  service-policy input DBN_LAN

  You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
  http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416

• WAAS - WCCP L2-redirection in WS-C6509-E

  Hi,
  I have a costumer with three offices, one is the data center. The other two offices get information from the data center and between them.
  Each one of these remotes offices go through two different SP to the data center, and each one is received in his own router. The core of the data center is a switch WS-C6509-E (IOS s72033-entservicesk9_wan-vz.122-18.SXF7.bin).
  Because there are two different SP in the data center, the traffic redirection must be done in the switch c6500. I think that the following configuration is the correct one:
  ip wccp version 2
  ip wccp 61 redirect-list 101
  ip wccp 62 redirect-list 101
  interface Vlan1
  description *** WAN routers and users ***
  ip address 10.0.16.1 255.255.240.0
  ip wccp 62 redirect out
  ip wccp 61 redirect in
  interface Vlan 200
  description *** WAEs ***
  ip address 10.34.114.65 255.255.255.252
  ip wccp redirect exclude in
  interface Vlan201
  description *** Servers and Users 1 ***
  ip address 10.15.240.1 255.255.240.0
  ip wccp 61 redirect in
  interface Vlan202
  description *** Servers and Users 2 ***
  ip address 10.16.128.1 255.255.240.0
  ip wccp 61 redirect in
  But now I read about the problems using GRE redirection in the switch c6500. I read too that the best way to do this is using L2-redirection, but I don't have any idea of how to do this. I am using the WAAS version 4.1.1.
  Can anybody help me with explaining me the way to configure that?

  Dan,
  I think that the best option for this network is number one, use WCCP on the two 7206VXRs, and redirect the traffic to a single WAE in the same subnet of the hosts.
  But now, I don't understand the implications of use the command “egress-method negotiated-return intercept-method wccp”. What else should I consider or configure (in the router or in the WAE) to make this interception works?
  I think that the configuration on the routers and in the WAE should be something like this:
  --- Router 1
  ip wccp version 2
  ip wccp 61 redirect-list 101
  ip wccp 62 redirect-list 101
  interface Serial3/3:1
  ip address 10.34.113.213 255.255.255.252
  ip wccp 61 redirect in
  ip wccp 62 redirect in
  interface GigabitEthernet0/1
  ip address 10.0.16.2 255.255.240.0
  ip wccp redirect exclude in
  --- Router 2
  ip wccp version 2
  ip wccp 61 redirect-list 101
  ip wccp 62 redirect-list 101
  interface Serial3/3:1
  ip address 10.134.143.217 255.255.255.252
  ip wccp 61 redirect in
  ip wccp 62 redirect in
  interface GigabitEthernet0/1
  ip address 10.0.16.3 255.255.240.0
  ip wccp redirect exclude in
  --- WAE
  interface GigabitEthernet 1/0
  ip address 10.0.16.4 255.255.255.0
  exit
  egress-method negotiated-return intercept-method wccp
  wccp router-list 1 10.0.16.2 10.0.16.3
  wccp tcp-promiscuous router-list-num 1
  Thanks and Regards,
  Pablo

• WCCP src group & redirect/return method

  Has anyone here implemented 3rd party WAN optimization such as Bluecoat or Riverbed w/ WCCP?
  What service groups and redirect/return methods did you use, and on which Cisco switch/router platforms?
  I'd like to know what works, and what doesn't...
  It looks like you generally use service group 61 & 62 to redirect all TCP traffic to WAAS, based on source/destination IP's.
  Do those two service groups also work w/ 3rd party devices?
  If they don't, do I just pick some random service groups, other than the well known ones?
  How would the switch/router know what traffic to redirect, if no redirect-list is used?
  The Networkers' wccp presentation slides say if GRE is to be used w/ 6500's, generic GRE needs to be used instead of WCCP GRE.
  Where would you configure what type of GRE is used, within WAAS?
  Does anyone know if such setting exists on 3rd party devices?
  Our Bluecoat SE isn't even aware of two different versions of GRE, and neither was I, before I watched the Networkers session.

  Hi,
  I know with Riverbed you can use wccp 61/62 as well. I don't have experience with other vendors though.
  The router knows what to redirect based on the WCCP service number. It can be a well-known service or a custom service where you define what to redirect directly on the optimizer/web-cache device. The redirect list is only used to further limit what is redirected.
  In h/w forwarding platform WCCP GRE is handled in s/w, this is why using generic GRE is suggested. On WAAS you can configure it using "egress-method generic-gre intercept-method wccp"
  For more details check the "Egress Method" section in the following doc:
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-629052.html
  Here you have WCCP redirection method supported and suggested for different Cisco platforms:
  http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
  hope this helps,
  Fabrizio

• WAAS WCCP help

  Hi guys,
  Please have a look at my topology attached.Right now this is what I have configured on the core:
  ip wccp 61
  ip wccp 62
  int vlan 151
  ip wccp 61 redirect in
  int vlan 173
  ip wccp 62 redirect in
  The same is configured on the branch office with the appropriate vlans.
  Whatever I do, the "total packets redirected" count never seems to increase. I tried turning on ip wccp 62 redirect out on vlan 173, and ip wccp 61 redirect in on the same vlan, but then only the count for service 61 goes up.
  Also, should I use access-lists to permit redirection only to branch offices that have a WAE? If I don't use a redirect-list, shouldn't all packets be redirected to the WAE, and then the WAE would decide whether to optimize or not based on if there's another WAE at the endpoint location?
  Here's an output of "sh ip wccp 61 detail"
  WCCP Cache-Engine information:
  Web Cache ID: x.x.x.x
  Protocol Version: 2.0
  State: Usable
  Redirection: L2
  Packet Return: GRE
  Packets Redirected: 0
  Connect Time: 00:51:22
  Assignment: MASK
  Any help is greatly appreciated.

  Since you are performing L2 rewrite under WCCP, you will not see the packets redirected increase. The redirection is handled by hardware instead of software. If redirection was done on a router, you would see packet increases.
  I have had WAAS in place for about a year now and you can see below that I have only redirected 2 packets. I am redirecting on a 6509 as well.
  mp1swcr01#show ip wccp 61
  Global WCCP information:
  Router information:
  Router Identifier:
  Protocol Version: 2.0
  Service Identifier: 61
  Number of Cache Engines: 2
  Number of routers: 2
  Total Packets Redirected: 2
  Redirect access-list: WAAS_61
  Total Packets Denied Redirect: 9179
  Total Packets Unassigned: 186
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0

• WAAS: WCCP Mask or Hash on Routers?

  I'm starting thinking about using mask assign on an ISR router running 12:4(24)T with GRE/GRE. Has anyone done this before and can you use mask assign with GRE/GRE? We need to use it with GRE/GRE because our egress method has to be WCCP return. My thought was mask assign will be much better at load balancing across multiple WAEs in a cluster than hash because you can specify a long mask assignment. Right now, see more load on WAE than the other and are sometimes getting TFO overload.

  The page you linked contains recommendations (in bold) for each platform. On the ISR G2 specifically, you should be able to use any combination of GRE/L2 and MASK/HASH assignment. Some other platforms require specific disribution and redirection methods to maintain the hardware acceleration of WCCP traffic. However, the ISR G2 does not have this requirement.
  WCCP GRE and HASH distribution on ISR G2 is typically recommended to make deployment easier. With GRE, content devices can be an L3 hop away (if needed), and it reduces the chance of customers accidentally creating a WCCP redirect loop.
  L2 distribution and HASH redirection method should typically require the least CPU and memory load on the ISR. These should perform the best in most cases.
  The MASK distribution method gives better controls on how load is divided between multiple content devices, typically at the cost of more CPU and memory utilization. If you have only one or two content devices in your cluster, typically HASH will meet the need for slightly less CPU. As Zach said, most times MASK is used on the Datacenter side to give the ability to 'tweak' how the load is distributed across multiple devices.
  Thanks,
  Aaron

• WAAS WCCP Errors

  Any one know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows; l2 forward/return to a 3750E stack switch, interfaces are setup as standby and the model is a 7371. I'm not using any WCCP redirect list.
  Transparent GRE packets received: 0
  Transparent non-GRE packets received: 1940435323
  Transparent non-GRE non-WCCP packets received: 0
  Total packets accepted: 461319375
  Invalid packets received: 731
  Packets received with invalid service: 0
  Packets received on a disabled service: 0
  Packets received too small: 0
  Packets dropped due to zero TTL: 0
  Packets dropped due to bad buckets: 617
  Packets dropped due to no redirect address: 0
  Packets dropped due to loopback redirect: 227
  Pass-through pkts dropped on assignment update:61
  Connections bypassed due to load: 0
  Packets sent back to router: 1829
  GRE packets sent to router (not bypass): 0
  Packets sent to another WAE: 63037
  GRE fragments redirected: 1116193
  GRE encapsulated fragments received: 0
  Packets failed encapsulated reassembly: 0
  Packets failed GRE encapsulation: 0
  Packets dropped due to invalid fwd method: 0
  Packets dropped due to insufficient memory: 0
  Packets bypassed, no conn at all: 0
  Packets bypassed, no pending connection: 0
  Packets due to clean wccp shutdown: 0
  Packets bypassed due to bypass-list lookup: 166
  Packets received with client IP addresses: 460833489
  Spoofed packets dropped: 57416
  Conditionally Accepted connections: 0
  Conditionally Bypassed connections: 0
  L2 Bypass packets destined for loopback: 0
  Packets w/WCCP GRE received too small: 0
  Packets dropped due to received on loopback: 219
  Packets dropped due to IP access-list deny: 0
  Packets fragmented for bypass: 0
  Packets fragmented for egress: 0
  Packet pullups needed: 5484
  Packets dropped due to no route found: 0

  Any one know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows; l2 forward/return to a 3750E stack switch, interfaces are setup as standby and the model is a 7371. I'm not using any WCCP redirect list.
  Transparent GRE packets received: 0
  Transparent non-GRE packets received: 1940435323
  Transparent non-GRE non-WCCP packets received: 0
  Total packets accepted: 461319375
  Invalid packets received: 731
  Packets received with invalid service: 0
  Packets received on a disabled service: 0
  Packets received too small: 0
  Packets dropped due to zero TTL: 0
  Packets dropped due to bad buckets: 617
  Packets dropped due to no redirect address: 0
  Packets dropped due to loopback redirect: 227
  Pass-through pkts dropped on assignment update:61
  Connections bypassed due to load: 0
  Packets sent back to router: 1829
  GRE packets sent to router (not bypass): 0
  Packets sent to another WAE: 63037
  GRE fragments redirected: 1116193
  GRE encapsulated fragments received: 0
  Packets failed encapsulated reassembly: 0
  Packets failed GRE encapsulation: 0
  Packets dropped due to invalid fwd method: 0
  Packets dropped due to insufficient memory: 0
  Packets bypassed, no conn at all: 0
  Packets bypassed, no pending connection: 0
  Packets due to clean wccp shutdown: 0
  Packets bypassed due to bypass-list lookup: 166
  Packets received with client IP addresses: 460833489
  Spoofed packets dropped: 57416
  Conditionally Accepted connections: 0
  Conditionally Bypassed connections: 0
  L2 Bypass packets destined for loopback: 0
  Packets w/WCCP GRE received too small: 0
  Packets dropped due to received on loopback: 219
  Packets dropped due to IP access-list deny: 0
  Packets fragmented for bypass: 0
  Packets fragmented for egress: 0
  Packet pullups needed: 5484
  Packets dropped due to no route found: 0

• WAAS WCCP Interception

  Is there any performance issues with redirecting wccp 62 on an SVI of the 6500 series switch? The WAN interfaces are not layer 3 but are associated with a vlan that has an SVI configured. I will be using redirect lists for interception.
  Regards,

  Clifton,
  On the 6500 platform, you need to follow these recommendations to ensure WCCP redirection happens completely in hardware:
  - L2 Forwarding (configured on WAE)
  - Mask Assignment (configured on WAE)
  - Inbound redirection (configured on 6500)
  - No 'ip wccp redirect exclude in' configured (on 6500)
  Zach

• Urgent ! Router-WAAS WCCP problem

  I have dot1q enabled 7507 connecting frame relay branch to data centre.
  Core WAAS sits on a VLAN subinterface.
  As soon as I enable "ip wcccp redirect 61 in" on VLAN trunked interface, I am loosing connection to the branch.
  the config is here..
  interface GigabitEthernet4/0/0
  description Core Data Centre Trunk VLAN 3,120 to SWDC03 3/16
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  load-interval 30
  negotiation auto
  no cdp enable
  interface GigabitEthernet4/0/0.3
  description Core Data Centre VLAN
  encap dot1q 3
  ip address xxxx
  ip wccp 61 redirect in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nbar protocol-discovery
  ip route-cache flow
  no cdp enable
  standby 3 ip 10.64.205.17
  standby 3 priority 150
  standby 3 preempt
  interface GigabitEthernet4/0/0.120
  description Core WAAS VLAN120
  encap dot1q 120
  ip address yyyyyyy
  ip wccp redirect exclude in
  no ip redirects
  no ip unreachables
  interface Serial0/0/3.64 point-to-point
  ip wccp 62 redirect in
  The IOS version is rsp-jsv-mz.123-17b and WAAS version 4.0.13.I have tested this before without VLAN trunking on another router using a seperate interface and it was working.Any idea ?
  thanks

  thanks guys. I will explain the problem a bit more.When WAAS sits on a seperate i/f on WAN router, it works fine. i.e "wccp redirect 61 in " on interface connecting WAN router to Data Centre and "wccp redirect 62 in" on WAN frame relay. Then I configured the i/f connecting WAN router to Data Centre as dot1q trunk and a dedicated VLAN is created for WAAS. The default gateway for WAAS is HSRP address in 6509s. The WCCP router address configured in WAAS is the loopback0 address of the WAN router. The "wccp redirect 62 in" on WAN frame relay stays same. However, " wccp redirect 61 in " carried to a new subinterface on the same access as WAAS VLAN.
  All WCCP commands show that there is a connection between WAAS and WAN router, packet count goes up. However, all TCP sessions to the brach (initiated from the Data Centre) fail. I have also tested with and without "wccp redirect exclude in" on WAAS VLAN subinterface without success. Since I had to install the branch the WAAS on the weekend, I moved WAAS back to dedicated interface on WAN router. It works fine but I can not implement redundancy.
  The suggestion was to make WAN router subinterface HSRP active rather than 6509 MSFCs.So WAAS talks to WAN routers loopback address and default gateway also points to the same router rather than MSFC. I have not had a chance to test this but I will test in the coming weeks. I was also suggested to use layer2 redirection on 6509 but did not have any chance to look at it closely.
  thanks
  Serhat

• ASR1002 WCCP L2 Forwarding Redirection setup

  Hi WCCP experts,
  Two questions please.
  According to
  IP Application Services Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000).
  • The following limitation applies to WCCP Layer 2 Forwarding and Return feature:
  Layer 2 redirection requires that content engines be directly connected to an interface on each WCCP router.
  Q1. Will it work if there is a L2 switch between the WCCP router and conte engines?
  Right now we have the WCCP ASR1002 router connected to a L2 switch trunk port. One of the sub-interfaces will be used for the connection to content engines.
  . For content engines running Application and Content Networking System (ACNS) software, use the wccp
  custom-web-cache command with the l2-redirect keyword to configure L2 redirection. For content
  engines running Cisco Wide Area Application Services (WAAS) software, use the wccp tcp-promiscuous
  command with the l2-redirect keyword to configure L2 redirection.
  Q2. I have Blue Coat as content engines. What configuration commands ASR1002 should have for L2 redirection?
  Thanks
  Cedar

  Hi Cedar,
  If i am not wrong the directly connected actually means that ASR and CE or in your case Blue coat proxy should be in the same subnet. If they are in the same subnet then of course you can use switch in between.
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/iap-xe-3s-book/iap-wccp.html#GUID-CAE67F60-CD04-4134-9E7B-995E76608216
  Have a look at the link above and look at L2 redirection and return.
  Wccp customer-web-cache etc are all services and you can use any one or custom numbers as your network requirment. You can use 90 or web-cache which is for port 80 or 61, 62 etc.
  You can see the list of well known service groups.
  Regards,
  Kanwal