WAAS - WCCP L2-redirection in WS-C6509-E
Hi,
I have a customer with three offices, one is the data center. The other two offices get information from the data center and between them.
Each one of these remote offices goes through two different SPs to the data center, and each one is received on its own router. The core of the data center is a switch WS-C6509-E (IOS s72033-entservicesk9_wan-vz.122-18.SXF7.bin).
Because there are two different SP in the data center, the traffic redirection must be done in the switch c6500. I think that the following configuration is the correct one:
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Vlan1
description *** WAN routers and users ***
ip address 10.0.16.1 255.255.240.0
ip wccp 62 redirect out
ip wccp 61 redirect in
interface Vlan 200
description *** WAEs ***
ip address 10.34.114.65 255.255.255.252
ip wccp redirect exclude in
interface Vlan201
description *** Servers and Users 1 ***
ip address 10.15.240.1 255.255.240.0
ip wccp 61 redirect in
interface Vlan202
description *** Servers and Users 2 ***
ip address 10.16.128.1 255.255.240.0
ip wccp 61 redirect in
But now I read about the problems using GRE redirection in the switch c6500. I read too that the best way to do this is using L2-redirection, but I don't have any idea of how to do this. I am using the WAAS version 4.1.1.
Can anybody help me by explaining how to configure that?
Dan,
I think that the best option for this network is number one, use WCCP on the two 7206VXRs, and redirect the traffic to a single WAE in the same subnet of the hosts.
But now, I don't understand the implications of using the command "egress-method negotiated-return intercept-method wccp". What else should I consider or configure (in the router or in the WAE) to make this interception work?
I think that the configuration on the routers and in the WAE should be something like this:
--- Router 1
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Serial3/3:1
ip address 10.34.113.213 255.255.255.252
ip wccp 61 redirect in
ip wccp 62 redirect in
interface GigabitEthernet0/1
ip address 10.0.16.2 255.255.240.0
ip wccp redirect exclude in
--- Router 2
ip wccp version 2
ip wccp 61 redirect-list 101
ip wccp 62 redirect-list 101
interface Serial3/3:1
ip address 10.134.143.217 255.255.255.252
ip wccp 61 redirect in
ip wccp 62 redirect in
interface GigabitEthernet0/1
ip address 10.0.16.3 255.255.240.0
ip wccp redirect exclude in
--- WAE
interface GigabitEthernet 1/0
ip address 10.0.16.4 255.255.255.0
exit
egress-method negotiated-return intercept-method wccp
wccp router-list 1 10.0.16.2 10.0.16.3
wccp tcp-promiscuous router-list-num 1
Thanks and Regards,
Pablo
Similar Messages
-
Hello Everyone,
I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
Any ideas ?
interface FastEthernet0/0.999
description ****Dublin User Vlan****
encapsulation dot1Q 999 native
ip address x.x.x.x 255.255.255.192
ip helper-address 134.65.181.11
no ip redirects
no ip proxy-arp
ip wccp 61 redirect in
ip wccp 62 redirect out
ip flow ingress
no ip mroute-cache
service-policy input DBN_LAN
You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416 -
WAAS WCCP 6500 ACL Redirection
Hi All
I'm sure I'm missing something simple here on a new install and I hope someone can point it out easily. I implemented the following config which worked except it understandably broke connections as everything got redirected. I'm running the WCCP config on a 6500 running 12.2(18) SXF
This config showed total redirected packets climbing sharply in a 'show ip wccp' on the 6500 but this config broke other things.
WAE:
interface GigabitEthernet 1/0
ip address 10.254.0.251 255.255.255.248
ip default-gateway 10.254.0.249
wccp router-list 1 10.254.0.249
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
6500:
ip wccp 61
ip wccp 62
interface Vlan<vlans to be accelerated>
description Local VLAN to be accelerated
ip wccp 61 redirect in
interface Vlan <WAAS vlan>
description WAAS Devices(CM and WAE)
ip address 10.254.0.249 255.255.255.248
interface Vlan <Vlan for WAN transit>
description Incoming WAN VLAN
ip wccp 62 redirect in
To try and limit redirection to just LAN space I swapped this:
ip wccp 61
ip wccp 62
for this:
Ip access-list ext WAAS_Inbound
Permit ip 10.22.0.0 0.0.255.255 10.0.0.0 0.0.255.255
Ip access-l ext WAAS_Outbound
Permit ip 10.0.0.0 0.0.255.255 10.22.0.0 0.0.255.255
Ip wccp 62 redirect-list WAAS_Inbound
Ip wccp 61 redirect-list WAAS_Outbound
Once I did this, 'show ip wccp' on the 6500 stopped showing redirected packets but did start showing packets being denied redirect. Optimization stopped (according to the GUI) and I saw no hits on the access-lists (should I?).
Thanks for your help in advance.
A few questions/comments:
What type of Supervisor are you using?
What is the exact version of software you are using?
The fact that the 'packets redirected' counter is incrementing is a bad thing on the 6500. It means that the redirection is happening in software.
Can you also provide the output from the following commands:
sh ip wccp
sh ip wccp 61 det
sh ip wccp 62 det
Thanks,
Zach -
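How IOS wildcard masks decide whether a flow matches a WCCP redirect-list entry, as an added example (not code from any poster in this thread or from Cisco). It evaluates the WAAS_Inbound entry posted above against two constructed flows; packets that match no permit entry are the ones counted under "Total Packets Denied Redirect". Port qualifiers are deliberately not handled.

```python
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'.

    Returns (base, wildcard) as integers. Bits set in the wildcard are ignored.
    """
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))


def parse_ace(line):
    """Parse 'permit|deny ip|tcp <src> <dst>' (IOS keywords are case-insensitive)."""
    tokens = line.lower().split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp"):
        raise ValueError("unsupported entry: %r" % line)
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    if tokens:
        raise ValueError("port qualifiers are not handled here: %r" % line)
    return action, src, dst


def matches(spec, addr):
    """True when addr equals base on every bit the wildcard does not ignore."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def covered_range(spec):
    """First and last address covered (meaningful for contiguous wildcards only)."""
    base, wildcard = spec
    low = base & ~wildcard & 0xFFFFFFFF
    high = low | wildcard
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def redirect_decision(acl_lines, src, dst):
    """First matching entry wins; no match falls to the implicit deny.

    The flow is assumed to be TCP, so 'ip' and 'tcp' entries both apply.
    """
    for line in acl_lines:
        action, src_spec, dst_spec = parse_ace(line)
        if matches(src_spec, src) and matches(dst_spec, dst):
            return "redirect" if action == "permit" else "denied redirect"
    return "denied redirect"


# Entry as posted in the thread above.
WAAS_INBOUND = ["Permit ip 10.22.0.0 0.0.255.255 10.0.0.0 0.0.255.255"]

if __name__ == "__main__":
    _, src_spec, dst_spec = parse_ace(WAAS_INBOUND[0])
    print("source covers     ", covered_range(src_spec))
    print("destination covers", covered_range(dst_spec))
    # Constructed flows: same source, two different 10.x destinations.
    for dst in ("10.0.4.20", "10.15.240.9"):
        print("10.22.5.10 ->", dst, ":", redirect_decision(WAAS_INBOUND, "10.22.5.10", dst))
```
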
Hi guys,
Please have a look at my topology attached. Right now this is what I have configured on the core:
ip wccp 61
ip wccp 62
int vlan 151
ip wccp 61 redirect in
int vlan 173
ip wccp 62 redirect in
The same is configured on the branch office with the appropriate vlans.
Whatever I do, the "total packets redirected" count never seems to increase. I tried turning on ip wccp 62 redirect out on vlan 173, and ip wccp 61 redirect in on the same vlan, but then only the count for service 61 goes up.
Also, should I use access-lists to permit redirection only to branch offices that have a WAE? If I don't use a redirect-list, shouldn't all packets be redirected to the WAE, and then the WAE would decide whether to optimize or not based on if there's another WAE at the endpoint location?
Here's an output of "sh ip wccp 61 detail"
WCCP Cache-Engine information:
Web Cache ID: x.x.x.x
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:51:22
Assignment: MASK
Any help is greatly appreciated.
Since you are performing L2 rewrite under WCCP, you will not see the packets redirected increase. The redirection is handled by hardware instead of software. If redirection was done on a router, you would see packet increases.
I have had WAAS in place for about a year now and you can see below that I have only redirected 2 packets. I am redirecting on a 6509 as well.
mp1swcr01#show ip wccp 61
Global WCCP information:
Router information:
Router Identifier:
Protocol Version: 2.0
Service Identifier: 61
Number of Cache Engines: 2
Number of routers: 2
Total Packets Redirected: 2
Redirect access-list: WAAS_61
Total Packets Denied Redirect: 9179
Total Packets Unassigned: 186
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0 -
Urgent ! Router-WAAS WCCP problem
I have dot1q enabled 7507 connecting frame relay branch to data centre.
Core WAAS sits on a VLAN subinterface.
As soon as I enable "ip wccp redirect 61 in" on VLAN trunked interface, I am losing connection to the branch.
the config is here..
interface GigabitEthernet4/0/0
description Core Data Centre Trunk VLAN 3,120 to SWDC03 3/16
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
negotiation auto
no cdp enable
interface GigabitEthernet4/0/0.3
description Core Data Centre VLAN
encap dot1q 3
ip address xxxx
ip wccp 61 redirect in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip route-cache flow
no cdp enable
standby 3 ip 10.64.205.17
standby 3 priority 150
standby 3 preempt
interface GigabitEthernet4/0/0.120
description Core WAAS VLAN120
encap dot1q 120
ip address yyyyyyy
ip wccp redirect exclude in
no ip redirects
no ip unreachables
interface Serial0/0/3.64 point-to-point
ip wccp 62 redirect in
The IOS version is rsp-jsv-mz.123-17b and WAAS version 4.0.13. I have tested this before without VLAN trunking on another router using a separate interface and it was working. Any idea?
thanks
thanks guys. I will explain the problem a bit more. When WAAS sits on a separate i/f on WAN router, it works fine, i.e. "wccp redirect 61 in" on interface connecting WAN router to Data Centre and "wccp redirect 62 in" on WAN frame relay. Then I configured the i/f connecting WAN router to Data Centre as dot1q trunk and a dedicated VLAN is created for WAAS. The default gateway for WAAS is HSRP address in 6509s. The WCCP router address configured in WAAS is the loopback0 address of the WAN router. The "wccp redirect 62 in" on WAN frame relay stays same. However, "wccp redirect 61 in" carried to a new subinterface on the same access as WAAS VLAN.
All WCCP commands show that there is a connection between WAAS and WAN router, packet count goes up. However, all TCP sessions to the branch (initiated from the Data Centre) fail. I have also tested with and without "wccp redirect exclude in" on WAAS VLAN subinterface without success. Since I had to install the branch WAAS on the weekend, I moved WAAS back to dedicated interface on WAN router. It works fine but I cannot implement redundancy.
The suggestion was to make WAN router subinterface HSRP active rather than 6509 MSFCs. So WAAS talks to WAN router's loopback address and default gateway also points to the same router rather than MSFC. I have not had a chance to test this but I will test in the coming weeks. I was also advised to use layer2 redirection on 6509 but did not have any chance to look at it closely.
thanks
Serhat -
Router IOS requirements to work with WAAS WCCP?
Can some help me with up to date switch and router IOS requirements to work with WAAS WCCP configuration? There used to be a Cisco document explaining that but I can't find it any more.
Here is our WAAS 4.2.3 deployment in the network:
Data center: Cat6500 Sup720-3B running IOS 12.2(18)SXF12a will do WCCP L2 redirection. I've seen minimum Sup720 IOS requirement of 12.2(18)SXF13 in one place and 12.2(18)SXF16 in another, but there are also examples of using 12.2 (18) SXF5. Which one is the latest Cisco recommendation?
Remote sites: 3825 and 3845 routers (some are running 12.4 T train and some are in 12.4 main line) will do WCCP GRE redirection to WAEs. One of the routers will use a WAE-NME-522 module. Others are WAE appliances. Again, what are the latest Cisco recommendations?
Another question: for an IOS release, does it matter which package to use, such as advanced IP services, enterprise services, or SP services?
Thanks a lot.
Here you go.
http://www.cisco.com/en/US/partner/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
For IOS release, you will need a package that has WCCP support.
Hope this helps.
Regards.
PS: Please mark this as Answered, if this answers your question. -
Hi all,
Please see the attached diag for our waas setup. The traffic is not optimized and shows as pass-through in one end and no stats are shown in other end.
4500 switch config:
ip wccp 61 redirect-list wccp_list password xxxx
ip wccp 62 redirect-list wccp_list password xxxx
Interface Gi1/1
ip address 10.1.46.1 255.255.255.252
ip wccp 62 redirect in
interface vlan 170
ip address 10.46.170.10 255.255.255.0
ip wccp 61 redirect in
ip access-list extended wccp_list
permit ip 10.46.170.0 0.0.0.255 any
show commands:
sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 10.46.1.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 150487
Process: 0
CEF: 0
Platform: 150487
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: wccp_list
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 2
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 232994
Process: 0
CEF: 0
Platform: 232994
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: wccp_list
Total Packets Denied Redirect: 3685761
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0
3750x switch config:
ip wccp 61 redirect-list wccp_list password xxxx
ip wccp 62 redirect-list wccp_list password xxxx
Interface Gi1/0/1
ip address 10.1.46.2 255.255.255.252
ip wccp 62 redirect in
interface vlan 170
ip address 10.45.170.10 255.255.255.0
ip wccp 61 redirect in
ip access-list extended wccp_list
permit ip 10.45.170.0 0.0.0.255 any
show commands:
sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 10.45.1.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 62
Process: 15
CEF: 47
Redirect access-list: wccp_list
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Service Identifier: 62
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: wccp_list
Total Packets Denied Redirect: 795
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
Traffic is shown as pass-through in 10.46.40.20 and there is no tcp connections shown in 10.45.40.20! Any inputs?
Regards
G'day Giovanni,
The waas plugged in the 4500 shows PT no peer and the 3750X doesn't show anything at all.
I checked the 3750x it shows it is using desktop routing as the template.
Below is the output from 3750 about wccp 61 detail:
#sh ip wccp 61 detail
WCCP Client information:
WCCP Client ID: 10.45.40.20
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 62
Connect Time: 3w1d
Assignment: MASK
I can see the matches in the redirect list but nothing shows in the WAAS being optimized.
Extended IP access list wccp_list
10 permit tcp 10.45.170.0 0.0.0.255 any (76 matches)
20 permit tcp any 10.45.170.0 0.0.0.255
There is no firewall or bypass lists involved in this setup.
regards -
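A small parser for the `show ip wccp` counters discussed in the threads above, as an added example (not code from any poster or from Cisco). The sample is trimmed from the 4500 output posted above; the finding names are this example's own. It flags authentication failures (WCCP messages whose password did not match), a service group with no group access-list restricting which clients may join, packets denied by the redirect list, unassigned packets, and redirection counted under Process or CEF rather than Platform.

```python
import re

SUBCOUNTERS = {"Process", "CEF", "Platform"}
REDIRECT_KEYS = ("Total Packets Redirected", "Total Packets s/w Redirected")

# Trimmed from the 4500 "sh ip wccp" output posted in the thread above.
SAMPLE = """\
Global WCCP information:
Router information:
Router Identifier: 10.46.1.1
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Total Packets Redirected: 150487
Process: 0
CEF: 0
Platform: 150487
Redirect access-list: wccp_list
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Authentication failures: 2
Service Identifier: 62
Number of Service Group Clients: 1
Total Packets Redirected: 232994
Process: 0
CEF: 0
Platform: 232994
Redirect access-list: wccp_list
Total Packets Denied Redirect: 3685761
Total Packets Unassigned: 0
Group access-list: -none-
Total Authentication failures: 0
"""


def _value(text):
    return int(text) if text.isdigit() else text


def parse_show_ip_wccp(text):
    """Return {service_id: {counter: value}}.

    Process/CEF/Platform lines are stored under the counter they follow,
    e.g. 'Total Packets Redirected/Platform', because indentation is often
    lost when output is pasted.
    """
    services, current, parent = {}, None, None
    for raw in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", raw)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Service Identifier":
            current, parent = services.setdefault(int(value), {}), None
        elif current is None:
            continue  # global header lines before the first service
        elif key in SUBCOUNTERS and parent:
            current[parent + "/" + key] = _value(value)
        else:
            current[key] = _value(value)
            parent = key
    return services


def review(services):
    """Return {service_id: [(finding, value), ...]} for counters worth a look."""
    findings = {}
    for sid, c in sorted(services.items()):
        notes = []
        if c.get("Total Authentication failures", 0):
            notes.append(("auth-failures", c["Total Authentication failures"]))
        if c.get("Group access-list") == "-none-":
            notes.append(("no-group-list", None))
        if c.get("Total Packets Denied Redirect", 0):
            notes.append(("denied-redirect", c["Total Packets Denied Redirect"]))
        if c.get("Total Packets Unassigned", 0):
            notes.append(("unassigned", c["Total Packets Unassigned"]))
        for key in REDIRECT_KEYS:
            if key in c:
                software = c.get(key + "/Process", 0) + c.get(key + "/CEF", 0)
                if software:
                    notes.append(("software-redirect", software))
        findings[sid] = notes
    return findings


if __name__ == "__main__":
    for sid, notes in review(parse_show_ip_wccp(SAMPLE)).items():
        print(sid, notes)
```
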
Hello,
I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
I can't get the packets to redirect.
The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
(After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
SDM prefer is enabled.
Here is the config:
SiteA#sh run
Building configuration...
Current configuration : 7699 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname SiteA
boot-start-marker
boot-end-marker
enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
ip routing
ip wccp 90 redirect-list 115 group-list 15
vtp mode transparent
track 1 ip sla 1 reachability
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
ip ssh version 2
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
interface GigabitEthernet1/0/1
no switchport
ip address 192.168.20.2 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/0/2
no switchport
ip address 192.168.20.9 255.255.255.252
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/0/1
description *BlueCoat Proxy*
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
no ip address
interface Vlan10
ip address 10.10.20.3 255.255.255.0
standby 10 ip 10.10.20.1
standby 10 priority 110
standby 10 preempt
ip wccp 90 redirect in
router eigrp 1
network 10.10.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.3
redistribute static
ip local policy route-map IP_SLA_SiteA
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.20.9
threshold 300
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging esm config
access-list 15 permit 10.10.20.220
access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
route-map IP_SLA_SiteA permit 10
match ip address 101
set ip next-hop 192.168.20.10
SiteA#
SiteA#show ip wccp 90
Global WCCP information:
Router information:
Router Identifier: 192.168.20.9
Protocol Version: 2.0
Service Identifier: 90
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 115
Total Packets Denied Redirect: 52389
Total Packets Unassigned: 71
Group access-list: 15
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
SiteA#show ip wccp 90 detail
WCCP Client information:
WCCP Client ID: 10.10.20.220
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Packets Redirected: 0
Connect Time: 00:19:36
Assignment: MASK
SiteA#
SiteA#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
SiteA#
Hi Jon,
There are no more throughput issues.
Everything is working well. Thanks so much!
As for the WCCP,
I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
I'm not sure what you meant when you said:
Then you simply use site1 or site2's devices for web traffic.
Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
Right now it is pointing to 10.20.20.1 on the 3750_3.
Below is what I have so far on the 3750_3.
I tried to force the traffic via PBR to the BlueCoat device, but that didn't seem to work either.
UserSite(config)#do sh run
Building configuration...
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname UserSite
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
system mtu routing 1500
ip routing
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 10
vlan 20
name clients
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
interface GigabitEthernet1/0/47
description *CERTES-MGMT-MAIN*
switchport access vlan 20
switchport mode access
interface GigabitEthernet1/0/48
description *MAN-LINE-TO-DC-MAIN*
no switchport
ip address 192.168.20.1 255.255.255.252
speed 100
duplex full
interface GigabitEthernet1/1/1
interface GigabitEthernet1/1/2
interface GigabitEthernet1/1/3
interface GigabitEthernet1/1/4
interface TenGigabitEthernet1/1/1
interface TenGigabitEthernet1/1/2
interface GigabitEthernet2/0/47
description *CERTES-MGMT-DR*
switchport access vlan 20
switchport mode access
interface GigabitEthernet2/0/48
description *MAN-LINE-TO-DC-DR*
no switchport
ip address 192.168.20.5 255.255.255.252
speed 100
duplex full
interface GigabitEthernet2/1/1
interface GigabitEthernet2/1/2
interface GigabitEthernet2/1/3
interface GigabitEthernet2/1/4
interface TenGigabitEthernet2/1/1
interface TenGigabitEthernet2/1/2
interface Vlan1
ip address 192.168.10.254 255.255.255.0
interface Vlan20
ip address 10.20.20.1 255.255.255.0
ip helper-address 10.10.20.30
router eigrp 1
network 10.20.20.0 0.0.0.255
network 192.168.10.0
network 192.168.20.0 0.0.0.7
offset-list 10 in 100 GigabitEthernet2/0/48
eigrp stub connected summary
ip local policy route-map PBR_Proxy
ip classless
ip http server
ip http secure-server
ip access-list extended Traffic2Proxy
permit tcp 10.20.20.0 0.0.0.255 eq www any
permit tcp 10.20.20.0 0.0.0.255 eq 443 any
ip sla enable reaction-alerts
route-map PBR_Proxy permit 10
match ip address Traffic2Proxy
set ip next-hop 192.168.50.220
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login local
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
end -
How does QoS work with WAAS WCCP? What's the interaction between Router QoS Traffic Classification and WAE Traffic Application Policy?
By default, WAAS preserves the DSCP marking on intercepted packets. There is a configuration option to set/override the DSCP value at the global (device), application, and classifier levels. Currently WAAS provides marking only. There is no action taken by WAAS based on the DSCP value.
Regards,
Zach -
WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection
I've come across a number of implementations where the ACL's associated with services 61 & 62 are using extended access-list. I am writing with specific reference to wccp configured in promiscuous mode.
Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP - then is there really a need for extended acls for redirection?. Furthermore, in a simple implementation you do not need separate acls linked to 61 & 62 - i don't think so.
Standard acls parse the filtration process more quickly than extended.
thanks
Ajaz
The extended access-lists are used because some TCP traffic does not need to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that standard access-lists can be used.
-
WAAS - WCCP redirect in Cat 3560
Are WAAS redirect ACLs supported on Catalyst 3560?
Thanks
You can only configure allow ACLs, no denys (except the deny all at the end).
Dan -
WAAS / WCCP service groups / L2 adjacencies
Hi all,
I'm having trouble finding a definitive answer on this one. I'm working on a WAAS deployment in a network with asymmetric routing. I want to deploy WAAS accelerators at two geographically dispersed data centre sites (head end). Do the WAAS boxes themselves need to be L2 adjacent with each other in this configuration? i.e. can the service group consist of two routers (one at each DC) and two WAEs (one at each site), with routed links between the DCs (WAEs in separate IP subnets)?
Something like:
- two routers (rtr-A, rtr-B)
- two WAAS accelerators (waas-A, waas-B)
- rtr-A and waas-A are L2 adjacent and use WCCP w/L2 redirection
- rtr-B and waas-B are L2 adjacent and use WCCP w/L2 redirection
- rtr-A and waas-B are not L2 adjacent and use WCCP w/GRE redirection
- rtr-B and waas-A are not L2 adjacent and use WCCP w/GRE redirection
Here's a quick diagram:
http://i4.tinypic.com/62nhf5u.jpg
(all links are L3/routed)
cheers!
Dale,
There is no requirement for the WAE's to be L2 adjacent to each other. Note that the WCCP Forwarding Method is negotiated per Service Group -- so it can either be L2 or GRE. Based on your description, you would want to use GRE Forwarding.
Regards,
Zach -
WAAS: WCCP Mask or Hash on Routers?
I'm starting thinking about using mask assign on an ISR router running 12:4(24)T with GRE/GRE. Has anyone done this before and can you use mask assign with GRE/GRE? We need to use it with GRE/GRE because our egress method has to be WCCP return. My thought was mask assign will be much better at load balancing across multiple WAEs in a cluster than hash because you can specify a long mask assignment. Right now, see more load on WAE than the other and are sometimes getting TFO overload.
The page you linked contains recommendations (in bold) for each platform. On the ISR G2 specifically, you should be able to use any combination of GRE/L2 and MASK/HASH assignment. Some other platforms require specific distribution and redirection methods to maintain the hardware acceleration of WCCP traffic. However, the ISR G2 does not have this requirement.
WCCP GRE and HASH distribution on ISR G2 is typically recommended to make deployment easier. With GRE, content devices can be an L3 hop away (if needed), and it reduces the chance of customers accidentally creating a WCCP redirect loop.
L2 distribution and HASH redirection method should typically require the least CPU and memory load on the ISR. These should perform the best in most cases.
The MASK distribution method gives better controls on how load is divided between multiple content devices, typically at the cost of more CPU and memory utilization. If you have only one or two content devices in your cluster, typically HASH will meet the need for slightly less CPU. As Zach said, most times MASK is used on the Datacenter side to give the ability to 'tweak' how the load is distributed across multiple devices.
Thanks,
Aaron -
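An added illustration of the MASK assignment point in the reply above (not code from the thread or from Cisco): the masked bits of the client address select a bucket, so a mask over bits that never vary sends every client to one WAE. The WAE names, client addresses, masks and the round-robin dealing of buckets to WAEs are assumptions made for the example.

```python
import ipaddress
from collections import Counter

def mask_buckets(mask: int) -> list[int]:
    """Every value the masked field can take: 2**(set bits) buckets, ascending."""
    bits = [b for b in range(32) if mask >> b & 1]
    if len(bits) > 7:
        # WCCPv2 mask assignment is limited to 7 mask bits (128 buckets).
        raise ValueError("mask assignment allows at most 7 mask bits")
    values = []
    for n in range(1 << len(bits)):
        v = 0
        for i, b in enumerate(bits):
            if n >> i & 1:
                v |= 1 << b
        values.append(v)
    return values

def assign(mask: int, waes: list[str]) -> dict[int, str]:
    """Assumption: buckets are dealt to the WAEs round-robin in value order."""
    return {v: waes[i % len(waes)] for i, v in enumerate(mask_buckets(mask))}

def distribution(mask: int, waes: list[str], clients: list[str]) -> dict[str, int]:
    """Count how many client addresses each WAE would receive under this mask."""
    table = assign(mask, waes)
    load = Counter({w: 0 for w in waes})
    for ip in clients:
        load[table[int(ipaddress.IPv4Address(ip)) & mask]] += 1
    return dict(load)

# Constructed sample: 64 branch subnets 10.1.0.0/24 .. 10.1.63.0/24, 4 hosts each.
CLIENTS = [f"10.1.{site}.{host}" for site in range(64) for host in range(10, 14)]
WAES = ["wae-1", "wae-2"]            # hypothetical cluster members

STATIC_BITS_MASK = 0x00F00000        # bits that are identical for every client
SITE_BITS_MASK = 0x00003F00          # low 6 bits of the third octet (site number)

if __name__ == "__main__":
    for name, mask in [("static bits", STATIC_BITS_MASK), ("site bits", SITE_BITS_MASK)]:
        print(f"{name:12} {mask:#010x} -> {distribution(mask, WAES, CLIENTS)}")
```

Running the same function over a real client address list shows whether a candidate mask actually spreads that population before it is configured.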
Anyone know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows: L2 forward/return to a 3750E stack switch, interfaces are set up as standby and the model is a 7371. I'm not using any WCCP redirect list.
Transparent GRE packets received: 0
Transparent non-GRE packets received: 1940435323
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted: 461319375
Invalid packets received: 731
Packets received with invalid service: 0
Packets received on a disabled service: 0
Packets received too small: 0
Packets dropped due to zero TTL: 0
Packets dropped due to bad buckets: 617
Packets dropped due to no redirect address: 0
Packets dropped due to loopback redirect: 227
Pass-through pkts dropped on assignment update:61
Connections bypassed due to load: 0
Packets sent back to router: 1829
GRE packets sent to router (not bypass): 0
Packets sent to another WAE: 63037
GRE fragments redirected: 1116193
GRE encapsulated fragments received: 0
Packets failed encapsulated reassembly: 0
Packets failed GRE encapsulation: 0
Packets dropped due to invalid fwd method: 0
Packets dropped due to insufficient memory: 0
Packets bypassed, no conn at all: 0
Packets bypassed, no pending connection: 0
Packets due to clean wccp shutdown: 0
Packets bypassed due to bypass-list lookup: 166
Packets received with client IP addresses: 460833489
Spoofed packets dropped: 57416
Conditionally Accepted connections: 0
Conditionally Bypassed connections: 0
L2 Bypass packets destined for loopback: 0
Packets w/WCCP GRE received too small: 0
Packets dropped due to received on loopback: 219
Packets dropped due to IP access-list deny: 0
Packets fragmented for bypass: 0
Packets fragmented for egress: 0
Packet pullups needed: 5484
Packets dropped due to no route found: 0 -
WCCP GRE Redirection multiple hops
When using GRE redirection and negotiated return, is it possible to place the WAEs on a segment that is not directly attached to the routers? I have seen some documentation state, "It allows the WCCP clients to be separate from the router via multiple hops. With WAAS, the WAEs need to be connected directly to a tertiary or sub-interface of the router." This has left me a little confused, but seems like it is possible with new code. If it is possible, is there any possibility of looping occurring? I assume there isn't since the packets are tunneled to and from the routers which would bypass the inspection. This would also allow me to take advantage of WAAS over a high-speed/low latency link to a datacenter that does not physically have WAEs deployed.
Any input is much appreciated,
Patrick
Patrick,
You are correct, the WAE with negotiated return can be multiple L3 hops away from the router (back in your DC). However for performance, of course it's recommended to be as close as possible. With the return traffic using GRE, the traffic is not being re-intercepted.
Thanks,
Dan