WAAS - WCCP L2-redirection in WS-C6509-E

Similar Messages

• WAAS - WCCP redirect inbound

  Hello Everyone,
  I notice on our 1841 router running version 12.4(22)T, the wccp redirect inbound method does not process through CEF. It will only process it through an outbound redirection. The 61 redirect inbound is applied to the subinterface on fas 0/0.
  Any ideas ?
  interface FastEthernet0/0.999
  description ****Dublin User Vlan****
  encapsulation dot1Q 999 native
  ip address x.x.x.x 255.255.255.192
  ip helper-address 134.65.181.11
  no ip redirects
  no ip proxy-arp
  ip wccp 61 redirect in
  ip wccp 62 redirect out
  ip flow ingress
  no ip mroute-cache
  service-policy input DBN_LAN

  You must configure these devices to use WCCP Version 2 instead of WCCP Version 1 because WCCP Version 1 supports web traffic (port 80) only. When you enable the TCP promiscuous mode service (WCCP Version 2 services 61 and 62) on a WAE and a router, you do not need to enable the CIFS caching service (WCCP Version 2 service 89) on the router or WAE.
  http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v401/quick/guide/wsqcg401.html#wp1357416

• WAAS WCCP 6500 ACL Redirection

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hi All
        I'm sure I'm missing something simple here on a new install and I hope some one can point it out easily.  I implemented the following config which worked except it understandably broke connections as everything got redirected.  I'm running the WCCP config on a 6500 running 12.2(18) SXF
  This config showed total redirected packets climbing sharply in a 'show ip wccp' on the 6500 but this config broke other things.
  WAE:
  interface GigabitEthernet 1/0
  ip address 10.254.0.251 255.255.255.248
  ip default-gateway 10.254.0.249
  wccp router-list 1 10.254.0.249
  wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
  6500:
  ip wccp 61
  ip wccp 62
  interface Vlan<vlans to be accelerated>
  description Local VLAN to be accelerated
  ip wccp 61 redirect in
  interface Vlan <WAAS vlan>
  description WAAS Devices(CM and WAE)
  ip address 10.254.0.249 255.255.255.248
  interface Vlan <Vlan for WAN transit>
  description Incoming WAN VLAN
  ip wccp 62 redirect in
  To try and limit redirection to just LAN space I swapped this:
  ip wccp 61
  ip wccp 62
  for this:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Ip access-list ext WAAS_Inbound
    Permit ip 10.22.0.0 0.0.255.255 10.0.0.0 0.0.255.255
  Ip access-l ext WAAS_Outbound
  Permit ip 10.0.0.0 0.0.255.255 10.22.0.0 0.0.255.255
  Ip wccp 62 redirect-list WAAS_Inbound
  Ip wccp 61 redirect-list WAAS_Outbound
  Once I did this, 'show ip wccp'  on the 6500 stopped showing redirected packets but did start showing packets being denied redirect.  Optimization stopped(according to the GUI) and I saw no hits on the access-lists(should I?).
  Thanks for your help in advance.

  A fews questions/comments:
  What type of Supervisor are you using?
  What is the exact version of software you are using?
  The fact that the 'packets redirected' counter is incrementing is a bad thing on the 6500.  It means that the redirection is happening in software.
  Can you also provide the output from the following commands:
  sh ip wccp
  sh ip wccp 61 det
  sh ip wccp 62 det
  Thanks,
  Zach

• WAAS WCCP help

  Hi guys,
  Please have a look at my topology attached.Right now this is what I have configured on the core:
  ip wccp 61
  ip wccp 62
  int vlan 151
  ip wccp 61 redirect in
  int vlan 173
  ip wccp 62 redirect in
  The same is configured on the branch office with the appropriate vlans.
  Whatever I do, the "total packets redirected" count never seems to increase. I tried turning on ip wccp 62 redirect out on vlan 173, and ip wccp 61 redirect in on the same vlan, but then only the count for service 61 goes up.
  Also, should I use access-lists to permit redirection only to branch offices that have a WAE? If I don't use a redirect-list, shouldn't all packets be redirected to the WAE, and then the WAE would decide whether to optimize or not based on if there's another WAE at the endpoint location?
  Here's an output of "sh ip wccp 61 detail"
  WCCP Cache-Engine information:
  Web Cache ID: x.x.x.x
  Protocol Version: 2.0
  State: Usable
  Redirection: L2
  Packet Return: GRE
  Packets Redirected: 0
  Connect Time: 00:51:22
  Assignment: MASK
  Any help is greatly appreciated.

  Since you are performing L2 rewrite under WCCP, you will not see the packets redirected increase. The redirection is handled by hardware instead of software. If redirection was done on a router, you would see packet increases.
  I have had WAAS in place for about a year now and you can see below that I have only redirected 2 packets. I am redirecting on a 6509 as well.
  mp1swcr01#show ip wccp 61
  Global WCCP information:
  Router information:
  Router Identifier:
  Protocol Version: 2.0
  Service Identifier: 61
  Number of Cache Engines: 2
  Number of routers: 2
  Total Packets Redirected: 2
  Redirect access-list: WAAS_61
  Total Packets Denied Redirect: 9179
  Total Packets Unassigned: 186
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0

• Urgent ! Router-WAAS WCCP problem

  I have dot1q enabled 7507 connecting frame relay branch to data centre.
  Core WAAS sits on a VLAN subinterface.
  As soon as I enable "ip wcccp redirect 61 in" on VLAN trunked interface, I am loosing connection to the branch.
  the config is here..
  interface GigabitEthernet4/0/0
  description Core Data Centre Trunk VLAN 3,120 to SWDC03 3/16
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  load-interval 30
  negotiation auto
  no cdp enable
  interface GigabitEthernet4/0/0.3
  description Core Data Centre VLAN
  encap dot1q 3
  ip address xxxx
  ip wccp 61 redirect in
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nbar protocol-discovery
  ip route-cache flow
  no cdp enable
  standby 3 ip 10.64.205.17
  standby 3 priority 150
  standby 3 preempt
  interface GigabitEthernet4/0/0.120
  description Core WAAS VLAN120
  encap dot1q 120
  ip address yyyyyyy
  ip wccp redirect exclude in
  no ip redirects
  no ip unreachables
  interface Serial0/0/3.64 point-to-point
  ip wccp 62 redirect in
  The IOS version is rsp-jsv-mz.123-17b and WAAS version 4.0.13.I have tested this before without VLAN trunking on another router using a seperate interface and it was working.Any idea ?
  thanks

  thanks guys. I will explain the problem a bit more.When WAAS sits on a seperate i/f on WAN router, it works fine. i.e "wccp redirect 61 in " on interface connecting WAN router to Data Centre and "wccp redirect 62 in" on WAN frame relay. Then I configured the i/f connecting WAN router to Data Centre as dot1q trunk and a dedicated VLAN is created for WAAS. The default gateway for WAAS is HSRP address in 6509s. The WCCP router address configured in WAAS is the loopback0 address of the WAN router. The "wccp redirect 62 in" on WAN frame relay stays same. However, " wccp redirect 61 in " carried to a new subinterface on the same access as WAAS VLAN.
  All WCCP commands show that there is a connection between WAAS and WAN router, packet count goes up. However, all TCP sessions to the brach (initiated from the Data Centre) fail. I have also tested with and without "wccp redirect exclude in" on WAAS VLAN subinterface without success. Since I had to install the branch the WAAS on the weekend, I moved WAAS back to dedicated interface on WAN router. It works fine but I can not implement redundancy.
  The suggestion was to make WAN router subinterface HSRP active rather than 6509 MSFCs.So WAAS talks to WAN routers loopback address and default gateway also points to the same router rather than MSFC. I have not had a chance to test this but I will test in the coming weeks. I was also suggested to use layer2 redirection on 6509 but did not have any chance to look at it closely.
  thanks
  Serhat

• Router IOS requirements to work with WAAS WCCP?

  Can some help me with up to date switch and router IOS requirements to work with WAAS WCCP configuration? There used to be a Cisco document explaining that but I can't find it any more.
  Here is out WAAS 4.2.3 deployment in the network:
  Data center: Cat6500 Sup720-3B running IOS 12.2(18)SXF12a will do WCCP L2 redirection. I've seen minimum Sup720 IOS requirement of 12.2(18)SXF13 in one place and 12.2(18)SXF16 in another, but there are also examples of using 12.2 (18) SXF5. Which one is the latest Cisco recommendation?
  Remote sites: 3825 and 3845 routers (some are running 12.4 T train and some are in 12.4 main line) will do WCCP GRE redirection to WAE's. One of the routers will use a WAE-NME-522 module. Others are WAE applicances. Again, what are the latest Cisco recommendations?
  Another question: for an IOS release, does it matter which package to use, such as advanced IP services, enterprise services, or SP services?
  Thanks a lot.

  Here you go.
  http://www.cisco.com/en/US/partner/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
  For IOS release, you will need a package that has WCCP support.
  Hope this helps.
  Regards.
  PS: Please mark this as Answered, if this answers your question.

• WAAS - wccp L2 setup

  Hi all,
  Please see the attached diag for our waas setup. The traffic is not optimized and shows as pass-through in one end and no stats are shown in other end.
  4500 switch config:
  ip wccp 61 redirect-list wccp_list password xxxx
  ip wccp 62 redirect-list wccp_list password xxxx
  Interface Gi1/1
  ip address 10.1.46.1 255.255.255.252
  ip wccp 62 redirect in
  interface vlan 170
  ip address 10.46.170.10 255.255.255.0
  ip wccp 61 redirect in
  ip access-list extended wccp_list
  permit ip 10.46.170.0 0.0.0.255 any
  show commands:
  sh ip wccp
  Global WCCP information:
      Router information:
          Router Identifier:                   10.46.1.1
          Protocol Version:                    2.0
      Service Identifier: 61
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets Redirected:            150487
            Process:                           0
            CEF:                               0
            Platform:                          150487
          Service mode:                        Open
          Service Access-list:                 -none-
          Total Packets Dropped Closed:        0
          Redirect access-list:                wccp_list
          Total Packets Denied Redirect:       0
          Total Packets Unassigned:            0
          Group access-list:                   -none-
          Total Messages Denied to Group:      0
          Total Authentication failures:       2
          Total GRE Bypassed Packets Received: 0
            Process:                           0
            CEF:                               0
            Platform:                          0
      Service Identifier: 62
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets Redirected:            232994
            Process:                           0
            CEF:                               0
            Platform:                          232994
          Service mode:                        Open
          Service Access-list:                 -none-
          Total Packets Dropped Closed:        0
          Redirect access-list:                wccp_list
          Total Packets Denied Redirect:       3685761
          Total Packets Unassigned:            0
          Group access-list:                   -none-
          Total Messages Denied to Group:      0
          Total Authentication failures:       0
          Total GRE Bypassed Packets Received: 0
            Process:                           0
            CEF:                               0
            Platform:                          0
  3750x switch config:
  ip wccp 61 redirect-list wccp_list password xxxx
  ip wccp 62 redirect-list wccp_list password xxxx
  Interface Gi1/0/1
  ip address 10.1.46.2 255.255.255.252
  ip wccp 62 redirect in
  interface vlan 170
  ip address 10.45.170.10 255.255.255.0
  ip wccp 61 redirect in
  ip access-list extended wccp_list
  permit ip 10.45.170.0 0.0.0.255 any
  show commands:
  sh ip wccp
  Global WCCP information:
      Router information:
          Router Identifier:                   10.45.1.1
          Protocol Version:                    2.0
      Service Identifier: 61
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets s/w Redirected:        62
            Process:                           15
            CEF:                               47
          Redirect access-list:                wccp_list
          Total Packets Denied Redirect:       0
          Total Packets Unassigned:            0
          Group access-list:                   -none-
          Total Messages Denied to Group:      0
          Total Authentication failures:       0
          Total Bypassed Packets Received:     0
      Service Identifier: 62
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets s/w Redirected:        0
            Process:                           0
            CEF:                               0
          Redirect access-list:                wccp_list
          Total Packets Denied Redirect:       795
          Total Packets Unassigned:            0
          Group access-list:                   -none-
          Total Messages Denied to Group:      0
          Total Authentication failures:       0
          Total Bypassed Packets Received:     0
  Traffic is shown as pass-through in 10.46.40.20 and there is no tcp connections shown in 10.45.40.20! Any inputs?
  Regards

  G'day Giovanni,
  The waas plugged in the 4500 shows PT no peer and the 3750X doesnt show anything at all.
  I checked the 3750x it shows it is using desktop routing as the template.
  Below is the output from 3750 about wccp 61 detail:
  #sh ip wccp 61 detail
  WCCP Client information:
          WCCP Client ID:          10.45.40.20
          Protocol Version:        2.0
          State:                   Usable
          Redirection:             L2
          Packet Return:           L2
          Packets Redirected:    62
          Connect Time:          3w1d
          Assignment:            MASK
  I can see the matches in the redirect list but nothing shows in the WAAS being optimized.
  Extended IP access list wccp_list
      10 permit tcp 10.45.170.0 0.0.0.255 any (76 matches)
      20 permit tcp any 10.45.170.0 0.0.0.255
  There is no firewall or bypass lists involved in this setup.
  regards

• WCCP not redirecting packets

  Hello,
  I am trying to redirect packets to a bluecoat proxy sg using WCCP on a 3750x stack with IP services.
  I cant get the packets to redirect.
  The bluecoat device is on the same vlan as the client traffic that I am trying to redirect.
  It seems that when I apply the redirect on the vlan interface, the Bluecoat can see the traffic though.
  (After it is applied, I can no longer access the websites, but the bluecoat device shows some activity)
  SDM prefer is enabled.
  Here is the config:
  SiteA#sh run
  Building configuration...
  Current configuration : 7699 bytes
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname SiteA
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$V1w8$6bmKd6oXWk//FH7/BaoFG.
  username systemsgo privilege 15 secret 5 $1$vu8O$1uMdtS1Gzk12.YT3RObZO1
  no aaa new-model
  switch 1 provision ws-c3750x-24
  switch 2 provision ws-c3750x-24
  system mtu routing 1500
  ip routing
  ip wccp 90 redirect-list 115 group-list 15
  vtp mode transparent
  track 1 ip sla 1 reachability
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  vlan 10
  ip ssh version 2
  interface Port-channel1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface FastEthernet0
  no ip address
  no ip route-cache cef
  no ip route-cache
  interface GigabitEthernet1/0/1
  no switchport
  ip address 192.168.20.2 255.255.255.252
  speed 100
  duplex full
  interface GigabitEthernet1/0/2
  no switchport
  ip address 192.168.20.9 255.255.255.252
  interface GigabitEthernet1/0/3
  switchport access vlan 10
  switchport mode access
  interface GigabitEthernet1/1/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode active
  interface GigabitEthernet2/0/1
  description *BlueCoat Proxy*
  switchport access vlan 10
  switchport mode access
  interface GigabitEthernet2/0/2
  switchport access vlan 10
  switchport mode access
  interface GigabitEthernet2/1/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode active
  interface GigabitEthernet2/1/2
  interface GigabitEthernet2/1/3
  interface GigabitEthernet2/1/4
  interface TenGigabitEthernet2/1/1
  interface TenGigabitEthernet2/1/2
  interface Vlan1
  no ip address
  interface Vlan10
  ip address 10.10.20.3 255.255.255.0
  standby 10 ip 10.10.20.1
  standby 10 priority 110
  standby 10 preempt
  ip wccp 90 redirect in
  router eigrp 1
  network 10.10.20.0 0.0.0.255
  network 192.168.10.0
  network 192.168.20.0 0.0.0.3
  redistribute static
  ip local policy route-map IP_SLA_SiteA
  ip http server
  ip http secure-server
  ip route 0.0.0.0 0.0.0.0 192.168.20.10 track 1
  ip sla 1
  icmp-echo 4.2.2.2 source-ip 192.168.20.9
  threshold 300
  frequency 15
  ip sla schedule 1 life forever start-time now
  ip sla enable reaction-alerts
  logging esm config
  access-list 15 permit 10.10.20.220
  access-list 101 permit icmp host 192.168.20.9 host 4.2.2.2
  access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq www
  access-list 115 permit tcp 10.20.20.0 0.0.0.255 any eq 443
  access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq 443
  access-list 115 permit tcp 10.10.20.0 0.0.0.255 any eq www
  access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq www
  access-list 115 permit tcp 192.168.20.0 0.0.0.255 any eq 443
  route-map IP_SLA_SiteA permit 10
  match ip address 101
  set ip next-hop 192.168.20.10
  SiteA#
  SiteA#show ip wccp 90
  Global WCCP information:
      Router information:
          Router Identifier:                   192.168.20.9
          Protocol Version:                    2.0
      Service Identifier: 90
          Number of Service Group Clients:     1
          Number of Service Group Routers:     1
          Total Packets s/w Redirected:        0
            Process:                           0
            CEF:                               0
          Redirect access-list:                115
          Total Packets Denied Redirect:       52389
          Total Packets Unassigned:            71
          Group access-list:                   15
          Total Messages Denied to Group:      0
          Total Authentication failures:       0
          Total GRE Bypassed Packets Received: 0
  SiteA#show ip wccp 90 detail
  WCCP Client information:
          WCCP Client ID:          10.10.20.220
          Protocol Version:        2.0
          State:                   Usable
          Redirection:             L2
          Packet Return:           GRE
          Packets Redirected:    0
          Connect Time:          00:19:36
          Assignment:            MASK
          Mask  SrcAddr    DstAddr    SrcPort DstPort
          0000: 0x00000000 0x0000003F 0x0000  0x0000
          Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
          0000: 0x00000000 0x00000000 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0001: 0x00000000 0x00000001 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0002: 0x00000000 0x00000002 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0003: 0x00000000 0x00000003 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0004: 0x00000000 0x00000004 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0005: 0x00000000 0x00000005 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0006: 0x00000000 0x00000006 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0007: 0x00000000 0x00000007 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0008: 0x00000000 0x00000008 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0009: 0x00000000 0x00000009 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0010: 0x00000000 0x0000000A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0011: 0x00000000 0x0000000B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0012: 0x00000000 0x0000000C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0013: 0x00000000 0x0000000D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0014: 0x00000000 0x0000000E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0015: 0x00000000 0x0000000F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0016: 0x00000000 0x00000010 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0017: 0x00000000 0x00000011 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0018: 0x00000000 0x00000012 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0019: 0x00000000 0x00000013 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0020: 0x00000000 0x00000014 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0021: 0x00000000 0x00000015 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0022: 0x00000000 0x00000016 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0023: 0x00000000 0x00000017 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0024: 0x00000000 0x00000018 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0025: 0x00000000 0x00000019 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0026: 0x00000000 0x0000001A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0027: 0x00000000 0x0000001B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0028: 0x00000000 0x0000001C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0029: 0x00000000 0x0000001D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0030: 0x00000000 0x0000001E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0031: 0x00000000 0x0000001F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0032: 0x00000000 0x00000020 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0033: 0x00000000 0x00000021 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0034: 0x00000000 0x00000022 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0035: 0x00000000 0x00000023 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0036: 0x00000000 0x00000024 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0037: 0x00000000 0x00000025 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0038: 0x00000000 0x00000026 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0039: 0x00000000 0x00000027 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0040: 0x00000000 0x00000028 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0041: 0x00000000 0x00000029 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0042: 0x00000000 0x0000002A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0043: 0x00000000 0x0000002B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0044: 0x00000000 0x0000002C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0045: 0x00000000 0x0000002D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0046: 0x00000000 0x0000002E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0047: 0x00000000 0x0000002F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0048: 0x00000000 0x00000030 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0049: 0x00000000 0x00000031 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0050: 0x00000000 0x00000032 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0051: 0x00000000 0x00000033 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0052: 0x00000000 0x00000034 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0053: 0x00000000 0x00000035 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0054: 0x00000000 0x00000036 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0055: 0x00000000 0x00000037 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0056: 0x00000000 0x00000038 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0057: 0x00000000 0x00000039 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0058: 0x00000000 0x0000003A 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0059: 0x00000000 0x0000003B 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0060: 0x00000000 0x0000003C 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0061: 0x00000000 0x0000003D 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0062: 0x00000000 0x0000003E 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
          0063: 0x00000000 0x0000003F 0x0000  0x0000  0x0A0A14DC (10.10.20.220)
  SiteA#
  SiteA#sh sdm prefer
  The current template is "desktop routing" template.
  The selected template optimizes the resources in
  the switch to support this level of features for
  8 routed interfaces and 1024 VLANs.
    number of unicast mac addresses:                  3K
    number of IPv4 IGMP groups + multicast routes:    1K
    number of IPv4 unicast routes:                    11K
      number of directly-connected IPv4 hosts:        3K
      number of indirect IPv4 routes:                 8K
    number of IPv4 policy based routing aces:         0.5K
    number of IPv4/MAC qos aces:                      0.5K
    number of IPv4/MAC security aces:                 1K
  SiteA#

  Hi Jon,
  There are no more throughput issues.
  Everything is working well. Thanks so much!
  As for the WCCP,
  I put the redirect acl on the L3 ports that connect back to 3750_3, but it is still not catching the traffic from the user vlan 20 on 3750_3. (We did however get it working for the server vlan in Site1 and Site2)
  I'm not sure what you meant when you said:
  Then you simply use site1 or site2's devices for web traffic.
  Do I need to change the gateway for the users vlan in Site 3750_3 to something else?
  Right now it is pointing to 10.20.20.1 on the 3750_3.
  Below is what I have so far on the 3750_3.
  I tried to force the traffic via PBR to the BlueCoat device, but that didnt seem to work either.
  UserSite(config)#do sh run
  Building configuration...
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname UserSite
  boot-start-marker
  boot-end-marker
  no aaa new-model
  switch 1 provision ws-c3750x-48p
  switch 2 provision ws-c3750x-48p
  system mtu routing 1500
  ip routing
  vtp mode transparent
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  vlan 10
  vlan 20
  name clients
  interface FastEthernet0
  no ip address
  no ip route-cache cef
  no ip route-cache
  no ip mroute-cache
  interface GigabitEthernet1/0/47
  description *CERTES-MGMT-MAIN*
  switchport access vlan 20
  switchport mode access
  interface GigabitEthernet1/0/48
  description *MAN-LINE-TO-DC-MAIN*
  no switchport
  ip address 192.168.20.1 255.255.255.252
  speed 100
  duplex full
  interface GigabitEthernet1/1/1
  interface GigabitEthernet1/1/2
  interface GigabitEthernet1/1/3
  interface GigabitEthernet1/1/4
  interface TenGigabitEthernet1/1/1
  interface TenGigabitEthernet1/1/2
  interface GigabitEthernet2/0/47
  description *CERTES-MGMT-DR*
  switchport access vlan 20
  switchport mode access
  interface GigabitEthernet2/0/48
  description *MAN-LINE-TO-DC-DR*
  no switchport
  ip address 192.168.20.5 255.255.255.252
  speed 100
  duplex full
  interface GigabitEthernet2/1/1
  interface GigabitEthernet2/1/2
  interface GigabitEthernet2/1/3
  interface GigabitEthernet2/1/4
  interface TenGigabitEthernet2/1/1
  interface TenGigabitEthernet2/1/2
  interface Vlan1
  ip address 192.168.10.254 255.255.255.0
  interface Vlan20
  ip address 10.20.20.1 255.255.255.0
  ip helper-address 10.10.20.30
  router eigrp 1
  network 10.20.20.0 0.0.0.255
  network 192.168.10.0
  network 192.168.20.0 0.0.0.7
  offset-list 10 in 100 GigabitEthernet2/0/48
  eigrp stub connected summary
  ip local policy route-map PBR_Proxy
  ip classless
  ip http server
  ip http secure-server
  ip access-list extended Traffic2Proxy
  permit tcp 10.20.20.0 0.0.0.255 eq www any
  permit tcp 10.20.20.0 0.0.0.255 eq 443 any
  ip sla enable reaction-alerts
  route-map PBR_Proxy permit 10
  match ip address Traffic2Proxy
  set ip next-hop 192.168.50.220
  line con 0
  exec-timeout 0 0
  privilege level 15
  logging synchronous
  login local
  line vty 0 4
  exec-timeout 30 0
  privilege level 15
  logging synchronous
  login local
  length 0
  transport input telnet ssh
  line vty 5 15
  exec-timeout 30 0
  privilege level 15
  logging synchronous
  login local
  transport input telnet ssh
  end

• How does QoS work with WAAS WCCP? What's the interaction between QoS Traffic Classification and WAE Traffic Application Policy?

  How does QoS work with WAAS WCCP? What's the interaction between Router QoS Traffic Classification and WAE Traffic Application Policy?

  By default, WAAS preserves the DSCP marking on intercepted packets.  There is a configuration option to set/override the DSCP value at the global (device), application, and classifier levels.  Currently WAAS provides marking only.  There is no action taken by WAAS based on the DSCP value.
  Regards,
  Zach

• WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection

  I've come across a number of implementations where the ACL's associated with services 61 & 62 are using extended access-list. I am writing with specific reference to wccp configured in promiscuous mode.
  Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP - then is there really a need for extended acls for redirection?. Furthermore, in a simple implementation you do not need separate acls linked to 61 & 62 - i don't think so.
  Standard acls parse the filteration process more quickly than extended.
  thanks
  Ajaz

  The extended access-lists are used because some TCP traffic does not to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that standard access-lists can be used.

• WAAS - WCCP redirect in Cat 3560

  Are WAAS redirect ACLs supported on Catalyst 3560?
  Thanks

  You can only configure allow ACLs, no denys (except the deny all at the end).
  Dan

• WAAS / WCCP service groups / L2 adjacencies

  Hi all,
  I'm having trouble finding a definitive answer on this one. I'm working on a WAAS deployment in a network with asymmetric routing. I want to deploy WAAS accelerators at two geographically dispersed data centre sites (head end). Do the WAAS boxes themselves need to be L2 adjacent with each other in this configuration? i.e. can the service group consist of two routers (one at each DC) and two WAEs (one at each site), with routed links between the DCs (WAEs in separate IP subnets)?
  Something like:
  - two routers (rtr-A, rtr-B)
  - two WAAS accelerators (waas-A, waas-B)
  - rtr-A and waas-A are L2 adjacent and use WCCP w/L2 redirection
  - rtr-B and waas-B are L2 adjacent and use WCCP w/L2 redirection
  - rtr-A and waas-B are not L2 adjacent and use WCCP w/GRE redirection
  - rtr-B and waas-A are not L2 adjacent and use WCCP w/GRE redirection
  Here's a quick diagram:
  http://i4.tinypic.com/62nhf5u.jpg
  (all links are L3/routed)
  cheers!

  Dale,
  There is no requirement for the WAE's to be L2 adjacent to each other. Note that the WCCP Forwarding Method is negotiated per Service Group -- so it can either be L2 or GRE. Based on your description, you would want to use GRE Forwarding.
  Regards,
  Zach

• WAAS: WCCP Mask or Hash on Routers?

  I'm starting thinking about using mask assign on an ISR router running 12:4(24)T with GRE/GRE. Has anyone done this before and can you use mask assign with GRE/GRE? We need to use it with GRE/GRE because our egress method has to be WCCP return. My thought was mask assign will be much better at load balancing across multiple WAEs in a cluster than hash because you can specify a long mask assignment. Right now, see more load on WAE than the other and are sometimes getting TFO overload.

  The page you linked contains recommendations (in bold) for each platform. On the ISR G2 specifically, you should be able to use any combination of GRE/L2 and MASK/HASH assignment. Some other platforms require specific disribution and redirection methods to maintain the hardware acceleration of WCCP traffic. However, the ISR G2 does not have this requirement.
  WCCP GRE and HASH distribution on ISR G2 is typically recommended to make deployment easier. With GRE, content devices can be an L3 hop away (if needed), and it reduces the chance of customers accidentally creating a WCCP redirect loop.
  L2 distribution and HASH redirection method should typically require the least CPU and memory load on the ISR. These should perform the best in most cases.
  The MASK distribution method gives better controls on how load is divided between multiple content devices, typically at the cost of more CPU and memory utilization. If you have only one or two content devices in your cluster, typically HASH will meet the need for slightly less CPU. As Zach said, most times MASK is used on the Datacenter side to give the ability to 'tweak' how the load is distributed across multiple devices.
  Thanks,
  Aaron

• WAAS WCCP Errors

  Any one know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows; l2 forward/return to a 3750E stack switch, interfaces are setup as standby and the model is a 7371. I'm not using any WCCP redirect list.
  Transparent GRE packets received: 0
  Transparent non-GRE packets received: 1940435323
  Transparent non-GRE non-WCCP packets received: 0
  Total packets accepted: 461319375
  Invalid packets received: 731
  Packets received with invalid service: 0
  Packets received on a disabled service: 0
  Packets received too small: 0
  Packets dropped due to zero TTL: 0
  Packets dropped due to bad buckets: 617
  Packets dropped due to no redirect address: 0
  Packets dropped due to loopback redirect: 227
  Pass-through pkts dropped on assignment update:61
  Connections bypassed due to load: 0
  Packets sent back to router: 1829
  GRE packets sent to router (not bypass): 0
  Packets sent to another WAE: 63037
  GRE fragments redirected: 1116193
  GRE encapsulated fragments received: 0
  Packets failed encapsulated reassembly: 0
  Packets failed GRE encapsulation: 0
  Packets dropped due to invalid fwd method: 0
  Packets dropped due to insufficient memory: 0
  Packets bypassed, no conn at all: 0
  Packets bypassed, no pending connection: 0
  Packets due to clean wccp shutdown: 0
  Packets bypassed due to bypass-list lookup: 166
  Packets received with client IP addresses: 460833489
  Spoofed packets dropped: 57416
  Conditionally Accepted connections: 0
  Conditionally Bypassed connections: 0
  L2 Bypass packets destined for loopback: 0
  Packets w/WCCP GRE received too small: 0
  Packets dropped due to received on loopback: 219
  Packets dropped due to IP access-list deny: 0
  Packets fragmented for bypass: 0
  Packets fragmented for egress: 0
  Packet pullups needed: 5484
  Packets dropped due to no route found: 0

  Any one know what "Spoofed packets dropped" and the "Packet pullups needed" are? Is the WAAS dropping packets it thinks it's being spoofed? Also, how can I get rid of the pullups? The WCCP setup is as follows; l2 forward/return to a 3750E stack switch, interfaces are setup as standby and the model is a 7371. I'm not using any WCCP redirect list.
  Transparent GRE packets received: 0
  Transparent non-GRE packets received: 1940435323
  Transparent non-GRE non-WCCP packets received: 0
  Total packets accepted: 461319375
  Invalid packets received: 731
  Packets received with invalid service: 0
  Packets received on a disabled service: 0
  Packets received too small: 0
  Packets dropped due to zero TTL: 0
  Packets dropped due to bad buckets: 617
  Packets dropped due to no redirect address: 0
  Packets dropped due to loopback redirect: 227
  Pass-through pkts dropped on assignment update:61
  Connections bypassed due to load: 0
  Packets sent back to router: 1829
  GRE packets sent to router (not bypass): 0
  Packets sent to another WAE: 63037
  GRE fragments redirected: 1116193
  GRE encapsulated fragments received: 0
  Packets failed encapsulated reassembly: 0
  Packets failed GRE encapsulation: 0
  Packets dropped due to invalid fwd method: 0
  Packets dropped due to insufficient memory: 0
  Packets bypassed, no conn at all: 0
  Packets bypassed, no pending connection: 0
  Packets due to clean wccp shutdown: 0
  Packets bypassed due to bypass-list lookup: 166
  Packets received with client IP addresses: 460833489
  Spoofed packets dropped: 57416
  Conditionally Accepted connections: 0
  Conditionally Bypassed connections: 0
  L2 Bypass packets destined for loopback: 0
  Packets w/WCCP GRE received too small: 0
  Packets dropped due to received on loopback: 219
  Packets dropped due to IP access-list deny: 0
  Packets fragmented for bypass: 0
  Packets fragmented for egress: 0
  Packet pullups needed: 5484
  Packets dropped due to no route found: 0

• WCCP GRE Redirection multiple hops

  When using GRE redirection and negotiated return, is it possible to place the WAEs on a segment that is not directly attached to the routers? I have seen some documentation state, "It allows the WCCP clients to be separate from the router via multiple hops. With WAAS, the WAEs need to be connected directly to a tertiary or sub-interface of the router." This has left me a little confused, but seems like it is possible with new code. If it is possible, is there any possibility on looping occuring? I assume there isn't since the packets are tunneled to and from the routers which would bypass the inspection. This would also allow me to take advantage of WAAS over a high-speed/low latency link to a datacenter that does not physically have WAEs deployed.
  Any input is much appreciated,
  Patrick

  Patrick,
  You are correct, the WAE with negotiated return can be multiple L3 hops away from the router (back in your DC). However for performance, of course it's recommended to be as close as possible. With the return traffic using GRE, the traffic is not being re-intercepted.
  Thanks,
  Dan