WCCP: Cat6k & UDP L2-mask-Redirection

Hello,
We are using a non-Cisco WCCPv2 client with L2 forwarding and mask assignment, with 2 service groups, to redirect all TCP and UDP packets.
TCP WCCP redirect-in on the ingress VLAN works perfectly (hardware switched, etc.).
But when we use redirect-in for the UDP group, UDP packets are not redirected at all; the Cat6k redirects TCP even if the TCP service group is not active/created.
Please see the attached file for more information.
Is this a known issue? Do we have a configuration problem?
Is our OS too old? Is there a knob we can turn on (mls?) to make the redirect-out policy do hardware switching?
Please let us know. We'd really appreciate your input.
Thanks in advance.
# show fm wccp all
INGRESS WCCP
Interface Vlan11:
Service type = 1, id = 53
+----+-+---------------+---------------+-----+-----+---+---+-+---+------+----+------+
|Indx|T| Dest Ip Addr  | Source Ip Addr|DPort|SPort|Pro|RFM|X|ToS|MRTNPC|Adj.|  FM  |
+----+-+---------------+---------------+-----+-----+---+---+-+---+------+----+------+
 1    V 0.0.0.0         172.27.110.5    0     0     17  --- 0 0   ----L- ---- SHORT
      M 0.0.0.0         255.255.255.255 0     0     255 000 0 0
      TM_PERMIT_RESULT
 2    V 0.0.0.0         0.0.0.0         0     0     6   --- 0 0   ----L- 0    A-FF   <<<<*****
      M 0.0.0.0         0.0.0.0         0     0     255 000 0 0
      TM_REDIRECT_ADJACENCY, idx: 0
 3    V 0.0.0.0         0.0.0.0         0     0     0   --- 0 0   ----L- ---- SHORT
      M 0.0.0.0         0.0.0.0         0     0     0   000 0 0
      TM_L3_DENY_RESULT
Service type = 0, id = 0
+----+-+---------------+---------------+-----+-----+---+---+-+---+------+----+------+
|Indx|T| Dest Ip Addr  | Source Ip Addr|DPort|SPort|Pro|RFM|X|ToS|MRTNPC|Adj.|  FM  |
+----+-+---------------+---------------+-----+-----+---+---+-+---+------+----+------+
 1    V 0.0.0.0         0.0.0.0         0     0     0   --- 0 0   ----L- ---- SHORT
      M 0.0.0.0         0.0.0.0         0     0     0   000 0 0
      TM_PERMIT_RESULT
 2    V 0.0.0.0         0.0.0.0         0     0     0   --- 0 0   ----L- ---- SHORT
      M 0.0.0.0         0.0.0.0         0     0     0   000 0 0
      TM_L3_DENY_RESULT
Adjacencies:
Index : 0
Feature_id : 1D adj : 452DE0C0 vlan : 110 dmac : 000c.bd00.bb30
smac : 000a.f355.e640 encap : 1 mtu : 1518 TTL : 1
Rdt Indx : 0 recirc : 0 Non-Cachable : 0 Priority : 1
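The `show fm wccp` table above is the feature manager's view of what the PFC programmed into TCAM: each entry is a value row (V) and a mask row (M), and the lowest-index entry whose masked fields match the packet decides the result. The Python below is an added example (not part of the original post, not Cisco code) that transcribes the three entries of service id 53 exactly as printed and evaluates constructed packets against them. Assumed, not stated on the page: the usual TCAM convention that a mask bit of 1 means "must match" and 0 means "don't care" (so protocol mask 255 is an exact protocol, 0 is any protocol). The 10.x and 192.0.2.x addresses are made up; 172.27.110.5 is the one in the output.

```python
"""First-match evaluation of `show fm wccp` value/mask entries (added example)."""
import ipaddress
from dataclasses import dataclass


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class FmEntry:
    """One TCAM entry: the 'V' row (value) and the 'M' row (mask).
    Mask bit 1 = packet bit must equal the value bit; 0 = don't care.
    Ports and protocol use the same convention (assumed TCAM semantics)."""
    index: int
    dst: str
    dst_mask: str
    src: str
    src_mask: str
    dport: int
    dport_mask: int
    sport: int
    sport_mask: int
    proto: int
    proto_mask: int
    result: str

    def matches(self, pkt: dict) -> bool:
        checks = (
            (pkt["dst"], ip2int(self.dst), ip2int(self.dst_mask)),
            (pkt["src"], ip2int(self.src), ip2int(self.src_mask)),
            (pkt["dport"], self.dport, self.dport_mask),
            (pkt["sport"], self.sport, self.sport_mask),
            (pkt["proto"], self.proto, self.proto_mask),
        )
        return all((have & mask) == (want & mask) for have, want, mask in checks)


# Transcribed from the 'Service type = 1, id = 53' block (Vlan11, ingress).
SERVICE_53 = [
    FmEntry(1, "0.0.0.0", "0.0.0.0", "172.27.110.5", "255.255.255.255",
            0, 0, 0, 0, 17, 255, "TM_PERMIT_RESULT"),
    FmEntry(2, "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0",
            0, 0, 0, 0, 6, 255, "TM_REDIRECT_ADJACENCY"),
    FmEntry(3, "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0",
            0, 0, 0, 0, 0, 0, "TM_L3_DENY_RESULT"),
]


def packet(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0) -> dict:
    """Constructed packet header: only the fields the TCAM keys on."""
    return {"src": ip2int(src), "dst": ip2int(dst), "proto": proto,
            "sport": sport, "dport": dport}


def lookup(entries, pkt):
    """TCAM semantics: the lowest-index matching entry wins."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.index, entry.result
    return None, "NO_MATCH"


def redirected_protocols(entries, src, dst, protos=(1, 6, 17)):
    """Which IP protocols of a src->dst flow hit a redirect entry."""
    return {p for p in protos
            if lookup(entries, packet(src, dst, p, 40000, 80))[1].startswith("TM_REDIRECT")}


if __name__ == "__main__":
    samples = [
        ("UDP from 172.27.110.5", packet("172.27.110.5", "10.0.0.1", 17, 53, 1024)),
        ("TCP from a client", packet("10.1.1.10", "192.0.2.80", 6, 40000, 80)),
        ("UDP from a client", packet("10.1.1.10", "192.0.2.80", 17, 40000, 53)),
    ]
    for name, pkt in samples:
        print(f"{name:24s} -> {lookup(SERVICE_53, pkt)}")
    print("protocols redirected for a client flow:",
          redirected_protocols(SERVICE_53, "10.1.1.10", "192.0.2.80"))
```

With these three entries the only path to a redirect adjacency is protocol 6: UDP from 172.27.110.5 stops at entry 1 (permit, no redirect) and every other UDP packet falls through to the catch-all entry 3, which is consistent with what the post describes seeing on the wire. The table as printed simply contains no UDP redirect entry; the example makes that visible without guessing at why the second service group did not get programmed.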

Hi Frank,
Thanks for the reply. But we want to redirect TCP and UDP at the same time using L2 redirection in hardware.

Similar Messages

  • WCCP redirect on 4507 to ironport

    I am trying to set up WCCP on our 4507. For some reason I cannot get this to work! The config I have tried is below. I can't figure out what I'm doing wrong here!
    ip wccp web-cache group-list IRONPORT-GROUPLIST
    ip wccp source-interface GigabitEthernet2/24
    Interface Vlan160
    ip address 10.10.16.1 255.255.254.0
    ip wccp web-cache redirect out
    ip access-list IRONPORT-GROUPLIST
    permit ip any host 10.11.1.10 (10.11.1.10 is the IronPort proxy IP address)
    On the IronPort I set up web-cache under transparent redirection and provided the IP address I used to source from above (GigabitEthernet2/24). Here is the output I get on the 4507:
    10CSW-LAN1#sh ip wccp web-cache
    Global WCCP information:
        Router information:
            Router Identifier:                   10.11.1.9
            Configured source-interface:         GigabitEthernet2/24
            Protocol Version:                    2.0
        Service Identifier: web-cache
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets Redirected:            0
              Process:                           0
              CEF:                               0
              Platform:                          0
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                -none-
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   IRONPORT_GROUPLIST
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0
              Process:                           0
              CEF:                               0
              Platform:                          0
    Here is the debug output:
    2w3d: WCCP-EVNT:Process: Start V2 (138)
    2w3d: WCCP-EVNT:Successfully opened UDP socket
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:router-id set (initialise) 0.0.0.0 => 10.11.1.9
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: allocate wc orig mask info (540 bytes)
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:1
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated transmit interval to: 10000
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated timer scaling factors to: 1 and 1
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group methods
    2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group timers
    2w3d: WCCP-EVNT:S0: no srvc grp mask data to validate
    2w3d: WCCP-EVNT:S0: created adjacency interest, 10.11.1.10
    2w3d: WCCP-EVNT:S0: nexthop update oce for wc 10.11.1.10, 0x0 -> 0x23C10CF0 IP adj out of GigabitEthernet2/24, addr 10.11.1.10 23C10C80
    2w3d: WCCP-EVNT:S0: track nexthop for wc 10.11.1.10 (OK)
    2w3d: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 10.11.1.10
    10CSW-LAN1(config)#
    2w3d: WCCP-PKT:S0: Received HIA from 10.11.1.10, rcv_id:1
    2w3d: WCCP-EVNT:S0: Building new router view
    2w3d: WCCP-EVNT:S0: deallocate rtr_view (24 bytes)
    2w3d: WCCP-EVNT:S0: allocate mask rtr_view (572 bytes)
    2w3d: WCCP-EVNT:S0: copy orig info (540 bytes)
    2w3d: WCCP-EVNT:S0: Assignment wait timer restarted, delay 50000
    2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:2
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: setting up wc mask assignments
    2w3d: WCCP-EVNT:S0: allocate current assign info (540 bytes)
    2w3d: WCCP-EVNT:S0: set wc current assign info (540 bytes)
    2w3d: WCCP-EVNT:S0: RA from 10.11.1.10 (id: 10.11.1.10), assignment key set to 10.11.1.10,3
    2w3d: WCCP-EVNT:S0: Building new router view
    2w3d: WCCP-EVNT:S0: reuse rtr_view (44 of 572 bytes)
    2w3d: WCCP-EVNT:S0: copy blank current info
    2w3d: WCCP-EVNT:S0: Assignment wait timer stopped
    2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
    2w3d: WCCP-PKT:S0: Received RA from 10.11.1.10, rcv_id:2
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:3
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:4
    10CSW-LAN1(config)#
    2w3d: %SEC-6-IPACCESSLOGP: list IRONPORT_GROUPLIST permitted udp 10.11.1.10(0) -> 10.11.1.9(0), 5 packets
    10CSW-LAN1(config)#
    2w3d: WCCP-EVNT:S0: updating wc orig assign info
    2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
    2w3d: WCCP-EVNT:S0: wc assignment validated
    2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:5

    I would recommend doing the following. Also feel free to call into the IronPort support line. It is listed at the bottom of the page.
    Change the wccp service to service-number 90
    Try to redirect inbound traffic not outbound traffic.
    Set Load-balancing to mask
    Set forward method to L2
    Set return method to L2
    ip wccp 90 group-list IRONPORT-GROUPLIST  <- Set the wccp service-number
    ip wccp source-interface GigabitEthernet2/24
    Interface Vlan160
    ip address 10.10.16.1 255.255.254.0
    ip wccp 90 redirect out  <- Set the WCCP Service-number try to redirect inbound traffic
    ip access-list IRONPORT-GROUPLIST
    permit ip any host 10.11.1.10 (10.11.1.10 is the ironport proxy IP address)
    Below is an example of how you should set up your IronPort for a custom service number. Place the port numbers that you want to redirect.
    Christian Rahl
    Customer Support Engineer                      
    Cisco IronPort - Web Security Appliances
    Cisco Technical Assistance Center RTP
    United States Ironport: 1-877-641-IRON (4766)

  • C3750 & WCCP redirection

    Hi all,
    I am trying to set up a web cache using a WAE-612 and a C3750 switch. The switch is configured with three interfaces:
    CLIENTS ----- VLAN 1 ----- SWITCH ----- GI1/0/1 routed ---- SERVER(s)
            WAE-ENGINE ---- VLAN2--|
    I have configured inbound redirection on vlan 1 and inbound redirection on gi1/0/1
    ip wccp web-cache redirect in
    I am using L2 redirect & L2 return & my state is "enabled":
    Switch#show ip wccp web-cache detail
    WCCP Client information:
            WCCP Client ID:          10.101.2.202
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:    0
            Connect Time:          02:24:08
            Assignment:            MASK
    First, the "packets redirected" counter doesn't increment; is this normal (maybe due to hardware redirection)?
    Second, I am seeing HTTP GET requests from my clients going to my WAE engine, and I am also seeing the WAE engine sending them back to the switch (changed MAC address, L2 redirection).
    Third, my cache savings are 0%.
    Fourth, I don't see any traffic returning into the WAE engine. How can the WAE cache traffic if it never sees the server return traffic?
    Fifth, I have "spoof client ip" enabled on the WAE (need this for security reasons, the web server verifies the source IP address).
    Now I am thinking it is logical that my cache savings are 0%. The web-cache service group redirects port 80 packets and the switch supports only the "inbound" direction. This means that the switch never redirects the ANSWER from the server, so how on earth can it ever "cache" the response?
    Am I correct or am I wrong? How to solve it?
    Should i use different WCCP service groups on the interfaces (for example: based on source ip redirection, the other on destination ip redirection)
    PS. I am running 12.2(44)SE6 on the switch and 5.5.9.B9 on the WAE
    regards,
    Geert

    Hi Geert,
    With L2 redirection the 'packets redirected' counter won't increment since it's hardware redirection. You might want to
    check the WAE counter 'Transparent non-GRE packets received:' by running 'show wccp gre'.
    With WCCP IP spoofing enabled, requests will be sent to the web server with the client's IP address. So yes, you will need
    to configure WCCP to catch return traffic coming from the web server to be redirected to the WAE.
    To redirect return traffic you will need to configure a WCCP dynamic service group.
    By default the web-cache service will mask on the destination address. Since we need to make sure return traffic is sent to the
    same WAE as forward traffic, we need to mask return traffic on the source IP address.
    This will configure service group 95, and it will mask on source IP, which will be the web server's IP address:
    wccp service-number 95 mask src-ip-mask 0x1741 dst-ip-mask 0x0 
    wccp service-number 95 router-list-num 1 port-list-num 1 application cache l2-redirect mask-assign l2-return
    wccp version 2
    wccp spoof-client-ip enable
    You will then need to enable 'ip wccp 95 redirect in' on the WAN interface.
    Hope this helps,
    Best Regards,
    Rahul

  • WCCP L2 support (Router or Switches only)

    From the other conversations with this forum I understand that the routers support WCCP with GRE as the redirection option, while the Catalyst family uses L2 redirection for WCCP. Is this confirmed or not? Nothing on Cisco's home page spells this one out.

    Hi,
    that's not totally true. If you have a look at the Feature Navigator (www.cisco.com/go/fn) and search for WCCP Layer 2 PFC Redirection, you will see that there are a lot of platforms supporting this.
    From my knowledge this feature was introduced on the Cat6k platform.
    Just have a look at the FN to verify if your HW/SW supports this feature.
    Kind Regards,
    Jerg foerster

  • WCCP GRE between ProxySg & 6509 ?

    Hello,
    I want to run WCCP GRE between a Blue Coat ProxySG and a 6509, but I don't understand if it is possible with GRE (best practices: "Cisco Catalyst 6500 WCCP GRE return is handled in software"; Blue Coat doc: "Typically, GRE forwarding is supported on software-based switching platforms such as the Cisco 800, 1800, 2800, 3800, 7200, and 7500").
    Currently it does not run with Windows 7 clients and IE7 and HTTP in VLAN 62 (wccp 1 redirect in).
    Packets are bypassed (Total Bypassed Packets Received: 281), but there are exchanges between the ProxySG and the 6509. Where is the problem? GRE?
    Thank you for your help !
    Currently :
    Cisco 6509 :
    6509#show ip wccp 1
    Global WCCP information:
        Router information:
            Router Identifier:                   10.42.11.61
            Protocol Version:                    2.0
        Service Identifier: 1
            Number of Service Group Clients:     1
            Number of Service Group Routers:     1
            Total Packets s/w Redirected:        110
              Process:                           0
              CEF:                               110
            Redirect access-list:                100
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            36
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     281
    6509#show ip wccp 1 view
        WCCP Routers Informed of:
            10.42.11.61
        WCCP Clients Visible:
            10.193.118.30
        WCCP Clients NOT Visible:
            -none-
    ip wccp 1 redirect-list 100
    Extended IP access list 100
        10 permit ip any any (110 matches)
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
        40 permit tcp any any eq 8080
    interface Vlan62
    description EvoLAN_data
    ip address 10.194.62.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip wccp 1 redirect in
    ip pim sparse-mode
    end
    ProxySG
    WCCP :  v2
    Forwarding/Return : Generic Gre
    Assignment type : Mask
    Home IP Router : 10.42.11.61 (Loopback 6509)

    Hi,
    Please look at the following document.
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtwccpbc.html#wp1018512
    I see that the Bypass counter is incrementing in the given output.
    WCCP Bypass Packets
    Web Cache Communication Protocol (WCCP) intercepts IP packets and redirects those packets to a destination other than the destination that is specified in the IP header. Typically the packets are redirected from a web server on the Internet to a web cache that is local to the destination.
    Occasionally a web cache decides that it cannot deal with the redirected packets appropriately and returns the packets unchanged to the originating router. These packets are called "bypass packets" and are returned to the originating router encapsulated in generic routing encapsulation (GRE). The router decapsulates and forwards the packets normally.
    Troubleshooting Tips
    Problems have been encountered because CPU usage is very high when WCCP is enabled. The counters enable a determination of the bypass traffic directly on the router and can indicate whether or not this is the cause. In some situations, 10 percent bypass traffic may be normal; in other situations, it may be high. However, any figure above 25 percent should prompt a closer investigation of what is occurring in the web cache.
    If the counters suggest that the level of bypass traffic is high, the next step is to examine the bypass counters in the web cache and determine why the web cache is choosing to bypass the traffic. You can log in to the web-cache console and use the command line interface (CLI) to investigate further. The counters allow you to determine the percent of traffic being bypassed.
    See if the above doc helps.
    regards,
    Ajay Kumar

  • WCCP Multicast with 6500

    I have two 6500s (6509-1 and 6509-2) and two WAE-674 devices. I am trying to configure these devices in a redundant way. However, the WAEs form a WCCP relationship only with the 6509-2.
    6509-2#sh ip wccp 61 detail
    WCCP Cache-Engine information:
    Web Cache ID: 172.27.249.65
    Protocol Version: 2.0
    State: Usable
    Redirection: GRE
    Packet Return: GRE
    Assignment: HASH
    Initial Hash Info: 00000000000000000000000000000000
    00000000000000000000000000000000
    Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    00000000000000000000000000000000
    Hash Allotment: 128 (50.00%)
    Packets Redirected: 0
    Connect Time: 00:36:19
    Web Cache ID: 172.27.249.66
    Protocol Version: 2.0
    State: Usable
    Redirection: GRE
    Packet Return: GRE
    Assignment: HASH
    Initial Hash Info: 00000000000000000000000000000000
    00000000000000000000000000000000
    Assigned Hash Info: 00000000000000000000000000000000
    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    Hash Allotment: 128 (50.00%)
    Packets Redirected: 0
    Connect Time: 00:36:18
    however on the 6509-1
    6509-1#sh ip wccp 61 detail
    WCCP Cache-Engine information:
    Web Cache ID: 172.27.249.66
    Protocol Version: 2.0
    State: NOT Usable
    Redirection: L2
    Packet Return: L2
    Packets Redirected: 0
    Connect Time: 01:17:18
    Assignment: MASK
    Web Cache ID: 172.27.249.65
    Protocol Version: 2.0
    State: NOT Usable
    Redirection: L2
    Packet Return: L2
    Packets Redirected: 0
    Connect Time: 00:00:15
    Assignment: MASK
    Redirection (L2 on 6509-1 and GRE on the 6509-2) methods are shown differently on the 6500 switches.
    However, the configuration on the WAE side is the same:
    HOAE1674#sh run
    <outputs omitted>
    primary-interface Standby 1
    interface Standby 1
    ip address 172.27.249.65 255.255.255.240
    exit
    interface GigabitEthernet 1/0
    standby 1 priority 250
    exit
    interface GigabitEthernet 2/0
    standby 1
    exit
    ip default-gateway 172.27.249.78
    <outputs omitted>
    wccp router-list 1 224.10.10.10
    wccp tcp-promiscuous router-list-num 1
    wccp version 2
    And the 6500 configurations:
    6509-2#sh run int vlan 311
    interface Vlan311
    description WAAS-Normal
    ip address 172.27.249.77 255.255.255.240
    ip wccp 61 group-listen
    ip wccp 62 group-listen
    ip pim dense-mode
    standby 211 ip 172.27.249.78
    6509-2#sh run | i redire
    ip wccp 61 group-address 224.10.10.10 redirect-list 101
    ip wccp 62 group-address 224.10.10.10 redirect-list 102
    I know that L2 redirection and masking are advised on the 6500s; however, when I configure them, the 6500 'sh ip wccp' output shows that GRE masking is used.
    The WAE devices are connected directly to the 6509-2. I suspected a multicast issue; to test, I shut down the 6509-2 VLAN interface, but it did not help.
    The versions on the 6500s are the same (12.2SXF8); I know that 12.2SXF14 is suggested. However, a software upgrade requires a lot of change management procedures. I want to be sure that I did not make a configuration mistake.

    Thanks Dan, Matthew
    After I removed l2-return, WCCP seems to be OK:
    HOAE1674#sh run | i wccp
    wccp router-list 1 224.10.10.10
    wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
    wccp version 2
    6509-1#sh ip wccp 61
    Global WCCP information:
    Router information:
    Router Identifier: 192.168.2.253
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Cache Engines: 2
    Number of routers: 2
    Total Packets Redirected: 0
    Redirect access-list: 101
    Total Packets Denied Redirect: 13843
    Total Packets Unassigned: 0
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    6509-1#sh ip wccp 61 de
    WCCP Cache-Engine information:
    Web Cache ID: 172.27.249.66
    Protocol Version: 2.0
    State: Usable
    Redirection: L2
    Packet Return: GRE
    Packets Redirected: 0
    Connect Time: 01:32:23
    Assignment: MASK
    Mask  SrcAddr    DstAddr    SrcPort DstPort
    0000: 0x00001741 0x00000000 0x0000  0x0000
    Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
    0032: 0x00001000 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    0033: 0x00001001 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    0034: 0x00001040 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    0035: 0x00001041 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    0036: 0x00001100 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    0037: 0x00001101 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    0038: 0x00001140 0x00000000 0x0000  0x0000  0xAC1BF942 (172.27.249.66)
    Now I am trying to redirect packets over these appliances.
    However, TCP connections could not be established between redirected subnets. I can sniff that the packet is forwarded to the WAAS, but it did not send a response. I saw that bad bucket errors are incrementing when I try new connections.
    HOAE1674#sh wccp gre | i buckets
    Packets dropped due to bad buckets: 516
    regards,
    Bulent
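    Two posts in this thread rest on the same mechanism: Rahul's reply in the C3750 thread (service 95 masking on the source address so that return traffic lands on the same WAE the web-cache service picked on the destination address) and the value table in the post above (mask SrcAddr 0x00001741, entries 0032..0038 owned by 172.27.249.66, and the "bad buckets" counter on the WAE). The Python below is an added example, not code from the thread, from Cisco or from WAAS. It rebuilds the printed value rows from the mask, shows how a router maps a packet to a bucket and a WAE, models the WAE-side "bad bucket" check, and demonstrates why a mirrored service pair (61 on source, 62 on destination) keeps both directions of a connection on one WAE. Assumed, not in the thread: 172.27.249.65 owns buckets 0-31 and 172.27.249.66 owns 32-63 (a 50/50 split like the hash output on 6509-2); service 62 uses the same mask value on the destination address; and the index-to-value bit spreading (index bit 0 goes to the lowest set mask bit), which is inferred from entries 0032..0038 in the output. The client and server addresses are made up.

```python
"""WCCPv2 mask-assignment bucket lookup (added example, not from the thread)."""
import ipaddress

SRC_MASK = 0x00001741                       # 'Mask SrcAddr' in the output above
WAE_A, WAE_B = "172.27.249.65", "172.27.249.66"


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def deposit(index: int, mask: int) -> int:
    """Spread the bits of `index` over the set bits of `mask`, lowest mask
    bit first (PDEP). deposit(0b100000, 0x1741) == 0x1000, as in row 0032."""
    value, bit, m = 0, 0, mask
    while m:
        low = m & -m                        # lowest remaining mask bit
        if (index >> bit) & 1:
            value |= low
        m &= m - 1
        bit += 1
    return value


def extract(value: int, mask: int) -> int:
    """Inverse of deposit (PEXT): collapse the masked bits of `value` into
    a bucket index. extract(0x1040, 0x1741) == 34."""
    index, bit, m = 0, 0, mask
    while m:
        low = m & -m
        if value & low:
            index |= 1 << bit
        m &= m - 1
        bit += 1
    return index


def bucket_count(mask: int) -> int:
    return 1 << bin(mask).count("1")         # 0x1741 has 6 bits set -> 64 buckets


def build_assignment(mask: int, waes: list) -> dict:
    """Even contiguous split of the buckets across WAEs. Assumed split; the
    real one is chosen by the designated WAE and carried in its RA message."""
    n, k = bucket_count(mask), len(waes)
    return {i: waes[min(i * k // n, k - 1)] for i in range(n)}


def value_table(mask: int, assignment: dict) -> list:
    """The 'Value SrcAddr ... CE-IP' rows as (index, value, ce_ip)."""
    return [(i, deposit(i, mask), ce) for i, ce in sorted(assignment.items())]


def pick_wae(addr: str, mask: int, assignment: dict):
    """Router side: mask the address, map the surviving bits to a bucket,
    look the bucket up. Returns (bucket_index, wae_ip_or_None)."""
    idx = extract(ip2int(addr) & mask, mask)
    return idx, assignment.get(idx)


def wae_accepts(wae: str, addr: str, mask: int, assignment: dict) -> bool:
    """WAE side: a redirected packet whose bucket belongs to another WAE is
    what 'Packets dropped due to bad buckets' counts (modelled here)."""
    return pick_wae(addr, mask, assignment)[1] == wae


def flow_wae(src: str, dst: str, service: int, assignment: dict,
             mask: int = SRC_MASK) -> str:
    """Service 61 keys on the source address, 62 on the destination (same
    mask value in both, assumed). Mirrored like this, the client address
    selects the WAE in both directions of a connection."""
    addr = {61: src, 62: dst}[service]
    return pick_wae(addr, mask, assignment)[1]


if __name__ == "__main__":
    assign = build_assignment(SRC_MASK, [WAE_A, WAE_B])
    for idx, val, ce in value_table(SRC_MASK, assign)[32:39]:
        print(f"{idx:04d}: 0x{val:08X} 0x00000000 0x0000 0x0000 {ce}")
    client, server = "10.10.16.200", "192.0.2.80"
    print("61, client->server:", flow_wae(client, server, 61, assign))
    print("62, server->client:", flow_wae(server, client, 62, assign))
    print("61 applied to the return packet:", flow_wae(server, client, 61, assign))
```

    The last line of the demo is the failure Rahul's reply is guarding against: if the return direction were keyed on the same field as the forward direction, the server's address would be masked instead of the client's, and in this constructed case it lands in bucket 10 (172.27.249.65) while the forward packets went to bucket 34 (172.27.249.66). That WAE never saw the SYN, so the connection cannot be optimized, and a WAE that is handed a packet for a bucket it does not own counts it as a bad bucket.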

  • Configuring WCCP for http and https

    How do I configure WCCP on a 6509 to redirect HTTP and HTTPS traffic to an S650? I am using the following config and HTTP is working fine:
    ip wccp version 2
    ip wccp web-cache redirect-list aclwccp
    interface Vlan23
    description Rede Firewall
    ip address 10.0.23.20 255.255.255.0
    ip access-group 172 out
    ip wccp web-cache redirect out
    mls rp vtp-domain coc_block1
    mls rp ip
    mls netflow sampling
    end
    Should I configure another service for the HTTPS protocol?

    Cecato,
    The WSA can be configured to send 80 and 443 traffic, in the WCCP settings area (5.2.0+). There are some things you will need to be aware of before doing this though:
    1. If you are on 5.2.0-x, you will not be able to inspect HTTPS traffic. Only version 5.5.0+ has the ability to decrypt HTTPS traffic. Because of this, it is not recommended to redirect port 443 on WSA version 5.2.
    2. You will most likely need to specify a service ID other than web-cache. On most Cisco devices, web-cache is reserved for port 80 traffic only and cannot be changed. Any other service ID will work as you want it to.

  • WCCP not working

    Hi, 
    I have issued these commands in my ASA 5520 to activate WCCP to redirect web traffic from a PC with IP 192.168.120.6 to a McAfee Web Gateway with IP 10.250.2.33:
    access-list wccp-servers extended permit ip host 10.250.2.33 any
    access-list wccp-traffic extended permit ip host 192.168.120.6 any
    wccp 51 redirect-list wccp-traffic group-list wccp-servers password aspirina
    wccp interface INSIDE_IF_FWSM 51 redirect in
    We are seeing traffic in the WCCP statistics in ASA:
    Global WCCP information:
        Router information:
            Router Identifier:                   19X.5X.12X.9X
            Protocol Version:                    2.0
        Service Identifier: 51
            Number of Cache Engines:             1
            Number of routers:                   1
            Total Packets Redirected:            906
            Redirect access-list:                wccp-traffic
            Total Connections Denied Redirect:   0
            Total Packets Unassigned:            10
            Group access-list:                   wccp-servers
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total Bypassed Packets Received:     0
    However, the PC can't access the internet. Moreover, in the MWG we don't see GRE traffic.
    Thanks in advance.

    Though this is in the wrong forum, maybe I can help.  Can you do 'show wccp 51 detail' ?  Did you already do a packet capture on your proxy?  What are you seeing there?
     

  • WCCP problem or routing

    Hi,
    We have two datacenters on the same logical LAN.
    Two ISP routers and two WAE-674s, using WCCP "egress-method negotiated-return intercept-method wccp".
    See attached file.
    The problem is that when one of the "line" WAN interfaces goes down, some of the networks are not reachable from the LAN side and some are.
    We are using BGP as routing protocol in the ISP routers.
    Any suggestion for the problem?
    Jan

    Hello I am from the ISP and wanted to address these issues
    2. When the WAN goes down and the LAN remains up, your WCCP is still UP and hence it continues to forward packets out of the same WAN interface, but because that interface is down, packets ultimately die / get blackholed.
    3. Another speculation is: asymmetric routing. When the WAN is down but the LAN is up, you are forwarding some traffic out of the LAN, but as the WAN goes down, the return packets then come up on a different interface and create asymmetric routing.
    On question 2: with WCCP, would the router still try to send packets out the WAN interface even though it's down? Wouldn't the router be able to tell that routing changed to the source/dest subnets and not blindly send packets to a down interface? If not, then this most likely is what happened.
    Here is the WAN interface config; WCCP is enabled for inbound redirection, and the same for the actual data LAN interface:
    interface GigabitEthernet0/0
    description link to PE
    bandwidth 9000
    no ip address
    ip route-cache flow
    duplex full
    speed 10
    media-type rj45
    no cdp enable
    interface GigabitEthernet0/0.22
    encapsulation dot1Q 22
    ip address **********omit ****** 255.255.255.252
    ip wccp 62 redirect in
    no cdp enable
    and here is the LAN side
    interface GigabitEthernet0/1
    no ip address
    ip access-group 113 in
    ip route-cache flow
    duplex full
    speed 100
    media-type rj45
    service-policy output CE_OUT_MARK_0
    interface GigabitEthernet0/1.2450
    description Customer LAN
    encapsulation dot1Q 2450
    ip address ********* 255.255.255.224
    ip wccp 61 redirect in
    no cdp enable
    interface GigabitEthernet0/1.2459
    description Connection to customer-managed WAE Device For WCCP
    encapsulation dot1Q 2459
    ip address ******** 255.255.255.224
    ip wccp redirect exclude in
    no cdp enable
    interface GigabitEthernet0/1.2460
    encapsulation dot1Q 2460
    ip address ******* 255.255.255.224
    ip wccp redirect exclude in
    no cdp enable
    The sister router is configured in much the same way.
    On question 3
    3. Another speculation is: asymmetric routing. When the WAN is down but the LAN is up, you are forwarding some traffic out of the LAN, but as the WAN goes down, the return packets then come up on a different interface and create asymmetric routing.
    Wouldn't asymmetric routing just result in non-optimized connections, as it would never see the TCP option set for optimization?
    We are going to run this same test this weekend and I will look at all these things, but it seems as though asymmetric routing would result in no optimization but not packet blockage. Regarding question 2, if WCCP remains up and is black-holing traffic, I can see this as an issue for sure.
    One last question, also regarding the loopbacks and GRE return. There are distribute lists that block each router from learning the other's loopback when the WAN is down. Do you think this would matter? The reason I ask is because, on the asymmetric side again, let's say a packet comes into router #1 via the LAN and gets redirected to the WAE with the source IP of the loopback. When the WAE returns the packet to the router, I would think it would not need routing to router #2's loopback, as the destination at this point would be back to the client/server. Also, when the router forwards to the WAE, what IP on the WAE does it use?

  • WCCP ACL on Catalyst 3750

    Hi
    I have a stack of 3750s with IP Services and 2 WAAS appliances connected to the stack. I am running WCCP in the stack and redirecting traffic to the WAAS appliances using a redirect ACL. I read in the command guide for the 3750 that ONLY permit entries are supported. I have approx. 20 VLANs, and there is local traffic flowing between some of them.
    My question is: if I can't use deny entries in the redirect ACL in the switch, how can I stop the local traffic between the VLANs getting redirected unnecessarily? Will the local traffic be redirected to the WAAS appliance and then just go bypass and go back to the switch stack, or does WCCP handle this in some way so only the first packets for each session get redirected?
    BR
    CJ Ekman

    Hey CJ,
    Option 1: another option you might consider is intercepting closer to the WAN edge, if that's an available option for you.
    Again, like Patrick mentioned it depends on your network / IP design but if you intercept closer to the WAN edge you should be able to avoid engineering a redirect ACL altogether.
    Option 2: depending on the 3750 platform and code upgrade options, some of the latest 3750 IOS versions include support for deny entries for WCCP redirect ACLs. Check out these release notes (look at the very last bullet point in this list):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/release/notes/OL24338.html#wp1009434
    Hope this helps!
    -Chet

  • Default interception behavior of TCP service 61 and 62?

    When using TCP service groups 61 and 62 in WAAS WCCP redirection, is the default behavior to redirect all traffic or only all TCP traffic? I'm using Cat6500 to do L2 redirection and considering using redirect-list to reduce WAE processing load. If all traffic is to be redirected, then I need to exclude VoIP media traffic (UDP) as well. If just TCP is to be redirected, then I don't need to deny UDP in the redirect-list.
    Another question: is it possible to use "ip wccp redirect" for trunk ports in L2 redirection if the switch is Layer 2 only?
    Thanks a lot

    WCCP 61/62 are TCP-promiscuous; this means that all TCP ports will be redirected to the WAE. UDP traffic will not be redirected; however, please check with your VoIP solution and make sure that phone registration is not on a TCP port. If it is, then a WCCP flap will cause all phones to re-register in your network.
    WCCP can only be enabled on an IPv4 / Layer 3 enabled interface, so a trunk port with dot1q trunking and no IP on it will not redirect any packets.
    Hope this helps.
    Ahsan

  • WAN Acceleration Configuration

    Hello all,
    We have purchased WAAS WAE 674 WAN Accelerators, and I have a question on placement in our network. I've just recently implemented redundant WAN lines (DS3s), and now would like to move my WAE674s so that they are accelerating traffic across both WAN lines.
    Is this configuration possible with the 2 WAE674s (no inline cards), WCCP forwarding, and my HQ WAAS controller, or do I have to purchase an additional 2 WAE 674s to accelerate both WAN lines?
    Attached is a drawing for what our WAN design network looks like, we are using EIGRP as our routing protocol, and using per destination load sharing, and redistributing our static routes out from our HQ 6509E.
    Please let me know if there is more information needed.
    Thanks,
    Jon

    Hi Jon,
    Here are the details of GRE and L2 WCCP redirection.
    GRE allows datagrams to be encapsulated into IP packets at the WCCP-enabled router and then redirected to a WAE (the transparent proxy server). At this intermediate destination, the datagrams are decapsulated and then handled by the WAAS software. If the request cannot be handled locally, the origin server may be contacted by the associated WAE to complete the request. In doing so, the trip to the origin server appears to the inner datagrams as one hop. The redirected traffic using GRE usually is referred to as GRE tunnel traffic. With GRE, all redirection is handled by the router software.
    Layer 2 redirection is accomplished when a WCCP-enabled router or switch takes advantage of internal switching hardware that either partially or fully implements the WCCP traffic interception and redirection functions at Layer 2. This type of redirection is currently supported only with the Catalyst 6500 series switches and Cisco 7200 and 7600 series routers. With Layer 2 redirection, the first redirected traffic packet is handled by the router software. The rest of the traffic is handled by the router hardware. The branch WAE instructs the router or switch to apply a bit mask to certain packet fields, which in turn provides a mask result or index mapped to the branch WAE in the service group in the form of a mask index address table. The redirection process is accelerated in the switching hardware, making Layer 2 redirection more efficient than Layer 3 GRE.
    More details here:
    http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/traffic.html
    Cisco WAAS Software Release 4.0.13 introduces flexibility when using WCCPv2 as the redirection method. It allows configuration of the egress method, which increases Cisco WAAS deployment alternatives in cases using WCCP interception. From Cisco WAAS 4.0.13 onward, the WCCP negotiated return is also supported as the egress method. This method allows the Cisco WAE to be deployed on the same subnet as users or servers and provides better support for preservation of the routing path chosen by the network, because the optimized traffic is returned to the redirecting router. The negotiated return egress method also helps ensure compatibility with asymmetric routing, equal-cost multipath (ECMP) load-balancing, and Hot Standby Router Protocol (HSRP) environments. The return traffic egress method is negotiated based on the WCCPv2 configuration on the router and the egress method configuration on the Cisco WAE.
    You will find more information here:
    http://www-europe.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/prod_white_paper0900aecd806d976a_ps6474_Products_White_Paper.html
    Regards.
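The L2 mask-assignment mechanism described in this reply (the router ANDs packet fields with a WAE-supplied mask and uses the result as an index into a mask/value table), together with the TCP-only behaviour of services 61/62 from the earlier thread, as an added Python model. This is not Cisco, WAAS or any poster's code: the WAE addresses, the 0x1741 source-IP mask, the round-robin bucket allocation and the packet fields are constructed for the example.

```python
# Added example (not Cisco/WAAS code): a toy model of WCCPv2 L2 mask assignment.
# The mask values, WAE addresses and packet fields below are constructed.
import ipaddress

TCP, UDP = 6, 17
# Services 61/62 are TCP-promiscuous: only protocol 6 is considered for redirection.
PROMISCUOUS_TCP_PROTOCOLS = {TCP}


def extract_bits(value, mask):
    """Compress the bits of `value` selected by `mask` into a dense integer,
    lowest mask bit first (mask 0b1010 on value 0b1000 gives 0b10)."""
    out, pos = 0, 0
    for i in range(32):
        if mask >> i & 1:
            out |= ((value >> i) & 1) << pos
            pos += 1
    return out


class MaskAssignment:
    """Mask/value table of the kind a WAE announces to the router in WCCPv2.

    The router ANDs each packet field with its mask, concatenates the selected
    bits into a bucket index, and forwards the packet to the WAE owning that
    bucket, so every packet of a flow lands on the same WAE."""

    def __init__(self, waes, src_ip_mask=0, dst_ip_mask=0,
                 src_port_mask=0, dst_port_mask=0):
        self.masks = (src_ip_mask, dst_ip_mask, src_port_mask, dst_port_mask)
        total_bits = sum(bin(m).count("1") for m in self.masks)
        if total_bits > 7:   # WCCPv2 limits the combined mask to 7 bits (128 buckets)
            raise ValueError("combined mask exceeds 7 bits")
        self.waes = list(waes)
        # Constructed policy: the designated WAE hands out buckets round-robin.
        self.table = {b: self.waes[b % len(self.waes)]
                      for b in range(1 << total_bits)}

    def bucket_for(self, src_ip, dst_ip, src_port, dst_port):
        """Index the packet exactly as the switching hardware would: mask each
        field, then concatenate the surviving bits field by field."""
        fields = (int(ipaddress.IPv4Address(src_ip)),
                  int(ipaddress.IPv4Address(dst_ip)), src_port, dst_port)
        index, shift = 0, 0
        for value, mask in zip(fields, self.masks):
            index |= extract_bits(value, mask) << shift
            shift += bin(mask).count("1")
        return index

    def redirect(self, proto, src_ip, dst_ip, src_port, dst_port):
        """Return the WAE address this packet is redirected to, or None."""
        if proto not in PROMISCUOUS_TCP_PROTOCOLS:
            return None   # UDP (VoIP media, for instance) is never redirected by 61/62
        return self.table[self.bucket_for(src_ip, dst_ip, src_port, dst_port)]

    def buckets_per_wae(self):
        """How evenly the bucket space is spread over the service group."""
        counts = {w: 0 for w in self.waes}
        for w in self.table.values():
            counts[w] += 1
        return counts


if __name__ == "__main__":
    # Service 61 hashes on the source IP; 0x1741 is a constructed 6-bit mask.
    svc61 = MaskAssignment(["10.0.0.11", "10.0.0.12"], src_ip_mask=0x1741)
    print(svc61.buckets_per_wae())
    print(svc61.redirect(TCP, "172.27.110.5", "10.1.1.1", 40000, 80))
    print(svc61.redirect(UDP, "172.27.110.5", "10.1.1.1", 40000, 5060))
```

Because only the source-IP bits contribute with this mask, all TCP connections from one client reach the same WAE regardless of port, while a UDP packet from the same client returns None; a redirect-list therefore does not need a deny entry for UDP on these two services.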

  • ASA: Authenticating Outbound Connections - Authentication-Gateway?

    I use an ASA 5520 as Internet edge for 3 different groups of users. Currently I control access in the internet segment for each group by static DHCP leases based on MAC addresses.
    As this is not the most secure approach I am looking for a different way to control access within my internet segment.
    I am thinking of authenticating the users with username and password prior to establishing connections over the ASA. I think this can be done somehow with the cut-through proxy feature. Unfortunately I have no ACS server available, so the cut-through approach is not possible.
    Has anyone done a configuration setup so far where users get authenticated based on username/password prior to allowing a connection through the ASA?
    A similar functionality is often seen on public hotspots in airports where you have to authenticate over a webpage before internet usage.
    Is there an open source software capable of this authentication method and can you configure it in conjunction with an ASA? Maybe using the WCCP Feature?
    This might be a little off-topic, but hopefully someone already has experience with this kind of setup.
    Thanks for reading.
    Roble

    Yeah, I can't believe it either! http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/access_wccp.html#wp1105267
    The following WCCPv2 features are not supported for the ASA:
    • Multiple routers in a service group.
    • Multicast WCCP.
    • The Layer 2 redirect method.
    • WCCP source address spoofing.
    • WAAS devices.

  • Create .Mac website with different name?

    My dot Mac account uses my name -- convenient for email. When I go to create a blog, which I'd rather not do under my name, iWeb publishes to a url with my dot Mac ID as part of the path. Is there some way to change that?

    You can obtain a "Personal domain" and redirect or assign your web.mac.com account as a CNAME. I use www.ipower.com for $6.50 a year and a lot of people pay godaddy.com $9.99 a year for the same thing. Although with ipower I use a masking redirect (which always shows the domain you choose) and haven't seen if they offer the CNAME option. .Mac has instructions if you go to your account settings and click on "Personal Domain". But don't actually go through the process until you've set up on your domain provider's site because it will make your site inaccessible if it's not set up right (which can be fixed by deleting the Personal domain settings on .Mac).
    Good luck!

  • Port is added by upnp but still inaccessible

    Hi. I'm new to miniupnpd and iptables.
    Just now I successfully installed and started miniupnpd on my Linux router, and I ran Skype, which then successfully added a port (55043) via UPnP. However, the port was still inaccessible from the internet.
    Is there any other rules blocking the port?
    Thanks.
    # Generated by iptables-save v1.4.21 on Thu Jan 8 07:32:13 2015
    *mangle
    :PREROUTING ACCEPT [8930:2247957]
    :INPUT ACCEPT [2302:241609]
    :FORWARD ACCEPT [6604:2005580]
    :OUTPUT ACCEPT [2939:780996]
    :POSTROUTING ACCEPT [9533:2786104]
    :MINIUPNPD - [0:0]
    -A PREROUTING -i ppp0 -j MINIUPNPD
    COMMIT
    # Completed on Thu Jan 8 07:32:13 2015
    # Generated by iptables-save v1.4.21 on Thu Jan 8 07:32:13 2015
    *nat
    :PREROUTING ACCEPT [54:4075]
    :INPUT ACCEPT [11:641]
    :OUTPUT ACCEPT [28:3667]
    :POSTROUTING ACCEPT [28:3667]
    :MINIUPNPD - [0:0]
    :MINIUPNPD-PCP-PEER - [0:0]
    -A PREROUTING -i ppp0 -p tcp -m tcp --dport 1025 -j DNAT --to-destination 192.168.1.1:22
    -A PREROUTING -i ppp0 -j MINIUPNPD
    -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
    -A POSTROUTING -o ppp0 -j MINIUPNPD-PCP-PEER
    -A MINIUPNPD -p udp -m udp --dport 55043 -j DNAT --to-destination 192.168.1.140:55043
    -A MINIUPNPD -p tcp -m tcp --dport 55043 -j DNAT --to-destination 192.168.1.140:55043
    COMMIT
    # Completed on Thu Jan 8 07:32:13 2015
    # Generated by iptables-save v1.4.21 on Thu Jan 8 07:32:13 2015
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [186:55628]
    :MINIUPNPD - [0:0]
    :TCP - [0:0]
    :UDP - [0:0]
    :fw-interfaces - [0:0]
    :fw-open - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i wlp1s0 -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
    -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
    -A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j fw-interfaces
    -A FORWARD -j fw-open
    -A FORWARD -j REJECT --reject-with icmp-host-unreachable
    -A FORWARD -i ppp0 ! -o ppp0 -j MINIUPNPD
    -A MINIUPNPD -d 192.168.1.140/32 -p udp -m udp --dport 55043 -j ACCEPT
    -A MINIUPNPD -d 192.168.1.140/32 -p tcp -m tcp --dport 55043 -j ACCEPT
    -A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
    -A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
    -A fw-interfaces -i wlp1s0 -j ACCEPT
    -A fw-open -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
    COMMIT
    # Completed on Thu Jan 8 07:32:13 2015
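The check a firewall reviewer would run over the dump above, as an added example that is not part of the original post and not miniupnpd code: a rule with no match criteria and a terminating target (here `-j REJECT`) matches every packet that reaches it, so anything appended after it in the same chain can never be consulted. The script parses iptables-save output and lists such shadowed rules; SAMPLE is a constructed excerpt modelled on the filter table posted above.

```python
# Added example (not from the post or from miniupnpd): list iptables rules that can
# never match because an unconditional terminating rule precedes them in the chain.
# SAMPLE is a constructed excerpt modelled on the filter table in the dump above.

# Targets that end chain traversal for a packet they match.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN",
               "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:MINIUPNPD - [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlp1s0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -i ppp0 ! -o ppp0 -j MINIUPNPD
-A MINIUPNPD -d 192.168.1.140/32 -p tcp -m tcp --dport 55043 -j ACCEPT
-A fw-interfaces -i wlp1s0 -j ACCEPT
COMMIT
"""


def parse_iptables_save(dump):
    """Yield (table, chain, match_tokens, target, line) for every -A rule in a dump."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]                  # "*filter" -> "filter"
        elif line.startswith("-A "):
            parts = line.split()
            chain = parts[1]
            if "-j" in parts:
                j = parts.index("-j")
                matches, target = parts[2:j], parts[j + 1]
            else:                             # no target: the rule only counts packets
                matches, target = parts[2:], None
            yield table, chain, matches, target, line


def find_shadowed_rules(dump):
    """Return the rules that sit behind an unconditional terminating rule in their chain.

    A rule with no match tokens (-i, -p, -m, ...) matches every packet; if its target
    also ends traversal, nothing appended after it in that chain is ever consulted.
    A bare jump to a user chain (e.g. -j fw-interfaces) is not a blocker, because the
    user chain may RETURN."""
    blockers = {}      # (table, chain) -> first rule that short-circuits the chain
    shadowed = []
    for table, chain, matches, target, line in parse_iptables_save(dump):
        key = (table, chain)
        if key in blockers:
            shadowed.append({"table": table, "chain": chain,
                             "rule": line, "shadowed_by": blockers[key]})
        elif not matches and target in TERMINATING:
            blockers[key] = line
    return shadowed


if __name__ == "__main__":
    for hit in find_shadowed_rules(SAMPLE):
        print(f"{hit['table']}/{hit['chain']}: unreachable  {hit['rule']}")
        print(f"    blocked by  {hit['shadowed_by']}")
```

Run over the full dump posted above, the same check flags the `-A FORWARD -i ppp0 ! -o ppp0 -j MINIUPNPD` jump as unreachable behind `-A FORWARD -j REJECT --reject-with icmp-host-unreachable`, and the INPUT jumps to the TCP and UDP chains behind the unconditional `-j REJECT --reject-with icmp-proto-unreachable`. The nat-table DNAT entries miniupnpd added are consulted first, but the translated packet is then rejected in the filter FORWARD chain before the MINIUPNPD ACCEPT rules are reached, which is consistent with the port being unreachable from the internet.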

    what is the make and model of your router and/or modem?
    www.portforward.com is a great website with walkthroughs and screen shots for port forwarding.
    Bob Robertson - Lighter Klepto - I steal lighters, not bandwidth
