WCCP Multivendor Group
Hello,
I'm trying to build a WCCP service group with a CE500 ACNS 5.2.3,
Cisco Router with 12.2.8T5 and
CE BlueCoat ProxySG 3.2.4.8,
At this time the router can build the service just with one of them, but not with both.
Do you know if there is some restriction to form this multivendor service group in order to do load-balancing?
Your responses will be greatly appreciated...
Erick
Thanks for your response,
As Release notes http://www.cisco.com/en/US/products/sw/conntsw/ps491/prod_release_note09186a008034fc5d.html appoints:
"Because of these enhancements, receivers using ACNS 5.2 software cannot interact with senders using ACNS 5.0 or 5.1 software. The ACNS 5.2 multicast receiver will ignore files sent from an ACNS 5.0 or 5.1 multicast sender. However, an ACNS 5.2 multicast sender can interoperate with ACNS 5.0 or 5.1 multicast receivers because the software detects the lower software version and disables the checkpoint feature. Therefore, we recommend that you upgrade your multicast sender to ACNS 5.2 software first and then upgrade your receivers to ACNS 5.2 software"
After reading this note, I have open this case, please note that I'm dealing with a CacheFlow running another operating system not ACNS and I hope to add my Cisco ACNS CE to his group.
Regards,
Erick
Similar Messages
-
WAAS, wccp service groups and DC/Branch deployment
Hi,
I have two design queries relating to wccp service groups and WAAS in DC and branch deployments.
Firstly, lets say at the DC end I use wccp service 61 (source address) on the WAN interface of my edge-layer switches. I configure the L3 interfaces on the same switches (connecting to the LAN side) to use use wccp service 62 (destination address). The WAEs are using L2 at the edge layer; with masking etc.
I've read that at the branch office you need to 'reverse' the service group setup - so that if I have the same sort of setup at the branch using 3750s and WAEs then the WAN interface should be using wccp service 62 and the LAN side using wccp service 61.
If I assume that is correct, then how does this affect things when two branches are communicating with each other (and they are both setup the same) - will be waas not be effective in this scenario? (Assume that the DC waas does not see any branch-to-branch communication).
What happens if you have a consistent design across your network (61 on WAN, and 62 at LAN interfaces across all WAAS sites)?
Secondly, when using L2 wccp redirection and masking; do most deployments leave the mask as default (0x1741)? I'm thinking that in some situations it might be better to have an entire geographic location covering a few branches being sent to the same DC end WAE. For example, I might want everyone on a /24 subnet in one branch to be using the same WAE/dre cache at the DC; rather than the possibility of duplicate dre caches on DC end WAEs service the same branch subnet (I realise that redundancy might be an advantage should one DC WAE fail).
Is there a table/calculator somewhere that can work out what mask I could use to cover /24 or /22 or even /16 subnets to direct requests to the same WAE at the DC?
Thanks
CameronCameron,
Excellent questions. Rule of thumb is to use source IP based load balancing, so in the branches 61/LAN - 62/WAN and in the DC 61/WAN and 62/LAN. That being said, if there is some site to site traffic at the edges, you may get some splitting, however, unless there is enough traffic to make it a "mini-dc", changing the services around is generally a wash. Also, if you only have a single WAE at the edge, it won't matter either.
On the mask, default mask is definitely not desirable. I generally use Calc and convert my desired Mask from Binary to Hex. The following examples are assuming 4 bit masks, but you can use from 1 up to 6 or 7 max bits if you need more buckets.
If you are looking to group /24, you could be 0xF00 or similar.
If you are looking to group /22, use 0x3C00 or similar
When calculating your mask, don't put your bits in the host bits, only in the network bits. Also, remember that the leftmost bit is usually the decision maker, so don't make it too far to the left or all your traffic will be on one WAE. The less WAEs in your WCCP cluster, the less bits you should use in your mask (allow some extras for fault tolerence).
Hope that helps,
Dan -
WAAS / WCCP service groups / L2 adjacencies
Hi all,
I'm having trouble finding a definitive answer on this one. I'm working on a WAAS deployment in a network with asymmetric routing. I want to deploy WAAS accelerators at two geographically dispersed data centre sites (head end). Do the WAAS boxes themselves need to be L2 adjacent with each other in this configuration? i.e. can the service group consist of two routers (one at each DC) and two WAEs (one at each site), with routed links between the DCs (WAEs in separate IP subnets)?
Something like:
- two routers (rtr-A, rtr-B)
- two WAAS accelerators (waas-A, waas-B)
- rtr-A and waas-A are L2 adjacent and use WCCP w/L2 redirection
- rtr-B and waas-B are L2 adjacent and use WCCP w/L2 redirection
- rtr-A and waas-B are not L2 adjacent and use WCCP w/GRE redirection
- rtr-B and waas-A are not L2 adjacent and use WCCP w/GRE redirection
Here's a quick diagram:
http://i4.tinypic.com/62nhf5u.jpg
(all links are L3/routed)
cheers!Dale,
There is no requirement for the WAE's to be L2 adjacent to each other. Note that the WCCP Forwarding Method is negotiated per Service Group -- so it can either be L2 or GRE. Based on your description, you would want to use GRE Forwarding.
Regards,
Zach -
WCCP src group & redirect/return method
Has anyone here implemented 3rd party WAN optimization such as Bluecoat or Riverbed w/ WCCP?
What service groups and redirect/return methods did you use, and on which Cisco switch/router platforms?
I'd like to know what works, and what doesn't...
It looks like you generally use service group 61 & 62 to redirect all TCP traffic to WAAS, based on source/destination IP's.
Do those two service groups also work w/ 3rd party devices?
If they don't, do I just pick some random service groups, other than the well known ones?
How would the switch/router know what traffic to redirect, if no redirect-list is used?
The Networkers' wccp presentation slides say if GRE is to be used w/ 6500's, generic GRE needs to be used instead of WCCP GRE.
Where would you configure what type of GRE is used, within WAAS?
Does anyone know if such setting exists on 3rd party devices?
Our Bluecoat SE isn't even aware of two different versions of GRE, and neither was I, before I watched the Networkers session.Hi,
I know with Riverbed you can use wccp 61/62 as well. I don't have experience with other vendors though.
The router knows what to redirect based on the WCCP service number. It can be a well-known service or a custom service where you define what to redirect directly on the optimizer/web-cache device. The redirect list is only used to further limit what is redirected.
In h/w forwarding platform WCCP GRE is handled in s/w, this is why using generic GRE is suggested. On WAAS you can configure it using "egress-method generic-gre intercept-method wccp"
For more details check the "Egress Method" section in the following doc:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-629052.html
Here you have WCCP redirection method supported and suggested for different Cisco platforms:
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
hope this helps,
Fabrizio -
Hi Experts,
I am trying to understand how wccp service redirect determines when to and not to redirect traffic.
Given the below:
Router
int gi0/0 ---> inside lan interface
int gi1/0 ---> WAE connected interface with redirect exlude in
int s0/1 ---> WAN interface
ip wccp 61 redirect out
ip wccp 62 redirect in
From what i've understood so far, traffic coming from a client will enter the inside interface and hit the serial interface and given the redirect 61 statement will be redirected to the WAE via int gi1/0. After the WAE optimizes the traffic, it sends it back to the router and the packet then makes it way out the serial interface to a remote destination where another WAE is set.
My question is, does the WAE tag the optimized traffic that when it reaches the serial interface of the router, wccp of the router sees this and does not redirect it back to the WAE?
Thanks in advance.The wccp redirect exclude in configured on the WAE connected interface (gig 1/0 in your example) is what tells the router to not redirect the traffic coming from the WAE on this interface.
Regards,
Mike -
Help with EEM TCL / CLI scripting for re-direction/wccp counters
Being new with EEM scripting I wanted to see if I was on the right track and get some help to finish my idea.
Our problem I am trying to fix is our remote sites utilize pairs of Cat3650's for some routing and WCCP redirection. We are encountering ACL denial issues causing slow down and access issues. The fix for the issue we remove the WCCP service groups to break peering with our wan optimizers and re-insert the configuration thus re-establishing peering and restoring service.
My idea is to use a TCL scipt on a watchdog timer to parse the "sh ip wccp | inc denied (or unassign)" output for denial and unassignable error counters. If a counter is found I wanted to create a syslog message that would then kick off a simple EEM CLI script to remove the service groups, wait 10 seconds, then re-add the service groups. Please point me in the right direction if I am off track as I am not sure if I can use the EEM CLI for all this or since I want to retreive specific info from the sh ip wccp output if I do need to utilize TCL. I am also unsure if the "total denied" ascii string pulled via the "sh ip wccp | inc denied" will cause issues when attempting to just pull the counter information.
sh ip wccp | inc Denied Red
Total Packets Denied Redirect: 0
Total Packets Denied Redirect: 0
Script thus far :
TCL
if [catch {context_retrieve "EEM_WCCP_ERROR_COUNTER" "count"} result] {
set wccpcounter 0
} else {
set wccpcounter $result
} if [catch {cli_open} result] {
error $result
} else {
array set cli $result
} if [catch {cli_exec $cli(fd) "show ip wccp | incl Denied"} result] {
error $result
} else {
set cmd_output $result
set count ""
catch [regexp {receive ([0-9]+),} $cmd_output} ignore count]
set count
set diff [expr $count - $wccpcounter]
if {$diff != 0} {
action_syslog priority emergencies msg "WCCP counters showing incremental Denied packet counts"
if [catch {cli_close $cli(fd) $cli(tty_id)} result] {
error $result
context_save EEM_WCCP_ERROR_COUNTER count
CLI
event manager applet WCCP_COUNTER_WATCH
event syslog priority emergencies pattern "WCCP counters showing incremental Denied packet counts"
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "no ip wccp 61"
action 004 cli command "no ip wccp 62"
action 005 wait 10
action 006 cli command "ip wccp 61"
action 007 cli command "ip wccp 62"
action 008 wait 15
action 009 cli command "clear ip wccp"
action 010 cli command "end"
Thanks for all the helpThis won't work as EEM cannot intercept its own syslog messages. However, I'm not sure why you need this form of IPC anyway. Why not just make the Tcl script perform the needed CLI commands?
And, yes, you could use all applets here. But since you've written the hard stuff in Tcl already, it might be best just to add the missing calls to reconfigure WCCP to that script. -
Hi all,
I am trying to setup a web cache using a WAE-612 and a C3750 switch. The switch is configured with three interfaces:
CLIENTS ----- VLAN 1 ----- SWITCH ----- GI1/0/1 routed ---- SERVER(s)
WAE-ENGINE ---- VLAN2--|
I have configured inbound redirection on vlan 1 and inbound redirection on gi1/0/1
ip wccp web-cache redirect in
I am using L2 redirect & L2 return & my state is "enabled":
Switch#show ip wccp web-cache detail
WCCP Client information:
WCCP Client ID: 10.101.2.202
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 02:24:08
Assignment: MASK
First, the "packets redirected" counter doesn't increment, is this normal (maybe due to hardware redirection ?)
Second, i am seeing HTTP GET requests from my clients going to my WAE-engine and i am also seeing the WAE-engine sending them back to the switch (changed mac address, L2 redirection)
Third, my cache savings are 0 %
Fourth, i don't see any traffic returning into the WAE-engine. How can the WAE cache traffic if he never sees the server return traffic ?
Fifth, i have "spoof client ip" enabled on the WAE (need this for security reasons, web server verifies source ip address)
Now i am thinking it is logical that my cache savings are 0% . The web-cache service group redirects port 80 packets and the switch supports only "inbound" direction. This means that the switches never redirects the ANSWER of the server,so how on earth can it ever "cache" the response ?
Am i correct or am i wrong ? How to solve it ?
Should i use different WCCP service groups on the interfaces (for example: based on source ip redirection, the other on destination ip redirection)
PS. I am running 12.2(44)SE6 on the switch and 5.5.9.B9 on the WAE
regards,
GeertHi Geert,
With L2 redirection 'packets redirected' counter won't increment since its Hardware redirection. You might want to
check on WAE counter 'Transparent non-GRE packets received:' by running 'show wccp gre'
With wccp ip-spoofing enabled, requests will be sent to web server with Clients IP address. So yes you will need
to configure WCCP to catch return traffic coming from web server to be redirected to WAE.
To redirect return traffic you will need to configure WCCP Dynamic Service group ,
By default web-cache service will Mask on Destination address. Since we need to make sure return traffic is sent to
same WAE as forwarding traffic, we need to Mask return traffic on Source IP address.
This will config Service group 95 and it will Mask on Source IP which will be Webservers IP address
wccp service-number 95 mask src-ip-mask 0x1741 dst-ip-mask 0x0
wccp service-number 95 router-list-num 1 port-list-num 1 application cache l2-redirect mask-assign l2-return
wccp version 2
wccp spoof-client-ip enable
You will then need to enable 'ip wccp 95 redirect in' on the WAN interface.
Hope this helps,
Best Regards,
Rahul -
WCCP redirect on 4507 to ironport
I am trying to setup WCCP on our 4507. For some reason I cannot get this to work! The config I have tried is below. I can't figure out what I'm doing wrong here!
ip wccp web-cache group-list IRONPORT-GROUPLIST
ip wccp source-interface GigabitEthernet2/24
Interface Vlan160
ip address 10.10.16.1 255.255.254.0
ip wccp web-cache redirect out
ip access-list IRONPORT-GROUPLIST
permit ip any host 10.11.1.10 (10.11.1.10 is the ironport proxy IP address)
On the ironport I setup web-cache under transparent redirection and provided the IP address I used to source from above (GigabitEthernet2/24). Here is the output I get on the 4507:
10CSW-LAN1#sh ip wccp web-cache
Global WCCP information:
Router information:
Router Identifier: 10.11.1.9
Configured source-interface: GigabitEthernet2/24
Protocol Version: 2.0
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets Redirected: 0
Process: 0
CEF: 0
Platform: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: IRONPORT_GROUPLIST
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Process: 0
CEF: 0
Platform: 0
Here is the debug output:
2w3d: WCCP-EVNT:Process: Start V2 (138)
2w3d: WCCP-EVNT:Successfully opened UDP socket
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:router-id set (initialise) 0.0.0.0 => 10.11.1.9
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: allocate wc orig mask info (540 bytes)
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:1
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated transmit interval to: 10000
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated timer scaling factors to: 1 and 1
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group methods
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group timers
2w3d: WCCP-EVNT:S0: no srvc grp mask data to validate
2w3d: WCCP-EVNT:S0: created adjacency interest, 10.11.1.10
2w3d: WCCP-EVNT:S0: nexthop update oce for wc 10.11.1.10, 0x0 -> 0x23C10CF0 IP adj out of GigabitEthernet2/24, addr 10.11.1.10 23C10C80
2w3d: WCCP-EVNT:S0: track nexthop for wc 10.11.1.10 (OK)
2w3d: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 10.11.1.10
10CSW-LAN1(config)#
2w3d: WCCP-PKT:S0: Received HIA from 10.11.1.10, rcv_id:1
2w3d: WCCP-EVNT:S0: Building new router view
2w3d: WCCP-EVNT:S0: deallocate rtr_view (24 bytes)
2w3d: WCCP-EVNT:S0: allocate mask rtr_view (572 bytes)
2w3d: WCCP-EVNT:S0: copy orig info (540 bytes)
2w3d: WCCP-EVNT:S0: Assignment wait timer restarted, delay 50000
2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:2
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: setting up wc mask assignments
2w3d: WCCP-EVNT:S0: allocate current assign info (540 bytes)
2w3d: WCCP-EVNT:S0: set wc current assign info (540 bytes)
2w3d: WCCP-EVNT:S0: RA from 10.11.1.10 (id: 10.11.1.10), assignment key set to 10.11.1.10,3
2w3d: WCCP-EVNT:S0: Building new router view
2w3d: WCCP-EVNT:S0: reuse rtr_view (44 of 572 bytes)
2w3d: WCCP-EVNT:S0: copy blank current info
2w3d: WCCP-EVNT:S0: Assignment wait timer stopped
2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
2w3d: WCCP-PKT:S0: Received RA from 10.11.1.10, rcv_id:2
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: wc assignment validated
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:3
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: wc assignment validated
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:4
10CSW-LAN1(config)#
2w3d: %SEC-6-IPACCESSLOGP: list IRONPORT_GROUPLIST permitted udp 10.11.1.10(0) -> 10.11.1.9(0), 5 packets
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: wc assignment validated
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:5
2w3d: WCCP-EVNT:Process: Start V2 (138)
2w3d: WCCP-EVNT:Successfully opened UDP socket
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:router-id set (initialise) 0.0.0.0 => 10.11.1.9
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: allocate wc orig mask info (540 bytes)
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:1
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated transmit interval to: 10000
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updated timer scaling factors to: 1 and 1
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group methods
2w3d: WCCP-EVNT:S0: HIA from 10.11.1.10 updating group timers
2w3d: WCCP-EVNT:S0: no srvc grp mask data to validate
2w3d: WCCP-EVNT:S0: created adjacency interest, 10.11.1.10
2w3d: WCCP-EVNT:S0: nexthop update oce for wc 10.11.1.10, 0x0 -> 0x23C10CF0 IP adj out of GigabitEthernet2/24, addr 10.11.1.10 23C10C80
2w3d: WCCP-EVNT:S0: track nexthop for wc 10.11.1.10 (OK)
2w3d: %WCCP-5-SERVICEFOUND: Service web-cache acquired on WCCP client 10.11.1.10
10CSW-LAN1(config)#
2w3d: WCCP-PKT:S0: Received HIA from 10.11.1.10, rcv_id:1
2w3d: WCCP-EVNT:S0: Building new router view
2w3d: WCCP-EVNT:S0: deallocate rtr_view (24 bytes)
2w3d: WCCP-EVNT:S0: allocate mask rtr_view (572 bytes)
2w3d: WCCP-EVNT:S0: copy orig info (540 bytes)
2w3d: WCCP-EVNT:S0: Assignment wait timer restarted, delay 50000
2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:2
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: setting up wc mask assignments
2w3d: WCCP-EVNT:S0: allocate current assign info (540 bytes)
2w3d: WCCP-EVNT:S0: set wc current assign info (540 bytes)
2w3d: WCCP-EVNT:S0: RA from 10.11.1.10 (id: 10.11.1.10), assignment key set to 10.11.1.10,3
2w3d: WCCP-EVNT:S0: Building new router view
2w3d: WCCP-EVNT:S0: reuse rtr_view (44 of 572 bytes)
2w3d: WCCP-EVNT:S0: copy blank current info
2w3d: WCCP-EVNT:S0: Assignment wait timer stopped
2w3d: WCCP-EVNT:S0: Built new router view: 1 routers, 1 usable WCCP clients, change # 2
2w3d: WCCP-PKT:S0: Received RA from 10.11.1.10, rcv_id:2
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: wc assignment validated
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:3
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: wc assignment validated
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:4
10CSW-LAN1(config)#
2w3d: %SEC-6-IPACCESSLOGP: list IRONPORT_GROUPLIST permitted udp 10.11.1.10(0) -> 10.11.1.9(0), 5 packets
10CSW-LAN1(config)#
2w3d: WCCP-EVNT:S0: updating wc orig assign info
2w3d: WCCP-EVNT:S0: reuse wc orig mask info (540 bytes)
2w3d: WCCP-EVNT:S0: wc assignment validated
2w3d: WCCP-PKT:S0: Sending ISY to 10.11.1.10, rcv_id:5I would recommend doing the following. Also feel free to call into the ironport support line. It is listed at the bottom of the page.
Change the wccp service to service-number 90
Try to redirect inbound traffic not outbound traffic.
Set Load-balancing to mask
Set forward method to L2
Set return method to L2
ip wccp 90 group-list IRONPORT-GROUPLIST <- Set the wccp service-number
ip wccp source-interface GigabitEthernet2/24
Interface Vlan160
ip address 10.10.16.1 255.255.254.0
ip wccp 90 redirect out <- Set the WCCP Service-number try to redirect inbound traffic
ip access-list IRONPORT-GROUPLIST
permit ip any host 10.11.1.10 (10.11.1.10 is the ironport proxy IP address)
Below is an example of how you should setup your ironport for a customer service number. Place the port numbers that you want to redirect.
Christian Rahl
Customer Support Engineer
Cisco IronPort - Web Security Appliances
Cisco Technical Assistance Center RTP
United States Ironport: 1-877-641-IRON (4766) -
WCCP assignment method mismatch
Hi all,
I am using a Cisco 3825 running 12.4(25G) code. I just upgraded my WAE (oe674) to 5.1.1c.
The WAE and router wouldnt peer due to assignment method mismatch when i do a show wccp router.
Router Information for Service Id: 61
Routers Seeing this Wide Area Engine(0)
-NONE-
Routers not Seeing this Wide Area Engine
10.204.28.1 - Assignment Method Mismatch
Routers Notified of from other WAE's
-NONE-
Router Information for Service Id: 62
Routers Seeing this Wide Area Engine(0)
-NONE-
Routers not Seeing this Wide Area Engine
10.204.28.1 - Assignment Method Mismatch
Routers Notified of from other WAE's
-NONE-
The WAE is configured as follows:
wccp router-list 1 10.204.28.1
wccp tcp-promiscuous service-pair 61 62
router-list-num 1
assignment-method mask
password ****
redirect-method gre
egress-method wccp-gre
enable
exit
wccp flow-redirect enable
When i changed the assignment method to hash, everything worked. I believe Cisco 3825 should support Mask.
Any advice?Hi Leonardo,
Did you try disabling wccp on router as well as WAE and re-enable it on router and then WAE and see if that makes a difference? If you have already done that and since as per documentation MASK assignment is supported in version you are running on router and it was working prior to upgrade, i would suggest capturing WCCP communication i.e HIA and ISU and opening a TAC case for further investigation. Did you follow the procedure as suggested in release notes during upgrade?
WCCP Interoperability
Central Managers running Version 5.1.1x can manage WAEs running software Versions 4.2.1 and later. However, we recommend that all WAEs in a given WCCP service group be running the same version.
Note All WAEs in a WCCP service group must have the same mask.
To upgrade the WAEs in your WCCP service group, follow these steps:
Step 1 You must disable WCCP redirection on the Cisco IOS router first. To remove the global WCCP configuration, use the following no ip wccp global configuration commands:
Router(config)# no ip wccp 61
Router(config)# no ip wccp 62
Step 2 Perform the WAAS software upgrade on all WAEs using the WAAS Central Manager GUI.
Step 3 Verify that all WAEs have been upgraded in the Devices pane of the WAAS Central Manager GUI. Choose Devices to view the software version of each WAE.
Step 4 If mask assignment is used for WCCP, ensure that all WAEs in the service group are using the same WCCP mask value.
Step 5 Reenable WCCP redirection on the Cisco IOS routers. To enable WCCP redirection, use the ip wccp global configuration commands:
Router(config)# ip wccp 61
Router(config)# ip wccp 62
Release notes for your reference.
http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v511/release/notes/ws511xrn.html#wp151010
Regards,
Kanwal -
Is it okay to use different service group numbers?
A new deployment of vWAAS in a DC connected to a Cat 6509 with existing WCCP redierection from an old WAAS deployment on that switch using service groups 61 and 62. I have researched service group numbers but only find a handful and want to ask the community if there are any issues using service groups 51 and 52, or 71 and 72 for this new deployment.
Thanks, KarlHi Karl,
Service groups 61 and 62 are tcp promiscous groups and will redirect all TCP traffic. Also, in case of the wccp web-cache , this is going to redirect all the traffic from TCP port 80 from routers to Cisco Cache/ACNS devices. Other Custom WCCP services c will use custom wccp number (90 - 97) . So if you want to redirect port 8080 you can use custom WCCP service group.
Some of the well known service groups are listed below and you can use which ever you want according to your requirement.
Service Name
Service Number
Protocol
Port
Priority
web-cache
0
tcp
80
240
dns
53
udp
53
202
ftp-native
60
tcp
200
tcp-promiscuous
61
tcp
34
tcp-promiscuous
62
tcp
34
https-cache
70
tcp
443
231
rtsp
80
tcp
554
200
wmt
81
tcp
1755
201
mmsu
82
udp
1755
201
rtspu
83
udp
5005
201
cifs-cache
89
tcp
139, 445
224
custom
90
220
custom
91
221
custom
92
222
custom
93
223
custom
94
224
custom
95
225
custom
96
226
custom
97
227
custom-web-cache
98
tcp
80
230
reverse-proxy
99
tcp
80
235
Regards,
Kanwal -
Hi,
I have issued these commands in my ASA 5520 to activate WCCP to redirect web traffic from a PC with IP 192.168.120.6 to a McAfee Web Gateway with IP 10.250.2.33:
access-list wccp-servers extended permit ip host 10.250.2.33 any
access-list wccp-traffic extended permit ip host 192.168.120.6 any
wccp 51 redirect-list wccp-traffic group-list wccp-servers password aspirina
wccp interface INSIDE_IF_FWSM 51 redirect in
We are seeing traffic in the WCCP statistics in ASA:
Global WCCP information:
Router information:
Router Identifier: 19X.5X.12X.9X
Protocol Version: 2.0
Service Identifier: 51
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 906
Redirect access-list: wccp-traffic
Total Connections Denied Redirect: 0
Total Packets Unassigned: 10
Group access-list: wccp-servers
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
However, the PC can't access the internet. Moreover, in the MWG we don't see GRE traffic.
Thanks in advance.Though this is in the wrong forum, maybe I can help. Can you do 'show wccp 51 detail' ? Did you already do a packet capture on your proxy? What are you seeing there?
-
ASR1002 throughput degradation when wccp redirect-list is changed
We have two ASR 1002's going to 2 different WAN service providers, and two 7371 WAE load balanced by mask assignment. When we change the ACL (adding or removing lines) from our wccp redirect-list, the throughput on interfaces applied to the wccp service-groups is degraded to almost no traffic passing, until we completely remove wccp service group from the global configuration and then reapply. Then traffic throughput on the interface goes back to normal.
Our ACL defined in the redirect list specifies our specific networks on our WAN that have WAE's and need the redirection. All other networks are denied implicitly. We need to regularly change this ACL, and this service interruption is a major issue. This was not an issue before moving to the ASR platform from 7206's.
At TAC's request we have upgraded our IOS version to 15.1(3)S4 and that did not make any difference. Does anyone know why this occurs and if there is a way to work around this other than removing wccp configuration and adding back, every time the ACL needs to be modified?
As a side note to this... We have recently added riverbed appliances, and created separate service groups with separate redirect-lists. The exact same behavior occurs on the ASR 1002 when the ACL for the riverbed's redirect list is altered.Thank you very much for sharing that information. It is great to hear verification that the mask assignment change did resolve your problem. That is the latest resolution that TAC has recommended, but we have to restart the WCCP service on all redundant edge routers to be able to implement this, so planning the outage window is taking some time. We've been told that TAC will set this up in a lab and test for us by our Cisco SE. We're hoping to get verfication that this actually resolves the problem before we take the outage.
If you could, can you tell me if this resolved the issue 100% or do you still have any performance issues when making a change to your WCCP ACL going to your bluecoat equipment? We may also need to implement this in our redirects to BlueCoat from our Nexus. Do you happen to have a link to how to make this change in Bluecoat? Thanks again! -
Configure WCCP on a 4510 switch
I have to configure an instance of a WCCP on a 4510 switch and I have to admit have read the examples given by Cisco but dont have understanding of the example config
Router(config)#
ip wccp web-cache group-address 224.1.1.100 password alaska1
I have attached the config in question above and could someone please clarify what the group address 224.1.1.100 is ?
Many Thanks
MarkNow I have used what you say which is
ip wccp 99 group-list websense_proxy (Proxy server) but it does not give the option to create redirect list and this is the out put of sh ip wccp
Service Identifier: 99
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: websense_proxy
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0 Service Identifier: 99
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: websense_proxy
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0 -
VRF Aware WCCP !!!!!! PLEASE!!!!!!
I am looking for a forcast of when WCCP will have VRF support. Head-End scalability is pretty tough to achieve with out it. ywa I can stack WAE's ( up to 32) in a WCCP service group but if the Edge WAE's are in A VRF, it breaks.
Any Ideas?The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
Kindly find here GRE Tunnel with VRF Configuration Example:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
I have gotten as far as the WAE registering the router:
"WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
WCCP configuration for TCP Promiscuous succeeded.Please remember to
configure WCCP service 61 and 62 on the corresponding router."
wae01#sh wccp router
Router Information for Service: TCP Promiscuous 61
Routers Configured and Seeing this Wide Area Engine(1)
Router Id Sent To Recv ID
0.0.0.0 209.1.1.1 0000022F
The router registers the WAE as a WCCP client:
router04#
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
client 209.1.1.2"
"*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
client 209.1.1.2"
The router however cannot figure out what its ID is and does not see
itself as a WCCP group router.
router04#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: 61
Number of Service Group Clients: 1
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
Fast: 0
CEF: 0
Redirect access-list: ACCELERATED-TRAFFIC
Total Packets Denied Redirect: 0
Total Packets Unassigned: 25957
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
This is a short summary of important commands for working with VRF's.
View the VRF instances and the associated interfaces.
ml-mr-c6-gs#show ip vrf
Name Default RD Interfaces
blurvrf 100:2 Vlan215
Vlan326
tgvrf 100:1 Vlan132
Vlan325
TenGigabitEthernet1/1
ml-mr-c6-gs#
Show the routing table for a specific VRF.
ml-mr-c6-gs#show ip route vrf tgvrf
Routing Table: tgvrf
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external,
---More--
Gateway of last resort is 128.117.243.57 to network 0.0.0.0
O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
172.17.0.0/29 is subnetted, 3 subnets
O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
--More--
Debugging should otherwise be similar to a regular switch or router.
Final Teragrid VRF Design and Diagrams
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
Teragrid Testbed Design
http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
Configuring VRF-Lite
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
sachin garg -
Cisco WCCP (multicast method ) with Bluecoat Implementation
hi
Cisco WCCP with Bluecoat Implementation . during implemetation multicast packet not flow to other vlan interface.
few observation .
Cisco wccp with bluecoat proxy ( Multicast method ) - Multicast IP # 224.1.1.103 , Group 11, dense-mode
Same Vlan its working ( user and Proxy SG )
Different Vlan not working ( user Vlan 10 and server Vlan 20 )
sample configuration :
ip multicast-routing
ip wccp 11 group-address 224.1.1.103 redirect-list 103
sh ip access-lists 103
Extended IP access list 103
40 permit tcp 10.10.10.0 0.0.0.31 any eq 443
50 permit tcp 10.10.10.0 0.0.0.31 any eq www
60 permit tcp 10.10.10.0 0.0.0.31 any eq ftp
70 deny ip any any
interface Vlan10 description "AP_User_Range"
ip address 10.10.10.0 255.255.255.0
ip helper-address 10.10.20.100
ip wccp 11 redirect in
ip wccp 11 group-listen
ip pim dense-modeDear Jon,
After changes the WCCP Command ,still WCCP not working
but both client and Proxy Same VLAN its working fine with Multicast mode
interface Vlan10
description "AP_User_Range"
ip address 10.10.10.10 255.255.255.0
ip helper-address 10.10.10.100
ip wccp 11 redirect in
interface Vlan20
description PROXY_WAN_VLAN
ip address 10.10.20.10 255.255.255.0
ip helper-address 10.10.10.100
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp 11 group-listen
ip wccp 11 group-address 224.1.1.103 redirect-list 103
sh ip access-lists 103
Extended IP access list 103
40 permit tcp 10.10.10.0 0.0.0.255 any eq 443
50 permit tcp 10.10.10.0 0.0.0.255 any eq www
60 permit tcp 10.10.10.0 0.0.0.255 any eq ftp
70 deny ip any any
sh ip wccp
Global WCCP information:
Router information:
Router Identifier: -not yet determined-
Protocol Version: 2.0
Service Identifier: 11
Number of Service Group Clients: 0
Number of Service Group Routers: 0
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect access-list: 103
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Maybe you are looking for
-
File Sharing without a Network
im trying to share files with my friend who is not on the same network as me. he is in a different college all together. what we have accomplished is sharing itunes with eachother. we had to do this through hamachi. i was wondering if anyone knew how
-
When I try to open a raw file from lightroom 5.7 I get a message that I need camera raw 8.7.1. I downloaded the update as a zip file I extracted file then went through the install wizard process but still I cant get it to work. If I go to photoshop c
-
C2 03 and C2 02 WARNING for buyers
Hi all nokia fans and sufferers ... Recently it has been brought to my attention that all the phones with sliders and clamshells have a belt installed behind the display to convey the information. I have been told that the high end models of nokia ha
-
Lexical Parsing exception using JXQI for function in XQuery
How to parse Xquery containing new declared namespace, functions and then use the same function to operate upon Xquery along with it..... When i try to execute that XQuery using JXQI library, i get lexical parsing exception....... i m quite new to XQ
-
Hi Experts, We trying to submit e-fling , but getting some buiness errors as follows and then file is rejecting by Inland Revenue. Could someone please advise how to resolvethis. We are using SAP 4.6C with Business Connector 4.7. ===================