Web Cache Communication Protocol (WCCP)

A customer implemented a transparent Cisco WSA (Ironport) for the redirection of HTTP and HTTPS traffic. WCCP had to be configured on their Cisco 3750 switch running IOS release 12.2(55)SE9.
First some background info on WCCP:

The Cisco IOS WCCP feature allows utilization of Cisco Cache Engines (or other caches running WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally. Traffic localization reduces transmission costs and download time.
WCCP enables Cisco IOS routing platforms to transparently redirect content requests. The main benefit of transparent redirection is that users need not configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and have their requests automatically redirected to a cache engine. The word “transparent” in this case means that the end user does not know that a requested file (such as a web page) came from the cache engine instead of from the originally specified server.
When a cache engine receives a request, it attempts to service it from its own local cache. If the requested information is not present, the cache engine issues its own request to the originally targeted server to get the required information. When the cache engine retrieves the requested information, it forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download performance and substantially reducing transmission costs.
WCCP enables a series of cache engines, called a cache engine cluster, to provide content to a router or multiple routers. Network administrators can easily scale their cache engines to handle heavy traffic loads through these clustering capabilities. Cisco clustering technology enables each cache member to work in parallel, resulting in linear scalability. Clustering cache engines greatly improves the scalability, redundancy, and availability of your caching solution. You can cluster up to 32 cache engines to scale to your desired capacity.

I took the above text from the Cisco website, so if you want to read more on the theory behind WCCP check out: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf018.html

To configure WCCP on a Cisco 3750 there are some constraints:

  • Make sure the switch runs a routing SDM template (sdm prefer routing)
  • Forwarding can only be L2 (in the WSA the default is GRE or L2; set it explicitly to L2 only)
  • The assignment method can only be MASK (in the WSA the default is HASH or MASK; set it explicitly to MASK only)
  • Make sure the clients and the WSA are on different VLANs
  • The WCCP redirect list can only contain PERMIT statements
  • When using a dynamic WCCP service identifier, configure in the WSA the ports that have to be redirected; in this example these are 80 (HTTP) and 443 (HTTPS)

The configuration will look like the following.
First configure the routed VLANs:
!
vlan 100
name WSA
!
vlan 200
name Clients
!
int vlan 100
ip address 10.10.10.254 255.255.255.0
no shut
!
int vlan 200
ip address 172.18.10.254 255.255.255.0
no shut
!

Then configure the access list to “catch” the client traffic that has to be redirected:
!
ip access-list extended 100
permit tcp 172.18.10.0 0.0.0.255 any eq www
permit tcp 172.18.10.0 0.0.0.255 any eq 443
!
I used a numbered ACL, so I can debug it. A named list can’t be debugged! Make the ACL as specific as possible!

Then create an ACL for the redirect-list. This ACL consists of the WSA addresses.
!
access-list 10 permit 10.10.10.1
access-list 10 permit 10.10.10.2
!

The actual WCCP configuration consists of two commands.
A global command:
!
ip wccp 100 redirect-list 10
!

And a command on the client vlan interface:
!
int vlan 200
ip wccp 100 redirect in
!

There isn’t more to it. To check whether WCCP is functioning, use the “show ip wccp 100 [detail|view]” command.
To check a little deeper, use the “debug ip wccp packets” command. If you see the “WCCP2_HERE_I_AM” and “WCCP2_I_SEE_YOU” packets, then the WCCP mechanism is functioning.
Even if WCCP functions, it’s possible that traffic does not get redirected. This can be due to a dozen different problems. The first step is to check whether the client traffic is redirected at all. This can be done with the “debug ip packet detail 100” command. If no traffic hits the ACL, traffic won’t be redirected to the WSA.
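As an added example (not part of the original post), a small Python matcher for the IOS wildcard-mask ACL syntax used in ACL 100 and ACL 10 above: it predicts which flows should hit ACL 100 (and therefore show up under “debug ip packet detail 100”) before you touch the switch, and checks that a redirect-list ACL contains only permit statements. The ACL lines are copied from the post; the flow addresses in the test are constructed.

```python
import ipaddress
PORT_NAMES = {"www": 80, "https": 443}   # IOS port keywords used in the post's ACL

def _addr(tok, i):
    """Parse 'any' | 'A WILDCARD' | bare 'A' (single host) at tok[i]; return ((net, wc), next)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net = int(ipaddress.IPv4Address(tok[i]))
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:     # explicit wildcard mask follows
        return (net, int(ipaddress.IPv4Address(tok[i + 1]))), i + 2
    return (net, 0), i + 1

def _in(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    net, wc = spec
    mask = ~wc & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def parse_ace(line):
    """Return (action, proto, src, dst, dport) for an extended or standard ACE."""
    tok = line.split()
    if tok[0] == "access-list":              # 'access-list 10 permit 10.10.10.1'
        tok = tok[2:]
    if tok[1] in ("tcp", "udp", "ip"):       # extended ACE: proto, src, dst, optional 'eq port'
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return tok[0], tok[1], src, dst, dport
    src, _ = _addr(tok, 1)                   # standard ACE filters on source only
    return tok[0], "ip", src, (0, 0xFFFFFFFF), None

def _aces(acl):
    return [l.strip() for l in acl if l.strip() and not l.startswith(("!", "ip access-list"))]

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top-down; first match wins, implicit deny at the end."""
    for line in _aces(acl):
        action, p, s, d, port = parse_ace(line)
        if p in ("ip", proto) and _in(s, src) and _in(d, dst) and port in (None, dport):
            return action
    return "deny"

def redirect_list_only_permits(acl):
    """The post's constraint: a WCCP redirect-list ACL may contain only permit statements."""
    return all(parse_ace(l)[0] == "permit" for l in _aces(acl))

ACL_100 = ["ip access-list extended 100", "permit tcp 172.18.10.0 0.0.0.255 any eq www",
           "permit tcp 172.18.10.0 0.0.0.255 any eq 443"]           # copied from the post
ACL_10 = ["access-list 10 permit 10.10.10.1", "access-list 10 permit 10.10.10.2"]
```

A client flow such as `evaluate(ACL_100, "tcp", "172.18.10.25", "192.0.2.10", 80)` returns "permit", while the same client on port 22, or a flow sourced from the WSA itself, falls through to the implicit deny and is not redirected.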


Cisco stackport admin down

Lately one of our customers’ Cisco 3750 switch stacks has been logging a syslog entry stating that one of the stack ports is administratively down. About 10 seconds later the port comes up again. Because of the redundant stack cables, the stack keeps functioning as usual. While troubleshooting it became clear to me that it is possible to administratively shut down a stack port.

I never knew that a stack port could be configured as administratively down. After some research in the Cisco 3750 configuration guide I found out it is absolutely possible.
Normally a switch port is brought administratively down in “interface configuration” mode. A stack port is brought administratively down in “privileged EXEC” mode, with the following command:

Switch01# switch <switch number> stack port <stack port number> disable/enable

Be careful with this command, because if you shut the wrong stack port it’s possible that traffic is disrupted.