can't make redirect-list on 4507R-E

I need to deploy WAAS between a branch and HQ.

The HQ side is a Catalyst switch 6509-E (VSS) and the branch side is a Catalyst 4507R-E.

The 6509-E supports "Redirect Filter" (an access-list) filtering just the traffic you want. The following is my access-list on the HQ side:

ip wccp 61 redirect-list WCCPLIST group-list 3
ip wccp 62 redirect-list WCCPLIST group-list 3

access-list 3 permit 10.X.X.X     <--------- WAE IP address

ip access-list extended WCCPLIST
 remark ** ACL used for WCCP redirect-list **
 remark Deny VoIP Control Traffic
 deny tcp any any eq 1300
 deny tcp any any eq 2428
 deny tcp any any eq 2000
 deny tcp any any eq 2001
 deny tcp any any eq 2002
 deny tcp any any eq 2443
 deny tcp any any eq 1718
 deny tcp any any eq 1719
 deny tcp any any eq 1720
 deny tcp any any eq 5060
 deny tcp any any range 11000 11999
 remark Deny MGT Traffic
 deny tcp any any eq telnet
 deny tcp any eq telnet any
 deny tcp any any eq 22
 deny tcp any any eq 161
 deny tcp any any eq 162
 deny tcp any any eq 123
 deny tcp any any eq 8443
 remark Deny Routing
 deny tcp any any eq bgp
 remark Deny Authentication Traffic
 deny tcp any any eq tacacs
 remark Accelerate Traffic between Branch and HQ
 permit tcp 10.Br.Br.0 0.0.0.255 10.HQ.HQ.0 0.0.0.255
 permit tcp 10.HQ.HQ.0 0.0.0.255 10.Br.Br.0 0.0.0.255

Whereas on the Branch side, the platform 4507R-E doesn't support ACL with WCCP, so it means the WCCP will intercept all the TCP traffic.

What would be the impact and how do I deal with this situation?

Or is the WAE intelligent enough to pass through the unwanted traffic?

Or do I need to make individual policy for pass-through for each of the unwanted traffic?

Regards,

Jilani
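An added example, not part of the original post: a small first-match evaluator for a subset of the WCCPLIST entries above, so each direction of a flow can be checked against the redirect-list before it is deployed. The subnets 10.20.20.0/24 (branch) and 10.10.10.0/24 (HQ) are constructed stand-ins for the 10.Br.Br.0 and 10.HQ.HQ.0 placeholders, and the function names are hypothetical.

```python
import ipaddress

# Entries copied from the WCCPLIST in the post (subset). The 10.Br.Br.0 and
# 10.HQ.HQ.0 placeholders are replaced by constructed subnets (assumption).
WCCPLIST = """
deny tcp any any eq 5060
deny tcp any any range 11000 11999
deny tcp any any eq telnet
deny tcp any eq telnet any
deny tcp any any eq 22
deny tcp any any eq bgp
permit tcp 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
"""
NAMED = {"telnet": 23, "bgp": 179}  # IOS port keywords used in the entries

def _addr(tok):
    """Consume 'any' or 'network wildcard'; return (matcher, remaining tokens)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    net, wild = (int(ipaddress.ip_address(t)) for t in tok[:2])
    return (lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (net | wild)), tok[2:]

def _port(tok):
    """Consume an optional 'eq P' or 'range LO HI'; return (matcher, remaining)."""
    num = lambda p: NAMED.get(p) or int(p)
    if tok and tok[0] == "eq":
        return (lambda p, v=num(tok[1]): p == v), tok[2:]
    if tok and tok[0] == "range":
        return (lambda p, lo=num(tok[1]), hi=num(tok[2]): lo <= p <= hi), tok[3:]
    return (lambda p: True), tok

def parse(acl):
    rules = []
    for line in acl.strip().splitlines():
        action, _proto, *tok = line.split()
        src, tok = _addr(tok); sport, tok = _port(tok)
        dst, tok = _addr(tok); dport, tok = _port(tok)
        rules.append((action, src, sport, dst, dport))
    return rules

def redirected(rules, sip, sp, dip, dp):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, src, sport, dst, dport in rules:
        if src(sip) and sport(sp) and dst(dip) and dport(dp):
            return action == "permit"
    return False

RULES = parse(WCCPLIST)
```

Evaluating both directions shows that only telnet has a source-port deny entry: packets sent from port 22 on an HQ server back to a branch client fall through to the final permit, while the client-to-server direction is denied.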

Daniel Arrondo Ostiz
Cisco Employee

Hi Jilani,

This should not be a big issue.

As you probably know, when WAAS wants to optimize a connection, it will add an option during the TCP handshake. Then, if this option is set also in the other direction, optimization will begin. In your case, since one of the branches has an ACL to limit what traffic is redirected, those connections that don't match the ACL will not get the TCP option inserted, and thus, they will not be optimized.

The only possible problem comes from the fact that, on the branch, all the traffic will be sent to the WAE. Even if it's in pass-through, this still requires some processing from the WAE (to decapsulate, route....), so, if you have a lot of TCP traffic that is not getting optimized, you may end up wasting a lot of resources on the WAE.

Unfortunately, nothing you can do apart from migrating your 4500 to a different platform.

Regards

Daniel

Hi Jilani,

Can't see from your mail what kind of supervisor you are using in your 45xx switch.

But please be aware that if you're using a SUP-7-E or a SUP-7-L-E, WCCP is NOT supported for the time being.

WCCP is supported in Hardware but we're waiting for a software release, which supports this.

This is according to the release notes :

SUP-7-L-E : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/release/note/OL_25346.html

SUP-7-E : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/release/note/OL_24726.html

Strange thing is that you can actually "configure" some WCCP stuff, but the config will never hit the running-config.

And you cannot enable WCCP.

Feature navigator states that WCCP is available in IOS XE 3.2.0XO (for SUP-7-L-E) but release notes tend to be more trustworthy than feature navigator.

Best Regards

Finn Poulsen

Hi Finn,

WS-C4507R-E with Sup V-10GE 10GE (X2)

and IOS : Advance Enterprise 12.2(33)SXI2a

I did not configure the WCCP yet on the boxes but I do see the commands coming up in configuration mode for WCCP.

I used the Cisco Advisor Tool regarding the availability of the WCCP feature on these switches and it gives:

      Catalyst 4507R-E-Sup5-10GE supports the following with the mentioned IOS:

  • WCCP Redirection on Inbound Interfaces
  • WCCP Version 2

But as Daniel mentioned, it shouldn't be an issue with WCCP without a redirect-list, provided I can configure them.

I'll try it and let you guys know.

Regards,

Jilani

Hi again,

OK - SUP V should be OK with respect to WCCP - however I don't think you've managed to get 12.2(33)SXI2a loaded on a SUP V - this is normally for a 6500 platform.

However, if you encounter overload problems on the branch WAE (too many concurrent TCP sessions), implement an Interception Access list on the WAAS itself - see here:

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v441/configuration/guide/traffic.html#wp1206910

This will not prevent the (unwanted) sessions from reaching the branch WAE - but it will prevent the branch WAE from trying to negotiate an Optimization session with the Datacenter WAE, by putting the session in Passthrough immediately.

This will prevent the session from counting against the TCP connection limit during the TCP 3-way handshake period.

Best regards

Finn

Yes Finn, you are right! I can't put that IOS into SUP V, it was a copy paste mistake on my part.

It is running:  12.2(54)SG entservices.

However, the link for Configuring an interception ACL is very useful. I didn't know that before. Thanks
