WCCP on Nexus 7K

davidbuit
Level 1

I have a requirement to configure WCCP on the Nexus 7K for redirection of traffic to a WAN optimiser. I have multiple sources and destinations that require redirection and therefore multiple source and destination interfaces.

To reduce configuration complexity, I was looking into configuring "redirect out" and "redirect in" on the same interface and possibly on multiple interfaces for different source and destination addresses (based on ACLs).

Is this possible/recommended?

Thanks

11 Replies

Bhavin Yadav
Cisco Employee

Hi David,

Here is the link to pre-requisite for WCCP with Nexus 7k.

Guidelines and Limitations for WCCPv2

If you add IN and OUT on same interface, please make sure to add "EXCLUDE IN" on interface connected to cache engine.

Please also make sure not to use ACL with deny all at the end as if you explicitly have a "deny ip any any" for WCCP redirect list, when the ACL merge happens in LC for WCCP, it translates to "permit ip any any" i.e. just do normal routing for the packets instead of WCCP redirect. ACL merge is done differently in N7k. On N7k, ACL merge is done at the LC and is not dependent on the feature semantics.

Please also note that 4.x NX-OS uses L2 / Mask based method to select the target appliance to send the redirected traffic. Redirect IN and OUT on same interface may cause high CPU issue.

Please also make sure to use the latest NX-OS, as a lot of WCCP-related fixes have been addressed lately.

Hope this helps.

Regards.

PS: Please mark this as Answered, if it addresses your issue.
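Added example, not part of the reply above and not Cisco tooling: a small Python check that scans an NX-OS configuration for the two pitfalls the reply names, a WCCP redirect-list ACL whose last entry is an explicit "deny ip any any", and an interface with both "redirect in" and "redirect out" when no interface carries "ip wccp redirect exclude in". The function name, finding labels and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): WAAS-BAD ends in an explicit
# "deny ip any any", and no interface carries "ip wccp redirect exclude in".
SAMPLE = """\
ip access-list WAAS-BAD
  10 permit tcp 10.10.10.0/24 20.20.20.0/24
  20 deny ip any any
ip access-list WAAS-OK
  10 permit tcp 20.20.20.0/24 10.10.10.0/24
ip wccp 61 redirect-list WAAS-BAD
ip wccp 62 redirect-list WAAS-OK
interface Vlan20
  ip wccp 62 redirect in
  ip wccp 61 redirect out
"""

def lint_wccp(config):
    """Return sorted (check, object) findings for the two pitfalls above."""
    acls, redirect_lists, directions, excluded = {}, set(), {}, set()
    ctx = None  # ("acl", name) or ("if", name) while inside a block
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list (\S+)$", line):
            ctx = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.match(r"int(?:erface)? (.+)$", line):
            ctx = ("if", m.group(1).replace(" ", "").lower())
        elif m := re.match(r"ip wccp \d+ redirect-list (\S+)$", line):
            ctx = None  # global command ends any open block
            redirect_lists.add(m.group(1))
        elif ctx and ctx[0] == "acl" and re.match(r"(\d+ )?(permit|deny) ", line):
            acls[ctx[1]].append(re.sub(r"^\d+ ", "", line))  # drop sequence number
        elif ctx and ctx[0] == "if" and (m := re.match(r"ip wccp \d+ redirect (in|out)$", line)):
            directions.setdefault(ctx[1], set()).add(m.group(1))
        elif ctx and ctx[0] == "if" and line == "ip wccp redirect exclude in":
            excluded.add(ctx[1])
    findings = []
    for name in redirect_lists:
        if acls.get(name) and acls[name][-1] == "deny ip any any":
            findings.append(("explicit-deny-any", name))
    # Coarse check: any interface with "exclude in" is taken as the cache-facing port.
    both = [i for i, d in directions.items() if d == {"in", "out"}]
    if not excluded:
        findings += [("in-and-out-without-exclude-in", i) for i in both]
    return sorted(findings)

if __name__ == "__main__":
    for check, obj in lint_wccp(SAMPLE):
        print(f"{check}: {obj}")
```

The parser keys on command keywords rather than indentation, so it also accepts flat configurations pasted without leading spaces and the abbreviated `int vlan 20` form.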

davidbuit
Level 1

Thank you for the response. Just to clarify the following comment: "Please also make sure not to use ACL with deny all at the end as if you explicitly have a "deny ip any any" for WCCP redirect list"

Are you suggesting that I need to deny traffic not required to be passed to the WAN optimizer followed by a permit ip any any?

It will be near impossible to deny all of my network ranges that don't require optimisation rather than simply permit the ranges required and have a deny at the end of the ACL.

Thanks again

Hi David,

If you explicitly have a "deny ip any any" for WCCP redirect list, when the ACL merge happens in LC for WCCP, it translates to "permit ip any any" i.e. just do normal routing for the packets instead of WCCP redirect. ACL merge is done differently in N7k when compared with Cat6k.

In Cat6k, each feature does its own ACL merge and all the feature semantics are done at the feature level. But on N7k, ACL merge is done at the LC and is not dependent on the feature semantics.

e.g.

When you will have the ACL that has the last line "permit ip any any", redirection will work fine. This is just to keep in mind if ACL does not work as expected with N7K 4.2.6 code.

> ip access-list waas
>   10 deny tcp any any eq 22
>   20 deny tcp any eq 22 any
>   190 deny tcp any any eq bgp
>   200 deny tcp any eq bgp any
>   210 permit ip any any

This will be applicable only if you want to use redirect list.

Hope that explains.

Regards.

Thank you. Does the same apply to version 5.X NX-OS code?

Hi Bhavin,

If I only want to redirect traffic between the networks 10.10.10.0/24 and 20.20.20.0/24 and have all other traffic route normally can I configure an acl as follows?

It isn't going to be possible for me to have a deny first for all unwanted traffic and then a permit ip any any.

ip access-list ACL-OPTIMIZE-INBOUND
remark *** OPTIMIZE-CLIENT-TO-SERVER ***
permit tcp 10.10.10.0/24 20.20.20.0/24

ip access-list ACL-OPTIMIZE-OUTBOUND
remark *** OPTIMIZE-SERVER-TO-CLIENT ***
permit tcp 20.20.20.0/24 10.10.10.0/24


ip wccp 61 redirect-list ACL-OPTIMIZE-INBOUND
ip wccp 62 redirect-list ACL-OPTIMIZE-OUTBOUND

int vlan 20
ip wccp 62 redirect in
ip wccp 61 redirect out

interface Ethernet1/10
descrip *** WAN Optimiser ***
ip wccp redirect exclude in

Thanks

Yep. Looks good.

Let us know how it goes.

Regards.

Hi,

Further to this configuration, I have a requirement to send more traffic to the optimizer from different source/destination interfaces for different clients.

Can I apply the WCCP redirection to multiple interfaces as below, or is it recommended that I create different WCCP groups for the different clients, e.g. use 61 and 62 for one group of traffic and 71 and 72 for another?

The WAN optimiser is a Riverbed appliance.

************

Example 61, 62 and 71, 72

************

ip access-list ACL-OPTIMIZE-INBOUND-X
remark *** OPTIMIZE-CLIENT-TO-SERVER XXX ***
permit tcp 10.10.10.0/24 20.20.20.0/24

ip access-list ACL-OPTIMIZE-OUTBOUND-X
remark *** OPTIMIZE-SERVER-TO-CLIENT XXX***
permit tcp 20.20.20.0/24 10.10.10.0/24

ip access-list ACL-OPTIMIZE-INBOUND-Y
remark *** OPTIMIZE-CLIENT-TO-SERVER YYYY ***
permit tcp 30.30.30.0/24 40.40.40.0/24

ip access-list ACL-OPTIMIZE-OUTBOUND-Y
remark *** OPTIMIZE-SERVER-TO-CLIENT YYYY***
permit tcp 40.40.40.0/24 30.30.30.0/24

ip wccp 61 redirect-list ACL-OPTIMIZE-INBOUND-X
ip wccp 62 redirect-list ACL-OPTIMIZE-OUTBOUND-X

ip wccp 71 redirect-list ACL-OPTIMIZE-INBOUND-Y
ip wccp 72 redirect-list ACL-OPTIMIZE-OUTBOUND-Y

int vlan 20
description --- routing itnerface for client XXX traffic --
ip wccp 62 redirect in
ip wccp 61 redirect out

int vlan 21
description --- routing itnerface for client YYYY traffic --
ip wccp 72 redirect in
ip wccp 71 redirect out

interface Ethernet1/10
descrip *** WAN Optimiser ***
ip wccp redirect exclude in

*************

OR 61,62 for both

*************


ip access-list ACL-OPTIMIZE-INBOUND
remark *** OPTIMIZE-CLIENT-TO-SERVER XXX ***
permit tcp 10.10.10.0/24 20.20.20.0/24
remark *** OPTIMIZE-CLIENT-TO-SERVER YYYY ***
permit tcp 30.30.30.0/24 40.40.40.0/24

ip access-list ACL-OPTIMIZE-OUTBOUND
remark *** OPTIMIZE-SERVER-TO-CLIENT XXX***
permit tcp 20.20.20.0/24 10.10.10.0/24
remark *** OPTIMIZE-SERVER-TO-CLIENT YYYY***
permit tcp 40.40.40.0/24 30.30.30.0/24

ip wccp 61 redirect-list ACL-OPTIMIZE-INBOUND
ip wccp 62 redirect-list ACL-OPTIMIZE-OUTBOUND

int vlan 20
description --- routing itnerface for client XXX traffic --
ip wccp 62 redirect in
ip wccp 61 redirect out

int vlan 21
description --- routing itnerface for client YYYY traffic --
ip wccp 62 redirect in
ip wccp 61 redirect out

interface Ethernet1/10
descrip *** WAN Optimiser ***
ip wccp redirect exclude in

Hi David,

If your WAN optimizer is Riverbed, we highly recommend you use the services between 90-97 which are defined as open customized services. WCCP 61 and 62 are defined specifically for WAAS. It will work with service 61 and 62 but you may encounter unknown issues.

Further, instead of adding more services, just add WCCP statements where you want to add redirection of further traffic. No need to add any more services on routers / Riverbed.

Hope this helps.

Regards.

David,

Is there a reason why you used "ip wccp 61 redirect out" on your egress interface instead of "ip wccp 61 redirect in" on the ingress on your Nexus 7k? I noticed that 61 redirect in doesn't work and 61 redirect out does work. Did you experience the same?

Roman

We used 'in' and 'out' on the same interface to avoid having to make changes on a critical port-channel. Just remember to use exclude-in on the wccp port to avoid loops if you do this.

I experienced a number of issues, most relating to the traffic definition ACLs not being put into TCAM. Try removing the configuration and re-applying it, and ensure that the ACLs are registered in TCAM.

Use the 'show sys internal access-list interface' command to check the TCAM status for the specified interface.

e.g.

show sys internal access-list interface eth1/1 input entries detail module 1

show sys internal access-list interface eth1/1 input statistics 1


Hello,

I am deploying WCCPv2 on a pair of N7Ks in the same fashion as discussed in this post, i.e. both IN & OUT specified under the same interface. I do not see any traffic being redirected to the WAAS. In my setup, I have a client connected in the 10.10.10.0/24 VLAN (Aggregation VDC) and I am targeting a device accessible out the WAN interface (E1/9 in this instance in a Core VDC). The HTTP session (which is my test traffic) fails and I do not see any traffic being redirected. If I move the WCCP redirect IN to an interface connecting down to my VLAN (happens to be an interlink to the aggregation VDC on the same box), then redirect seems to be working. Does anyone have any thoughts or know of any problems using IN & OUT on the same interface on a N7K?

ip wccp 61 redirect-list WCCP-Redirect-61
ip wccp 62 redirect-list WCCP-Redirect-62
!
ip access-list WCCP-Redirect-61
  10 permit ip 10.10.10.0/24 any
ip access-list WCCP-Redirect-62
  10 permit ip any 10.10.10.0/24
!
interface Vlan17
**** this is where the WAAS is located*****
ip wccp redirect exclude in
!
interface Ethernet1/9
**** WAN interface ******
ip wccp 61 redirect in
ip wccp 62 redirect out
