06-14-2011 04:24 AM - edited 03-04-2019 12:42 PM
Hi
I am trying to set up WCCP to a Blue Coat webcache on our network so I can test
IWA authentication, but so far no luck.
When I do a sh ip wccp on the core router it looks good, but none of my packets are being redirected -
Router information:
Router Identifier: x
Protocol Version: 2.0
Service Identifier: 3
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 116
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
This means that the router is seeing the webcache, so they are talking.
Now I have the webcache on one VLAN, and the outgoing interface to the other switch and the internet is on another.
Is it correct that on the VLAN interface with the webcache I put in this command -
ip wccp web-cache redirect out
And on the interface facing the switch which routes towards the internet -
ip wccp web-cache redirect in
Effectively I have a Blue Coat off a switch, which in turn is routed to another switch off which another Blue Coat
is WCCP'd - can I do this?
Currently I can't seem to see any packets being redirected.
Any ideas?
Steve
06-14-2011 07:14 AM
Steve,
WCCP is done in hardware and the above counters are for software switched packets.
An ideal WCCP design is to have 'wccp redirect-in' on the user Vlan.
Any packet that matches the service group configured on the Blue Coat would be redirected.
The Blue Coat appliance must reside on its own Vlan and this Vlan can't have 'wccp redirect-in' configured.
There are some caveats with WCCP in the out direction and the answer depends on the platform you are using which you never stated.
Regards,
Edison
06-15-2011 01:40 AM
Hi Edison
I am using a 6500 with Sup 720 10GE and an MSFC3 daughterboard.
Are you saying I really need to put the test Blue Coat in its own VLAN?
The machine I wish to test with is in our management VLAN and I have configured
an access list on this to restrict this to my own machine.
Does this mean I have to put the - ip wccp web-cache redirect in - in my management
VLAN?
Currently our working Blue Coat is in the same VLAN as the outgoing interface to the internet
and we have this command on the interface - ip wccp 10 redirect out
Steve
06-15-2011 10:03 AM
On the Cat6k box, WCCP on egress is supported but in software. Not recommended to use this method.
You have to place the wccp on ingress in the management vlan and if you place the wccp on ingress on a vlan where the bluecoat resides, make sure to deny this IP with an ACL while using WCCP.
For a list of Best Practices and configuration guidelines, please refer to this document:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-629052.html
06-16-2011 01:56 AM
Thanks Edison
That's odd, as I said we have a Blue Coat in the same VLAN as the outgoing interface
with ip wccp 10 redirect out and it uses a hash assignment.
So are you saying if I
a. put - ip wccp 10 redirect in - on the vlan interface.
b. put the ip address of the webcache in an acl to deny it
It should work - I will give it a try now.
Also the link suggests use a mask based assignment method.
Steve
06-16-2011 02:24 AM
Just realized I have done this - here is my sh ip wccp detail -
WCCP Client information:
WCCP Client ID: x.x.x.x
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 0
Connect Time: 17:37:15
Bypassed Packets
Process: 0
CEF: 0
Errors: 0
Or : sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 10.253.14.1
Protocol Version: 2.0
Service Identifier: 3
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 0
Process: 0
CEF: 0
Redirect access-list: 116
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total Bypassed Packets Received: 0
My access list is -
permit ip host x.x.x.x any
access-list 116 deny ip any any
Shouldn't this work, as the router and the webcache can see each other? But it doesn't.
Steve
06-17-2011 02:31 PM
Steve,
Please provide the config from the switch.
Did you configure the service-group in the web cache engine?
06-18-2011 10:28 AM
I agree with Edison, config is needed.
Also you are using HASH assignment. That means that software processing will occur even if you change redirect from egress to ingress. You need MASK assignment for full hw acceleration.
Riccardo
07-11-2011 04:10 AM
Hi All
Here is the WCCP config on the 6500 - such as it is -
ip wccp 3 redirect-list 116
access-list 116 permit ip host (my ip address)
access-list 116 deny ip any any
!
!
These are the interfaces to the outgoing 6500 with the main bluecoat
working on wccp off it.
!
interface TenGigabitEthernet1/3/1
no switchport
no ip address
ip wccp 3 redirect out
ip ospf authentication-key xxxx
ip ospf mtu-ignore
channel-group 250 mode on
interface TenGigabitEthernet2/3/1
description 2nd IX link
no switchport
no ip address
ip wccp 3 redirect out
ip ospf authentication-key xxxx
ip ospf mtu-ignore
channel-group 250 mode on
interface Vlan253
ip address 10.14.253.254 255.255.255.0
ip directed-broadcast
ip wccp 3 redirect out
ip flow ingress
If you need more let me know
Steve
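The points raised in the replies above (redirect on ingress rather than egress on the Cat6k, MASK rather than HASH assignment) can be checked mechanically against a pasted config. This is an added example, not part of the original thread: the function name `audit_wccp` and the host address 192.0.2.10 are assumptions, and the sample input is constructed from the output posted above.

```python
import re

# Constructed sample input: the WCCP lines of the switch configuration and
# "sh ip wccp detail" output posted in this thread; 192.0.2.10 is a placeholder.
SAMPLE_CONFIG = """\
ip wccp 3 redirect-list 116
access-list 116 permit ip host 192.0.2.10 any
access-list 116 deny ip any any
!
interface TenGigabitEthernet1/3/1
no switchport
ip wccp 3 redirect out
channel-group 250 mode on
interface Vlan253
ip address 10.14.253.254 255.255.255.0
ip wccp 3 redirect out
"""
SAMPLE_DETAIL = "Redirection: L2\nPacket Return: GRE\nAssignment: HASH\n"

def audit_wccp(config, detail):
    """Return (location, message) findings for a WCCP config and client detail."""
    findings, iface, ingress_seen = [], None, False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            iface = line.split()[1]          # entering an interface block
        elif line == "!":
            iface = None                     # "!" closes the current block
        # "redirect-list" does not match: the pattern needs "redirect in|out"
        m = re.match(r"ip wccp (\S+) redirect (in|out)$", line)
        if m and iface:
            if m.group(2) == "out":
                findings.append((iface, f"service {m.group(1)}: redirect out "
                                        "(egress is software-switched on Cat6k)"))
            else:
                ingress_seen = True
    if not ingress_seen:
        findings.append(("global", "no interface has 'redirect in'"))
    m = re.search(r"Assignment:\s*(\S+)", detail)
    if m and m.group(1).upper() == "HASH":
        findings.append(("cache", "HASH assignment; MASK is needed for "
                                  "full hardware acceleration"))
    return findings

if __name__ == "__main__":
    for location, message in audit_wccp(SAMPLE_CONFIG, SAMPLE_DETAIL):
        print(f"{location}: {message}")
```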