Setting up wccp for testing

steve switzer
Level 1

Hi

I am trying to set up wccp to a bluecoat webcache on our network so I can test IWA authentication but so far no luck.

When I do a sh ip wccp on the core router it looks good but none of my packets are being redirected -

Router information:
        Router Identifier:                   x
        Protocol Version:                    2.0

    Service Identifier: 3
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Redirect access-list:                116
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

This means that the router is seeing the webcache so they are talking.

Now I have the webcache on one vlan and the outgoing interface to the other switch and the internet is on another.

Is it correct that on the vlan interface with the webcache I put in this command -

ip wccp web-cache redirect out

And on the interface facing the switch which routes towards the internet -

ip wccp web-cache redirect in

Effectively I have a bluecoat off a switch which in turn is routed to another switch off which another bluecoat is wccp'd - can I do this?

Currently I can't seem to see any packets being redirected

Any ideas?

Steve

8 Replies

Edison Ortiz
Hall of Fame

Steve,

WCCP is done in hardware and the above counters are for software switched packets.

An ideal WCCP design is to have 'wccp redirect-in' on the user Vlan.

Any packet that matches the service group configured on the Blue Coat would be redirected.

The Blue Coat appliance must reside on its own Vlan and this Vlan can't have 'wccp redirect-in' configured.

There are some caveats with WCCP in the out direction and the answer depends on the platform you are using which you never stated.

Regards,

Edison

Hi Edison

I am using a 6500 with Sup 720 10GE and an MSFC3 daughterboard.

Are you saying I really need to put the test bluecoat in its own vlan?

The machine I wish to test with is in our management vlan and I have configured an access list on this to restrict this to my own machine.

Does this mean I have to put the - ip wccp web-cache redirect in - in my management vlan?

Currently on our working bluecoat it's in the same vlan as the outgoing interface to the internet and we have this command on the interface - ip wccp 10 redirect out

Steve

On the Cat6k box, WCCP on egress is supported but in software. Not recommended to use this method.

You have to place the wccp on ingress in the management vlan and if you place the wccp on ingress on a vlan where the bluecoat resides, make sure to deny this IP with an ACL while using WCCP.

For a list of Best Practices and configuration guidelines, please refer to this document:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-629052.html

steve switzer
Level 1

Thanks Edison

That's odd, as I said we have a bluecoat in the same vlan as the outgoing interface with ip wccp 10 redirect out and it uses a hash assignment.

So are you saying if I

a. put - ip wccp 10 redirect in - on the vlan interface.

b. put the ip address of the webcache in an acl to deny it

It should work - I will give it a try now.

Also the link suggests using a mask based assignment method.

Steve

Just realized I have done this - here is my sh ip wccp detail -

WCCP Client information:
        WCCP Client ID:          x.x.x.x
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             L2
        Packet Return:           GRE
        Assignment:              HASH
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
        Connect Time:            17:37:15
        Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0

Or :  sh ip wccp

Global WCCP information:
    Router information:
        Router Identifier:                   10.253.14.1
        Protocol Version:                    2.0

    Service Identifier: 3
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          CEF:                               0
        Redirect access-list:                116
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

My  access list is -  

permit ip host x.x.x.x any
access-list 116 deny   ip any any

Shouldn't this work, as the router and the webcache can see each other, but it doesn't.

Steve

Steve,

Please provide the config from the switch.

Did you configure the service-group in the web cache engine?

I agree with Edison, config is needed.

Also you are using HASH assignment. That means that software processing will occur even if you change redirect from egress to ingress. You need MASK assignment for full hw acceleration.

Riccardo

Hi All

Here is the wccp config on the 6500- such as it is -

ip wccp 3 redirect-list 116
access-list 116 permit ip host (my ip address)
access-list 116 deny   ip any any
!
!

These are the interfaces to the outgoing 6500 with the main bluecoat working on wccp off it.

!
interface TenGigabitEthernet1/3/1
 no switchport
 no ip address
 ip wccp 3 redirect out
 ip ospf authentication-key xxxx
 ip ospf mtu-ignore
 channel-group 250 mode on
interface TenGigabitEthernet2/3/1
 description 2nd IX link
 no switchport
 no ip address
 ip wccp 3 redirect out
 ip ospf authentication-key xxxx
 ip ospf mtu-ignore
 channel-group 250 mode on
interface Vlan253
 ip address 10.14.253.254 255.255.255.0
 ip directed-broadcast
 ip wccp 3 redirect out
 ip flow ingress

If you need more let me know

Steve
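
A small check for the two points raised in the replies above (egress redirection and HASH assignment keeping redirection in software on the Cat6k), run over the config and detail output posted in this thread. It is an added example, not something posted by anyone in the thread; the function names are made up here, and it assumes interface sub-commands are indented the way show running-config prints them.

```python
import re

# Trimmed from the config and "sh ip wccp detail" output posted in this thread.
CONFIG = """\
ip wccp 3 redirect-list 116
interface TenGigabitEthernet1/3/1
 ip wccp 3 redirect out
interface Vlan253
 ip address 10.14.253.254 255.255.255.0
 ip wccp 3 redirect out
"""
DETAIL = "        Redirection:             L2\n        Assignment:              HASH\n"

def parse_config(config):
    """Return (global service ids, {interface: [(service, direction), ...]})."""
    services, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line and not raw[0].isspace():
            current = None  # an unindented line ends the interface block
        if m := re.fullmatch(r"ip wccp (\S+) redirect (in|out)", line):
            if current:
                interfaces[current].append(m.groups())
        elif m := re.match(r"ip wccp (\S+)", line):
            services.add(m.group(1))  # global service definition
    return services, interfaces

def audit(config, detail):
    """List the conditions that, per the replies, keep redirection in software."""
    services, interfaces = parse_config(config)
    findings = []
    for name, rules in interfaces.items():
        for svc, direction in rules:
            if direction == "out":
                findings.append(f"{name}: service {svc} redirects on egress")
            if svc not in services:
                findings.append(f"{name}: service {svc} is not enabled globally")
    if not any(d == "in" for rules in interfaces.values() for _, d in rules):
        findings.append("no interface uses 'redirect in'")
    m = re.search(r"Assignment:\s+(\S+)", detail)
    if m and m.group(1).upper() != "MASK":
        findings.append(f"cache negotiated {m.group(1)} assignment, not MASK")
    return findings

for finding in audit(CONFIG, DETAIL):
    print("-", finding)
```
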
