
3560 with WCCP not working correctly

Not applicable

I am trying to configure a 3560 (Version 12.2(55)SE3) with IPServices to run WCCP to two to an Ironport WSA.

I believe everything is set up correctly, however WCCP is still not operational. I have checked the debug logs on the switch and I'm presented with a number of messages along the lines of...

    *Mar  1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: enter
    *Mar  1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: exit
    *Mar  1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: enter
    *Mar  1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: reuse orig mask info (28 bytes)
    *Mar  1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: exit
    *Mar  1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 w/bad fwd method L2, received indirectly via FastEthernet0/1
    *Mar  1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 with incompatible capabilites

I understand there are certain limitations on certain Cisco devices, and I'm not sure what these are for a 3560, however I have tried every combination on the Ironport appliance.

This includes forwarding & return of just GRE, and also just L2, and then a combination of both.

WCCP web-cache view outputs the following on the switch...

    WCCP Routers Informed of:
        -none-

    WCCP Clients Visible:
        10.1.10.10

    WCCP Clients NOT Visible:
        -none-

If you need any further information please let me know, otherwise thanks in advance.

Neil

7 Replies

rsimoni
Cisco Employee

Hi Neil,

The message seems to say that your WCCP client is not directly connected while L2 forwarding method is being used. The WCCP client (the Ironport in your case) MUST be connected at L2 (same subnet) for L2 forwarding.

For confirmation you can check "sh ip wccp det" and see which redirection and assignment are used and the state of WCCP.

Also check the STP status of the port which is physically connected to the Ironport as it must be forwarding.

Riccardo

One more thought, port fast0/1 (which receives WCCP packets from the WCCP client) must have the WCCP VLAN (the one 10.1.10.10 resides on) allowed and forwarding.

Not applicable

Thanks Riccardo.

The Ironport is set to both GRE or L2, however the switch seems to be attempting L2.

    WCCP Client information:
        WCCP Client ID:          192.168.254.26
        Protocol Version:        2.0
        State:                   NOT Usable (Protocol not L2 connected)
        Redirection:             L2
        Packet Return:           L2
        Packets Redirected:    0
        Connect Time:          01:19:30
        Assignment:            MASK

Should the switch dynamically pick up changes if I change the Ironport to GRE only, because this isn't the behavior I've been seeing...

Perhaps it's worth me clarifying the topology. I am merely testing this at the moment, however...

Client --> Switch 1 (3560 with IPServices running WCCP) --> Routed Link --> Switch 2 --> Router 1 --> WAN --> Switch 3 (managed by 3rd party) --> Ironport Appliance.

Are you able to clarify a little more your suggestions around spanning tree please?


Thanks,

Neil

rsimoni
Cisco Employee

Hi Neil,

My suggestions are not applicable as your setup cannot work.

The GRE forwarding method for packet redirection is not supported (as per config guide). The only supported redirect mode is L2.  Likely during the negotiation your Ironport tries to negotiate both modes and the Catalyst picks L2, which is the only one it can use.

Redirection:             L2    <<<<<

By supporting L2 redirect only it is implied that the wccp server (the switch in this case) and the wccp client (ironport appliance) must be in the same subnet. From your topology we see that this is not true as you have a routed link between the switch and the appliance.

This is what the switch is complaining about

State:                   NOT Usable (Protocol not L2 connected)  <<<<<<

and also ":*Mar  1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 w/bad fwd method L2, received indirectly via FastEthernet0/1"   which means exactly the same thing.

You should move your ironport to the location where switch 1 is, if this is possible.

To recap this is what the 3560/3750 supports in terms of wccp

    Platform            OS Version   Forwarding   Return       Assignment   Direction   Redirect list
    Catalyst 3560/3750  12.2(37)SE   L2           GRE or L2*   Mask         In          Yes**

*Although GRE return mode is supported it is not recommended as it will cause CPU load (GRE encapsulation/decapsulation is not supported in hardware but handled in software)

** Only permit entries are supported

Riccardo
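
The diagnosis in the reply above, written out as an added example (not part of the original posts): it parses the client detail and debug lines quoted in this thread and flags any cache engine that negotiated L2 redirection without being on a subnet directly attached to the switch. The `SWITCH_INTERFACES` addresses and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Output excerpts below are copied from the posts in this thread.
DETAIL = """\
WCCP Client information:
        WCCP Client ID:          192.168.254.26
        State:                   NOT Usable (Protocol not L2 connected)
        Redirection:             L2
        Packet Return:           L2
        Assignment:            MASK
"""
DEBUG = """\
*Mar  1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 w/bad fwd method L2, received indirectly via FastEthernet0/1
*Mar  1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 with incompatible capabilites
"""
# Constructed for illustration: the switch's own addresses are not given in the thread.
SWITCH_INTERFACES = ["10.1.20.1/24", "10.1.30.1/30"]

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$")
BAD_FWD = re.compile(r"Here_I_Am packet from (\S+) w/bad fwd method (\S+), "
                     r"received indirectly via (\S+)")

def parse_clients(text):
    """Split the client section of the detail output into one dict per client."""
    clients = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers and blank lines carry no key/value pair
        key, value = m.groups()
        if key == "WCCP Client ID":
            clients.append({})
        if clients:
            clients[-1][key] = value
    return clients

def on_link(client_ip, interfaces):
    """True if the client sits in a subnet the switch is directly attached to."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_interface(i).network for i in interfaces)

def diagnose(detail, debug, interfaces):
    """Return (client, redirect method, reason) for every client that cannot be used."""
    findings = []
    for c in parse_clients(detail):
        if c.get("State", "").startswith("NOT Usable"):
            findings.append((c["WCCP Client ID"], c.get("Redirection"), c["State"]))
    for src, method, port in BAD_FWD.findall(debug):
        if method == "L2" and not on_link(src, interfaces):
            findings.append((src, method, f"Here_I_Am arrived routed via {port}"))
    return findings
```

Calling `diagnose(DETAIL, DEBUG, SWITCH_INTERFACES)` returns one finding per source of evidence: the client marked NOT Usable in the detail output and the Here_I_Am sender that the debug log reports as received indirectly.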

Not applicable

Thanks Riccardo.

Whilst I take on board your comments about the use of GRE and high CPU, is the L2 support only a limitation of the 3560? Could it be achieved across layer 3 with a different device?

Thanks,
Neil

rsimoni
Cisco Employee

Hi Neil,

Just to be sure we are on the same page: on cat3560/3750 GRE might be used for return traffic (causing high CPU) only; the redirect can be L2 (using L2 header and therefore L2 MAC address rewrite) instead.

About other switches, cat6500 and 7600 support also GRE as redirect method (although L2 is preferred); Cat4500 with Sup7E has the same limitation of 3750. Not sure about other Cat4k supervisors; in case I need to check.

Riccardo
