I am trying to configure a 3560 (Version 12.2(55)SE3) with IPServices to run WCCP to two to an Ironport WSA.
I believe everything is set up correctly, however WCCP is still not operational. I have checked the debug logs on the switch and I'm presented with a number of messages along the lines of...
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: enter
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: reuse orig mask info (28 bytes)
*Mar 1 03:44:47.891: WCCP-EVNT:wccp_copy_wc_assignment_data: exit
*Mar 1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 w/bad fwd method L2, received indirectly via FastEthernet0/1
*Mar 1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 with incompatible capabilites
I understand there are certain limitations on certain Cisco devices, and I'm not sure what these are for a 3560, however I have tried every combination on the Ironport appliance.
This includes, forwarding & return of just GRE, and also just L2, and then a combination of both.
WCCP web-cache view outputs the following on the switch...
WCCP Routers Informed of:
WCCP Clients Visible:
WCCP Clients NOT Visible:
If you need any further information please let me know, otherwise thanks in advance.
The message seems to say that your WCCP client is not directly connected while the L2 forwarding method is being used. The WCCP client (the Ironport in your case) MUST be connected at L2 (same subnet) for L2 forwarding.
For confirmation you can check "sh ip wccp
Also check the STP status of the port which is physically connected to the Ironport as it must be forwarding.
the wccp guide is here for your reference
one more thought, port fast0/1 (which receives wccp packets from the wccp client) must have the wccp vlan (the one 10.1.10.10 resides on) allowed and forwarding.
The Ironport is set to both GRE or L2, however the switch seems to be attempting L2.
WCCP Client information:
WCCP Client ID: 192.168.254.26
Protocol Version: 2.0
State: NOT Usable (Protocol not L2 connected)
Packet Return: L2
Packets Redirected: 0
Connect Time: 01:19:30
Should the switch dynamically pick up changes if I change the Ironport to GRE only, because this isn't the behavior I've been seeing...
Perhaps it's worth me clarifying the topology. I am merely testing this at the moment, however...
Client --> Switch 1 (3560 with IPServices running WCCP) --> Routed Link --> Switch 2 --> Router 1 --> WAN --> Switch 3 (managed by 3rd party) --> Ironport Appliance.
Are you able to clarify a little more your suggestions around spanning tree please?
My suggestions are not applicable as your setup cannot work.
The GRE forwarding method for packet redirection is not supported (as per config guide). The only supported redirect mode is L2. Likely during the negotiation your Ironport tries to negotiate both modes and the Catalyst picks L2, which is the only one it can use.
Redirection: L2 <<<<<
By supporting L2 redirect only it is implied that the wccp server (the switch in this case) and the wccp client (ironport appliance) must be in the same subnet. From your topology we see that this is not true as you have a routed link between the switch and the appliance.
This is what the switch is complaining about
and also ":*Mar 1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 w/bad fwd method L2, received indirectly via FastEthernet0/1" which means exactly the same thing.
You should move your ironport to the location where switch 1 is, if this is possible.
To recap this is what the 3560/3750 supports in terms of wccp
Platform             OS Version   Forwarding   Return       Assignment   Direction   Redirect list
Catalyst 3560/3750   12.2(37)SE   L2           GRE or L2*   Mask         In          Yes**
*Although GRE return mode is supported it is not recommended as it will cause CPU load (GRE encapsulation/decapsulation is not supported in hardware but handled in software)
** Only permit entries are supported
Whilst I take on board your comments about the use of GRE and high CPU, is the L2 support only a limitation of the 3560? Could it be achieved across layer 3 with a different device?
just to be sure we are on the same page on cat3560/3750 GRE might be used for return traffic (causing high CPU) only; the redirect can be L2 (using L2 header and therefore L2 MAC address rewrite) instead.
About other switches, cat6500 and 7600 support also GRE as redirect method (although L2 is preferred); Cat4500 with Sup7E has the same limitation of 3750. Not sure about other Cat4k supervisors; in case I need to check.
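A check for the two symptoms discussed in this thread, as an added example that is not part of any poster's reply: it scans WCCP debug and client-state lines for the L2 adjacency failure and tests whether each rejected cache address lies in a subnet directly attached to the switch. The sample lines are constructed from the output quoted above, and the connected subnets in `CONNECTED` are assumed values, not taken from the thread.

```python
import ipaddress
import re

# Patterns for the IOS messages quoted in the thread.
BAD_FWD = re.compile(r"Here_I_Am packet from (\S+) w/bad fwd method (\S+), received indirectly via (\S+)")
CLIENT_ID = re.compile(r"WCCP Client ID:\s*(\S+)")
NOT_USABLE = re.compile(r"State:\s*NOT Usable \((.+)\)")

def find_l2_failures(lines):
    """Return {client_ip: set(reasons)} for clients the switch rejected."""
    failures, current = {}, None
    for line in lines:
        m = BAD_FWD.search(line)
        if m:
            ip, method, port = m.groups()
            failures.setdefault(ip, set()).add(f"bad fwd method {method} via {port}")
            continue
        m = CLIENT_ID.search(line)
        if m:
            current = m.group(1)  # following State: line belongs to this client
            continue
        m = NOT_USABLE.search(line)
        if m and current:
            failures.setdefault(current, set()).add(m.group(1))
    return failures

def l2_adjacent(client_ip, connected_subnets):
    """True if client_ip lies within a subnet directly attached to the switch."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in connected_subnets)

def diagnose(lines, connected_subnets):
    """Pair each rejected client with whether L2 redirect could work at all."""
    return {ip: {"reasons": sorted(r), "l2_adjacent": l2_adjacent(ip, connected_subnets)}
            for ip, r in find_l2_failures(lines).items()}

# Constructed sample: lines as quoted in the thread.
SAMPLE = [
    "*Mar 1 03:44:47.891: WCCP-EVNT:S00: Here_I_Am packet from 10.1.10.10 w/bad fwd method L2, received indirectly via FastEthernet0/1",
    "WCCP Client ID: 192.168.254.26",
    "Protocol Version: 2.0",
    "State: NOT Usable (Protocol not L2 connected)",
]
# Assumed: subnets of the switch's own SVIs and routed ports.
CONNECTED = ["10.1.20.0/24", "10.1.30.0/30"]

if __name__ == "__main__":
    for ip, result in diagnose(SAMPLE, CONNECTED).items():
        print(ip, result)
```

A client reported with `l2_adjacent` false cannot be used by a platform that only supports L2 redirect, so web traffic will bypass the appliance until it is moved onto a connected subnet.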