Getting Started with WCCP

Patrick McHenry
Level 3

Hi,

We are going to start implementing WCCP. We want to configure WCCP2 on our firewall and redirect traffic from our inside interface to the web cache engine. I've read several documents on the subject but it's still a little vague.

If we want traffic coming from the inside that is headed to the Internet to be redirected to the Web cache engine, do I enter on the inside interface:

ip wccp web-cache redirect in?

Because I want to redirect traffic that is entering the inside interface?

Also, must I create an access-list? This part of WCCP doesn't seem clear. What are the ACLs for? Don't the web cache engines pick up the traffic automatically?

Thanks, Pat.

4 Replies

John Blakley
VIP Alumni

Pat,

You would configure it in the inbound direction in your case. Anyone going out to the internet will be going INto the interface and wccp will redirect it. You can redirect all traffic or certain hosts/subnets, etc. With an ACL, it tells the FW what to forward to the caching engine or not forward. What it doesn't forward will just go through your FW as normal traffic. You could tell your caching engine to not cache hits from a host, but there's really no reason to send it there in the first place if you don't have to.

HTH,

John

Please rate useful posts...

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Think of the WCCP interface redirection statement as sort of like an ACL. You can do it either on the ingress interface(s) or the egress interface(s). Often the latter is simpler as often just one interface goes to the firewall, but the former is often more efficient. (Also more efficient is L2 redirect [i.e. WCCP server on a subnet which the WCCP router has an interface on] rather than L3/GRE redirect.)

As John describes, you can (optionally) use an ACL to determine what traffic should be sent to the WCCP server. Generally the WCCP servers will bounce back traffic they are not interested in, but as John describes, why send traffic to the WCCP server if you know it's not going to be processed on it?

I want only 80 and 443 from all devices on the inside to go to the Web Cache Server. Could you please give me an example of the commands I would enter on the FW to accomplish this?

Thank you, Pat.

Patrick,

Try this:

access-list WebFilter permit tcp any any eq 443

access-list WebFilter permit tcp any any eq 80

access-list Cache permit host 192.168.1.50 <--- The address of your caching appliance

wccp web-cache redirect-list WebFilter group-list Cache

wccp interface inside web-cache redirect in

You *may* need to use an extended acl for the Cache like:

access-list Cache permit ip host 192.168.1.50 any

Here's a more in-depth document for you to review if needed:

https://supportforums.cisco.com/docs/DOC-12623

HTH, John *** Please rate all useful posts ***
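
An offline check of the configuration in the reply above, added here as an example and not part of the original thread: it resolves the ACLs named by `redirect-list` and `group-list` and reports which ports are redirected and which cache hosts may join the service. `audit_wccp`, `_entries` and `SAMPLE_CONFIG` are hypothetical names, and the parsing assumes only the simple command forms shown in the thread.

```python
# Constructed sample: the commands from the reply above, as saved configuration text.
SAMPLE_CONFIG = """\
access-list WebFilter permit tcp any any eq 443
access-list WebFilter permit tcp any any eq 80
access-list Cache permit host 192.168.1.50
wccp web-cache redirect-list WebFilter group-list Cache
wccp interface inside web-cache redirect in
"""

def _entries(acls, name):
    """ACL entries with an optional standard/extended keyword dropped."""
    return [e[1:] if e[0] in ("standard", "extended") else e for e in acls.get(name, [])]

def audit_wccp(config):
    """Summarise the web-cache service and list findings (hypothetical helper)."""
    acls, service, interfaces, findings = {}, None, [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) > 3:
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:2] == ["wccp", "web-cache"]:
            opts = tok[2:]
            # Keep only options that are followed by an ACL name.
            service = {k: opts[opts.index(k) + 1]
                       for k in ("redirect-list", "group-list") if k in opts[:-1]}
        elif tok[:2] == ["wccp", "interface"] and "web-cache" in tok:
            interfaces.append(tok[2])
    if service is None:
        return {"ports": [], "caches": [], "interfaces": interfaces}, ["web-cache service not enabled"]
    for key in ("redirect-list", "group-list"):
        if key not in service:
            findings.append(f"no {key} configured")
        elif service[key] not in acls:
            findings.append(f"{key} ACL {service[key]} is not defined")
    ports, caches = [], []
    for e in _entries(acls, service.get("redirect-list")):
        if e[:2] == ["permit", "tcp"] and "eq" in e[:-1]:
            ports.append(e[e.index("eq") + 1])
        elif e[0] == "permit":
            findings.append("redirect-list permits more than one TCP port: " + " ".join(e))
    for e in _entries(acls, service.get("group-list")):
        if e[0] == "permit" and "host" in e[:-1]:
            caches.append(e[e.index("host") + 1])
        elif e[0] == "permit":
            findings.append("group-list entry is not a single host: " + " ".join(e))
    return {"ports": ports, "caches": caches, "interfaces": interfaces}, findings
```
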