07-14-2021 11:32 AM
We're currently in the process of migrating off 6509s and onto 9606s. We have Bluecoat as our content filtering (which we are also migrating from). We've moved Bluecoat off the 6500s and onto the 9606s, with basically the same access lists, however nothing is being redirected.
On the 6500s we used "addrgroup" to define denied destination IPs. This worked fine:
object-group ip address WCCP-ASG-IPBYPASS-PORT80WWW
Host-info <various entries and IPs>
In the redirect access list:
deny tcp any addrgroup WCCP-ASG-IPBYPASS-PORT80WWW eq www
On the 9606s, the commands changed slightly, and it's not redirecting ANY traffic:
object-group network WCCP_IPBYPASS_PORT80WWW
host <various entries and IPs>
In the redirect access list:
deny tcp any object-group WCCP_IPBYPASS_PORT80WWW eq www
There are multiple other lines in the access list (both allows and denies) with either networks or other object-groups. As I said, the configuration on the 6509 worked flawlessly.
Cisco is telling us that object-groups are not supported in WCCP re-direct access lists. Anyone else run into this?
I would hate to have a LONG redirect access list, jumbled with a bunch of IPs that I don't know the purpose of. I would much prefer using object-groups to separate that out.
Any insight or help would be appreciated.
07-14-2021 01:48 PM
Do you have the complete configuration applied?
For example:
Until you configure a WCCP service using the ip wccp {web-cache | service-number } global configuration command, WCCP is disabled on the device. The first use of a form of the ip wccp command enables WCCP.
If Cisco says that the ACLs you are using are not valid, you could easily create another ACL that would be valid and test it. That would at least point at the ACLs as the issue or not.
07-14-2021 02:53 PM - edited 07-14-2021 02:54 PM
Yes, I've read through that document about 12 times in the last 2 days.
WCCP is enabled, and we see the neighbors
sh ip wccp summary
WCCP version 2 enabled, 4 services
Service Clients Routers Assign Redirect Bypass
------- ------- ------- ------ -------- ------
Default routing table (Router Id: 10.16.251.10):
5 2 2 MASK L2 L2
6 2 2 MASK L2 L2
I do plan to test, however I'm hoping there will be a workaround.
07-16-2021 08:37 AM
Update:
Cisco Catalyst team now involved, and said there's no reason it should not work. They are still investigating.
Also found that if running more than 1 redirect on an interface, the "ip wccp check services all" command needs to be in the config.
More to come.
10-22-2021 01:10 AM
Hi, do you have any update from TAC? I've a similar issue, but the traffic is redirected fine; the strange thing is that the ACL/WCCP counters do not increment.
regards,
03-21-2022 06:55 AM
Quite a few things I've learned about WCCP and 9606s since I first posted:
1. Named object groups are no longer supported
2. WCCP is VERY buggy on the 9606
3. If running more than 1 WCCP instance, the command "ip wccp check services all" must be used
4. You must use the correct SDM template based on the size of your environment. If the "PBR ACL" table becomes over-utilized, it will stop redirecting. Use the command "show platform hardware fed active fwd-asic resource tcam utilization" to show utilization. This link shows SDM templates: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/17-3/configuration_guide/sys_mgmt/b_173_sys_mgmt_9600_cg/configuring_sdm_templates.html
5. TAC actually told me not to rely on counters anymore, as they are so buggy and sometimes do not work.
Due to the over-utilization of the SDM template we are using, and the fact that named ACLs are not supported anymore, we're having to re-work all of our WCCP to best work in our environment.
Hope this helps. We're still having occasional issues.
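Since the thread's conclusion is that the 9606 will not accept object-group references in a WCCP redirect ACL, one way to keep the readable, grouped definition as the source of truth and still push a flat access list to the switch is to generate the flat ACEs from the object-group text. The Python script below is an added example written for this page; it is not from any poster, from TAC or from Cisco. It assumes the object-group network syntax shown in the thread (host, network plus subnet mask, and range entries), assumes the flat list is loaded as a named extended ACL (where "remark" lines keep the purpose of each expanded group visible), and its sample addresses and group contents are constructed. It also handles two details the flat form forces on you: extended ACEs take wildcard masks rather than subnet masks, and an address range has no ACE keyword, so it is expanded into single hosts.

```python
"""Expand object-group references in a WCCP redirect ACL into flat ACEs.

Added example for this thread; not from any poster, TAC or Cisco.
Sample data below is constructed from documentation address ranges.
"""
import ipaddress
import re

# Constructed sample in the 9606 (IOS-XE) object-group syntax from the thread.
SAMPLE_GROUPS = """\
object-group network WCCP_IPBYPASS_PORT80WWW
 host 192.0.2.10
 host 192.0.2.11
 198.51.100.0 255.255.255.0
 range 203.0.113.5 203.0.113.7
"""

# Constructed sample redirect ACL that still references the group.
SAMPLE_ACL = [
    "deny tcp any object-group WCCP_IPBYPASS_PORT80WWW eq www",
    "permit tcp any any eq www",
]


def parse_object_groups(text):
    """Return {group_name: [IPv4Network, ...]} from 'object-group network' blocks."""
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "host" and len(parts) == 2:
            current.append(ipaddress.ip_network(parts[1]))  # /32
        elif parts[0] == "range" and len(parts) == 3:
            # Extended ACLs have no IP range keyword: expand to single hosts.
            start = int(ipaddress.ip_address(parts[1]))
            end = int(ipaddress.ip_address(parts[2]))
            for n in range(start, end + 1):
                current.append(ipaddress.ip_network(str(ipaddress.ip_address(n))))
        elif len(parts) == 2:
            # "network subnet-mask" form; ip_network accepts "addr/netmask".
            current.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}"))
        else:
            raise ValueError(f"unrecognised object-group entry: {line}")
    return groups


def ace_address(net):
    """Render one network the way an extended ACE expects it.

    ACEs use wildcard (inverse) masks, which ipaddress exposes as hostmask.
    """
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def _expand(tokens, refs, groups):
    """Replace the first 'object-group NAME' token pair; recurse for the rest.

    Several references on one line (source and destination) give the cross product.
    """
    if not refs:
        return [" ".join(tokens)]
    i, rest = refs[0], refs[1:]
    results = []
    for net in groups[tokens[i + 1]]:
        repl = ace_address(net).split()
        new_tokens = tokens[:i] + repl + tokens[i + 2:]
        shift = len(repl) - 2  # the replacement may be 1 or 2 tokens
        results.extend(_expand(new_tokens, [j + shift for j in rest], groups))
    return results


def expand_acl(acl_lines, groups):
    """Return the ACL with every object-group reference replaced by flat ACEs."""
    out = []
    for line in acl_lines:
        tokens = line.split()
        refs = [i for i, t in enumerate(tokens) if t == "object-group"]
        if not refs:
            out.append(line)
            continue
        names = [tokens[i + 1] for i in refs]
        missing = [n for n in names if n not in groups]
        if missing:
            raise KeyError(f"object-group(s) not defined: {', '.join(missing)}")
        # A remark keeps the purpose of the block visible in the flat list.
        out.append(f"remark expanded from object-group {' '.join(names)}")
        out.extend(_expand(tokens, refs, groups))
    return out


def render(acl_name, acl_lines, groups):
    """Full named-extended-ACL stanza ready to paste (name is an assumption)."""
    body = "\n".join(f" {ace}" for ace in expand_acl(acl_lines, groups))
    return f"ip access-list extended {acl_name}\n{body}\n"


if __name__ == "__main__":
    print(render("WCCP_REDIRECT_80", SAMPLE_ACL, parse_object_groups(SAMPLE_GROUPS)))
```

Keep the object-group text under version control and regenerate the flat ACL whenever it changes; the remark lines then answer the "what are these IPs for" question on the switch itself. A /24 in the group becomes one ACE with a 0.0.0.255 wildcard, while a range of three addresses becomes three host ACEs, which is also a reminder that every expanded line consumes TCAM in the PBR ACL table the final post warns about.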