WCCP redirection - WCCP on 6500


Jan 17, 2012 4:39 AM

WCCP Redirection

The WCCP entity, not the 6500, dictates the hash tables and mask/value sets to the Catalyst 6500, so the redirect method is configured on that appliance and not on the 6500 switch. The 6500 will determine the best redirect method available, based on the WCCP communications with the WCCP entity/group. This negotiated forwarding method determines how redirected traffic is forwarded to the appliance, with two available options:

  • GRE (L3)
  • MAC address rewrites (L2).

With WCCP v1, the only redirection option is GRE (also referred to as L3 redirection) encapsulation. With L3 redirection, each WCCP redirected packet is encapsulated in a GRE header marked with a protocol type 0x883E followed by a four-octet WCCP Redirect header, which is subsequently sent to the WCCP appliance (a Cache Engine for example).

With the introduction of WCCP v2, Accelerated WCCP or L2 redirection was added to take advantage of hardware switching platforms such as the Catalyst 6500. When using L2 redirection, the WCCP appliance and Catalyst 6500 must be L2 adjacent (within the same L2 VLAN). Redirected L2 traffic does not use GRE encapsulation; rather, the destination MAC address is rewritten by the Catalyst 6500 to that of the L2-connected WCCP entity, and the packet is forwarded through normal hardware switching.

Note: The method of forwarding to the WCCP device may not be the same method that the WCCP device is using to send traffic back to the Catalyst 6500. The WCCP protocol will be used to negotiate a forward and return method that both devices support.

L3 (GRE) Forwarding Method Detail


WCCP L3 operation involves the use of GRE as an encapsulation method. Redirected packets are encapsulated in a GRE header with a protocol type of 0x883e, along with a 4-byte WCCP Redirection header that includes a service ID and hash bucket matched (WCCP v2 only). The use of GRE enables the WCCP client to be separated from the 6500 via multiple Layer 3 (routed) hops.
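As an added example (not part of the original post), the following Python parser decodes the encapsulation described above, so a capture taken at the WCCP appliance can be checked for the expected service ID and bucket. The D/A flag bits and the primary/alternative bucket layout follow the WCCP v2 Internet-Draft and are not spelled out on this page; the sample packet, its addresses and service ID 90 are constructed.

```python
import struct
from typing import NamedTuple

GRE_PROTO_WCCP = 0x883E  # GRE protocol type used for WCCP redirection
IPPROTO_GRE = 47

class WccpRedirect(NamedTuple):
    dynamic_service: bool  # D bit: 1 = dynamic service, 0 = well-known service
    alt_bucket_used: bool  # A bit: 1 = alternative bucket was used
    service_id: int
    primary_bucket: int
    alt_bucket: int
    inner_packet: bytes    # the original redirected IP packet

def parse_wccp_gre(outer_ip: bytes) -> WccpRedirect:
    """Parse an outer IPv4 packet that carries a GRE/WCCP redirect."""
    if len(outer_ip) < 20 or outer_ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer_ip[0] & 0x0F) * 4
    if ihl < 20 or outer_ip[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = outer_ip[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_WCCP:
        raise ValueError(f"GRE protocol type {proto:#06x} is not WCCP")
    if flags & 0x4FFF:  # routing bit, reserved bits or non-zero version
        raise ValueError("unsupported GRE flags/version")
    # Optional checksum (C), key (K) and sequence (S) words are 4 bytes each.
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    hdr = gre[offset:offset + 4]
    if len(hdr) < 4:
        raise ValueError("truncated WCCP redirect header")
    bits, service_id, primary, alt = struct.unpack("!BBBB", hdr)
    return WccpRedirect(bool(bits & 0x80), bool(bits & 0x40),
                        service_id, primary, alt, gre[offset + 4:])

# Constructed sample packet (not captured traffic).
SAMPLE = bytes.fromhex(
    "450000300000000040" "2f0000" "c0000201" "c000020a"  # outer IPv4, proto 47
    "0000883e"  # GRE: no flags, protocol type 0x883E
    "805a2a00"  # D=1, service ID 90, primary bucket 42, alt bucket 0
    "4500001400000000400600000a0000010a000002"  # inner IPv4 header
)

if __name__ == "__main__":
    print(parse_wccp_gre(SAMPLE))
```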

The options available for WCCP redirection in this scenario include:

  • Ingress - L3 (GRE) redirection + Hash Assignment (Requires Software Processing)
  • Ingress - L3 (GRE) redirection + Mask Assignment (Full Hardware Processing - Sup32/Sup720 only)
  • Egress - L3 (GRE) redirection + Hash Assignment (Requires Software Processing)
  • Egress - L3 (GRE) redirection + Mask Assignment (Requires Software Processing)

Ingress - GRE + Hash Assignment

On the Supervisor 2, each GRE packet is sent to the MSFC for processing. Since GRE encapsulation is not supported in hardware, the MSFC must apply both GRE and WCCP headers, forcing software switching for all traffic.

When using the Hash Assignment method, the Supervisor 32 and Supervisor 720 forward the first packet of every flow in software to establish a Netflow table entry. The packet is then encapsulated in GRE (the encapsulation and forwarding of the initial packet is done in software) and forwarded to the WCCP appliance.

The establishment of the Netflow entry impacts CPU utilization, but subsequent packet forwarding is done in hardware for Sup720 and Sup32. Traffic patterns, especially the number of unique flows, will dictate how much the CPU is utilized. If the Netflow resources of the 6500 are consumed, then all traffic will be forwarded in software.

The Netflow resources of the supervisor PFC differ across the various platforms. Currently, the largest Netflow resources are available on the PFC-3BXL on the Supervisor 720 platform.

Ingress - GRE + Mask Assignment

On the Supervisor 2, each GRE packet is sent to the MSFC for processing. Since GRE encapsulation is not supported in hardware, the MSFC must apply both GRE and WCCP headers, forcing software switching for all traffic.

When using the Mask Assignment method, the Supervisor 32 and Supervisor 720 forward the initial and subsequent packets in hardware, because GRE is supported natively and mask assignment uses the ACL TCAM hardware for forwarding.

Egress - GRE + Hash Assignment

On the Supervisor 2, each packet is sent to the MSFC for processing. Since GRE encapsulation is not supported in hardware, the MSFC must apply both GRE and WCCP headers, forcing software switching for all traffic.

When using the Hash Assignment method with the Supervisor 32 and Supervisor 720, the 6500 will forward the initial packet of every flow in software to establish the Netflow table entry. The packet is then encapsulated in GRE and forwarded to the WCCP entity.

The establishment of the Netflow entry impacts CPU utilization, but subsequent packet forwarding is done in hardware. Traffic patterns, especially the number of unique flows, will dictate how much the CPU is utilized. If the Netflow resources of the 6500 are consumed, then all traffic will be forwarded in software.

The Netflow resources of the supervisor PFC differ across the various platforms. Currently, the largest Netflow resources are available on the PFC-3BXL on the Supervisor 720 platform.

Egress - GRE + Mask Assignment

On the Supervisor 2, each packet is sent to the MSFC for processing. Since GRE encapsulation is not supported in hardware, the MSFC must apply both GRE and WCCP headers, forcing software switching for all traffic.

On the Supervisor 32 and Supervisor 720, when using the Mask Assignment method, the first packet of every flow is software switched to establish the Netflow table entry. None of the supervisors support egress ACL adjacency programming, which forces this software processing using Netflow resources (instead of hardware ACL TCAM) for the initial packet in each flow. The packet is then encapsulated in GRE and forwarded to the WCCP appliance.

The establishment of the Netflow entry impacts CPU utilization, but subsequent packet forwarding is done in hardware. Traffic patterns, especially the number of unique flows, will dictate how much the CPU is utilized. If the Netflow resources of the 6500 are consumed, then all traffic will be forwarded in software.

The Netflow resources of the supervisor PFC differ across the various platforms. Currently, the largest Netflow resources are available on the PFC-3BXL on the Supervisor 720 platform.

L2 Forwarding Method Detail

With L2 forwarding, the WCCP entities (ACNS, WAFS, WAAS, etc.) within a service group are part of the same subnet and L2 adjacent to the Catalyst 6500. This enables high-throughput, low-latency redirection of traffic. It is important to note that the ingress interface (where WCCP is configured) and the interface where the WCCP appliance(s) are located must be on different VLANs.

With L2 redirection, the packet is rewritten with the source MAC set to the router, and the destination MAC set to the Cache Engine. The only disadvantage of using this redirect method is that the Cache Engine must be Layer 2 reachable by the Catalyst, and must reside on a different L3 interface than the configured ingress WCCP interface.

Note: The method of forwarding to the WCCP device may not be the same method that the WCCP device is using to send traffic BACK to the Catalyst 6500. The WCCP protocol should be used to negotiate a forward and return method that both devices support.

The options available for WCCP redirection in this scenario include:

  • Ingress - L2 redirection + Hash Assignment (Requires Software Processing)
  • Ingress - L2 redirection + Mask Assignment (Full Hardware Processing - recommended)
  • Egress - L2 redirection + Hash Assignment (Requires Software Processing)
  • Egress - L2 redirection + Mask Assignment (Requires Software Processing)

Ingress - L2 + Hash Assignment

When WCCP is configured on ingress with L2+Hash Assignment, the first packet in every flow is sent to be software switched, creating a Netflow entry in the hardware Netflow table. The Netflow flow-mask will be set to interface full-flow mode, which could impact other Netflow features configured on the switch.

Since WCCP is a stateless mechanism, the information is not maintained in software; rather, it is maintained in hardware, as entries in the Netflow table. Subsequent traffic in the flow will be forwarded in hardware, as long as a Netflow table entry exists.

The establishment of the Netflow entry impacts CPU utilization, but subsequent packet forwarding is done in hardware. Traffic patterns, especially the number of unique flows, will dictate how much the CPU is utilized. If the Netflow resources of the 6500 are consumed, then all traffic will be forwarded in software.

The Netflow resources of the supervisor PFC differ across the various platforms. Currently, the largest Netflow resources are available on the PFC-3BXL on the Supervisor 720 platform.

Ingress - L2 + Mask Assignment

When configured on ingress, L2+Mask Assignment is the most efficient WCCP method supported on the Catalyst 6500. All traffic is hardware switched, including the initial packet in each flow. No software redirection is required, providing initial and subsequent packet forwarding in hardware.

The hardware ACL TCAM resources of the 6500 are used to pre-program the hardware entries, before any WCCP packets are received.

In order to use this method, and utilize full hardware switching, the WCCP entity must also support L2 redirect, and the mask assignment method. Configuration of this method is completed on the WCCP entity, and the 6500 will negotiate the best method during the WCCP initial communications with the WCCP entity/group.

Egress - L2 + Hash Assignment

With Egress L2+Hash Assignment, the first packet in every flow is sent to be software switched, creating a Netflow entry in the hardware Netflow table. The Netflow flow-mask will be set to interface full-flow mode, which could impact other Netflow features configured on the switch.

Additionally, when configured in the egress direction, an additional FIB lookup is required on the first packet of the flow to determine the adjacency associated with the CE, which requires packet recirculation within the 6500. Subsequent packets will be Netflow switched in hardware.

The establishment of the Netflow entry impacts CPU utilization, but subsequent packet forwarding is done in hardware. Traffic patterns, especially the number of unique flows, will dictate how much the CPU is utilized. If the Netflow resources of the 6500 are consumed, then all traffic will be forwarded in software.

The Netflow resources of the supervisor PFC differ across the various platforms. Currently, the largest Netflow resources are available on the PFC-3BXL on the Supervisor 720 platform.

Egress - L2 + Mask Assignment

When configured in the egress direction, L2+Mask Assignment switches the first packet in each flow in software, just like the L2+Hash Assignment case. Subsequent packets will be Netflow switched in hardware. The Netflow flow-mask will be set to interface full-flow mode, which could impact other Netflow features configured on the switch.

The PFC2 and PFC3 do not support egress ACL adjacency programming, which forces software processing for the initial packet in each flow; subsequent packets in the flow are forwarded in hardware.

The establishment of the Netflow entry impacts CPU utilization, but subsequent packet forwarding is done in hardware. Traffic patterns, especially the number of unique flows, will dictate how much the CPU is utilized. If the Netflow resources of the 6500 are consumed, then all traffic will be forwarded in software.

The Netflow resources of the supervisor PFC differ across the various platforms. Currently, the largest Netflow resources are available on the PFC-3BXL on the Supervisor 720 platform.
