06-12-2007 02:56 AM
Hi Sir,
I have a Catalyst 6509 with redundant Supervisor Engine 720 in a data center. It is hybrid mode (i.e. CatOS and MSFC IOS).
It's connected to an edge WAN router connecting to branch offices. I'm implementing a WAE at the data center to optimize TCP traffic between the various server farms in the data center and the branch offices.
The WAE is L2 adjacent to the Catalyst 6509. The WCCPv2 config of the C6509 is as follows:
!
ip wccp version 2
ip wccp 61
ip wccp 62
!
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip address 172.16.100.1 255.255.255.0
 ip wccp 61 redirect out
 ip wccp 62 redirect in
!
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
 ip wccp redirect exclude in
!
interface Vlan10
 description *** Server Farm 1 ***
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 description *** Server Farm 2 ***
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan30
 description *** Server Farm 3 ***
 ip address 172.16.30.1 255.255.255.0
!
interface Vlan40
 description *** Server Farm 4 ***
 ip address 172.16.40.1 255.255.255.0
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0
!
Because it is not known which server farm the remote users need to access, I do not want to apply inbound redirection on the server farm interfaces. Instead, I'm doing both inbound and outbound redirection on the interface connecting to the edge WAN router. Is my config valid and recommended for a production environment?
I came across a note that says:
*** Setting outbound redirection on Cat6k/76xx may lead to 100% CPU on the switch ***
Can anyone verify the above statement?
Thank you.
B.Rgds,
Lim TS
06-12-2007 04:48 AM
Lim TS,
While your configuration is valid, it is not recommended. The issue with outbound redirection on the 6500/Sup720 is that the first packet for every flow gets punted to the MSFC and switched in software. Subsequent packets for the flow are netflow switched in hardware. So there is involvement from the MSFC in the redirection process, which can lead to elevated levels of CPU utilization -- even in environments with moderate traffic flow.
The best practice is the following on the 6500/Sup720:
- Use l2-redirect
- Use mask-assign
- Only use inbound redirection
- Do NOT use 'ip wccp redirect exclude in'
- Use the following minimum software versions in hybrid:
CatOS 8.5 / 12.2(18)SXF5
Thanks,
Zach
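The inbound-only layout Zach's list describes, written out against the VLANs from the original post as an added example (this is not config from the thread or from Cisco documentation). It assumes the same VLAN numbers and addresses as the first post and the WAAS_ACL redirect-list from later in the thread; the interface toward the second data center is not named on the page, so it is left as a comment rather than invented. Service 61 inbound on every LAN-side VLAN catches the same data-center-to-branch traffic that "ip wccp 61 redirect out" on Vlan100 did, without the MSFC punt, and because nothing is redirected outbound the WAE VLAN no longer needs "ip wccp redirect exclude in":

```ios
! Added example: inbound-only WCCPv2 interception on a Sup720 (hybrid mode MSFC).
! Assumptions: VLAN numbering/addressing from the original post; WAAS_ACL as
! posted later in the thread; one WAE, L2 adjacent on Vlan200.
ip wccp version 2
ip wccp 61 redirect-list WAAS_ACL
ip wccp 62 redirect-list WAAS_ACL
!
! WAN side: branch -> data center traffic enters here, service 62 inbound.
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip address 172.16.100.1 255.255.255.0
 ip wccp 62 redirect in
!
! WAE side: no redirect statement at all. With inbound-only redirection the
! WAE's egress packets are never candidates, so 'ip wccp redirect exclude in'
! is not required (matching the best-practice list above).
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
!
! LAN side: data center -> branch traffic enters on each server farm VLAN,
! service 61 inbound. Applying it on every LAN-facing VLAN gives the same
! coverage as 'ip wccp 61 redirect out' on Vlan100, without the MSFC punt.
interface Vlan10
 description *** Server Farm 1 ***
 ip address 172.16.10.1 255.255.255.0
 ip wccp 61 redirect in
!
interface Vlan20
 description *** Server Farm 2 ***
 ip address 172.16.20.1 255.255.255.0
 ip wccp 61 redirect in
!
interface Vlan30
 description *** Server Farm 3 ***
 ip address 172.16.30.1 255.255.255.0
 ip wccp 61 redirect in
!
interface Vlan40
 description *** Server Farm 4 ***
 ip address 172.16.40.1 255.255.255.0
 ip wccp 61 redirect in
!
! The interface toward the other data center is not named in the thread;
! it would get 'ip wccp 61 redirect in' as well, since traffic from there
! to the branches also enters the 6509 on the LAN side.
!
! Companion WAE config (unchanged from the thread): l2-redirect and
! mask-assign keep the redirection in the PFC3 hardware.
! wccp router-list 1 172.16.200.1
! wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
! wccp version 2
```

Check it with "show ip wccp 61 detail" and "show ip wccp 62 detail" on the MSFC: the WAE should show as usable with "L2" forwarding and "MASK" assignment, and the redirect counters should increase only on the interfaces carrying "redirect in". Note the thread's own caveat still applies: on a Sup720 this only behaves as described on the software versions Zach lists (CatOS 8.5 / 12.2(18)SXF5, and in no case earlier than 12.2(18)SXD1).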
06-12-2007 05:47 AM
Hi Zach,
Thanks for your response. It's informative.
My CatOS version is 8.3(4) and MSFC IOS version is 12.2(17d)SXB6. I can't upgrade them to the recommended version in time for the WAE deployment.
The remote users may also need to access server farms located in another data center, which are routed through this Catalyst 6509. The reason I configured outbound redirection on the interface to the WAN router is to have the flexibility to intercept all data center traffic to the remote sites.
On the WAE, I do have the following command:
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
Does the above command free the CPU from the redirection process? I'm really worried about the CPU utilization after I roll out the WAE.
I understand "ip wccp redirect exclude in" is not required if we are not doing any outbound redirection. In my case, it is required to prevent traffic from the WAE being redirected back to itself.
Is this the best I can do given my scenario?
Please advise further.
Thank you.
B.Rgds,
Lim TS
06-12-2007 06:02 AM
Lim TS,
WCCP is not supported on the Sup720 prior to CatOS 8.5 and IOS 12.2(18)SXD1.
Any time outbound redirection is configured, the MSFC is involved in the redirection process, even when the 'l2-redirect mask-assign' options are configured.
Thanks,
Zach
06-12-2007 07:14 PM
Hi Zach,
My WAE deployment yesterday wasn't a successful one. After I enabled interception on the Cat6509 and the remote WCCP router, I could ping remote hosts but they could not access the Internet (i.e. TCP apps fail).
I understand this is one of the common issues of misconfigured network interception, which can lead to traffic being "black-holed", i.e. distant devices are pingable, but no application traffic can pass.
The traffic redirection at the data center to its local WAE does not seem to be working. I suspect bugs because the current MSFC IOS version [12.2(17d)SXB6] does not meet the minimum recommended version for WCCP [12.2(18)SXF5].
In my scenario, I'd like to only optimize traffic between remote segments (e.g. 172.16.90.0/24 & 172.16.91.0/24) and the data center. So I use redirect-list on the Cat6509 as follows:
Data Center Cat6509
-------------------
!
ip access-list extended WAAS_ACL
permit ip any 172.16.90.0 0.0.0.255
permit ip 172.16.90.0 0.0.0.255 any
permit ip any 172.16.91.0 0.0.0.255
permit ip 172.16.91.0 0.0.0.255 any
!
ip wccp 61 redirect-list WAAS_ACL
ip wccp 62 redirect-list WAAS_ACL
!
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip wccp 61 redirect out
 ip wccp 62 redirect in
!
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
 ip wccp redirect exclude in
!
Data Center WAE
---------------
!
ip default-gateway 172.16.200.1
!
wccp router-list 1 172.16.200.1
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp version 2
!
Am I running into Bug ID CSCsh98343? I don't fully understand the workaround. Can you kindly help me?
Thank you.
B.Rgds,
Lim TS
06-12-2007 07:38 PM
Hi Zach,
Should I be configuring the redirect-list as follows, as per the workaround?
!
ip access-list extended WAAS_61OUT
permit ip any 172.16.90.0 0.0.0.255
permit ip any 172.16.91.0 0.0.0.255
!
ip access-list extended WAAS_62IN
permit ip 172.16.90.0 0.0.0.255 any
permit ip 172.16.91.0 0.0.0.255 any
!
ip wccp 61 redirect-list WAAS_61OUT
ip wccp 62 redirect-list WAAS_62IN
!
What are your thoughts?
Thank you.
B.Rgds,
Lim TS
06-12-2007 09:54 PM
Lim TS,
The behavior of WCCP on the Sup720 prior to 12.2(18)SXD1 will be unpredictable. I would not recommend that you use WCCP unless you can upgrade. Do you have other interception alternatives (PBR, Inline, etc.)?
Regarding the specific defect you mentioned, your proposed ACLs look correct.
Thanks,
Zach
06-12-2007 10:25 PM
Hi Zach,
Thanks again for your response.
The WAE doesn't have an inline card. I may need to explore doing PBR.
By the way, should I configure the options "l2-redirect" and "mask-assign" on the WAE when interfacing with a Catalyst 6500? Are they significant, e.g. do they improve performance?
The thing is, I previously did a lab test using a Cisco 1841. I didn't configure the two options on the WAE and the setup worked. I'm wondering whether I should leave out the two options in the production environment.
Thank you.
B.Rgds,
Lim TS
06-13-2007 04:41 AM
Lim TS,
The l2-redirect and mask-assign options are recommended on the hardware-based platforms (i.e. Catalyst 6500).
Thanks,
Zach
06-13-2007 07:11 PM
Hi Zach,
Noted with thanks.
Our local Cisco SE has shown me a long list of WCCP-related bugs. Now I understand why Cisco stresses using the minimum recommended IOS version.
To minimize risks, I'm looking into configuring PBR on the data center switches, whereas the remote router is still configured with WCCP [it's a 7206VXR and the IOS version is 12.1(27b)E1, which meets the minimum requirement of 12.1(14)]. Do you recommend a mix of PBR and WCCP?
Thanks for your patience in answering my inquiries.
B.Rgds,
Lim TS
06-13-2007 10:31 PM
Lim TS,
The interception choice you make is local to the site, so yes, mixing PBR and WCCP will be fine.
Thanks,
Zach
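What the PBR side of that mix looks like on the data center 6509, as an added example that is not part of the thread. The WAE address 172.16.200.2 and the ACL/route-map names are assumptions; the VLANs are the ones from the first post. PBR is applied per ingress interface, so the two design rules from the WCCP discussion carry over directly: attach the policy only to the interfaces where traffic enters the switch (WAN VLAN and each server farm VLAN), and never to the WAE VLAN, so the WAE's own egress is not looped back to it. "set ip next-hop verify-availability" is the standard IOS option that stops forwarding to the WAE when its ARP entry is gone, so a failed WAE fails open rather than black-holing the flows, which is exactly the failure the thread describes.

```ios
! Added example: PBR interception toward a single L2-adjacent WAE on a Cat6509.
! Assumptions: WAE IP 172.16.200.2 on Vlan200; ACL and route-map names chosen
! here; VLAN numbering from the original post. Not config from the thread.
!
! Only TCP is worth sending to the WAE; ping and other IP traffic keep the
! normal routed path, which also makes "pingable but no TCP" easier to spot.
ip access-list extended WAAS_PBR_ACL
 permit tcp any any
!
route-map WAAS_PBR permit 10
 match ip address WAAS_PBR_ACL
 set ip next-hop verify-availability 172.16.200.2 10
! verify-availability: if the WAE's ARP entry is absent the set is skipped and
! the packet is routed normally (fail-open instead of black-hole).
!
! WAN side: branch -> data center flows enter here.
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip address 172.16.100.1 255.255.255.0
 ip policy route-map WAAS_PBR
!
! WAE side: deliberately NO 'ip policy'. Packets the WAE sends back toward the
! servers or the WAN router must take the normal routed path, otherwise they
! would be policy-routed straight back to the WAE.
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
!
! LAN side: data center -> branch flows enter on the server farm VLANs.
interface Vlan10
 description *** Server Farm 1 ***
 ip address 172.16.10.1 255.255.255.0
 ip policy route-map WAAS_PBR
!
interface Vlan20
 description *** Server Farm 2 ***
 ip address 172.16.20.1 255.255.255.0
 ip policy route-map WAAS_PBR
!
interface Vlan30
 description *** Server Farm 3 ***
 ip address 172.16.30.1 255.255.255.0
 ip policy route-map WAAS_PBR
!
interface Vlan40
 description *** Server Farm 4 ***
 ip address 172.16.40.1 255.255.255.0
 ip policy route-map WAAS_PBR
```

With PBR the 6509 no longer runs "ip wccp 61/62" at all, so the WAE at this site is configured without WCCP, while the 7206VXR at the branch keeps its WCCP configuration unchanged; as Zach says, the choice is local to each site. Two checks before calling it done: "show route-map WAAS_PBR" should show the policy-routing counter climbing only for TCP, and a TCP connection from a branch host to a server farm address should appear in the WAE's connection table, while ICMP never does.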