
Recommended WCCPv2 Configuration for WAE

limtohsoon
Level 1

Hi Sir,

I have a Catalyst 6509 with redundant Supervisor Engine 720 in a data center. It is in hybrid mode (i.e. CatOS and MSFC IOS).

It's connected to an edge WAN router connecting to branch offices. I'm implementing a WAE at the data center to optimize TCP traffic between the various server farms in the data center and the branch offices.

The WAE is L2 adjacent to the Catalyst 6509. The WCCPv2 config of the C6509 is as follows:

!
ip wccp version 2
ip wccp 61
ip wccp 62
!
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip address 172.16.100.1 255.255.255.0
 ip wccp 61 redirect out
 ip wccp 62 redirect in
!
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
 ip wccp redirect exclude in
!
interface Vlan10
 description *** Server Farm 1 ***
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 description *** Server Farm 2 ***
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan30
 description *** Server Farm 3 ***
 ip address 172.16.30.1 255.255.255.0
!
interface Vlan40
 description *** Server Farm 4 ***
 ip address 172.16.40.1 255.255.255.0
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0
!

Because it is not known which server farm the remote users need to access, I do not want to apply inbound redirection on the server farm interfaces. Instead, I'm doing both inbound and outbound redirection on the interface connecting to the edge WAN router. Is my config valid and recommended for a production environment?

I came across a note that says:

*** Setting outbound redirection on Cat6k/76xx may lead to 100% CPU on the switch ***

Can anyone verify the above statement?

Thank you.

B.Rgds,

Lim TS

10 Replies

Zach Seils
Level 7

Lim TS,

While your configuration is valid, it is not recommended. The issue with outbound redirection on the 6500/Sup720 is that the first packet for every flow gets punted to the MSFC and switched in software. Subsequent packets for the flow are netflow switched in hardware. So there is involvement from the MSFC in the redirection process, which can lead to elevated levels of CPU utilization -- even in environments with moderate traffic flow.

The best practice is the following on the 6500/Sup720:

- Use l2-redirect

- Use mask-assign

- Only use inbound redirection

- Do NOT use 'ip wccp redirect exclude in'

- Use the following minimum software versions in hybrid:

CatOS 8.5 / 12.2(18)SXF5

Thanks,

Zach
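What the list above looks like as a complete configuration for the topology in this thread. This is an added example, not the original poster's or Zach's configuration; it assumes the VLANs and addresses from the first post and that the WAE is L2-adjacent on Vlan200, and the WAE lines are the ones the poster uses later in the thread.

```ios
! Catalyst 6509 MSFC: inbound-only WCCPv2 interception for the topology in this thread.
! Added example following the best-practice list above; not the original poster's config.
! Assumptions: same VLANs/addresses as the first post; the WAE sits L2-adjacent on Vlan200.
ip wccp version 2
ip wccp 61
ip wccp 62
!
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip address 172.16.100.1 255.255.255.0
 ! Service 61 on the WAN-facing VLAN catches branch -> data center traffic (client side).
 ip wccp 61 redirect in
!
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
 ! No 'ip wccp redirect exclude in' here: with no outbound redirection anywhere,
 ! traffic the WAE sends back through Vlan200 never meets a redirect statement.
!
interface Vlan10
 description *** Server Farm 1 ***
 ip address 172.16.10.1 255.255.255.0
 ! Service 62 on each server-facing VLAN catches data center -> branch traffic (server side).
 ip wccp 62 redirect in
!
interface Vlan20
 description *** Server Farm 2 ***
 ip address 172.16.20.1 255.255.255.0
 ip wccp 62 redirect in
!
interface Vlan30
 description *** Server Farm 3 ***
 ip address 172.16.30.1 255.255.255.0
 ip wccp 62 redirect in
!
interface Vlan40
 description *** Server Farm 4 ***
 ip address 172.16.40.1 255.255.255.0
 ip wccp 62 redirect in
!
! WAE (WAAS CLI). l2-redirect and mask-assign are the options recommended for the
! hardware-based Catalyst 6500 so redirection stays in the PFC rather than the MSFC.
wccp router-list 1 172.16.200.1
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp version 2
```

Two consequences of going inbound-only are worth noting. First, flows to server farms in another data center that transit this switch are no longer caught by a single statement on Vlan100; the interface facing that data center needs its own `ip wccp 62 redirect in`. Second, the poster's concern about `redirect exclude in` disappears, because the WAE's return traffic enters on Vlan200, which has no redirect statement. `show ip wccp` on the MSFC and `show wccp routers` on the WAE confirm that the service groups are up and that the WAE sees 172.16.200.1 as its router.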

Hi Zach,

Thanks for your response. It's informative.

My CatOS version is 8.3(4) and MSFC IOS version is 12.2(17d)SXB6. I can't upgrade them to the recommended version in time for the WAE deployment.

The remote users may also need to access server farms located in another data center, which are routed through this Catalyst 6509. The reason I configure outbound redirection on the interface to the WAN router is to have the flexibility to intercept all data center traffic to the remote sites.

On the WAE, I do have the following command:

wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign

Does the above command free the CPU from the redirection process? I'm really worried about the CPU utilization after I roll out the WAE.

I understand "ip wccp redirect exclude in" is not required if we are not doing any outbound redirection. In my case, it is required to prevent traffic from the WAE being redirected back to itself.

Is this the best I can do given my scenario?

Please advise further.

Thank you.

B.Rgds,

Lim TS

Lim TS,

WCCP is not supported on the Sup720 prior to CatOS 8.5 and IOS 12.2(18)SXD1.

Any time outbound redirection is configured, the MSFC is involved in the redirection process, even when the 'l2-redirect mask-assign' options are configured.

Thanks,

Zach

Hi Zach,

My WAE deployment yesterday wasn't a successful one. After I enabled interception on the Cat6509 and the remote WCCP router, I could ping remote hosts but they could not access the Internet (i.e. TCP apps failed).

I understand this is one of the common issues of misconfiguration of network interception which can lead to traffic being "black-holed", i.e. distant devices are pingable, but no application traffic can pass.

Traffic redirection at the data center to its local WAE does not seem to be working. I suspect bugs because the current MSFC IOS version [12.2(17d)SXB6] does not meet the minimum recommended version for WCCP [12.2(18)SXF5].

In my scenario, I'd like to only optimize traffic between remote segments (e.g. 172.16.90.0/24 & 172.16.91.0/24) and the data center. So I use redirect-list on the Cat6509 as follows:

Data Center Cat6509
-------------------
!
ip access-list extended WAAS_ACL
 permit ip any 172.16.90.0 0.0.0.255
 permit ip 172.16.90.0 0.0.0.255 any
 permit ip any 172.16.91.0 0.0.0.255
 permit ip 172.16.91.0 0.0.0.255 any
!
ip wccp 61 redirect-list WAAS_ACL
ip wccp 62 redirect-list WAAS_ACL
!
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip wccp 61 redirect out
 ip wccp 62 redirect in
!
interface Vlan200
 description *** Connection to Data Center WAE (L2 adjacent) ***
 ip address 172.16.200.1 255.255.255.0
 ip wccp redirect exclude in
!

Data Center WAE
---------------
!
ip default-gateway 172.16.200.1
!
wccp router-list 1 172.16.200.1
wccp tcp-promiscuous router-list-num 1 l2-redirect mask-assign
wccp version 2
!

Am I running into Bug ID CSCsh98343? I don't fully understand the workaround. Can you kindly help me?

Thank you.

B.Rgds,

Lim TS

Hi Zach,

Should I be configuring the redirect-list as follows, as per the workaround?

!
ip access-list extended WAAS_61OUT
 permit ip any 172.16.90.0 0.0.0.255
 permit ip any 172.16.91.0 0.0.0.255
!
ip access-list extended WAAS_62IN
 permit ip 172.16.90.0 0.0.0.255 any
 permit ip 172.16.91.0 0.0.0.255 any
!
ip wccp 61 redirect-list WAAS_61OUT
ip wccp 62 redirect-list WAAS_62IN
!

What are your thoughts?

Thank you.

B.Rgds,

Lim TS

Lim TS,

The behavior of WCCP on the Sup720 prior to 12.2(18)SXD1 will be unpredictable. I would not recommend that you use WCCP unless you can upgrade. Do you have other interception alternatives (PBR, Inline, etc.)?

Regarding the specific defect you mentioned, your proposed ACLs look correct.

Thanks,

Zach

Hi Zach,

Thanks again for your response.

The WAE doesn't have an inline card. I may need to explore doing PBR.

By the way, should I configure the options "l2-redirect" and "mask-assign" on the WAE when interfacing with a Catalyst 6500? Are they significant, e.g. do they improve performance?

The thing is, I previously did a lab test using a Cisco 1841. I didn't configure the two options on the WAE and the setup worked. I'm wondering whether I should leave out the two options in the production environment.

Thank you.

B.Rgds,

Lim TS

Lim TS,

The l2-redirect and mask-assign options are recommended on the hardware-based platforms (i.e. Catalyst 6500).

Thanks,

Zach

Hi Zach,

Noted with thanks.

Our local Cisco SE has shown me a long list of WCCP-related bugs. Now I understand why Cisco stresses using the minimum recommended IOS version.

To minimize risks, I'm looking into configuring PBR on the data center switches, while the remote router is still configured with WCCP [it's a 7206VXR and the IOS version is 12.1(27b)E1, which meets the minimum requirement of 12.1(14)]. Do you recommend a mix of PBR and WCCP?

Thanks for your patience in answering my inquiries.

B.Rgds,

Lim TS

Lim TS,

The interception choice you make is local to the site, so yes, mixing PBR and WCCP will be fine.

Thanks,

Zach
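For completeness, here is what the PBR interception discussed in the last few posts could look like on the data center Cat6509, with WCCP left in place on the remote 7206VXR. This is an added example, not configuration from the thread. It assumes the WAE answers on 172.16.200.2 (the thread only gives its gateway, 172.16.200.1) and uses the remote segments 172.16.90.0/24 and 172.16.91.0/24 from the redirect-list posted above.

```ios
! Catalyst 6509 MSFC: PBR interception toward the data center WAE, as an alternative to WCCP.
! Added example, not configuration from the thread. Assumptions: the WAE address is
! 172.16.200.2 (only its gateway 172.16.200.1 appears in the thread); the remote segments
! are 172.16.90.0/24 and 172.16.91.0/24 as in the posted redirect-list.
!
! Branch -> data center: TCP arriving from the WAN router, sourced in the remote segments.
ip access-list extended WAAS_PBR_FROM_WAN
 permit tcp 172.16.90.0 0.0.0.255 any
 permit tcp 172.16.91.0 0.0.0.255 any
!
! Data center -> branch: TCP arriving from the server farms, destined to the remote segments.
ip access-list extended WAAS_PBR_FROM_SERVERS
 permit tcp any 172.16.90.0 0.0.0.255
 permit tcp any 172.16.91.0 0.0.0.255
!
! Only 'match ip address' plus 'set ip next-hop' is used, so the PFC can apply the policy
! in hardware; packets that match no entry fall through to normal routing.
route-map WAAS_FROM_WAN permit 10
 match ip address WAAS_PBR_FROM_WAN
 set ip next-hop 172.16.200.2
!
route-map WAAS_FROM_SERVERS permit 10
 match ip address WAAS_PBR_FROM_SERVERS
 set ip next-hop 172.16.200.2
!
interface Vlan100
 description *** Connection to WAN Router to Branch Offices ***
 ip policy route-map WAAS_FROM_WAN
!
interface Vlan10
 description *** Server Farm 1 ***
 ip policy route-map WAAS_FROM_SERVERS
!
interface Vlan20
 description *** Server Farm 2 ***
 ip policy route-map WAAS_FROM_SERVERS
!
interface Vlan30
 description *** Server Farm 3 ***
 ip policy route-map WAAS_FROM_SERVERS
!
interface Vlan40
 description *** Server Farm 4 ***
 ip policy route-map WAAS_FROM_SERVERS
!
! Vlan200 (the WAE's VLAN) deliberately carries no policy: what the WAE sends back toward
! its default gateway is routed normally, so nothing is looped back into the WAE.
```

Two caveats before using this in production. `set ip next-hop` by itself has no health check: if the WAE goes down, matching traffic is forwarded to an unreachable next hop and is black-holed, which is the same symptom the poster saw with WCCP. IOS offers `set ip next-hop verify-availability` to fall back to normal routing when the next hop is not reachable, but whether that is supported, and hardware-switched, on this Sup720 release should be confirmed before relying on it. Second, with PBR the WAE needs no `wccp` configuration for this site; only the remote 7206VXR keeps its WCCP service groups, which matches Zach's point that the interception method is a per-site choice.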
