WCCP With IP Spoof on 6500 and high CPU utilization

Answered Question
Dec 9th, 2007

Hi all,

Recently I configured a 6500 with SUP-720 for transparent web caching with IP Spoofing. The configuration was quite simple.

The idea behind IP Spoof enabled cache is to redirect both send and receive traffic to web cache and the box will spoof the source ip of the original user requesting the page. You have to do the following tasks:

1- Set 2 WCCP general configurations, one with "ip wccp web-cache" and the other with "ip wccp 95"

2- On the VLAN/L3 Port facing the Internet you have to set "ip wccp web-cache redirect out" to redirect outbound connections to web cache.

3- On the VLAN/L3 Port facing cache interface you have to set "ip wccp redirect exclude in" to exclude web cache traffic itself.

4- On the VLAN/L3 Port facing users you have to set "ip wccp 95 redirect out" to redirect incoming traffic (web responses to cache).

Everything works just fine during the test using redirect-list to limit the scope of the change to the test PC, but as soon as I remove the redirect-list to redirect all users' traffic to the web cache, the 6500 with the golden sup720 explodes with 100% CPU usage and the box starts to drop traffic!

I've done so many tests with different modular / non modular IOS of different versions but no success. As I searched the command reference for the 12.2 IOS I've noticed that using WCCP requires full and interface-full mls flow configuration. I've done it as well but again no success. Generally something like 250mbps traffic passes this 6500 but I've tested even with 100mbps and still the IP INPUT process (or ios-base process in modular IOS) eats up all the CPU. Another point that may help is that using WCCP without IP spoof (just "ip wccp web-cache" command) only takes 15% of CPU handling 150mbps traffic. Other configuration regarding cache is that it's using version 2, GRE for Assignment Method and Layer 2 for Forwarding Method and no WCCP password is in place. There is an "accelerated" keyword for wccp but it seems it works only with WCCP version 1. I've seen some comments regarding high CPU utilization on 6500 but all of them state that it's been fixed before 12.2(18)SXD4 (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/msfc_ios.html). I've tested the following IOS:

s72033-adventerprisek9_wan-mz.122-33.SXH.bin

s72033-adventerprisek9_wan-vz.122-33.SXH.bin

s72033-advipservicesk9_wan-mz.122-18.SXF12.bin

which are the latest available.

Does anyone have any idea???

Correct Answer by Zach Seils about 8 years 12 months ago

Ali,

The issue is that not all of your traffic is being redirected in hardware. When you configure outbound interception on the 6500/Sup720, the first packet for every flow is punted to the MSFC and switched in software. Subsequent packets for that flow are redirected in hardware using NetFlow forwarding. So the impact on your MSFC CPU utilization is tied to the number of connections per second (cps) being redirected, as well as some overhead for managing the NetFlow forwarding table.

In addition, the command 'ip wccp redirect exclude in' is not completely understood by the 6500 hardware. So again, the first packet for every flow entering the interface with this configured must be punted to the MSFC and switched in software.

And finally, the use of mask assignment (as opposed to hash assignment) is needed to ensure that all interception is handled in hardware.

Taking these three points together, the following configuration is required if you want WCCP interception to be handled completely in hardware on the 6500/Sup720:

- GRE or L2 forwarding

- Mask assignment

- Inbound redirection

- No 'ip wccp redirect exclude in'

This will require you to reverse the logic of how your service groups are applied:

- 'ip wccp web-cache redirect in' on client-facing interfaces

- 'ip wccp 95 redirect in' on internet-facing interfaces

If you have any questions, please let us know.

Zach
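Added example, not from the thread: a small lint over a 6500 running-config that flags the two statements Zach identifies as forcing the first packet of every flow to the MSFC ('redirect out' and 'redirect exclude in'). Both configs are constructed samples following the original poster's layout and Zach's reversed layout; VLAN numbers are assumed.

```python
"""Flag WCCP statements on a Catalyst 6500 that punt flows to the MSFC CPU."""
import re

# Constructed sample: the original poster's outbound-redirect layout.
BEFORE_CONFIG = """\
ip wccp web-cache
ip wccp 95
!
interface Vlan10
 description Internet-facing
 ip wccp web-cache redirect out
!
interface Vlan20
 description Cache-facing
 ip wccp redirect exclude in
!
interface Vlan30
 description User-facing
 ip wccp 95 redirect out
"""

# Constructed sample: the reversed, all-inbound layout from the accepted answer.
AFTER_CONFIG = """\
ip wccp web-cache
ip wccp 95
!
interface Vlan10
 description Internet-facing
 ip wccp 95 redirect in
!
interface Vlan20
 description Cache-facing
!
interface Vlan30
 description User-facing
 ip wccp web-cache redirect in
"""


def wccp_software_path_findings(config):
    """Return (interface, statement) pairs for WCCP lines that the Sup720
    cannot handle fully in hardware: any 'redirect out' and the
    'ip wccp redirect exclude in' statement."""
    findings = []
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]  # remember the current interface
        elif re.match(r"ip wccp (\S+ )?redirect out$", line):
            findings.append((iface, line))  # outbound redirection
        elif line == "ip wccp redirect exclude in":
            findings.append((iface, line))  # exclude-in is software-switched
    return findings
```

Mask versus hash assignment is negotiated by the cache engine, so it is not visible in this config and must be confirmed on the cache side.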

alibashivan Sun, 12/09/2007 - 10:18

Thank you very much friend, that works just fine with almost no CPU increase!!!

wish you the best!
