cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
958
Views
0
Helpful
8
Replies

WCCP problem

anasmomo
Level 1
Level 1

Dear All,

Can you please help me to solve a problem related to WCCP?. i have two cisco 6509 switches, and i have VLAN 100 configured as a HSRP group, this VLAN comes from external network and the users use it (VIP 192.168.100.1) to access the internal VLANs. we added a VLAN 250 also as a HSRP group and we installed TrendMicro servers in order to redirect HTTP and FTP traffic that come from VLAN 100 and destined to the internal VLANs to the Trendmicro servers.

i think that the WCCP is not working, because when i do the "show ip wccp" command it give me the number of redirected packets is 0.

the following is the configurations and the show command:

interface Vlan100

description Extrenal

ip address 192.168.100.2 255.255.255.0

ip wccp 80 redirect in

standby 100 ip 192.168.100.1

standby 100 priority 110

standby 100 preempt

interface Vlan250

description Virus-Scanner

ip address 10.100.2.2 255.255.255.0

standby 250 ip 10.100.2.1

standby 250 priority 110

standby 250 preempt

DOH-C6509-1#sh ip wccp

Global WCCP information:

Router information:

Router Identifier: 1.1.1.1

Protocol Version: 2.0

Service Identifier: 80

Number of Cache Engines: 4

Number of routers: 2

Total Packets Redirected: 0

Redirect access-list: -none-

Total Packets Denied Redirect: 0

Total Packets Unassigned: 7673923

Group access-list: -none-

Total Messages Denied to Group: 0

Total Authentication failures: 0

DOH-C6509-1#sh run | in wccp

ip wccp 80

ip wccp 80 redirect in

can you please help me to identify what is the problem?

Thanks

Anas

8 Replies 8

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Anas,

WCCP by default redirects TCP 80 = www

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/wccp.html#wp1000978

The standard service is web cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines. This service is referred to as a well-known service, because the characteristics of the web cache service are known by both the router and cache engines. A description of a well-known service is not required beyond a service identification (in this case, the command line interface (CLI) provides a web-cache keyword in the command syntax).

Or you find a way to specify mail and FTP traffic or you can use a PBR (policy based routing ) route-map applied inbound to vlan 100.

See

To accommodate the various types of services available, WCCPv2 introduces the concept of multiple service groups. Service information is specified in the WCCP configuration commands using dynamic services identification numbers (such as 98) or a predefined service keywords (such as web-cache). This information is used to validate that service group members are all using or providing the same service.

in the same document

Hope to help

Giuseppe

Dear Giuseppe,

i already configured serveic number 80, but i think from the "show ip wccp" that it is not working fine.

The configuration:

ip wccp 80

interface vlan 100

ip wccp 80 redirect in

regards,

Hello Anas,

yes I agree

the sh ip wccp shows 0 packets redirected.

the question is in regard to vlan 100 inbound where the well known ports for HTTP and FTP ?

Are the servers the destination addresses of inbound flows ?

Or the inbound flows are not intercepted or the wccp feature is bypassed by CEF multilayer switching.

WCCP by default operates only on TCP port 80 server side.

If I understood correctly you have defined a dynamic service group on the web-cache for FTP protocol.

But FTP protocol uses multiple sockets TCP ports there is the control session and the data session.

I would add an access-list with the log option to cause a CEF table change and see if anything changes.

Hope to help

Giuseppe

Hello,

i clear the CEF table by using "clear ip cef epoch full", but still the WCCP is not working and the redirect packet is 0.

Anas

Hello Anas,

the suggestion to add an access-list is in order to create new CEF entries or even with the log option to cause the packets to be not CEF switched.

We used this trick on C6500s with huge BGP tables to check if they had CEF troubles and it worked.

Later Cisco TAC suggested us an IOS upgrade and we did it.

In your case the first thing to verify is if flows are defined to be redirected on the cache for the service group you are using because default behaviuor is to redirect only HTTP traffic.

I would try to delete and create again service definition on the web Cache(s).

Because FTP has two sessions (control and data) I would try with Telnet port 23 to see if it is able to redirect it.

Hope to help

Giuseppe

Hello,

Do you mean that i should add ACL to permit all ip traffic with log argument and apply it to the "in" direction of VLAN 100?

Thanks and regards,

Anas

Hello Anas,

yes I mean to try to apply an acl to Vlan 100 with the log option to bypass CEF.

Hope to help

Giuseppe

Hello Giuseppe,

i configured the access list with the log option, and i tried to transfer FTP and HTTP but it didnt work.

Thanks

Anas

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco