01-05-2009 09:01 AM - edited 03-06-2019 03:15 AM
Dear All,
Can you please help me to solve a problem related to WCCP? I have two Cisco 6509 switches, and I have VLAN 100 configured as an HSRP group. This VLAN comes from the external network and the users use it (VIP 192.168.100.1) to access the internal VLANs. We also added a VLAN 250 as an HSRP group and installed TrendMicro servers in order to redirect HTTP and FTP traffic that comes from VLAN 100 and is destined to the internal VLANs to the TrendMicro servers.
I think that WCCP is not working, because when I run the "show ip wccp" command it shows that the number of redirected packets is 0.
The following are the configuration and the show command output:

interface Vlan100
 description Extrenal
 ip address 192.168.100.2 255.255.255.0
 ip wccp 80 redirect in
 standby 100 ip 192.168.100.1
 standby 100 priority 110
 standby 100 preempt

interface Vlan250
 description Virus-Scanner
 ip address 10.100.2.2 255.255.255.0
 standby 250 ip 10.100.2.1
 standby 250 priority 110
 standby 250 preempt

DOH-C6509-1#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier: 1.1.1.1
        Protocol Version: 2.0
    Service Identifier: 80
        Number of Cache Engines: 4
        Number of routers: 2
        Total Packets Redirected: 0
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 7673923
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0

DOH-C6509-1#sh run | in wccp
ip wccp 80
 ip wccp 80 redirect in

Can you please help me to identify what the problem is?
Thanks
Anas
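
Added example, not part of the original thread: a small Python check that parses "show ip wccp" text like the output posted above and flags the state seen there, a service group with cache engines registered that redirects nothing while the unassigned counter is non-zero, so nothing is being handed to the scanners. The sample text is constructed from the counters in the post; the function names and finding strings are illustrative assumptions.

```python
import re

# Constructed sample built from the counters posted above (not a live capture).
SAMPLE = """\
Global WCCP information:
    Router information:
        Router Identifier: 1.1.1.1
        Protocol Version: 2.0
    Service Identifier: 80
        Number of Cache Engines: 4
        Number of routers: 2
        Total Packets Redirected: 0
        Redirect access-list: -none-
        Total Packets Denied Redirect: 0
        Total Packets Unassigned: 7673923
        Group access-list: -none-
        Total Messages Denied to Group: 0
        Total Authentication failures: 0
"""

def parse_wccp(text):
    """Return {service_id: {field: value}} parsed from 'show ip wccp' text."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Service Identifier:\s*(\S+)", line)
        if m:  # start of a new service group section
            current = services.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*([^:]+):\s*(\S.*?)\s*$", line)
        if m and current is not None:  # router-level lines are skipped
            val = m.group(2)
            current[m.group(1).strip()] = int(val) if val.isdigit() else val
    return services

def findings(services):
    """Flag service groups whose counters suggest traffic is not inspected."""
    out = []
    for sid, f in services.items():
        if f.get("Number of Cache Engines", 0) == 0:
            out.append((sid, "no cache engines registered"))
        if (f.get("Total Packets Redirected", 0) == 0
                and f.get("Total Packets Unassigned", 0) > 0):
            out.append((sid, "packets arriving but none redirected"))
        if f.get("Total Authentication failures", 0) > 0:
            out.append((sid, "cache engine authentication failures"))
        if f.get("Group access-list") == "-none-":
            out.append((sid, "no group-list limiting who may join the group"))
    return out
```

Running findings(parse_wccp(SAMPLE)) reports service 80 twice: once for the zero redirect count and once for the missing group access-list.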
01-05-2009 09:24 AM
Hello Anas,
WCCP by default redirects TCP 80 = www
see
The standard service is web cache, which intercepts TCP port 80 (HTTP) traffic and redirects that traffic to the cache engines. This service is referred to as a well-known service, because the characteristics of the web cache service are known by both the router and cache engines. A description of a well-known service is not required beyond a service identification (in this case, the command line interface (CLI) provides a web-cache keyword in the command syntax).
Either you find a way to specify mail and FTP traffic, or you can use a PBR (policy-based routing) route-map applied inbound to VLAN 100.
See
To accommodate the various types of services available, WCCPv2 introduces the concept of multiple service groups. Service information is specified in the WCCP configuration commands using dynamic service identification numbers (such as 98) or predefined service keywords (such as web-cache). This information is used to validate that service group members are all using or providing the same service.
in the same document
Hope to help
Giuseppe
01-05-2009 10:24 AM
Dear Giuseppe,
I already configured service number 80, but I think from the "show ip wccp" output that it is not working properly.
The configuration:
ip wccp 80
interface vlan 100
 ip wccp 80 redirect in
regards,
01-05-2009 11:16 AM
Hello Anas,
Yes, I agree:
the sh ip wccp output shows 0 packets redirected.
The question is, in regard to VLAN 100 inbound, where are the well-known ports for HTTP and FTP?
Are the servers the destination addresses of the inbound flows?
Either the inbound flows are not intercepted, or the WCCP feature is bypassed by CEF multilayer switching.
WCCP by default operates only on TCP port 80 server side.
If I understood correctly, you have defined a dynamic service group on the web cache for the FTP protocol.
But the FTP protocol uses multiple sockets (TCP ports): there is the control session and the data session.
I would add an access-list with the log option to cause a CEF table change and see if anything changes.
Hope to help
Giuseppe
01-11-2009 02:09 AM
Hello,
I cleared the CEF table by using "clear ip cef epoch full", but WCCP is still not working and the redirected packet count is 0.
Anas
01-11-2009 05:09 AM
Hello Anas,
The suggestion to add an access-list is in order to create new CEF entries or, with the log option, even to cause the packets not to be CEF switched.
We used this trick on C6500s with huge BGP tables to check if they had CEF troubles and it worked.
Later Cisco TAC suggested us an IOS upgrade and we did it.
In your case the first thing to verify is whether flows are defined to be redirected on the cache for the service group you are using, because the default behaviour is to redirect only HTTP traffic.
I would try to delete and create again the service definition on the web cache(s).
Because FTP has two sessions (control and data), I would try with Telnet port 23 to see if it is able to redirect it.
Hope to help
Giuseppe
01-11-2009 09:06 AM
Hello,
Do you mean that I should add an ACL to permit all IP traffic with the log argument and apply it to the "in" direction of VLAN 100?
Thanks and regards,
Anas
01-11-2009 11:40 AM
Hello Anas,
Yes, I mean to try applying an ACL to VLAN 100 with the log option to bypass CEF.
Hope to help
Giuseppe
01-11-2009 09:59 PM
Hello Giuseppe,
I configured the access list with the log option, and I tried to transfer FTP and HTTP, but it didn't work.
Thanks
Anas